Pierluigi Paganini February 16, 2021

Researchers from threat intelligence Cyble have discovered threat actors abusing the Ngrok platform in a fresh phishing campaign.

Researchers at the threat intelligence firm Cyble discovered a new wave of phishing attacks targeting multiple organizations that are abusing the ngrok platform, a secure and introspectable tunnel to the localhost.

ngrok is a cross-platform application used to expose a local development server to the Internet, the server appears to be hosted on a subdomain of ngrok (e.g., 4f421deb219c[.]ngrok[.]io) by creating a long-lived TCP tunnel to the localhost. The experts pointed out that ngrok server software runs on a VPS or a dedicated server and can bypass NAT mapping and Firewall restriction.

Threat actors are abusing the protocol for multiple malicious purposes.

“Multiple threat actors have abused the ngrok platform to gain unauthorized access to the target for delivering the additional payload, exfiltrating financial data such as credit/debit card information, and carrying out targeted phishing attacks.” reads the post published by Cyble.

Experts pointed out that attacks abusing the ngrok platform are hard to detect because connections to subdomains of ngrok.com are not filtered by security measures.

Experts provided a list of ngrok-based attacks conducted by cybercrime organizations and nation-stated actors such as Fox Kitten and Pioneer Kitten APT groups.

The experts reported multiple malware strains and phishing campaigns abusing ngrok tunnelling, including

Some of the new strains of malware/phishing campaign using ngrok tunneling are:

• Njrat
• DarkComet
• Quasar RAT
• asynrat
• Nanocore RAT

Cyble focuses on threat actors abusing ngrok.io to deliver phishing attacks.

“Interestingly, we found multiple ngrok.io links used in darkweb markets/leaks and cybercrime forums by different threat actors such as BIN CARDERS, Telegram- carder data, and linlogpass.” continues Cybler.

Cyble also spotted a phishing tool kit, named “KingFish3 (Social master), advertised on a cybercrime forum. The experts discovered that a threat actor shared on the forum a Github link to the tool, which also abuses ngrok tunnels to carry out the attack.

Below the steps identified by the experts to abuse the ngrok tunnels and carry out phishing attacks:

1. The tool creates a tunnel using ngrok to the chosen phishing URL with the specified port.
2. The hacker tracks real-time logs in the first session and waits for the victims to enter their phone number.
3. The hacker then logs into the affected application’s official site with the harvested credentials and generates an OTP (2FA).
4. Victims then enter the received OTP in the phishing site, which the hacker captures.
5. Finally, the hacker gains access to the victims’ official account using the OTP(2FA).

The post includes a partial list of ngrok based phishing Indicators of Compromise (IOCs).

Below, Cyble experts’ recommendations:   

• Users of ngrok and other tunnelling services are advised to obtain authorization from their information security teams.
•  It is advised to password-protect their tunnel access and enable IP whitelisting to restrict access to only trusted IP addresses.
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.   
• Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately.   
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.   
• People concerned about their exposure to the Dark web can register at AmiBreached.com to ascertain their exposure.   
• Refrain from opening untrusted links and email attachments without verifying their authenticity.  

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]