How An Attacker's Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations

Summary

Figure 8: Threat actor starts to rely on automated workflows The threat actor also appeared to be interested in other AI tools to help with data generation and writing. We saw multiple Google searches for “free ai no signup” and for “csv generator ai.” We also saw the threat actor using Toolbaz AI, which is a writing assistant; the CSV spreadsheet generator feature of DocsBot AI, which is an AI chatbot tool; and the AI data generator feature of Explo AI, which is an embedded analytics tool. Finding running instances of Evilginx We saw evidence of the threat actor searching for running instances of the Evilginx man-in-the-middle attack framework using Censys, and then attempting to access those instances. Figure 9: Using Censys to search for running instances of Evilginx Figure 10: One example of the Evilginx instance that the attacker tried to access In addition to Evilginx, we also found evidence of multiple installed tools on the threat actor’s system—or, in some cases, an interest in tools based on the threat actor browser history. These tools included recon and attack tool GraphSpy, open source tool Bloodhound, the TeamFiltration framework used for enumeration and exfiltration, and more. Figure 11: Various tools that the attacker may have used Interest in residential proxy services The Chrome browser history also revealed visits by the threat actor to multiple residential proxy webpages, including LunaProxy and Nstbrowser (which bills itself as an anti-detect browser and supports the use of residential proxies). The threat actor visited the pricing plan page for LunaProxy, researched specific products, and looked up quick start guides throughout May, June, and July. Residential proxy services have become increasingly popular with threat actors as a way to route their traffic through residential IP addresses, allowing them to obscure malicious activity, like avoiding suspicious login alerts while using compromised credentials. Figure 12: A VirusTotal lookup of Lu...