[Phishing Kit] Jizhu code reuse

I have been running across landing pages harvesting credentials initiated by Telegram social engineering. It appears most of the landing pages are using a similar kit landing page which usually has the following paths for different aspects of the login page…

/index/user/login.html (login page with code reuse like login_btn which calls /index/user/do_login.html)

One sample seen to be reused is this:

```javascript
// 点击登录 (Eng: Click to Login)
$(".login_btn").on('click',function(){

        if(check()){
            var loading = null;
            var tel   = $("input[name=tel]").val();
            var pwd   = $("input[name=pwd]").val();
            var jizhu = $("input[name=jizhu]").val();
            $.ajax({
                url:"/index/user/do_login.html",
                data:{tel:tel,pwd:pwd,jizhu:jizhu},
```

Other paths referenced by the kit include:
/index/user/register (target registration info page like phone, email, name, etc.)
/index/user/register_desc.html (privacy policy page)
/index/index/home.html (setTimeout Function)

Any knowledge as to what kit might be behind this?

VT Search: index/user/login.html should present quite a few samples that match the above - occurring over the past 3+ months.

4 Likes

Thank you for sharing @S1nglet0n. Currently, we do not have a phishing kit with a similar code block and referenced paths. We set up an alert for this and will let you know if something pops up.

2 Likes

Great find and thanks for sharing @S1nglet0n, I'll keep an eye out for this one too.

2 Likes

Thank you very much. Looking forward to what can be uncovered. Seems like a common landing page used by many actors using different objectives on different brands/themes.

I don’t have access to it, but GREATNESS PhaaS seemed like an obvious choice from OSINT

Also in the mix were CAFFEINE, LABHOST, FRAPPO

From 2022 data, I didn’t see many leads:
https://www.resecurity.com/blog/article/welcome-frappo-the-new-phishing-as-a-service-used-by-cybercriminals-to-attack-customers-of-major-financial-institutions-and-online-retailers

1 Like

Something worth noting too:
phishkit vs. phaas

1 Like

Here is a good/better VT hash search showing some of the jizhu samples going as far back as May 2023 with the similar code seen in recent samples…

VirusTotal search:

```
vhash:"htm:3fe983f4f4faed24155219f2ddfa0418"
```

OR

```
entity:url path:/index/user/login.html
```

```javascript
// Add your logic to submit to your backend server here.
form_submit(token)
function form_submit(reCAPTCHA) {
var loading = null
var tel = $("input[name=tel]").val()
var pwd = $("input[name=pwd]").val()
var jizhu = $("input[name=jizhu]").val()
var tc08d2f7709807240b0578c61f8013850 = "60425c8d045e9"
$.ajax({
url: "/index/user/do_login.html",
data: {
tel: tel,
pwd: pwd,
jizhu: jizhu,
'_csrf_': tc08d2f7709807240b0578c61f8013850,
'reCAPTCHA': reCAPTCHA
type: 'POST',
beforeSend: function(request) {
request.setRequestHeader('User-Token-Csrf', tc08d2f7709807240b0578c61f8013850)
loading = $(document).dialog({
type: 'notice',
infoIcon: '/static_new/img/loading.gif',
infoText: 'loading...',
autoClose: 0
success: function(data) {
loading.close()
if (data.code == 0) {
infoText: data.info
setTimeout(function() {
location.href = "/index/index/home.html"
if (data.info) {
infoText: "The network is unstable, please try again in a place with a better signal
autoClose: 2000
error: function(data) {
--tj--></body></html>
```
1 Like
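A defender-side reuse check, added here as an example and not code from this thread or from any kit: it scores a page body against the markers quoted in the two login-page fragments above (the `jizhu` input, `/index/user/do_login.html`, the `.login_btn` click handler, the `User-Token-Csrf` header, the `home.html` redirect and the loading gif path) so that pages pulled from a VT search can be triaged locally. The weights, the threshold and both sample pages are constructed assumptions for the example.

```python
import re

# Markers lifted from the two login-page fragments quoted in this thread.
# Weights and threshold are assumptions for this example, not a published
# signature; tune them against your own sample set.
MARKERS = {
    "jizhu_input":     (re.compile(r'input\[name=jizhu\]'), 3),
    "do_login_path":   (re.compile(r'/index/user/do_login\.html'), 3),
    "login_btn_click": (re.compile(r'''\$\(\s*["']\.login_btn["']\s*\)\s*\.on\(\s*["']click["']'''), 2),
    "csrf_header":     (re.compile(r'User-Token-Csrf'), 2),
    "home_redirect":   (re.compile(r'/index/index/home\.html'), 1),
    "loading_gif":     (re.compile(r'/static_new/img/loading\.gif'), 1),
}
THRESHOLD = 5  # assumed cut-off: two strong markers, or one strong plus two weak


def score_page(html: str):
    """Return (score, matched marker names) for one HTML/JS page body."""
    hits = [name for name, (rx, _) in MARKERS.items() if rx.search(html)]
    return sum(MARKERS[name][1] for name in hits), hits


def is_jizhu_kit(html: str) -> bool:
    return score_page(html)[0] >= THRESHOLD


# Constructed samples, not captured pages. The first mimics the structure of
# the fragments in this thread; the second is an ordinary login form that
# shares only the generic tel/pwd field names and must not trigger.
KIT_SAMPLE = """
$(".login_btn").on('click', function () {
  var tel = $("input[name=tel]").val();
  var pwd = $("input[name=pwd]").val();
  var jizhu = $("input[name=jizhu]").val();
  $.ajax({ url: "/index/user/do_login.html", data: { tel: tel, pwd: pwd, jizhu: jizhu },
    beforeSend: function (r) { r.setRequestHeader('User-Token-Csrf', 'x'); },
    success: function () { location.href = "/index/index/home.html"; } });
});
"""
BENIGN_SAMPLE = """
$("#signin").on('click', function () {
  var tel = $("input[name=tel]").val();
  var pwd = $("input[name=pwd]").val();
  $.ajax({ url: "/api/session", type: "POST", data: { tel: tel, pwd: pwd } });
});
"""

if __name__ == "__main__":
    for label, page in (("kit", KIT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_page(page))
```

Run it over a directory of downloaded page bodies by calling `score_page` per file; the matched marker names tell you which part of the kit survived when an actor restyles the page.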

@S1nglet0n can you share a couple of landing pages on here? We can try to pivot off of these.

Sure - if you go to VirusTotal and type: entity:url path:/index/user/login.html

First sample from today:

And just scroll through the results…there are hundreds and thousands (depending on your access level to VT historical data).

2 Likes