Researchers Detail CarPhish, EDG, TPass, and Mamba2FA Phishing Kits

Cybersecurity researchers at VMRay have identified four advanced phishing kits—CarPhish, EDG, TPass, and Mamba2FA—that highlight the evolving tactics of cybercriminals.

These kits employ sophisticated methods to deceive users and evade detection, posing significant threats to individuals and organizations alike.

CarPhish: Obfuscation and Evasion Tactics

CarPhish, first observed in the summer of 2024, uses Cloudflare infrastructure to host its phishing pages.

Victims are greeted with a fake Microsoft OAuth 2 login form designed to steal credentials.

The phishing kit employs obfuscated JavaScript code and dynamic page rewriting to hinder automated analysis.

It also introduces noise by embedding over 200 car-related references in its HTML payload so that the page passes as a benign car-enthusiast website.

Despite these evasion techniques, VMRay’s Adaptive Browser Simulation successfully detects the phishing activity and identifies its command-and-control (C2) servers.

EDG: Targeted Credential Harvesting

EDG, discovered in September 2024, mimics login pages of popular email providers.

The phishing URLs include Base64-encoded email addresses that are decoded to prefill login forms with user-specific information, enhancing the illusion of legitimacy.

EDG’s pages are hosted on temporary web services and feature branding from targeted email providers like Gmail.

Once users enter their credentials, the data is exfiltrated via POST requests to malicious endpoints.

VMRay’s platform detects these phishing attempts by analyzing URL patterns, embedded email addresses, and hosting infrastructure.

TPass: Decentralized Hosting Exploitation

TPass emerged in August 2024 and is notable for hosting its phishing pages on IPFS (InterPlanetary File System), a decentralized storage platform rarely used for legitimate login pages.

The kit features basic login forms adorned with misleading security logos, such as Norton’s branding, to gain user trust.

A JavaScript function extracts credentials entered by victims and transmits them to malicious servers.

VMRay highlights IPFS hosting as a suspicious indicator and effectively flags TPass phishing activities.
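The two URL-level indicators described above for EDG (a Base64-encoded e-mail address carried in the path or query to prefill the form) and TPass (login pages served from IPFS gateways) can be checked with a small triage routine. The Python below is an added example, not VMRay's code or any vendor's detection logic; the hostnames, CID and address in the samples are constructed placeholders.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# What a decoded token must look like to count as an embedded e-mail address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Candidate Base64 / URL-safe Base64 tokens long enough to hold an address.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{12,}={0,2}$")

def decode_embedded_email(token: str):
    """Return the e-mail address hidden in a Base64 token, or None if there is none."""
    token = unquote(token)
    if not B64_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)  # kits often strip the '=' padding
    # Try standard Base64 first, then the URL-safe alphabet (- and _ instead of + and /).
    for candidate in (padded, padded.translate(str.maketrans("-_", "+/"))):
        try:
            text = base64.b64decode(candidate, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None

def is_ipfs_hosted(host: str, path: str) -> bool:
    """Match the two common public-gateway shapes: /ipfs/<cid>/... and <cid>.ipfs.<gateway>."""
    host = host.lower()
    return path.startswith("/ipfs/") or ".ipfs." in host or host.startswith("ipfs.")

def triage_url(url: str) -> dict:
    """Flag one URL for the EDG indicator (embedded address) and the TPass indicator (IPFS)."""
    parts = urlsplit(url)
    tokens = [seg for seg in parts.path.split("/") if seg]
    # Split the query by hand: parse_qs would turn '+' into a space and corrupt Base64.
    for pair in parts.query.split("&"):
        if pair:
            tokens.append(pair.partition("=")[2] or pair)
    tokens += [seg for seg in parts.fragment.split("/") if seg]
    email = next((e for e in map(decode_embedded_email, tokens) if e), None)
    ipfs = is_ipfs_hosted(parts.hostname or "", parts.path)
    return {"url": url, "embedded_email": email, "ipfs_hosted": ipfs,
            "suspicious": email is not None or ipfs}

if __name__ == "__main__":  # constructed sample URL, not a real indicator
    print(triage_url("https://tmp-host.example/verify/YWxpY2VAZXhhbXBsZS5jb20%3D"))
```

A hit on either indicator is a reason to detonate the page in a sandbox rather than a verdict on its own, since legitimate sites also use Base64 tokens and IPFS.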

Mamba2FA: Multi-Themed Deception

Mamba2FA, detected in late September 2024, stands out for its versatility and use of multiple themes tailored to deceive users.

Depending on URL parameters, Mamba2FA can present fake Microsoft login pages styled as voicemail notifications, OneDrive access prompts, or generic login forms.

Each theme is designed to lure victims into providing their credentials under different pretexts.

VMRay’s AutoUI feature automates the detection process by bypassing interactive elements like voicemail overlays to analyze underlying phishing content.

These phishing kits demonstrate the increasing sophistication of cyber threats as attackers adopt advanced techniques such as obfuscation, targeted deception, decentralized hosting, and multi-themed designs.

VMRay’s proactive monitoring and detection capabilities underscore the importance of staying ahead in the fight against phishing campaigns.

Organizations must remain vigilant and leverage cutting-edge tools to protect against these evolving threats.
