Discover Compelling Narratives from the SOC

Government Abstract

In September 2024, LevelBlue performed a complete risk hunt concentrating on artifacts indicative of Phishing-as-a-Service (PhaaS) exercise throughout our monitored buyer fleet. In the course of the investigation, the LevelBlue Managed Detection and Response (MDR) Blue Workforce found a brand new PhaaS equipment, now recognized as RaccoonO365. The hunt confirmed true-positive compromises of Workplace 365 accounts, prompting swift buyer notifications and steering on remediation actions. The preliminary findings had been handed over to the LevelBlue Labs Risk Intelligence workforce, which additional uncovered further infrastructure and deconstructed the equipment’s JavaScript. This evaluation offered essential insights into the options and capabilities of the rising PhaaS equipment.

Investigation

An anomalous artifact recognized throughout a buyer investigation was escalated to the Risk Looking workforce for evaluation. Additional examination revealed that this artifact was linked to a selected Phishing-as-a-Service (PhaaS) platform often called ‘RaccoonO365’. Promoted as a cutting-edge phishing toolkit, it makes use of a customized Consumer Agent, domains mimicking Microsoft O365 companies, and Cloudflare infrastructure. Together with these findings in our threat-hunting queries led to 2 further discoveries tallying three whole detections throughout the shopper fleet. The 2 proactive detections recognized occasions acquired, however no alarms had been triggered within the concerned buyer’s LevelBlue USM Wherever cases. The third reactive detection was a confirmed enterprise e-mail compromise (BEC), detected after triggering an alarm. The risk actor utilized the person agent ‘RaccoonO365’ previous to the enterprise e-mail compromise detection that means there was a brief interval of unauthorized entry that went undetected. Every incidence was triaged individually, and investigations had been performed in all three buyer cases referring to the noticed exercise. Partnering with LevelBlue Labs, a brand new Correlation Rule was created to look particularly for a RaccoonO365 person agent inside related logs. As well as, the LevelBlue Labs workforce uncovered further structural and descriptive options attributed to RaccoonO365, which later was became a Pulse Indicator of Compromise (IOC) detection.

Expanded Investigation

Alarm and USMA log evaluation

1. An unrelated potential enterprise e-mail compromise (BEC) alarm was acquired and triaged by the LevelBlue MDR SOC. The recognized person utilized a international VPN to efficiently log into buyer’s Microsoft Workplace surroundings. A customized alarm rule was created on account of its excessive likelihood of being a True Optimistic. Whereas conducting their investigation, they uncovered a suspicious person agent associated to the compromised e-mail handle –RaccoonO365.

2. Data was handed off to LevelBlue Risk Hunters to conduct additional inner and exterior analysis for the recognized artifact.

3. A devoted risk hunter performed a evaluation of occasions together with the topic person agent. Occasion logs had been in contrast towards one another and the profitable logins offered further key knowledge factors.

Shared Entry Signature (SAS) authentication

•  “SAS authentication” refers to a way of person entry management utilizing a “Shared Entry Signature” (SAS) token, which primarily grants non permanent, restricted entry to particular assets inside a cloud platform like Azure. This enables customers to entry knowledge with out instantly sharing the total account entry key, by offering a novel token containing the useful resource URL and an expiry time, signed with a cryptographic key, to authenticate entry to that useful resource.

4. Broad seek for recognized person agent “RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)” throughout complete buyer fleet.

48 whole occurrences during the last 12 months throughout three buyer cases. Cloudflare noticed as the primary supply ISP. Subnets 172.69.xx.xx, 172.70.xx.xx, and 172.71.xx.xx recognized in exercise. Three occasion names noticed, ‘UserLoggedIn’, ‘UserLoginFailed’ and ‘Signal-in exercise’.

5. Seek for failed login occasions together with person agent “RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)” to establish motive for failure.

Recognized justifications for failed logins had been: UserStrongAuthClientAuthNRequiredInterrupt – Sturdy authentication is required and the person didn’t move MFA problem (AADSTS50074) ExternalSecurityChallenge – Exterior safety problem was not glad (AADSTS50158) DeviceAuthenticationRequired – Gadget authentication is required (AADSTS50097)

6. Seek for ‘Signal-in exercise’ occasions together with person agent “RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)”.

Noticed occasions had been denied, nevertheless findings included a brand new knowledge supply ‘Azure AD Signal In’ to incorporate in our search –no further findings noticed below alternate knowledge supply (not pictured).

7. Alarm log seek for person agent “RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)” inside recognized knowledge sources ‘Workplace 365 Audit’, and ‘Azure AD Signal In’.

