Threat actors are targeting Middle East-based employees of major corporations in a fraud that uses a specific ‘ephemeral’ feature of the project-management tool to link to SharePoint phishing pages.
A long-term spear-phishing campaign is targeting employees of major corporations with emails containing PDFs that link to short-lived Glitch apps hosting credential-harvesting SharePoint phishing pages, researchers have discovered.
Researchers from DomainTools discovered the suspicious PDFs – which themselves do not contain malicious content – back in July, wrote Senior Security Researcher Chad Anderson in a report published Thursday.
The campaign appears to target only employees working in the Middle East and is “a single campaign” in a series of similar, SharePoint-themed phishing scams, Anderson wrote.
To fully understand how the campaign works, you need to understand how the free version of Glitch works, Anderson explained. The platform allows an app to be exposed to the internet for five minutes under a Glitch-provided hostname made up of three random words, he observed.
“For example, one document directed the recipient to hammerhead-resilient-birch.glitch[.]me, where the malicious content was stored,” Anderson explained in the post. “Once the five minutes are up, the account behind the page has to click to serve their page again.”
It is this “ephemeral nature” that makes Glitch shared spaces ideal for threat actors who wish to host malicious content, because the pages are difficult to detect. This is especially true “because Glitch’s domains are trusted and often ‘allowlisted’ on many networks already,” Anderson explained.
“Spaces where code can run and be hosted for free are a gold mine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest,” he wrote.
“This delegation of trust allows attackers to utilize a seemingly innocuous PDF with only a link to a trusted base domain to manoeuvre past defences and lure in user trust.”
In this campaign, attackers combined this feature with exfiltration of credentials to compromised WordPress sites, creating an attack chain that can ‘sneak past’ defensive tooling, Anderson wrote. DomainTools Research has attempted to speak to Glitch about this potential for abuse of the platform, but has so far been unsuccessful, he added.
DomainTools researchers discovered the threat activity during regular monitoring and hunting for malicious documents tied to previous campaigns, Anderson wrote.
Specifically, the team came across a PDF document purporting to be an invoice; it included a URI section linking to an outside page – something that typically would not raise an alarm, he wrote.
However, in this case an email address was appended to the URL as a fragment. A fragment typically references an “id” element on an HTML page, but it can also be manipulated using CSS.
The email address also belonged to a legitimate employee at a corporation based in the United Arab Emirates, which suggested spear-phishing to the researchers, Anderson wrote.
Researchers hunted for similar documents and found nearly 70 dating back to July 30, all using different URLs to target the email addresses of actual individuals working at large corporations, he explained.
“Though each URL and email was one of a kind, the documents themselves did link to the same named page each time: red.htm,” suggesting a common scam, Anderson wrote.
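The indicators described above (a link in a PDF pointing at a free-hosting domain, a lure page name such as red.htm, and a target email carried in the URL fragment) can be turned into a simple triage check. The following is an added example written for this article, not DomainTools' tooling; it assumes uncompressed PDF link annotations (compressed object streams would need to be inflated with a PDF library first), and the sample PDF bytes and the target@example.com address are constructed, while the hostname and page name are the ones quoted in the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF fragment with two /URI link
# annotations. The glitch.me hostname and red.htm page come from the report;
# the email address in the fragment is a placeholder, not a real target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
/URI (https://hammerhead-resilient-birch.glitch.me/red.htm#target@example.com) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
/URI (https://www.example.com/invoice) >> >> endobj
%%EOF"""

# Literal PDF strings in /URI entries; good enough for uncompressed annotations.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
EPHEMERAL_HOSTS = ("glitch.me",)        # free hosting domain abused in the campaign
LURE_PAGES = ("red.htm", "in.htm")      # page names called out in the report


def extract_uris(pdf_bytes):
    """Return every /URI string found in the PDF's link annotations."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def assess_uri(uri):
    """Return the list of campaign indicators a single link matches (empty if none)."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    page = parsed.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if any(host == d or host.endswith("." + d) for d in EPHEMERAL_HOSTS):
        reasons.append("ephemeral-hosting-domain")
    if EMAIL_RE.match(parsed.fragment):
        reasons.append("email-in-fragment")
    if page in LURE_PAGES:
        reasons.append("known-lure-page")
    return reasons


def scan_pdf(pdf_bytes):
    """Map each flagged URI in the PDF to the indicators it matched."""
    flagged = {}
    for uri in extract_uris(pdf_bytes):
        reasons = assess_uri(uri)
        if reasons:
            flagged[uri] = reasons
    return flagged
```

Any link that matches an email-bearing fragment together with a free-hosting domain is worth pulling out of mail flow for analyst review, even though the PDF itself carries no malicious code.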
Because of the short-lived nature of the pages used to steal credentials, the researchers said they struggled to find live pages serving the campaign’s final payload. They turned to urlscan.io, which let them search all of the sites scanned over the previous month.
Eventually, researchers uncovered a live site using Any.Run, a commercial malware sandbox and public repository of executed malware that can be used to find specific interactions from malicious code, Anderson observed.
While the team still did not find the next-stage payload, it did uncover a screenshot of the Microsoft SharePoint phishing login being used to lure the victim, he revealed.
“While the page content was not available, DomainTools Research did take note of the document name as well as the redirect to ‘in.htm’ as the next page after the ‘red.htm’ page in the initial PDF document,” Anderson explained.
By searching for the email addresses pre-populated on the pages, researchers found on VirusTotal a number of HTML documents matching the earlier PDFs – the initial PDF documents designed to pass the target’s email along as a URL fragment – he wrote.