Threat actors are targeting Middle-East-based employees of major corporations in a scam that uses a specific ‘ephemeral’ aspect of the project-management tool Glitch to link to SharePoint phishing pages.

A long-term spear-phishing campaign is targeting employees of major corporations with emails containing PDFs that link to short-lived Glitch apps hosting credential-harvesting SharePoint phishing pages, researchers have found.

Researchers from DomainTools discovered the suspicious PDFs – which themselves do not include malicious content – back in July, wrote Senior Security Researcher Chad Anderson, in a report published Thursday.

Instead, the PDFs carry a link to Glitch apps hosting phishing pages that include obfuscated JavaScript for stealing credentials, he wrote. Glitch is a Web-based project-management tool with a built-in code editor for running and hosting software projects ranging from simple websites to large applications.

The campaign appears to be targeting only employees working in the Middle East as “a single campaign” in a series of similar, SharePoint-themed phishing scams, Anderson wrote.

Abusing Glitch

To understand how the campaign works, one needs to understand how the free version of Glitch works, Anderson explained. The platform allows an app to operate for five minutes exposed to the internet with a Glitch-provided hostname using three random words, he wrote.

“For example, one document directed the recipient to hammerhead-resilient-birch.glitch[.]me where the malicious content was stored,” Anderson explained in the post. “Once the five minutes is up, the account behind the page has to click to serve their page again.”

It’s this “ephemeral nature” that makes Glitch shared spaces ideal for threat actors that wish to host malicious content, given that they are difficult to detect. This is especially true “because Glitch’s domains are trusted and often allowlisted on many networks already,” Anderson explained.

“Spaces where code can run and be hosted for free are a gold mine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest,” he wrote. “This delegation of trust allows for attackers to utilize a seemingly innocuous PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust.”

In this campaign, attackers combined this aspect with exfiltration of credentials to compromised WordPress sites to create an attack chain that can sneak past defensive tooling, Anderson wrote. DomainTools Research attempted to speak to Glitch about this potential for abuse of the platform, but as yet has been unsuccessful, he added.

Discovering the Campaign

DomainTools researchers discovered the threat activity during regular monitoring and hunting for malicious documents tied to previous campaigns, Anderson wrote. Specifically, the team came across a PDF document purporting to be an invoice that included a URI section that linked to an outside page – something that typically wouldn’t sound an alarm, he wrote.

However, in this case, an email address was appended to the URL as a fragment, which typically references an “id” element on an HTML page, but which also can be manipulated using CSS. Moreover, the email address belonged to a legitimate employee at a corporation based in the United Arab Emirates: something that smacked of spear-phishing to researchers, Anderson wrote.

Researchers hunted for similar documents and found nearly 70 dating back to July 30, all using different URLs to target email addresses of actual individuals working at large corporations, he explained.

“Though each URL and email was one of a kind, the documents themselves did link to the same named page each time: red.htm,” suggesting a common scam, Anderson wrote.
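The traits the researchers pivoted on (an email address in the URL fragment, a three-word Glitch hostname, and the page name red.htm) can be checked when triaging PDF attachments. The following is an added example, not DomainTools' tooling: it assumes link annotations are stored uncompressed as literal strings, and the sample PDF bytes, hostname and recipient address are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Literal-string URI actions as they appear in uncompressed PDF objects: /URI (https://...)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Free Glitch apps are served from a three-random-word hostname under glitch.me
GLITCH_RE = re.compile(r"^[a-z]+-[a-z]+-[a-z]+\.glitch\.me$")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return URI action targets found in uncompressed PDF objects."""
    # Undo PDF literal-string escapes such as \( \) \\ before decoding.
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]


def score_uri(uri: str) -> list[str]:
    """Return the campaign traits described in the article that a URI matches."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    hits = []
    if EMAIL_RE.match(parts.fragment):
        hits.append("email-in-fragment")
    if GLITCH_RE.match(host):
        hits.append("glitch-three-word-host")
    if parts.path.rsplit("/", 1)[-1].lower() == "red.htm":
        hits.append("red.htm-page")
    return hits


def triage(pdf_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious URI in the PDF to the traits it matched."""
    return {u: h for u in extract_uris(pdf_bytes) if (h := score_uri(u))}


# Constructed sample: two link annotations, placeholder host and recipient.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://alpha-bravo-charlie.glitch.me/red.htm#user@example.com) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://www.example.com/invoice/help) >> >> endobj\n"
)

if __name__ == "__main__":
    for uri, traits in triage(SAMPLE_PDF).items():
        print(uri, traits)
```

The email-in-fragment trait is the most durable of the three, since the hostname changes per document; PDFs that keep annotations in compressed object streams need to be decompressed before this scan will see their links.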

Evading Detection

Because of the short-lived nature of the pages being used to harvest credentials, researchers said they were challenged to find live pages serving up the ultimate payload of the campaign. They had to use the tool URLScan, which allowed them to search through all of the scanned sites over the last month.

Eventually, researchers uncovered a live site using the AnyRun service, a commercial malware sandbox and public repository of executed malware that can be used to find specific interactions from malicious code, Anderson explained. While the team still didn’t find the next-stage payload, it did uncover a screenshot of the Microsoft SharePoint phishing login being used to lure the victim, he wrote.

“While the page content was not available, DomainTools Research did take note of the document name as well as the redirect to ‘in.htm’ as the next page after the ‘red.htm’ page in the initial PDF document,” Anderson explained.

Researchers found a number of matching HTML documents that tied to previous PDFs on VirusTotal – the initial PDF documents designed to pass the email of the target along as a URL fragment – by using email addresses pre-populated on the page, he wrote.

The team also found “chunks” of obfuscated JavaScript that, once revealed, showed the email address and password being submitted to compromised WordPress sites and forwarded to an email address found in the body of the script, uzohifeanyi@outlook[.]com. Once attackers have harvested credentials, the JavaScript then redirects the user to the URL of their email address, Anderson wrote.
