Mamba Toolkit Abuses Multi-Factor Authentication In Sophisticated Phishing Attack


Phishing attacks are stealthy cyber threats where threat actors impersonate reputable entities to trick individuals into revealing sensitive information (“passwords” or “financial details”). 

These types of attacks are executed via “emails” or “messages” that create a sense of urgency. 

EHA

Not only that, all these scams often lead victims to “malicious websites” or “prompt them to download harmful attachments.” 

Cybersecurity researchers at Sekoia recently found that the “Mamba” toolkit has been actively abusing multi-factor authentication in sophisticated phishing attacks.

In October 2024, cybersecurity researchers discovered an advanced phishing campaign called “Mamba 2FA.” 

This phishing campaign targets Microsoft 365 users via sophisticated “HTML attachments” that create convincing replicas of “Microsoft login pages.” 

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

While this phishing toolkit employs an “AiTM” technique and leverages the “Socket[.]IO” JavaScript library to establish “real-time websocket connections” with backend servers that enable it to evade traditional MFA protections. 

The phishing infrastructure operates through a “two-layer system” with URLs following a specific pattern (https://{domain}/{m,n,o}/?{Base64 string}):- 

  • Link domains
  • Relay servers

The kit supports four distinct phishing page templates, “OneDrive (o365_#one),” “generic Microsoft sign-in (o365#nom),” “SharePoint Online secure link (o365#sp),” and “voice mail notifications (o365#_voice).” 

It’s available as a “PhaaS platform” for ‘$250 per 30-day subscription’ via Telegram. So, with this subscription customers can generate customized “phishing links” and “HTML attachments” via a dedicated bot. 

Mamba Toolkit Abuses Multi-Factor Authentication In Sophisticated Phishing Attack
The architecture of the Mamba 2FA phishing kit (Source – Sekoia)

The HTML attachments are particularly sophisticated and contain obfuscated ‘JavaScript code’ that redirects victims to phishing pages while using ‘CSS’ to hide harmless content, which makes the detection more challenging, according to the Sekoia report.

The service maintains a shared pool of servers and domain names that demonstrates its evolution from its initial appearance on “ICQ” in November 2023 to its current sophisticated form that targets “multiple organizations” via its “distributed infrastructure.”

Mamba 2FA phishing platform offers the following capabilities:-

  • Supports non-phishing-resistant MFA.
  • Integrates with Entra ID, AD FS, third-party SSO, and Microsoft accounts.
  • Reflects enterprise custom login branding dynamically.
  • Instantly sends stolen credentials and cookies via Telegram bot.
  • Blocks access from security scanning services.

Link domains are specialized web addresses used in sophisticated phishing operations that employ an “antibot” detection system to filter out security tools and automated scanners. 

When these domains detect potential security solutions, they automatically redirect visitors to a harmless page (“https://google[.]com/404”). 

However, for regular visitors, the system serves a minimal HTML document that includes critical components (“a Socket.IO JavaScript library (version 4.7.5) for real-time bidirectional communication,” “unique identifiers stored in HTML attributes (with the ‘sti’ attribute containing a double Base64-encoded customer ID, and ‘vic’ attribute storing the target email),” and “template scripts (like jsdrive.js for OneDrive,” “jsnom.js for Microsoft sign-in, “jssp.js for SharePoint,” and “jsv.js for voice mail templates”). 

These templates manage the phishing page’s appearance and establish WebSocket connections with relay servers that help in processing user inputs like ’email addresses,’ ‘passwords,’ and ‘MFA codes’ through specific event commands (‘new-session’, ‘password_command’, ‘otp_command’). 

The system uses response events (‘s2c’, ‘s2c_cookies’, ‘s2c_restart’) to control page behavior and updates while utilizing proxy servers to mask the true origin of authentication attempts against Microsoft’s “Entra ID servers,” which makes the attack infrastructure more “resilient” and “harder” to trace.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar



Source link