Discover Compelling Narratives from the SOC

Government Abstract

In September 2024, LevelBlue performed a complete risk hunt concentrating on artifacts indicative of Phishing-as-a-Service (PhaaS) exercise throughout our monitored buyer fleet. Through the investigation, the LevelBlue Managed Detection and Response (MDR) Blue Crew found a brand new PhaaS equipment, now recognized as RaccoonO365. The hunt confirmed true-positive compromises of Workplace 365 accounts, prompting swift buyer notifications and steering on remediation actions. The preliminary findings had been handed over to the LevelBlue Labs Risk Intelligence staff, which additional uncovered extra infrastructure and deconstructed the equipment’s JavaScript. This evaluation offered essential insights into the options and capabilities of the rising PhaaS equipment.

Investigation

An anomalous artifact recognized throughout a buyer investigation was escalated to the Risk Looking staff for evaluation. Additional examination revealed that this artifact was linked to a selected Phishing-as-a-Service (PhaaS) platform generally known as ‘RaccoonO365’. Promoted as a cutting-edge phishing toolkit, it makes use of a customized Person Agent, domains mimicking Microsoft O365 providers, and Cloudflare infrastructure. Together with these findings in our threat-hunting queries led to 2 extra discoveries tallying three complete detections throughout the shopper fleet. The 2 proactive detections recognized occasions obtained, however no alarms had been triggered within the concerned buyer’s LevelBlue USM Wherever cases. The third reactive detection was a confirmed enterprise electronic mail compromise (BEC), detected after triggering an alarm. The risk actor utilized the consumer agent ‘RaccoonO365’ previous to the enterprise electronic mail compromise detection that means there was a brief interval of unauthorized entry that went undetected. Every prevalence was triaged individually, and investigations had been performed in all three buyer cases referring to the noticed exercise. Partnering with LevelBlue Labs, a brand new Correlation Rule was created to go looking particularly for a RaccoonO365 consumer agent inside related logs. As well as, the LevelBlue Labs staff uncovered extra structural and descriptive options attributed to RaccoonO365, which later was was a Pulse Indicator of Compromise (IOC) detection.

Expanded Investigation

Alarm and USMA log overview

1. An unrelated potential enterprise electronic mail compromise (BEC) alarm was obtained and triaged by the LevelBlue MDR SOC. The recognized consumer utilized a overseas VPN to efficiently log into buyer’s Microsoft Workplace setting. A customized alarm rule was created attributable to its excessive chance of being a True Optimistic. Whereas conducting their investigation, they uncovered a suspicious consumer agent associated to the compromised electronic mail handle –RaccoonO365.

2. Data was handed off to LevelBlue Risk Hunters to conduct additional inside and exterior analysis for the recognized artifact.

3. A devoted risk hunter performed a overview of occasions together with the topic consumer agent. Occasion logs had been in contrast towards one another and the profitable logins offered extra key information factors.

Shared Entry Signature (SAS) authentication

•  “SAS authentication” refers to a way of consumer entry management utilizing a “Shared Entry Signature” (SAS) token, which basically grants non permanent, restricted entry to particular sources inside a cloud platform like Azure. This enables customers to entry information with out instantly sharing the complete account entry key, by offering a novel token containing the useful resource URL and an expiry time, signed with a cryptographic key, to authenticate entry to that useful resource.

4. Broad seek for recognized consumer agent “RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)” throughout total buyer fleet.

48 complete occurrences over the past 12 months throughout three buyer cases. Cloudflare noticed as the principle supply ISP. Subnets 172.69.xx.xx, 172.70.xx.xx, and 172.71.xx.xx recognized in exercise. Three occasion names noticed, ‘UserLoggedIn’, ‘UserLoginFailed’ and ‘Signal-in exercise’.

5. Seek for failed login occasions together with consumer agent “RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)” to determine purpose for failure.

Recognized justifications for failed logins had been: UserStrongAuthClientAuthNRequiredInterrupt – Sturdy authentication is required and the consumer didn’t move MFA problem (AADSTS50074) ExternalSecurityChallenge – Exterior safety problem was not happy (AADSTS50158) DeviceAuthenticationRequired – Gadget authentication is required (AADSTS50097)

6. Seek for ‘Signal-in exercise’ occasions together with consumer agent “RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)”.

Noticed occasions had been denied, nonetheless findings included a brand new information supply ‘Azure AD Signal In’ to incorporate in our search –no extra findings noticed underneath alternate information supply (not pictured).

7. Alarm log seek for consumer agent “RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)” inside recognized information sources ‘Workplace 365 Audit’, and ‘Azure AD Signal In’.

No findings throughout the final 12 months.

