EvilProxy Phishing-As-A-Service with MFA Bypass Has Emerged in the Dark Web

Resecurity researchers have discovered a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised on the Dark Web.

Original post: https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web

Following the recent Twilio hack that resulted in the leak of 2FA (OTP) codes, cybercriminals continue to upgrade their arsenal of attacks to orchestrate advanced phishing campaigns targeting users around the world. Security recently identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised on the Dark Web. On some sources, the alternate name is Molochwhich has a connection to a phishing kit developed by several notable underground players that previously targeted financial institutions and the e-commerce industry.

While the incident with Twilio is purely supply chain related, cybersecurity risks obviously lead to attacks against downstream targets, the underground service produced like EvilProxy allows threat actors to attack users with MFA enabled at the largest scale without the need to hack upstream services.

EvilProxy actors use Reverse Proxy and Injection of cookies methods to bypass 2FA authentication – proxyfying victim’s session. Previously, such methods were seen in targeted campaigns by APT and cyber espionage groups, but now these methods have been successfully produced in EvilProxy, which highlights the importance of the growth of attacks against online services and MFA authorization mechanisms.

Based on the ongoing investigation surrounding the outcome of attacks against several employees of Fortune 500 companies, Resecurity was able to obtain substantial knowledge about EvilProxy, including its structure, modules, functions, and network infrastructure used. to carry out malicious activities. The first occurrences of EvilProxy were initially identified in connection with attacks against Google and MSFT customers that MFA enabled on their accounts – either with SMS Where Application token.

The first mention of EvilProxy was detected in early May 2022, which is when the actors running it released a demo video detailing how it could be used to provide advanced phishing links for the purpose. to compromise the accounts of consumers belonging to major brands such as Apple, Facebook, come on daddy, GitHub, Google, drop box, instagram, Microsoft, Twitter, yahoo, yandex and others.

Notably, EvilProxy also supports phishing attacks against Python package index (PyPi):

The official software repository for the Python language (Python Package Index (PyPI)) recently (last week) reported that contributors to the project had been subjected to a phishing attack that attempted to trick them into disclosing the credentials of login to their account. The attack used JuiceStealer (as the final payload after the initial compromise) and according to findings from Resecurity’s HUNTER team – related to EvilProxy actors who added this function shortly before the attack was carried out.

Apart from PyPi, EvilProxy’s feature also supports GitHub and npmjs (JavaScript package manager widely used by over 11 million developers worldwide) enabling supply chain attacks via advanced phishing campaigns. It is highly likely that actors aim to target software developers and IT engineers to gain access to their repositories with the end goal of hacking “downstream” targets. These tactics allow cybercriminals to capitalize on insecure end users who assume they are downloading software packages from secure resources and do not expect them to be compromised.

How it works?

EvilProxy uses the “Reverse Proxy” principle. The concept of reverse proxy is simple: malicious actors direct victims to a phishing page, use the reverse proxy to retrieve all legitimate content expected by the user, including login pages – it sniffs their traffic when goes through the proxy. This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords and/or 2FA tokens.

Resecurity has acquired videos posted by EvilProxy actors demonstrating how it can be used to steal the victim’s session and successfully go through Microsoft 2FA and Google messaging services to gain access to the target account.

Google 2FA

Microsoft 2FA

EvilProxy is offered on a subscription basis, when the end user (a cybercriminal) chooses a service of interest to target (e.g. Facebook or Linkedin), the activation will be for a specific period of time (10, 20 or 31 days according to the description of the plans that has been posted by the actors on several Dark Web forums). One of the key players – John_Malkovich, acting as an administrator to review new customers. The service is represented in all major underground communities, including XSS, To exploit and violated.

Payment for EvilProxy is arranged manually through an operator on Telegram. Once the subscription funds are received, they will be deposited into the customer portal account hosted in TOR. The kit is available for $400 per month on the Dark Web hosted on the TOR network.

EvilProxy’s portal contains multiple tutorials and interactive videos regarding the use of the service and configuration tips. To be frank, the bad actors did a great job in terms of the usability of the service and the configurability of new campaigns, traffic flows, and data collection.

After activation, the operator will be prompted for SSH credentials to further deploy a Docker container and set of scripts. This approach was also used in another Phaas service called “Frappo” which was identified by Resecurity this year. The automated installer has a reference to a user “Olf Dobs” (ksh8h297aydO) on Gitlab:

apt update -qqy && apt dist-upgrade –no-install-recommends –no-install-suggests -o Dpkg::options::=”–force-confdef” -y \ && apt install –no-install-recommends –no -install-suggests -y git \ && rm -rf /srv/control-agent && git clone –recurse-submodules https://gitlab.com/ksh8h297ayd0/docker-control-agent.git /srv/control-agent\ && cd /srv/control-agent && chmod +x ./install.sh \ && /srv/control-agent/install.sh ‘[license_key]’ ===*=

After successful deployment, the scripts will route victim traffic through 2 gateways defined as “upstream”:

Based on further analysis, we have identified some of the domain names used for phishing campaigns. Malicious actors register similar domains (by spelling) with the intention of obfuscating them under legitimate online services.

Some of the links generated by EvilProxy to impersonate Microsoft E-Mail services are provided below:

Login Phishing URL
https://lmo.msdnmail[.]net/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2Fopenid%20profile%20https%3 A%2F%2Fwwwofc.msdnmail.net%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=637975588496970710 .Zjg3YzFkMmEtYTUxYy00NDliLWEzYzAtMTExZTliNjBkY2ZkY2U3NzM2MDMtZWNhZC00ZWFmLWE5YjMtYzgzZTFjM2E1ZDdl&ui_locales=en-US&mkt=en-US&state=jHi-CP0Nu4oFHIxklcT1adstnCWbwJwuXQWTxNSSsw-23qiXK-6EzyYoAyNZ6rHuHwsIYSkRp99F-bqPqhN4JVCnT4-3MQIDvdTKapKarcqaMFi6_xv2__3D0KfqBQ070ykGBGlwxFQ6Mzt9CwUsz2zdgcB4jFux2BhZQwcj-WumSBz0VQs5VePV-wz00E8rDxEXfQdlv-AT29EwdG77AmGWinyf3yQXSZTHJyo8s-IWSHoly3Kbturwnc87sDC3uwEn6VDIjKbbaJ-c-WOzrg&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=

Post-Authorization URL

Malicious actors use several techniques and approaches to recognize victims and prevent detection of phishing kit code. Like fraud prevention and cyber threat intelligence (CTI) solutions, they aggregate data about VPN Services, Proxies, Discrete output nodes and other hosts that can be used for IP reputation analysis (of potential victims). In case they suspect a bot or seeker, they either drop the connection or redirect it to a specific host (e.g. “brave.com”).

Another approach that has been identified is based on fingerprints.

Bad actors are particularly diligent when it comes to detecting possible virtual machines, typically used by security analysts to scan for malicious content and clients connecting via RDP (Remote Desktop Protocol):


While the sale of EvilProxy requires verification, cybercriminals now have a cost-effective and scalable solution to perform advanced phishing attacks to compromise consumers of popular online services with MFA enabled. The appearance of such services in the Dark Web will lead to a significant increase in ATO/BEC activity and cyberattacks targeting the identity of end users, where MFA can be easily circumvented using tools like EvilProxy.

The Indicators of Compromise (IoC) along with other information is included in the original post posted by Resecurity.


Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, EvilProxy)

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button