The DomainTools Research team discovered lots of new malicious-looking PDFs dating back to July 30, 2021. While they did not cover malicious content, they did contain links to dozens of short-lived Glitch apps that hosted a SharePoint phishing page with obfuscated JavaScript designed to harvest credentials.
Employees at major corporations are the targets of the spearphishing campaign, with an apparent emphasis on employees working in the Middle East. Further investigation reveals that this appears to be a single campaign in a long line of similar, SharePoint-themed phishing attempts.
Anderson explained that Glitch shared spaces are difficult to detect, their “ephemeral nature” makes them ideal for threat actors looking to host malicious content. This is particularly true “because Glitch’s domains are already trusted and frequently allowlisted on many networks.”
“For example, one document directed the recipient to hammerhead-resilient-birch.glitch[.]me, where the malicious content was stored,” Anderson wrote in his blog post. “Once the five-minute timer expires, the account behind the page must click to serve their page again.”
Due to the ephemerality of these pages, none of the 70 documents discovered by DomainTools Research contained a live page serving up a next stage payload. Fortunately, there are a number of tools available to aid in the hunt in this case.
The first was URLScan, which allows you to search through all of the sites that have been scanned in the last month. While there were dozens of other URLs that led to new documents, this unfortunately just showed that many others were experiencing the same problem with deactivated pages.
DomainTools Research discovered a live site on the Any.Run service while scouring other OSINT sources. Any.Run is a commercial malware sandbox and public repository of executed malware that can be used for hunting specific interactions from malicious code. While the report did not include the next stage payload, it did include a screenshot of the Microsoft SharePoint phishing login that was used to entice the victim.
Finally Anderson concluded that in order to understand how the campaign works, one must first understand how the free version of Glitch works. He wrote that the platform allows an app to run for five minutes while exposed to the internet with a Glitch-provided hostname and three random words.
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin
CyberWorkx 