No findings throughout the final 12 months.

SOC Investigations

1. Topic investigation A was created previous to risk hunt in response to an alarm acquired by the MDR SOC. If unauthorized VPN entry to a goal community is noticed, it needs to be addressed quickly by revoking concerned lively classes and resetting the affected e-mail accounts in addition to MFA tokens.

Additional triage was performed through buyer request.

The LevelBlue MDR SOC was in a position to establish the supply URL that contributed to the enterprise e-mail compromise –though the risk actor eliminated the malicious information from the shared repository.

2. Risk Hunt Investigations B and C had been opened by the LevelBlue MDR SOC, however didn’t embody a corresponding alarm inside every buyer occasion respectively. Investigation B concerned a person who had beforehand been compromised lately using the topic person agent RaccoonO365. The LevelBlue MDR SOC was in a position to monitor down the e-mail sender of the originating phishing e-mail.

MDR SOC created an investigation based mostly on the collaboration with Risk Hunters and findings.

3. Investigation C and its included occasions didn’t include the topic person agent RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7). The Cloudflare subnet vary 172.71.xx.xx recognized beforehand, offered IPs that had been utilized by a buyer e-mail account.

MDR SOC created an investigation based mostly on the collaboration with Risk Hunters and findings.

Cloudflare CAPTCHA Turnstile

The Cloudflare ISP “Turnstile” providing has develop into more and more in style inside PhaaS kits. This know-how behind the providing from Cloudflare permits for automated rotation of problem web page choices that give phishing campaigns false legitimacy within the eyes of victims and filter out challenges which can be much less efficient. Related machine studying fashions can go as far as to detect whether or not a topic person has handed beforehand administered CAPTCHA challenges. The risk actor’s finish purpose is to make sure that the phishing hyperlink is clicked on by a human person slightly than a bot. One other ancillary profit granted through using Cloudflare’s CAPTCHA is the prevention of bots and automatic net scans.

Technical Analyses – LevelBlue Labs

RaccoonO365 is designed to focus on Microsoft 365 and Outlook customers, specializing in enterprise customers and cloud dependent enterprises. Its main purpose is to bypass multi-factor authentication (MFA) protections and steal session cookies via subtle phishing methods. This equipment is on the market via a subscription mannequin on Telegram, providing numerous pricing tiers. Subscribers obtain entry to phishing templates, instruments for producing dynamic URLs, and performance to steal session cookies. The equipment makes use of Base64 encoding and XOR obfuscation for JavaScript, alongside session cookie hijacking, to successfully bypass MFA. To stay stealthy and improve marketing campaign longevity, RaccoonO365 makes use of Cloudflare Turnstile. This service supplies CAPTCHA challenges for filtering out bots and lowering detection by safety methods. This service can also be utilized by infamous PaaS platforms corresponding to Tycoon2FA, Greatness, or ONNX. Initially, the Risk Actor promoted the Phishing equipment via a Telegram channel and the web site raccoono365 [.]com, however these are not publicly accessible. Two further web sites had been later created, raccoono365 [.]web and raccoono365 [.]org.  

Determine 1: Raccoono365 web site (raccoono365[.]com)

Nevertheless, the Risk Actor had transitioned to a brand new area, walkingdead0365[.]com, which seems to function the admin panel for the RaccoonO365 phishing equipment. 

Determine 2: RaccoonO365 Login Web page (walkingdead0365[.]com)

On September 23, Trustwave printed an insightful weblog detailing numerous phishing kits, together with RaccoonO365. The weblog highlighted the rising sophistication and accessibility of phishing-as-a-service (PaaS) platforms. Trustwave shared a screenshot from the Raccoon Telegram channel, showcasing its subscription-based pricing mannequin.

The RaccoonO365 phishing equipment operates on a subscription-based mannequin with tiered pricing, making it accessible to cybercriminals of various budgets. Plans vary from a 4-day free trial for $50 to longer durations like 11 days for $75, 20 days for $175, one month for $250, and two months for $450—considerably discounted from their authentic costs. When the RaccoonO365 license expires, a message will seem on the web site claiming that the license must be renewed.

Determine 3: License Expiration

The infrastructure supporting the RaccoonO365 phishing equipment is often hosted in IPs below Cloudflare’s ASN AS13335. The recognized domains are strategically crafted to impersonate Microsoft Workplace 365 companies, incorporating key phrases corresponding to “drive,” “file,” “cloud,” “doc,” “suite,” and “shared” to deceive customers.