SOC Investigations

1. Topic investigation A was created previous to risk hunt in response to an alarm obtained by the MDR SOC. If unauthorized VPN entry to a goal community is noticed, it needs to be addressed quickly by revoking concerned lively classes and resetting the affected electronic mail accounts in addition to MFA tokens.

Additional triage was performed by way of buyer request.

The LevelBlue MDR SOC was capable of determine the supply URL that contributed to the enterprise electronic mail compromise –though the risk actor eliminated the malicious recordsdata from the shared repository.

2. Risk Hunt Investigations B and C had been opened by the LevelBlue MDR SOC, however didn’t embrace a corresponding alarm inside every buyer occasion respectively. Investigation B concerned a consumer who had beforehand been compromised not too long ago using the topic consumer agent RaccoonO365. The LevelBlue MDR SOC was capable of monitor down the e-mail sender of the originating phishing electronic mail.

MDR SOC created an investigation based mostly on the collaboration with Risk Hunters and findings.

3. Investigation C and its included occasions didn’t include the topic consumer agent RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7). The Cloudflare subnet vary 172.71.xx.xx recognized beforehand, offered IPs that had been utilized by a buyer electronic mail account.

MDR SOC created an investigation based mostly on the collaboration with Risk Hunters and findings.

Cloudflare CAPTCHA Turnstile

The Cloudflare ISP “Turnstile” providing has turn into more and more common inside PhaaS kits. This expertise behind the providing from Cloudflare permits for automated rotation of problem web page choices that give phishing campaigns false legitimacy within the eyes of victims and filter out challenges which might be much less efficient. Related machine studying fashions can go as far as to detect whether or not a topic consumer has handed beforehand administered CAPTCHA challenges. The risk actor’s finish objective is to make sure that the phishing hyperlink is clicked on by a human consumer reasonably than a bot. One other ancillary profit granted by way of the usage of Cloudflare’s CAPTCHA is the prevention of bots and automatic internet scans.

Technical Analyses – LevelBlue Labs

RaccoonO365 is designed to focus on Microsoft 365 and Outlook customers, specializing in enterprise customers and cloud dependent enterprises. Its main objective is to bypass multi-factor authentication (MFA) protections and steal session cookies by subtle phishing methods. This equipment is obtainable by a subscription mannequin on Telegram, providing numerous pricing tiers. Subscribers obtain entry to phishing templates, instruments for producing dynamic URLs, and performance to steal session cookies. The equipment makes use of Base64 encoding and XOR obfuscation for JavaScript, alongside session cookie hijacking, to successfully bypass MFA. To stay stealthy and improve marketing campaign longevity, RaccoonO365 makes use of Cloudflare Turnstile. This service supplies CAPTCHA challenges for filtering out bots and lowering detection by safety methods. This service can be utilized by infamous PaaS platforms equivalent to Tycoon2FA, Greatness, or ONNX. Initially, the Risk Actor promoted the Phishing equipment by a Telegram channel and the web site raccoono365 [.]com, however these are now not publicly accessible. Two extra web sites had been later created, raccoono365 [.]web and raccoono365 [.]org.  

Determine 1: Raccoono365 web site (raccoono365[.]com)

Nonetheless, the Risk Actor had transitioned to a brand new area, walkingdead0365[.]com, which seems to function the admin panel for the RaccoonO365 phishing equipment. 

Determine 2: RaccoonO365 Login Web page (walkingdead0365[.]com)

On September 23, Trustwave revealed an insightful weblog detailing numerous phishing kits, together with RaccoonO365. The weblog highlighted the rising sophistication and accessibility of phishing-as-a-service (PaaS) platforms. Trustwave shared a screenshot from the Raccoon Telegram channel, showcasing its subscription-based pricing mannequin.

The RaccoonO365 phishing equipment operates on a subscription-based mannequin with tiered pricing, making it accessible to cybercriminals of various budgets. Plans vary from a 4-day free trial for $50 to longer durations like 11 days for $75, 20 days for $175, one month for $250, and two months for $450—considerably discounted from their unique costs. When the RaccoonO365 license expires, a message will seem on the web site claiming that the license needs to be renewed.

Determine 3: License Expiration

The infrastructure supporting the RaccoonO365 phishing equipment is often hosted in IPs underneath Cloudflare’s ASN AS13335. The recognized domains are strategically crafted to impersonate Microsoft Workplace 365 providers, incorporating key phrases equivalent to “drive,” “file,” “cloud,” “doc,” “suite,” and “shared” to deceive customers.

