The Phish Page

Recently I came across an interesting phishing page which when I browsed to, showed nothing but a white blank page. There was no 404, or server not found error, just an empty page.

DHL Phishing Site

I found this curious, so I observed the source code for the page. Much of the page was junk, however, after scrolling to the bottom, I did notice a script that looked of interest. 

<script>
var canvas = document.createElement('canvas');
var gl = canvas.getContext('webgl');
var debugInfo = gl.getExtension('WEBGL_debug_renderer_info');
var vendor = gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL);
var renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);
console.log(vendor);
console.log(renderer);
var width = screen.width;
var height = screen.height;
var color_depth = screen.colorDepth;

setTimeout(function(){
  if (true) {

    // seems we use data above to check render!

    if (/swiftshader/i.test(renderer.toLowerCase()) || /llvmpipe/i.test(renderer.toLowerCase()) || /virtualbox/i.test(renderer.toLowerCase()) || !renderer) {



      // blacklist!
       console.log("Virtual Machine / RDP");
    }
    
    
     else if (color_depth < 24 || width < 100 || width < 100 || !color_depth) {

      alert('bot detected')

      console.log("No Display (Probably Bot)")
    } 
    
    else {
      $.get("m3dularbh/ajax.php?n=m3d", function(data, status){ window.location.href = 'main/';}); // document ready
    }
  } 
  
 
 
}, 200);

It appears the script above is attempting to detect whether the user is viewing the webpage in a virtual machine or not. In short, it’s a virtual machine aware phishing page. It does this by checking a few values.

First, it attempts to get the value for two constants in relation to debugging the graphics driver used on a host. The WebGL API WEBGL_debug_renderer_info has two constants, which are debug Info.UNMASKED_RENDERER_WEBGL and debugInfo.UNMASKED_RENDERER_WEB. The script checks these for three values, swiftshader/llvmpipe/virtualbox. If the value matches one of these values, the phishing page is not shown.

Secondly, the script looks to check information around the user’s display, like size and colour depth, again this is to check whether the user is running in a VM. The default colour depth for a VirtualBox Virtual Machine is 24bit, which is what is being checked here.

If these conditions and checks are not met, then the page ” m3dularbh/ajax.php?n=m3d ” is loaded.

Why would a phishing page check if the user is viewing the page in a virtual machine? Well, most analysts analyse malicious pages in a dirty virtual machine to avoid causing an infection to their main device.

Bypassing Anti-analysis

So we now know what the script is looking for. When these conditions are met, we’re shown a blank page. But how do we bypass these anti-analysis techniques so we can see the actual phish page?

Well, it’s actually pretty easy, all we need is a Browser Extension. WebGL Fingerprint Defender allows you to spoof your Browser Fingerprint. Doing so allows us to see that the phishing page in this case was a well crafted DHL card harvester.

DHL Phishing Site

The extension WebGL Fingerprnt Defender is available for both Firefox and Chrome. There are also alternative extensions that do the same thing.

Threat Actor

When the phishing page is successfully loaded, a script called m3dularbh is run. I found this to be an interesting string, so I performed some OSINT on it. It would appear that m3dular is the name of the threat actor/phish kit used to generate this page and other similar courier based phishing campaigns.

Below we have another example of a post office based phish campaign with the same strings seen. Here we can see a bit more information on the structure of the phishing page.

m3dular phish kit

I then came across this Tweet which showed a telegram channel with what appears to be the threat actor advertising their services.

m3dular telegram channel

The phish pages from this phishing kit all seem to be high quality and it’s likely they all contain virtual machine aware phishing pages.

IOCS

Phishing Links

  • hxxps://royalmail.co.uk-redelivery[.]net/
  • hxxps://ce44966.tmweb[.]ru/
  • hxxps://www.billingissue-ee[.]com
  • hxxps://postofficeuk[.]online
  • hxxps:/royalmail-services[.]com
  • hxxps://royalices[.]com
  • hxxps://myinfo-postoffice[.]com
  • hxxps://payee-security-alerts[.]com

Mail IOCs

  • Sender Domain: support@package.failedeliveryattempt[.]com
  • Sender IP: 209.17.115[.]10
  • Mail Subject: Failed attempt to deliver your package!

References

https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info

@JCyberSec_

@dave_daves