JavaScript Keylogger used to Steal Credentials
During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across multiple URLs hosting pages pretending to be Greece’s tax refund site. The page mentions the tax refund amount and asks users to confirm their current account number to transfer funds. The page tricks users into providing their net banking credentials through this process.
Phishing pages are usually designed to send the victim’s credentials to the Threat Actor (TA) when the user clicks the submit button. The TA in this campaign has used a JavaScript keylogger to steal keystrokes when users enter their credentials on the phishing website. This sophisticated technique makes this campaign unique, as we rarely observe such techniques being used.
Phishing Pages Analysis
The figure below shows the phishing site with the official logo of the Greek Government website.
When users visit the website hosted on the URLs: hxxp://mygov-refund[.]me/ret/tax & hxxps://govgr-tax[.]me/ret/tax, the pages ask the users to confirm their current account number to transfer tax refund money.
While choosing the bank, the user is given the option to choose between seven major banks, including the National Bank of Greece, Alpha Bank, and WinBank.
When the user selects the bank, the website redirects them to a page that contains a fake net banking login UI similar to the legitimate URLs being imitated.
The below image depicts the fake login UI hosted on the URL: hxxp://mygov-refund[.]me/bg/internet banking/tax pretending to be the National Bank of Greece’s net banking page.
The below image shows the fake login UI hosted on the URL: hxxp://mygov-refund[.]me/alpha/internet banking/tax, which pretends to be the Alpha Bank net banking page.
Technical Analysis
The below JavaScript code snippet has been used to capture keystrokes entered on the website’s text fields and upload these captured credentials back to the Threat Actor’s Command and Control (C&C).
Traffic Analysis
The below image shows the network communication after capturing any keystrokes entered on the phishing website’s text field.
Based on our investigation, CRIL observed that the IP address: 195.178.120[.]25 has been used as a base to host various malicious domains containing phishing pages related to tax refunds in Greece. The complete list of phishing sites can be found in the IOC section of this analysis.
Upon further investigation, we determined that this campaign started through phishing emails targeting Greek taxpayers.
Conclusion
Phishing has been one of the most commonly used tactics leveraged by Threat Actors to harvest personal and financial information. In this particular case, we observed the TAs using sophisticated techniques to steal whatever inputs were entered in the text fields of their phishing sites without the need for further user input (such as clicking “Submit”).
This is a rarely seen feature, as it can capture credentials with minimal inputs from the user, making the campaign even harder to detect and analyze.
Cyble Research & Intelligence Labs actively monitors new malicious phishing campaigns to keep our readers updated with our latest findings about phishing and other types of data theft attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Input Capture | T1056/001 | Input Capture: Keylogging |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| hxxp://mygov-refund[.]me/ret/tax | URL | Phishing URL |
| hxxps://govgr-tax[.]me/ret/tax | URL | Phishing URL |
| hxxps://hodewood[.]com/ | URL | Phishing URL |
| hxxp://rodriguez@hodewood[.]com/ | URL | Phishing URL |
| hxxp://govgr-tax[.]me/ret/tax | URL | Phishing URL |
| hxxp://govgreece-tax[.]me/ret/tax | URL | Phishing URL |
| hxxps://mygovrefund-tax[.]me/c1/refund | URL | Phishing URL |
| hxxp://govgreece-tax[.]me/ | URL | Phishing URL |
| hxxps://govgreece-tax[.]me/ret/tax | URL | Phishing URL |
| hxxps://govgr-refund[.]me/ret/tax | URL | Phishing URL |