HTML/Javascript Evaluation

Evaluation of user-agent strings referencing RaccoonO365 prompted additional investigation into this uncommon title. An preliminary search indicated that RaccoonO365 is a newly recognized phishing equipment with restricted public reporting. As of penning this weblog, an organization by the title of Morado not too long ago revealed data on the PaaS equipment not beforehand reported. The safety staff uncovered a number of insights that overlapped with the findings of LevelBlue Labs.

As quickly because the focused consumer is introduced with a malicious URL hyperlink, the redirection HTML web page exhibits indicators of obfuscation and hex encoding that dynamically masses a decoded block of HTML/Javascript.

Determine 4: encodedContent

The decoded Javascript block appears to be like by the visiting consumer’s cookies and checks if the ‘visited’ tag is current in any of them. If the visited tag is current, the visiting consumer will get redirected to the official Microsoft website.

Determine 5: checkVisitStatus()

The code additionally appears to be like to enumerate the visiting consumer brokers and makes an attempt to determine them by way of a listing in the event that they go to from a cell phone. It seems that the makers of RaccoonO365 will not be too involved with customers accessing the phishing domains from cell units, because the anti-debugging options will not be enabled if visiting from a listed cell consumer agent.

Determine 6: Cellular Person Agent Listing

Determine 7: Not Cellular Person

Increasing on the visiting consumer, the code makes an attempt to detect the online browser getting used whereas visiting the Phishing web page. If the visiting consumer is utilizing both Chrome, Firefox, or Edge, anti-analysis capabilities equivalent to setInterval(), are used to detect when the debugging instruments are opened by the online browser.

Determine 8: Chrome, Firefox, Edge

The Javascript additionally goals to detect scanning consumer brokers trying to entry/crawl by the phishing domains. The hardcoded listing appears to be like for widespread scanning brokers equivalent to scrapy, googlebot, curl, amongst many extra. After validating the consumer agent is just not a part of the hardcoded lists, it then proceeds to run the notblocked() operate which proceeds to shows a pretend PDF picture file.

Determine 9: Bot Patterns

Determine 10: Bot Detected

Upon touchdown on the ultimate phishing web page the place consumer is prompted to enter their Workplace 365 username and password, the LevelBlue Labs staff uncovered what seems to be configuration settings which point out how RaccoonO365 handles authentication flows between the phished consumer, relaying server, and bonafide Microsoft providers.

Determine 11: Phishing Website

Determine 12: Configuration Choices

For instance, we see a number of redirection URLs set for when a consumer makes an attempt to reset their password. The password reset request is first despatched to the official Microsoft website https://passwordreset.microsoftonline.com/, and upon finishing the reset, the response is then redirected again to the phishing area.

Determine 13: Password Reset

Different config settings equivalent to fEnableShowResendCode & iShowResendCodeDelay seem to handle resend code behaviors in two-factor authentication flows:

Determine 14: MFA Choices

Primarily based on latest reporting by the safety staff Morado, the RaccoonO365 phishing-as-a-service (PhaaS) equipment is present process important evolution, with updates to its infrastructure and options anticipated. LevelBlue Labs will proceed monitoring these developments, incorporating new options and indicators of compromise (IOCs) to reinforce protections for USM Wherever customers. Leveraging the insights from deconstructing the phishing equipment, the LevelBlue staff labored carefully with affected clients to implement swift remediation actions, mitigate additional dangers, and strengthen defenses towards related threats. Response Remediation Upon receiving remediation suggestions from LevelBlue, the shopper acted swiftly to make sure any compromised O365 accounts had been accounted for and remediated.

Investigation A’s buyer response to the remediation suggestions. Additional triage was performed by way of buyer request.

LevelBlue SOC was capable of determine the supply URL that contributed to the enterprise electronic mail compromise –though the risk actor eliminated the malicious recordsdata from the shared repository. 1. The LevelBlue Labs staff was consulted on behalf of the SOC and Risk Hunters’ collaborative findings. Together with all three USM Wherever associated findings in addition to open-source IOCs and analysis, the objective was to offer justification for including a brand new correlation rule which might profit the purchasers being monitored.

2. Whereas a Correlation Rule was labored on by LevelBlue Labs, to offer protection based mostly on the logging data and findings throughout the September seventeenth submitted risk hunt, the MDR SOC carried out an Orchestration Rule throughout the shopper fleet accounting for the artifacts recognized throughout the risk hunt.

Detections

LevelBlue USM Wherever clients will profit from a Pulse created with new domains found attributed to RaccoonO365. The Pulse title will be discovered beneath.

RaccoonO365 AiTM – C2 IP/Area Tracker

The next correlation guidelines are designed to assist USMA customers determine potential phishing makes an attempt and adversary-in-the-middle (AiTM) assault exercise.

RaccoonO365 Domains Noticed by LevelBlue Labs