EvilProxy Phishing Toolkit Spotted on Dark Web Forums

  • A new Phishing-as-a-Service (PhaaS) named EvilProxy (also known as Moloch) was seen for sale in dark web forums, according to the Resecurity team.

    “EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA [two-factor authentication] – proxifying victim’s session,” Resecurity wrote in an advisory published earlier today.

    The analysis warns that such methods have been seen in targeted campaigns of advanced persistent threats (APTs) and cyber-espionage groups before.

    “However, now these methods have been successfully productized in EvilProxy, which highlights the significance of growth in attacks against online services and MFA authorization mechanisms,” Resecurity wrote.

    Further, based on the ongoing investigation of attacks against multiple employees from Fortune 500 companies, Resecurity said it obtained substantial knowledge about EvilProxy, including its structure, modules, functions and the network infrastructure used.

    “Early occurrences of EvilProxy have been initially identified in connection to attacks against Google and MSFT customers who have MFA enabled on their accounts – either with SMS or Application Token,” said the security researchers.

    In an attempt to establish a timeline of EvilProxy’s operations, Resecurity said the malware was first spotted in early May 2022, when the threat actors (TAs) behind it released a demonstration video describing how it could be used to deliver advanced phishing links.

    These, in turn, could be used to compromise consumer accounts belonging to Apple, Facebook, Google, Instagram, Microsoft and Twitter, among others.

    “Notably, EvilProxy also supports phishing attacks against Python Package Index (PyPi),” warned Resecurity.

    Several PyPi software repository project contributors were subject to a phishing attack aimed at tricking them into divulging their account login credentials last week.

    That attack, linked to the JuiceStealer payload, was now connected to EvilProxy actors by Resecurity. According to the security experts, the TA would have added this function shortly before the attack was performed.

    “Besides PyPi, the functionality of EvilProxy also supports GitHub and npmjs…enabling supply chain attacks via advanced phishing campaigns,” said Resecurity in its advisory.

    The analysis also suggests it is highly likely these threat actors target software developers and IT engineers in order to gain access to their repositories with the end goal of hacking “downstream” targets.

    “These tactics allow cybercriminals to capitalize on the end users’ insecurity who assume they’re downloading software packages from secure resources and don’t expect it to be compromised.”