Discover Compelling Narratives from the SOC



Executive Summary

In September 2024, LevelBlue performed a comprehensive threat hunt focusing on artifacts indicative of Phishing-as-a-Service (PhaaS) activity across our monitored customer fleet. During the investigation, the LevelBlue Managed Detection and Response (MDR) Blue Team discovered a new PhaaS kit, now identified as RaccoonO365. The hunt confirmed true-positive compromises of Office 365 accounts, prompting swift customer notifications and guidance on remediation actions. The initial findings were handed over to the LevelBlue Labs Threat Intelligence team, which uncovered additional infrastructure and deconstructed the kit's JavaScript. This analysis provided critical insights into the features and capabilities of the emerging PhaaS kit.

Investigation

An anomalous artifact identified during a customer investigation was escalated to the Threat Hunting team for analysis. Further examination revealed that this artifact was linked to a specific Phishing-as-a-Service (PhaaS) platform known as 'RaccoonO365'. Promoted as a cutting-edge phishing toolkit, it uses a custom User Agent, domains mimicking Microsoft O365 services, and Cloudflare infrastructure. Including these findings in our threat-hunting queries led to two additional discoveries, for a total of three detections across the customer fleet. The two proactive detections identified events that had been received but had triggered no alarms in the affected customers' LevelBlue USM Anywhere instances. The third, reactive detection was a confirmed business email compromise (BEC), detected after an alarm triggered. The threat actor used the 'RaccoonO365' user agent before the business email compromise was detected, meaning there was a short period of unauthorized access that went undetected. Each occurrence was triaged individually, and investigations were conducted in all three customer instances relating to the observed activity. Partnering with LevelBlue Labs, a new Correlation Rule was created to search specifically for the RaccoonO365 user agent within relevant logs. In addition, the LevelBlue Labs team uncovered further structural and descriptive features attributed to RaccoonO365, which were later turned into a Pulse Indicator of Compromise (IOC) detection.

Expanded Investigation

Alarm and USMA log analysis

1. An unrelated potential business email compromise (BEC) alarm was received and triaged by the LevelBlue MDR SOC. The identified user had used a foreign VPN to successfully log into the customer's Microsoft Office environment. A custom alarm rule was created because of its high likelihood of being a True Positive. While conducting the investigation, the analysts uncovered a suspicious user agent associated with the compromised email address: RaccoonO365.

2. The information was handed off to LevelBlue Threat Hunters to conduct further internal and external research on the identified artifact.

3. A dedicated threat hunter reviewed the events that included the subject user agent. Event logs were compared against one another, and the successful logins provided additional key data points.

Shared Access Signature (SAS) authentication

  •  "SAS authentication" refers to a method of user access control using a "Shared Access Signature" (SAS) token, which grants temporary, limited access to specific resources within a cloud platform such as Azure. This allows users to access data without directly sharing the full account access key: a unique token containing the resource URL and an expiry time, signed with a cryptographic key, authenticates access to that resource.

4. Broad search for the identified user agent "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)" across the entire customer fleet.

48 total occurrences over the past 12 months across three customer instances. Cloudflare was observed as the main source ISP. Subnets 172.69.xx.xx, 172.70.xx.xx, and 172.71.xx.xx were identified in the activity. Three event names were observed: 'UserLoggedIn', 'UserLoginFailed' and 'Sign-in activity'.

5. Search for failed login events including user agent "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)" to identify the reason for failure.

Identified reasons for the failed logins were:

  •  UserStrongAuthClientAuthNRequiredInterrupt – Strong authentication is required and the user did not pass the MFA challenge (AADSTS50074)
  •  ExternalSecurityChallenge – External security challenge was not satisfied (AADSTS50158)
  •  DeviceAuthenticationRequired – Device authentication is required (AADSTS50097)

6. Search for 'Sign-in activity' events including user agent "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)".

The observed events were denied; however, the findings included a new data source, 'Azure AD Sign In', to add to our search. No additional findings were observed under the alternate data source (not pictured).

7. Alarm log search for user agent "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)" within the identified data sources 'Office 365 Audit' and 'Azure AD Sign In'.

No findings within the last 12 months.
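The fleet-wide searches in steps 4 to 7 can be reproduced offline over exported Office 365 audit events. The following is an added example (not LevelBlue's USM Anywhere query or rule), which labels events by the kit's user agent prefix, the three Cloudflare /16 ranges, and the AADSTS failure reasons listed above; the sample events are constructed, and the placement of UserAgent inside ExtendedProperties is an assumption about the export format.

```python
import ipaddress
from collections import Counter
# Hunt artifacts from the write-up: kit UA prefix, Cloudflare source ranges, failure reasons.
RACCOON_UA_PREFIX = "RaccoonO365"
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("172.69.0.0/16", "172.70.0.0/16", "172.71.0.0/16")]
FAILURE_REASONS = {
    "UserStrongAuthClientAuthNRequiredInterrupt": "AADSTS50074: MFA challenge not passed",
    "ExternalSecurityChallenge": "AADSTS50158: external security challenge not satisfied",
    "DeviceAuthenticationRequired": "AADSTS50097: device authentication required",
}

# Constructed Office 365 audit events (not customer data); UserAgent in ExtendedProperties is an assumption.
UA = "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)"
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "172.70.12.34",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": UA}]},
    {"Operation": "UserLoginFailed", "UserId": "bob@example.com", "ClientIP": "172.71.8.9",
     "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": UA}]},
    {"Operation": "UserLoggedIn", "UserId": "dave@example.com", "ClientIP": "172.69.200.1",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (X11; Linux x86_64)"}]},
]

def user_agent(event):
    """UserAgent value from ExtendedProperties, or '' when absent."""
    return next((p.get("Value", "") for p in event.get("ExtendedProperties", [])
                 if p.get("Name") == "UserAgent"), "")

def is_cloudflare(ip):
    """True when ip falls inside one of the 172.69-71/16 ranges seen in the hunt."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in CLOUDFLARE_RANGES)
    except ValueError:
        return False

def classify(event):
    """Return (label, detail) for one event, or None when neither artifact is present."""
    if user_agent(event).startswith(RACCOON_UA_PREFIX):
        if event.get("Operation") == "UserLoggedIn":
            return ("raccoon_ua_success", "kit UA on a successful login: treat the account as compromised")
        reason = FAILURE_REASONS.get(event.get("LogonError", ""), "unknown failure reason")
        return ("raccoon_ua_failed", reason)
    if is_cloudflare(event.get("ClientIP", "")):
        return ("cloudflare_source", "Cloudflare source without the kit UA: corroborate, as in investigation C")
    return None

def triage(events):
    """Per-label counts plus (user, label, detail) for every flagged event."""
    findings = [(e.get("UserId"),) + c for e in events for c in [classify(e)] if c]
    return {"counts": Counter(f[1] for f in findings), "findings": findings}
```

A Cloudflare-only hit is weaker evidence than the user agent itself, since the ranges also carry legitimate proxied traffic; it is listed separately so it can be corroborated rather than alarmed on directly.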

SOC Investigations

1. Subject investigation A was created prior to the threat hunt, in response to an alarm received by the MDR SOC. If unauthorized VPN access to a target network is observed, it should be addressed rapidly by revoking the involved active sessions and resetting the affected email accounts as well as their MFA tokens.

Further triage was conducted at the customer's request.

The LevelBlue MDR SOC was able to identify the source URL that contributed to the business email compromise, although the threat actor had removed the malicious files from the shared repository.

2. Threat Hunt Investigations B and C were opened by the LevelBlue MDR SOC, but neither had a corresponding alarm within its customer instance. Investigation B involved a user who had recently been compromised using the subject user agent RaccoonO365. The LevelBlue MDR SOC was able to track down the sender of the originating phishing email.

The MDR SOC created an investigation based on the collaboration with the Threat Hunters and their findings.

3. Investigation C and its included events did not contain the subject user agent RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7). The Cloudflare subnet range 172.71.xx.xx identified previously provided IPs that were used by a customer email account.

The MDR SOC created an investigation based on the collaboration with the Threat Hunters and their findings.

Cloudflare CAPTCHA Turnstile

Cloudflare's "Turnstile" offering has become increasingly popular within PhaaS kits. The technology behind it allows automated rotation of challenge page options, which gives phishing campaigns false legitimacy in the eyes of victims and filters out challenges that are less effective. Associated machine learning models can go as far as detecting whether a subject user has passed previously administered CAPTCHA challenges. The threat actor's end goal is to ensure that the phishing link is clicked by a human user rather than a bot. Another ancillary benefit of using Cloudflare's CAPTCHA is that it blocks bots and automated web scans.

Technical Analysis – LevelBlue Labs

RaccoonO365 is designed to target Microsoft 365 and Outlook users, focusing on enterprise users and cloud-dependent businesses. Its primary goal is to bypass multi-factor authentication (MFA) protections and steal session cookies through sophisticated phishing techniques. The kit is offered through a subscription model on Telegram with various pricing tiers. Subscribers receive access to phishing templates, tools for generating dynamic URLs, and functionality to steal session cookies. The kit uses Base64 encoding and XOR obfuscation for its JavaScript, alongside session cookie hijacking, to bypass MFA. To remain stealthy and extend campaign longevity, RaccoonO365 uses Cloudflare Turnstile. This service provides CAPTCHA challenges that filter out bots and reduce detection by security systems. The same service is used by notorious PaaS platforms such as Tycoon2FA, Greatness, and ONNX. Initially, the Threat Actor promoted the phishing kit through a Telegram channel and the website raccoono365[.]com, but these are no longer publicly accessible. Two additional websites were later created, raccoono365[.]net and raccoono365[.]org.

Figure 1: RaccoonO365 website (raccoono365[.]com)

However, the Threat Actor has since transitioned to a new domain, walkingdead0365[.]com, which appears to serve as the admin panel for the RaccoonO365 phishing kit.

Figure 2: RaccoonO365 Login Page (walkingdead0365[.]com)

On September 23, Trustwave published an insightful blog detailing various phishing kits, including RaccoonO365. The blog highlighted the growing sophistication and accessibility of phishing-as-a-service (PaaS) platforms. Trustwave shared a screenshot from the Raccoon Telegram channel showcasing its subscription-based pricing model.

The RaccoonO365 phishing kit operates on a subscription-based model with tiered pricing, making it accessible to cybercriminals of varying budgets. Plans range from a 4-day free trial for $50 to longer durations such as 11 days for $75, 20 days for $175, one month for $250, and two months for $450, significantly discounted from their original prices. When the RaccoonO365 license expires, a message appears on the website stating that the license needs to be renewed.

Figure 3: License Expiration

The infrastructure supporting the RaccoonO365 phishing kit is usually hosted on IPs under Cloudflare's ASN AS13335. The identified domains are strategically crafted to impersonate Microsoft Office 365 services, incorporating keywords such as "drive," "file," "cloud," "doc," "suite," and "shared" to deceive users.

HTML/JavaScript Analysis

Analysis of user-agent strings referencing RaccoonO365 prompted further investigation into this unusual name. An initial search indicated that RaccoonO365 is a newly identified phishing kit with limited public reporting. At the time of writing, a company by the name of Morado had recently published previously unreported information on the PaaS kit. Their security team uncovered several insights that overlapped with the findings of LevelBlue Labs.

As soon as the targeted user opens the malicious URL, the redirection HTML page shows signs of obfuscation and hex encoding that dynamically loads a decoded block of HTML/JavaScript.

Figure 4: encodedContent

The decoded JavaScript block looks through the visiting user's cookies and checks whether the 'visited' tag is present in any of them. If the visited tag is present, the visiting user is redirected to the official Microsoft website.

Figure 5: checkVisitStatus()

The code also enumerates visiting user agents and attempts to identify, via a list, whether the visitor is on a mobile phone. It appears that the makers of RaccoonO365 are not too concerned with users accessing the phishing domains from mobile devices, since the anti-debugging features are not enabled when the visit comes from a listed mobile user agent.

Figure 6: Mobile User Agent List

Figure 7: Not Mobile User

Expanding on the visitor checks, the code attempts to detect the web browser being used to visit the phishing page. If the visiting user is using Chrome, Firefox, or Edge, anti-analysis functions such as setInterval() are used to detect when the browser's debugging tools are opened.

Figure 8: Chrome, Firefox, Edge

The JavaScript also aims to detect scanning user agents attempting to access or crawl the phishing domains. The hardcoded list looks for common scanning agents such as scrapy, googlebot, and curl, among many more. After validating that the user agent is not part of the hardcoded lists, it runs the notblocked() function, which displays a fake PDF image file.

Figure 9: Bot Patterns

Figure 10: Bot Detected

On the final phishing page, where the user is prompted to enter their Office 365 username and password, the LevelBlue Labs team uncovered what appear to be configuration settings indicating how RaccoonO365 handles authentication flows between the phished user, the relaying server, and the legitimate Microsoft services.

Figure 11: Phishing Website

Figure 12: Configuration Options

For example, we see several redirection URLs set for when a user attempts to reset their password. The password reset request is first sent to the official Microsoft website https://passwordreset.microsoftonline.com/, and upon completion of the reset, the response is redirected back to the phishing domain.

Figure 13: Password Reset

Other config settings such as fEnableShowResendCode and iShowResendCodeDelay appear to manage resend-code behaviors in two-factor authentication flows:

Figure 14: MFA Options
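The landing-page behaviors described in this section (hex-encoded encodedContent, the 'visited' cookie check, the setInterval() debugger check, the bot user-agent list, notblocked(), the password-reset relay and the resend-code settings) can be turned into a static triage check for suspicious HTML. The following is an added example, not code from the kit or from LevelBlue Labs: it decodes quoted plain-hex strings and reports which of those markers appear in any layer. The sample page is constructed, and the assumption that the payload is a bare hex string is stated in the code; Base64 or XOR layers would need a different decoder.

```python
import re

# Markers LevelBlue Labs reported in the decoded kit JavaScript and its config
# (names such as checkVisitStatus and notblocked come from the write-up).
KIT_MARKERS = {
    "visited_cookie_check": r"checkVisitStatus|['\"]visited['\"]",
    "devtools_timer": r"setInterval\s*\(",
    "bot_ua_filter": r"scrapy|googlebot|curl",
    "fake_pdf_lure": r"notblocked\s*\(",
    "password_reset_relay": r"passwordreset\.microsoftonline\.com",
    "mfa_resend_config": r"fEnableShowResendCode|iShowResendCodeDelay",
}

# Constructed sample landing page: an inner JS block hidden as a plain hex string.
# The hex-string layout is an assumption; Base64/XOR layers would need another decoder.
INNER_JS = (
    "function checkVisitStatus(){if(document.cookie.indexOf('visited')>-1)"
    "{location.href='https://www.microsoft.com';}}"
    "setInterval(function(){/* devtools check */},500);"
    "var bots=['scrapy','googlebot','curl'];function notblocked(){/* fake PDF */}"
)
SAMPLE_PAGE = ('<html><body><script>var encodedContent="' + INNER_JS.encode().hex() +
               '";document.write(decode(encodedContent));</script></body></html>')

def decode_hex_blocks(page):
    """Decode every quoted string that is purely hex pairs (16+ bytes) into text."""
    pattern = r"['\"]((?:[0-9a-fA-F]{2}){16,})['\"]"
    return [bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")
            for m in re.finditer(pattern, page)]

def scan_markers(text):
    """Names of KIT_MARKERS whose pattern appears in text, sorted for stable output."""
    return sorted(name for name, pat in KIT_MARKERS.items() if re.search(pat, text))

def triage_page(page):
    """Scan the raw page and each decoded hex layer; report layer count and marker hits."""
    layers = decode_hex_blocks(page)
    hits = set(scan_markers(page))
    for layer in layers:
        hits.update(scan_markers(layer))
    return {"hex_layers": len(layers), "markers": sorted(hits)}
```

Individual markers such as setInterval() are common in benign pages; the combination of a decoded hex layer with the cookie check, bot filter and fake-PDF function is what makes a page worth a closer look.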

Based on recent reporting by the Morado security team, the RaccoonO365 phishing-as-a-service (PhaaS) kit is undergoing significant evolution, with updates to its infrastructure and features expected. LevelBlue Labs will continue monitoring these developments, incorporating new features and indicators of compromise (IOCs) to enhance protections for USM Anywhere users. Leveraging the insights from deconstructing the phishing kit, the LevelBlue team worked closely with affected customers to implement swift remediation actions, mitigate further risk, and strengthen defenses against similar threats.

Response

Remediation

Upon receiving remediation recommendations from LevelBlue, the customer acted swiftly to ensure that any compromised O365 accounts were accounted for and remediated.

Investigation A's customer responded to the remediation recommendations. Further triage was conducted at the customer's request.

The LevelBlue SOC was able to identify the source URL that contributed to the business email compromise, although the threat actor had removed the malicious files from the shared repository.

1. The LevelBlue Labs team was consulted on the SOC and Threat Hunters' collaborative findings. Combining all three USM Anywhere related findings with open-source IOCs and research, the goal was to justify adding a new correlation rule that would benefit the customers being monitored.

2. While LevelBlue Labs worked on a Correlation Rule to provide coverage based on the logging information and findings in the threat hunt submitted on September 17th, the MDR SOC implemented an Orchestration Rule across the customer fleet accounting for the artifacts identified during the threat hunt.

Detections

LevelBlue USM Anywhere customers will benefit from a Pulse created with the newly discovered domains attributed to RaccoonO365. The Pulse name can be found below.

RaccoonO365 AiTM – C2 IP/Domain Tracker

The following correlation rules are designed to help USMA users identify potential phishing attempts and adversary-in-the-middle (AiTM) attack activity.

Rule Method Name

  •  O365 Adversary In The Middle Phishing – MFA Reset Verification Modified With Login
  •  Okta Phishing Detection with FastPass Origin Check

RaccoonO365 Domains Observed by LevelBlue Labs

TYPE     INDICATOR                       DESCRIPTION
DOMAIN   sharedfilesclouddrive[.]com     RaccoonO365 domain
DOMAIN   doccloudonedrivefiles[.]com     RaccoonO365 domain
DOMAIN   e-sharedonedrivefile[.]com      RaccoonO365 domain
DOMAIN   e-storagedrive[.]com            RaccoonO365 domain
DOMAIN   ecloud-sharedfile[.]com         RaccoonO365 domain
DOMAIN   eclouddrivesharedfiles[.]com    RaccoonO365 domain
DOMAIN   ecloudfileshare[.]com           RaccoonO365 domain
DOMAIN   office365suite[.]cloud          RaccoonO365 domain
DOMAIN   docsoffice365[.]cloud           RaccoonO365 domain
DOMAIN   officefilesecloud[.]cloud       RaccoonO365 domain

SURICATA IDS SIGNATURES

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"AV USER_AGENTS RaccoonO365 user_agent observed"; flow:established,to_server; content:"RaccoonO365"; http_user_agent; startswith; reference:url,https://ig3thack3d4u.com/weblog/RaccoonO365PAAS; classtype:web-application-attack; sid:4002782; rev:1; metadata:created_at 2024_12_10, updated_at 2024_12_10;)
