Analysis of the latest LogoKit phishkit

LogoKit is a comprehensive set of phishing kits, known for using third-party services that supply company logos and screenshots of the target websites.

The background is retrieved via request to a website screenshot service, using the following template:
hxxps://thum[.]io/get/width/<DPI>/https://<Domain>

The company's logo is fetched from a legitimate logo storage service:
hxxps://logo.clearbit[.]com/<Domain>

Example: https://app.any.run/tasks/1362e3bd-72a9-44a3-9128-5919fb6a6fd9/

The domain chain is led by a decoder-redirector:
hxxps://asiangrocers[.]store/fri/?haooauvpco=bWlubmllQGRpc25leS5jb20

It is a fake Asian food store website built on a WordPress template, with a domain age of around four years. The template contains email addresses riddled with typos.

The decoder-redirector shields the page from analysis and redirects the victim to the actual phishing page.

In this case, the real content of the phishing page and the associated scripts are hosted on the Cloudflare Pages platform. They are stored in the assets/ folder, which contains styles, images, and scripts.

Three scripts with random 10-character names are designed to protect the page from analysis and send stolen data to the threat actors:
assets/js/e0nt7h8uiw[.]js
assets/js/vddq2ozyod[.]js
assets/js/j3046eqymn[.]js

The stolen authentication data is sent to a remote Command and Control (C2) server controlled by the attackers via an HTTP POST request containing the following parameters:
fox=<E-mail>&con=<Password>
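As an added defensive example (not from the post or from ANY.RUN), the Python helpers below recognise the traits described above in proxy or sandbox logs: the thum.io screenshot and clearbit logo fetches, a redirector query parameter that base64-encodes the victim's e-mail, and the fox=/con= exfiltration body. Function names, the constructed sample inputs and the assumption that the redirector value is plain (URL-safe) base64 are mine.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(url):
    """Turn a defanged indicator (hxxps, [.], stray spaces) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace(" ", "")


def decode_victim_hint(url):
    """Return a base64-encoded e-mail carried in any query parameter, or None.
    The parameter name is random per campaign, so every value is tried (assumption)."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            padded = value + "=" * (-len(value) % 4)  # kits often strip '=' padding
            try:
                text = base64.urlsafe_b64decode(padded).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if EMAIL_RE.match(text):
                return text
    return None


def classify_url(url):
    """Tag a (possibly defanged) URL with the LogoKit traits from the analysis."""
    clean = refang(url)
    parsed = urlparse(clean)
    host = parsed.hostname or ""
    tags = set()
    if (host == "thum.io" or host.endswith(".thum.io")) and parsed.path.startswith("/get/width/"):
        tags.add("thumio-screenshot")     # page background: screenshot of the target site
    if host == "logo.clearbit.com" and len(parsed.path) > 1:
        tags.add("clearbit-logo")         # branding: the target company's logo
    if decode_victim_hint(clean):
        tags.add("redirector-b64-email")  # decoder-redirector carrying the victim address
    return tags


def classify_post_body(body):
    """Spot the kit's exfiltration POST body (fox=<E-mail>&con=<Password>)."""
    params = parse_qs(body)
    if "fox" not in params or "con" not in params:
        return None
    return {"email": params["fox"][0], "password_present": bool(params["con"][0])}
```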

Take a look at another sandbox session: https://app.any.run/tasks/8a95135f-1339-491e-8762-d874d9970602/
