Summary:
The TRAC Labs team has identified a phishing campaign named “Gabagool” that targets corporate and government employees by leveraging Cloudflare R2 buckets to host malicious content. The attackers compromise email accounts to send phishing emails containing malicious links that redirect victims to fake documents and credential harvesting pages.
Keypoints:
Gabagool is a phishing kit targeting corporate and government employees.
The campaign utilizes Cloudflare R2 buckets to host phishing content.
Attackers compromise email accounts to send phishing emails with malicious links.
Phishing emails often contain disguised attachments leading to credential harvesting pages.
Malicious URLs are often shortened and embedded in images.
The phishing landing pages employ various techniques to detect bots.
Indicators of compromise include unusual connections to Cloudflare R2 buckets.
MITRE Techniques
Phishing (T1566): Uses email to deliver malicious links or attachments to victims.
Credential Dumping (T1003): Harvests user credentials through phishing landing pages.
Command and Control (T1071): Utilizes Cloudflare R2 buckets for hosting malicious content and maintaining communication with compromised systems.
Obfuscated Files or Information (T1027): Uses obfuscation techniques in JavaScript to hide malicious activities.
IoC:
[domain] o365.alnassers.net
[url] pub-{32 hexadecimal characters}.r2.dev/{html_filename}.html
[url] https://outlook.office365.com/Encryption/ErrorPage.aspx?src=3&code=11
[url] emcs.cnt.br/27942f91ec60abe507e5e85c70f2a95a/services/mathon/PX-%20o365%20v1.2/
[url] https://api.ipify.org?format=json
[url] tiny.cc
[url] tiny.pl
[url] sharepoint.com
[url] sugarsync.com
[url] box.com
Full Research: https://medium.com/@traclabs_/aitm-phishing-hold-the-gabagool-analyzing-the-gabagool-phishing-kit-531f5bbaf0e4