HTML/Javascript Evaluation

Evaluation of user-agent strings referencing RaccoonO365 prompted additional investigation into this uncommon title. An preliminary search indicated that RaccoonO365 is a newly recognized phishing equipment with restricted public reporting. As of penning this weblog, an organization by the title of Morado lately printed data on the PaaS equipment not beforehand reported. The safety workforce uncovered a number of insights that overlapped with the findings of LevelBlue Labs.

As quickly because the focused person is offered with a malicious URL hyperlink, the redirection HTML web page reveals indicators of obfuscation and hex encoding that dynamically masses a decoded block of HTML/Javascript.

Determine 4: encodedContent

The decoded Javascript block appears via the visiting person’s cookies and checks if the ‘visited’ tag is current in any of them. If the visited tag is current, the visiting person will get redirected to the official Microsoft web site.

Determine 5: checkVisitStatus()

The code additionally appears to enumerate the visiting person brokers and makes an attempt to establish them through a listing in the event that they go to from a cell phone. It seems that the makers of RaccoonO365 will not be too involved with customers accessing the phishing domains from cellular gadgets, because the anti-debugging options will not be enabled if visiting from a listed cellular person agent.

Determine 6: Cell Consumer Agent Record

Determine 7: Not Cell Consumer

Increasing on the visiting person, the code makes an attempt to detect the net browser getting used whereas visiting the Phishing web page. If the visiting person is utilizing both Chrome, Firefox, or Edge, anti-analysis capabilities corresponding to setInterval(), are used to detect when the debugging instruments are opened via the net browser.

Determine 8: Chrome, Firefox, Edge

The Javascript additionally goals to detect scanning person brokers trying to entry/crawl via the phishing domains. The hardcoded checklist appears for frequent scanning brokers corresponding to scrapy, googlebot, curl, amongst many extra. After validating the person agent just isn’t a part of the hardcoded lists, it then proceeds to run the notblocked() operate which proceeds to shows a faux PDF picture file.

Determine 9: Bot Patterns

Determine 10: Bot Detected

Upon touchdown on the ultimate phishing web page the place person is prompted to enter their Workplace 365 username and password, the LevelBlue Labs workforce uncovered what seems to be configuration settings which point out how RaccoonO365 handles authentication flows between the phished person, relaying server, and legit Microsoft companies.

Determine 11: Phishing Website

Determine 12: Configuration Choices

For instance, we see a number of redirection URLs set for when a person makes an attempt to reset their password. The password reset request is first despatched to the official Microsoft web site https://passwordreset.microsoftonline.com/, and upon finishing the reset, the response is then redirected again to the phishing area.

Determine 13: Password Reset

Different config settings corresponding to fEnableShowResendCode & iShowResendCodeDelay seem to handle resend code behaviors in two-factor authentication flows:

Determine 14: MFA Choices

Primarily based on current reporting by the safety workforce Morado, the RaccoonO365 phishing-as-a-service (PhaaS) equipment is present process important evolution, with updates to its infrastructure and options anticipated. LevelBlue Labs will proceed monitoring these developments, incorporating new options and indicators of compromise (IOCs) to reinforce protections for USM Wherever customers. Leveraging the insights from deconstructing the phishing equipment, the LevelBlue workforce labored intently with affected clients to implement swift remediation actions, mitigate additional dangers, and strengthen defenses towards related threats. Response Remediation Upon receiving remediation suggestions from LevelBlue, the shopper acted swiftly to make sure any compromised O365 accounts had been accounted for and remediated.

Investigation A’s buyer response to the remediation suggestions. Additional triage was performed through buyer request.

LevelBlue SOC was in a position to establish the supply URL that contributed to the enterprise e-mail compromise –though the risk actor eliminated the malicious information from the shared repository. 1. The LevelBlue Labs workforce was consulted on behalf of the SOC and Risk Hunters’ collaborative findings. Together with all three USM Wherever associated findings in addition to open-source IOCs and analysis, the purpose was to offer justification for including a brand new correlation rule which might profit the purchasers being monitored.

2. Whereas a Correlation Rule was labored on by LevelBlue Labs, to offer protection based mostly on the logging data and findings throughout the September seventeenth submitted risk hunt, the MDR SOC carried out an Orchestration Rule throughout the shopper fleet accounting for the artifacts recognized throughout the risk hunt.

Detections

LevelBlue USM Wherever clients will profit from a Pulse created with new domains found attributed to RaccoonO365. The Pulse title might be discovered beneath.

RaccoonO365 AiTM – C2 IP/Area Tracker

The next correlation guidelines are designed to assist USMA customers establish potential phishing makes an attempt and adversary-in-the-middle (AiTM) assault exercise.

RaccoonO365 Domains Noticed by LevelBlue Labs