Threat Hunters Corner: A Phisher’s Love Affair With AI
by Josh Shepard on 2025 | 02
Welcome
Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at Radical, and in this episode, we’ll be diving into a recent phishing campaign we found during a threat hunt that makes use of an AI-augmented app developer tool to create a CAPTCHA-style page to help bypass automated spam filters.
RADBot Generated Text Summary
Unveiling a Sophisticated Phishing Campaign Leveraging AI-Powered Tools
Hello everyone, Josh Shepard here, Principal Threat Hunter at Radical. Welcome to this special edition of the Threat Hunter's Corner. Today, we’re diving into an intriguing phishing campaign we uncovered during a recent threat hunt. This campaign cleverly uses an AI-powered app builder to bypass automated Office 365 (O365) phishing filters.
Anatomy of the Phishing Campaign
The phishing attempt starts with a seemingly innocuous email, mimicking a common notification: "You have a voicemail. Click this link." When the unsuspecting user clicks the link, they are eventually redirected to an O365 credential-stealing page. However, the journey to this malicious page is what makes this campaign particularly interesting.
Step-by-Step Breakdown
- Initial Email and Link: The phishing email contains a link wrapped by Barracuda's Safe Link protection. Clicking this link redirects the user to a domain named math-gatekeeper-safeguard[.]lovable[.]app.
- Lovable App CAPTCHA: The lovable[.]app domain is legitimate and belongs to Lovable, an AI-augmented app development tool. Threat actors can use natural language commands to create applications, such as a number-based CAPTCHA system, which is what we see here.
- Bypassing Spam Filters: The use of Lovable’s AI tools helps the phishing attempt bypass spam and phishing filters. The user is presented with a CAPTCHA, which, when solved, redirects them to a suspicious Russian domain.
- Cloudflare CAPTCHA: On this new domain, the user encounters a legitimate Cloudflare CAPTCHA. Solving this CAPTCHA leads to a simulated Outlook interface, where the user is prompted to play their voicemail.
- Fake Microsoft Login Page: The final step involves a fake Microsoft login page, still hosted on the sketchy Russian domain. The user is asked to enter their credentials, which are then captured by the attackers.
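One way to hunt for the redirect chain described above in web proxy logs, as an added example that is not Radical's own detection: it flags any user who loads a `lovable.app` subdomain and then reaches a watched-TLD host shortly afterwards. The log layout, the 5-minute window, reading "Russian domain" as a `.ru` host, and every sample value other than the `lovable.app` hostname are assumptions.

```python
from datetime import datetime, timedelta

BUILDER_SUFFIX = ".lovable.app"   # app-builder hosting domain named in the write-up
WATCHED_TLDS = {"ru"}             # assumption: "Russian domain" read as a .ru host
WINDOW = timedelta(minutes=5)     # assumption: max gap between CAPTCHA page and redirect

# Constructed proxy log lines (timestamp, user, host); only the lovable.app
# hostname comes from the write-up, every other value is a placeholder.
SAMPLE_LOG = """\
2025-02-03T09:14:02 alice math-gatekeeper-safeguard.lovable.app
2025-02-03T09:14:31 alice voicemail-portal.example.ru
2025-02-03T09:15:10 bob docs.lovable.app
2025-02-03T09:40:00 bob news.example.ru
2025-02-03T10:01:00 carol intranet.example.com
2025-02-03T10:01:20 carol shop.example.ru
"""

def refang(host):
    """Normalise a hostname, undoing [.] defanging used in reports."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

def parse(log_text):
    """Return time-ordered (timestamp, user, host) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ts, user, host = parts
            events.append((datetime.fromisoformat(ts), user, refang(host)))
    return sorted(events)

def find_chains(events):
    """Flag builder-subdomain visits followed by a watched-TLD host within WINDOW."""
    last_builder, hits = {}, []
    for ts, user, host in events:
        if host.endswith(BUILDER_SUFFIX):
            last_builder[user] = (ts, host)
        elif host.rsplit(".", 1)[-1] in WATCHED_TLDS and user in last_builder:
            seen, builder_host = last_builder[user]
            if ts - seen <= WINDOW:
                gap = int((ts - seen).total_seconds())
                hits.append((user, builder_host, host, gap))
                del last_builder[user]  # one alert per chain, not per request
    return hits

if __name__ == "__main__":
    for hit in find_chains(parse(SAMPLE_LOG)):
        print("possible CAPTCHA-gated phishing chain:", hit)
```

Hits are leads for review rather than verdicts, since legitimate Lovable-hosted apps can also link out to other sites.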
Technical Insights
The campaign’s flow—from Lovable’s CAPTCHA to Cloudflare’s CAPTCHA, and finally to the fake login page—appears very convincing. However, the attackers have also implemented additional measures to evade detection and analysis.
Debugger Breakpoints
One notable tactic is the use of debugger breakpoints within the malicious website. These breakpoints can detect when a threat analyst or security researcher opens developer tools to inspect network connections and data flows. If such an attempt is detected, the code redirects the user to a benign site, such as eBay, thereby thwarting the analysis.
Conclusion
This phishing campaign is a prime example of how threat actors continuously adapt and leverage new technologies to enhance their attack strategies. The use of AI-powered tools like Lovable to create CAPTCHA systems and the implementation of debugger breakpoints for defense evasion highlight the sophistication of modern phishing attempts.
As always, it’s crucial to stay vigilant and informed about the latest tactics used by cybercriminals. If you have any questions or need further insights, feel free to reach out. Stay safe, and we’ll see you in the next episode of the Threat Hunter's Corner.