TodayZoo phishing kit borrows the code from other kits

Microsoft uncovered an extensive series of credential phishing campaigns that employed a custom phishing kit tracked as TodayZoo.

Microsoft researchers uncovered a custom phishing kit, dubbed TodayZoo, that was used in an extensive series of credential phishing campaigns.

A “phishing kit” is a set of software or services aimed at facilitating phishing campaigns. In most cases a phishing kit is an archive file containing images, scripts, and HTML pages that allow threat actors to create a phishing page used to trick recipients into providing their credentials.

TodayZoo borrows large pieces of code from other phishing kits Microsoft investigated in the past; these portions of code still include the comment markers, dead links, and other holdovers from the previous kits.

The kit was first spotted by the IT giant in December 2020. Because of the consistency in the redirection patterns, domains, and other tactics, techniques, and procedures (TTPs) of its related campaigns, experts attribute the kit to a threat actor that is behind an older phishing kit template. Microsoft experts speculate that this threat actor implemented its own credential harvesting logic.

Since March 2021, Microsoft has observed a series of phishing campaigns abusing the AwsApps[.]com domain to send the phishing messages. The email messages impersonated Microsoft and leveraged a zero-point font obfuscation technique to evade detection.
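Zero-point font obfuscation works by inserting junk characters, rendered at font-size 0, into the middle of words so that a keyword filter reading the raw HTML never sees "Microsoft" or "password" while the recipient does. The following added example (not code from Microsoft's analysis or from the kit itself) shows how a mail-filtering pipeline can reconstruct the text the recipient actually sees and flag messages where keywords appear only after the invisible text is discarded. The HTML body and its URL are constructed for this illustration; the `_ZERO_FONT` pattern and the keyword list are assumptions of the example, not values from the article.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an HTML email body. Visibly it reads as a password-reset
# lure, but characters inside zero-size spans break up the keywords that a naive
# string match on the raw markup would look for.
SAMPLE_HTML = """
<html><body>
<p>Your Micro<span style="font-size:0px">qz</span>soft pass<span style="FONT-SIZE: 0">k7</span>word
expires today. <a href="https://example.invalid/reset">Reset now</a></p>
</body></html>
"""

# Matches an inline font-size of 0 in any unit (assumed pattern; "font-size:0.5em"
# and "font-size:10px" deliberately do not match).
_ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$|!)", re.I)

# Elements that never get a closing tag, so they must not touch the open-tag stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class ZeroFontScanner(HTMLParser):
    """Separates text rendered at font-size 0 from text the recipient actually sees."""

    def __init__(self):
        super().__init__()
        self.visible = []
        self.hidden = []
        self._hidden_depth = 0  # > 0 while inside a zero-size element
        self._stack = []        # one flag per open tag: did it start a hidden region?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = bool(_ZERO_FONT.search(style))
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        (self.hidden if self._hidden_depth else self.visible).append(data)


def scan_html(html):
    """Return (visible_text, hidden_text) for an HTML body."""
    parser = ZeroFontScanner()
    parser.feed(html)
    parser.close()
    visible = re.sub(r"\s+", " ", "".join(parser.visible)).strip()
    hidden = "".join(parser.hidden)
    return visible, hidden


def analyze(html, keywords=("microsoft", "password")):
    """Compare what a raw-markup keyword filter sees with what the recipient sees.

    The message is suspicious when it carries hidden text AND a keyword shows up
    only after that hidden text is removed, i.e. the hidden text was splitting it.
    """
    visible, hidden = scan_html(html)
    raw_text = re.sub(r"<[^>]+>", "", html)          # the naive filter's view
    raw_text = re.sub(r"\s+", " ", raw_text).lower()
    vis_lower = visible.lower()
    return {
        "hidden_chars": len(hidden),
        "keywords_in_raw": [k for k in keywords if k in raw_text],
        "keywords_in_visible": [k for k in keywords if k in vis_lower],
        "suspicious": bool(hidden) and any(k in vis_lower and k not in raw_text for k in keywords),
    }


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML)[0])
    print(analyze(SAMPLE_HTML))
```

The verdict deliberately keys on the gap between the two views rather than on the mere presence of `font-size:0`, because legitimate templates occasionally use zero-size elements for layout; what matters for detection is that a lure keyword only becomes readable after invisible characters are dropped.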

Attackers used different lures in the message body over the months, including password reset, and fake fax and scanner notifications.

The analysis of the kit revealed that a large part of the code borrows from the DanceVida phishing kit.

“Upon further investigation, we identified the dead links and markers as holdovers from many other commoditized kits available for free or purchase. We then compared TodayZoo with other phishing kits we have analyzed previously and found that even these kits also contained references to sites like Dancevida[.]com but would have different code blocks for their obfuscation or credential harvest components.” reads the analysis from Microsoft. ““DanceVida” is more of a code block than a full-fledged phishing kit. As such, kits that use DanceVida are rather diverse in their delivery, lures, and location because they are directly for sale on various forums under kit-naming schemas, as well as under a wider variety of landing page templates, including document download pages. Most of the credentials that the DanceVida-based kits’ harvesting pages gather are exfiltrated to accounts using free email services, such as GMail, Yahoo!, and Yandex.”

The imitation and obfuscation-related components of the TodayZoo phishing kit overlap with the code from at least five other kits such as Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo.

TodayZoo demonstrates that threat actors could create their own variants of phishing kits from publicly available frameworks to meet their needs.

“Our analysis of TodayZoo, DanceVida, and other phishing kits gives us several insights into the underground economy today. First, this research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit “families.” While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves.” concludes Microsoft.

Pierluigi Paganini

(SecurityAffairs – hacking, TodayZoo phishing kit)
