During a recent phishing incident handled by the ThreatSign incident response team, a phishing link led to the discovery of a phishing kit. Prompt action mitigated the threat and prevented its distribution in the wild.
Let's skip the attack background and head to the Phish Kit details:
Office 365 PhishKit
The kit is a ZIP archive that contains the whole directory of the phishing kit. When the files are loaded on a web server, it shows a familiar Office 365 login page:
Upon entering fictional credentials, the fake Office login page made the following requests:
We checked the file that is executed to ensure we are not missing anything:
The script takes the submitted credentials and sends them to an email address, and the victim is then redirected to a genuine Microsoft site.
It also has a list of IP addresses that are banned from accessing an installed phish kit:
For evasion, the phish kit also blocks some IP addresses from accessing the phishing link:
After the attacker is done, a simple call to the file removes all of the files used for the phishing attack:
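An added example, not code from the kit or from Quttera's tooling: a small scanner a site owner could run over a web root to flag files that combine the behaviours described above (posted form fields mailed out and followed by a redirect to a Microsoft domain, a hard-coded visitor IP blocklist, and a clean-up script). The patterns, the threshold, the domain list and the sample fragments are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic patterns (assumptions for this example, not the kit's own code).
INDICATORS = {
    "mail_call": re.compile(r"\bmail\s*\(", re.I),
    "post_data": re.compile(r"\$_(?:POST|REQUEST)\b"),
    "ms_redirect": re.compile(r"Location:[^'\"\n]*[/.](?:microsoft\w*|office\w*|live)\.com\b", re.I),
    "visitor_ip": re.compile(r"REMOTE_ADDR|deny\s+from", re.I),
    "deletes": re.compile(r"\b(?:unlink|rmdir)\s*\(", re.I),
    "walks_dir": re.compile(r"\b(?:glob|scandir|opendir)\s*\(", re.I),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MIN_BLOCKED_IPS = 3  # assumed threshold: a hard-coded list, not a single address

def classify(source: str) -> list[str]:
    """Return the phish-kit behaviours that one file's text matches."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    findings = []
    if {"mail_call", "post_data", "ms_redirect"} <= hits:
        findings.append("credential-harvester")
    if "visitor_ip" in hits and len(IPV4.findall(source)) >= MIN_BLOCKED_IPS:
        findings.append("ip-blocklist")
    if {"deletes", "walks_dir"} <= hits:
        findings.append("self-removal")
    return findings

def scan_tree(root) -> dict[str, list[str]]:
    """Classify PHP and .htaccess files under root; hits still need manual review."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        wanted = path.suffix.lower() in {".php", ".phtml"} or path.name == ".htaccess"
        if wanted and path.is_file():
            found = classify(path.read_text(errors="replace"))
            if found:
                results[path.relative_to(root).as_posix()] = found
    return results

# Constructed sample fragments (not taken from the kit) for a dry run.
SAMPLES = {
    "o365/post.php": 'mail($to, $s, $_POST["pw"]); header("Location: https://login.microsoftonline.com/");',
    "o365/block.php": '$deny = ["192.0.2.1", "192.0.2.2", "198.51.100.7"]; if (in_array($_SERVER["REMOTE_ADDR"], $deny)) exit;',
    "o365/clean.php": 'foreach (glob(__DIR__ . "/*") as $f) { unlink($f); }',
    "blog/contact.php": 'mail($admin, "Contact form", $_POST["message"]);',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```

An ordinary contact form that only mails posted data is not flagged, because the harvester rule requires the mail call, the posted fields and the Microsoft redirect together; point `scan_tree()` at a web root to apply the same rules to files on disk.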
We would like to remind everyone to be skeptical when entering credentials. Always check the link integrity, and if you think something is suspicious, the chances are you're right.
We are always quick to respond in cases like these to protect our customers and everyone else. If you need help checking or cleaning a phishing infection on your site, see our ThreatSign plans page and our experts will be happy to do the job for you.