Explore Compelling Narratives from the SOC



Executive Summary

In September 2024, StageBlue carried out a comprehensive threat hunt focused on artifacts indicative of Phishing-as-a-Service (PhaaS) activity across our monitored customer fleet. During the investigation, the StageBlue Managed Detection and Response (MDR) Blue Team identified a new PhaaS kit, now known as RaccoonO365. The hunt confirmed true-positive compromises of Office 365 accounts, prompting prompt customer notifications and guidance on remediation actions. The initial findings were handed over to the StageBlue Labs Threat Intelligence team, which uncovered additional infrastructure and deconstructed the kit's JavaScript. This analysis provided key insights into the features and capabilities of the emerging PhaaS kit.

Investigation

An anomalous artifact identified during a customer investigation was escalated to the Threat Hunting team for analysis. Further examination revealed that this artifact was linked to a specific Phishing-as-a-Service (PhaaS) platform known as 'RaccoonO365'. Promoted as a cutting-edge phishing toolkit, it uses a custom User Agent, domains mimicking Microsoft O365 services, and Cloudflare infrastructure. Including these findings in our threat-hunting queries led to two additional discoveries, for a total of three detections across the customer fleet. The two proactive detections identified events that were received, but no alarms were triggered within the involved customers' StageBlue USM Anywhere instances. The third, reactive detection was a confirmed business email compromise (BEC), detected after an alarm was triggered. The threat actor used the user agent 'RaccoonO365' prior to the business email compromise detection, meaning there was a brief period of unauthorized access that went undetected. Each occurrence was triaged individually, and investigations were conducted in all three customer instances relating to the observed activity. Partnering with StageBlue Labs, a new Correlation Rule was created to look specifically for a RaccoonO365 user agent within relevant logs. In addition, the StageBlue Labs team uncovered additional structural and descriptive features attributed to RaccoonO365, which were later turned into a Pulse Indicator of Compromise (IOC) detection.

Expanded Investigation

Alarm and USMA log review

1. An unrelated potential business email compromise (BEC) alarm was received and triaged by the StageBlue MDR SOC. The identified user used a foreign VPN to successfully log into the customer's Microsoft Office environment. A custom alarm rule was created due to its high likelihood of being a True Positive. While conducting their investigation, the SOC uncovered a suspicious user agent associated with the compromised email address: RaccoonO365.

2. The information was handed off to StageBlue Threat Hunters to conduct further internal and external research on the identified artifact.

3. A dedicated threat hunter conducted a review of events including the subject user agent. Event logs were compared against one another, and the successful logins provided additional key data points.

Shared Access Signature (SAS) authentication

  •  "SAS authentication" refers to a method of user access control using a "Shared Access Signature" (SAS) token, which essentially grants temporary, limited access to specific resources within a cloud platform such as Azure. This allows users to access data without directly sharing the full account access key: the user is given a unique token containing the resource URL and an expiry time, signed with a cryptographic key, to authenticate access to that resource.

4. Broad search for the identified user agent "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)" across the entire customer fleet.

48 total occurrences over the last 12 months across three customer instances. Cloudflare was observed as the main source ISP. Subnets 172.69.xx.xx, 172.70.xx.xx, and 172.71.xx.xx were identified in the activity. Three event names were observed: 'UserLoggedIn', 'UserLoginFailed' and 'Sign-in activity'.

5. Search for failed login events including the user agent "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)" to identify the reason for failure.

The identified reasons for the failed logins were:

  •  UserStrongAuthClientAuthNRequiredInterrupt – Strong authentication is required and the user did not pass the MFA challenge (AADSTS50074)
  •  ExternalSecurityChallenge – External security challenge was not satisfied (AADSTS50158)
  •  DeviceAuthenticationRequired – Device authentication is required (AADSTS50097)

6. Search for 'Sign-in activity' events including the user agent "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)".

The observed events were denied; however, the findings included a new data source, 'Azure AD Sign In', to include in our search. No additional findings were observed under the alternate data source (not pictured).

7. Alarm log search for the user agent "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)" within the identified data sources 'Office 365 Audit' and 'Azure AD Sign In'.

No findings within the last 12 months.
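The fleet-wide searches in steps 4 to 7 can be reduced to a small triage pass over audit records: kit user agent on a successful login, kit user agent stopped by one of the MFA interrupts above, or a login from one of the Cloudflare subnets without the user agent. The following Python is an added example, not StageBlue tooling; the flat record layout, the sample events and the severity ordering are our own constructions.

```python
import ipaddress
# Hunt artifacts: kit user agent prefix, Cloudflare subnets seen, and the
# failed-login reasons observed, mapped to their AADSTS codes.
RACCOON_UA_PREFIX = "RaccoonO365/"
CLOUDFLARE_SUBNETS = [ipaddress.ip_network(n) for n in
                      ("172.69.0.0/16", "172.70.0.0/16", "172.71.0.0/16")]
MFA_INTERRUPTS = {"UserStrongAuthClientAuthNRequiredInterrupt": "AADSTS50074",
                  "ExternalSecurityChallenge": "AADSTS50158",
                  "DeviceAuthenticationRequired": "AADSTS50097"}
KIT_UA = "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Constructed sample records in a simplified flat form (an assumption: real
# Office 365 audit records nest UserAgent and LogonError in ExtendedProperties).
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "172.70.14.5", "UserAgent": KIT_UA, "LogonError": ""},
    {"Operation": "UserLoginFailed", "UserId": "bob@example.com",
     "ClientIP": "172.69.2.9", "UserAgent": KIT_UA,
     "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"},
    {"Operation": "UserLoggedIn", "UserId": "carol@example.com",
     "ClientIP": "172.71.8.3", "UserAgent": BROWSER_UA, "LogonError": ""},
]

def from_cloudflare(ip):
    """True if the client IP is in a subnet seen in the RaccoonO365 activity."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_SUBNETS)

def triage(events):
    """Return (severity, user, reason) findings, highest severity first."""
    findings = []
    for ev in events:
        kit_ua = ev["UserAgent"].startswith(RACCOON_UA_PREFIX)
        if kit_ua and ev["Operation"] == "UserLoggedIn":
            # Step 4 pattern: a login through the kit got past MFA.
            findings.append(("high", ev["UserId"],
                             "successful login with RaccoonO365 user agent"))
        elif kit_ua and ev["Operation"] == "UserLoginFailed":
            # Step 5 pattern: the relay was stopped by an MFA/device check.
            code = MFA_INTERRUPTS.get(ev["LogonError"], "unmapped error")
            findings.append(("medium", ev["UserId"],
                             f"RaccoonO365 login blocked ({code})"))
        elif ev["Operation"] == "UserLoggedIn" and from_cloudflare(ev["ClientIP"]):
            # Investigation C pattern: no kit user agent, but a kit-linked subnet.
            findings.append(("low", ev["UserId"],
                             "login from Cloudflare subnet linked to RaccoonO365"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])
```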

SOC Investigations

1. Subject investigation A was created prior to the threat hunt in response to an alarm received by the MDR SOC. If unauthorized VPN access to a target network is observed, it should be addressed quickly by revoking the involved active sessions and resetting the affected email accounts as well as MFA tokens.

Further triage was conducted via customer request.

The StageBlue MDR SOC was able to identify the source URL that contributed to the business email compromise, though the threat actor had removed the malicious files from the shared repository.

2. Threat Hunt Investigations B and C were opened by the StageBlue MDR SOC, but did not include a corresponding alarm within each respective customer instance. Investigation B involved a user who had recently been compromised using the subject user agent RaccoonO365. The StageBlue MDR SOC was able to track down the sender of the originating phishing email.

 

The MDR SOC created an investigation based on the collaboration with Threat Hunters and their findings.

3. Investigation C and its included events did not contain the subject user agent RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7). The Cloudflare subnet range 172.71.xx.xx identified previously provided IPs that were used by a customer email account.

The MDR SOC created an investigation based on the collaboration with Threat Hunters and their findings.

Cloudflare CAPTCHA Turnstile

The Cloudflare "Turnstile" offering has become increasingly common within PhaaS kits. The technology behind Cloudflare's offering allows for automated rotation of challenge page options, which gives phishing campaigns false legitimacy in the eyes of victims and filters out challenges that are less effective. Associated machine learning models can go as far as detecting whether a subject user has passed previously administered CAPTCHA challenges. The threat actor's end goal is to ensure that the phishing link is clicked by a human user rather than a bot. Another ancillary benefit granted through the use of Cloudflare's CAPTCHA is the prevention of bots and automated web scans.

Technical Analyses – StageBlue Labs

RaccoonO365 is designed to target Microsoft 365 and Outlook users, focusing on business users and cloud-dependent enterprises. Its primary goal is to bypass multi-factor authentication (MFA) protections and steal session cookies through sophisticated phishing techniques. The kit is available through a subscription model on Telegram, offering various pricing tiers. Subscribers receive access to phishing templates, tools for generating dynamic URLs, and functionality to steal session cookies. The kit uses Base64 encoding and XOR obfuscation for its JavaScript, alongside session cookie hijacking, to effectively bypass MFA. To remain stealthy and extend campaign longevity, RaccoonO365 uses Cloudflare Turnstile. This service provides CAPTCHA challenges for filtering out bots and reducing detection by security systems. The same service is also used by notorious PaaS platforms such as Tycoon2FA, Greatness, or ONNX. Initially, the Threat Actor promoted the phishing kit through a Telegram channel and the website raccoono365[.]com, but these are no longer publicly accessible. Two additional websites were later created, raccoono365[.]net and raccoono365[.]org.

Figure 1: RaccoonO365 website (raccoono365[.]com)

However, the Threat Actor has since transitioned to a new domain, walkingdead0365[.]com, which appears to serve as the admin panel for the RaccoonO365 phishing kit.

Figure 2: RaccoonO365 Login Page (walkingdead0365[.]com)

On September 23, Trustwave published an insightful blog detailing various phishing kits, including RaccoonO365. The blog highlighted the growing sophistication and accessibility of phishing-as-a-service (PaaS) platforms. Trustwave shared a screenshot from the Raccoon Telegram channel showcasing its subscription-based pricing model.

The RaccoonO365 phishing kit operates on a subscription-based model with tiered pricing, making it accessible to cybercriminals of varying budgets. Plans range from a 4-day free trial for $50 to longer periods such as 11 days for $75, 20 days for $175, one month for $250, and two months for $450, significantly discounted from their original prices. When the RaccoonO365 license expires, a message appears on the website stating that the license must be renewed.

Figure 3: License Expiration

The infrastructure supporting the RaccoonO365 phishing kit is usually hosted on IPs under Cloudflare's ASN AS13335. The identified domains are strategically crafted to impersonate Microsoft Office 365 services, incorporating keywords such as "drive," "file," "cloud," "doc," "suite," and "shared" to deceive users.

HTML/JavaScript Analysis

Analysis of user-agent strings referencing RaccoonO365 prompted further investigation into this unusual name. An initial search indicated that RaccoonO365 is a newly identified phishing kit with limited public reporting. As of writing this blog, a company by the name of Morado has recently published information on the PaaS kit that was not previously reported. Their security team uncovered several insights that overlap with the findings of StageBlue Labs.

As soon as the targeted user is presented with a malicious URL link, the redirection HTML page shows signs of obfuscation and hex encoding that dynamically loads a decoded block of HTML/JavaScript.

Figure 4: encodedContent

The decoded JavaScript block looks through the visiting user's cookies and checks whether the 'visited' tag is present in any of them. If the visited tag is present, the visiting user is redirected to the official Microsoft website.

Figure 5: checkVisitStatus()

The code also enumerates visiting user agents and attempts to identify, via a list, whether the visitor is using a mobile phone. It appears that the makers of RaccoonO365 are not too concerned with users accessing the phishing domains from mobile devices, as the anti-debugging features are not enabled when visiting from a listed mobile user agent.

Figure 6: Mobile User Agent List

Figure 7: Not Mobile User

Expanding on the visiting user, the code attempts to detect the web browser being used while visiting the phishing page. If the visiting user is using Chrome, Firefox, or Edge, anti-analysis functions such as setInterval() are used to detect when the browser's debugging tools are opened.

Figure 8: Chrome, Firefox, Edge

The JavaScript also aims to detect scanning user agents attempting to access or crawl the phishing domains. The hardcoded list looks for common scanning agents such as scrapy, googlebot and curl, among many more. After validating that the user agent is not part of the hardcoded lists, it proceeds to run the notblocked() function, which displays a fake PDF image file.

Figure 9: Bot Patterns

Figure 10: Bot Detected
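Peeling the kit's script out of its encoding layers before looking for the cookie, debugger and bot checks described above is a routine triage step that can be scripted. The following Python is an added analyst helper, not code from the kit or from StageBlue Labs; it assumes the outer layer is plain hex (as in the encodedContent fragment) and that the Base64/XOR layer mentioned earlier uses a single-byte key, which the page does not state, and the sample script it decodes is constructed.

```python
import base64
import re
import string

# Strings the analysis above associates with the kit's decoded JavaScript.
KIT_MARKERS = ("checkVisitStatus", "visited", "setInterval", "scrapy",
               "googlebot", "curl", "notblocked")

def decode_hex_layer(blob):
    """Decode a hex-encoded fragment like the encodedContent layer."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", blob)).decode("utf-8", "replace")

def xor_bytes(data, key):
    """XOR data with a repeating key (used both to build the sample and to undo it)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_base64_xor_layer(blob):
    """Base64-decode, then try every single-byte XOR key; return the candidate
    that is fully printable and carries the most kit markers, with its score.
    A single-byte key is an assumption; the page does not state the key length."""
    raw = base64.b64decode(blob)
    best = ("", 0)
    for k in range(256):
        text = xor_bytes(raw, bytes([k])).decode("utf-8", "replace")
        if not all(c in string.printable for c in text):
            continue
        score = sum(m in text for m in KIT_MARKERS)
        if score > best[1]:
            best = (text, score)
    return best

def find_markers(js):
    """List the kit markers present in a decoded script, for triage notes."""
    return [m for m in KIT_MARKERS if m in js]

# Constructed sample: a marker-bearing script hidden behind each layer in turn
# (this is our own stand-in, not the kit's code).
SAMPLE_JS = ('function checkVisitStatus(){if(document.cookie.indexOf("visited")'
             '!==-1){location.href="https://www.office.com/";}}'
             'var bots=/scrapy|googlebot|curl/i;setInterval(detect,500);')
SAMPLE_HEX = SAMPLE_JS.encode().hex()
SAMPLE_B64_XOR = base64.b64encode(xor_bytes(SAMPLE_JS.encode(), b"\x5a")).decode()
```

On a captured page the two layers are applied in whatever order the sample shows, so run the hex decoder on the fragment first and feed the result to the Base64/XOR decoder only if it still looks encoded.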

Upon landing on the final phishing page, where the user is prompted to enter their Office 365 username and password, the StageBlue Labs team uncovered what appear to be configuration settings that indicate how RaccoonO365 handles authentication flows between the phished user, the relaying server, and legitimate Microsoft services.

Figure 11: Phishing Site

Figure 12: Configuration Options

For example, we see several redirection URLs set for when a user attempts to reset their password. The password reset request is first sent to the official Microsoft site https://passwordreset.microsoftonline.com/, and upon completing the reset, the response is redirected back to the phishing domain.

Figure 13: Password Reset

Other config settings such as fEnableShowResendCode & iShowResendCodeDelay appear to manage resend-code behaviors in two-factor authentication flows:

Figure 14: MFA Options

Based on recent reporting by the security team Morado, the RaccoonO365 phishing-as-a-service (PhaaS) kit is undergoing significant evolution, with updates to its infrastructure and features expected. StageBlue Labs will continue monitoring these developments, incorporating new features and indicators of compromise (IOCs) to enhance protections for USM Anywhere users. Leveraging the insights from deconstructing the phishing kit, the StageBlue team worked closely with affected customers to implement swift remediation actions, mitigate further risks, and strengthen defenses against similar threats.

Response Remediation

Upon receiving remediation recommendations from StageBlue, the customer acted swiftly to ensure that any compromised O365 accounts were accounted for and remediated.

Investigation A's customer responded to the remediation recommendations. Further triage was conducted via customer request.

 

The StageBlue SOC was able to identify the source URL that contributed to the business email compromise, though the threat actor had removed the malicious files from the shared repository.

1. The StageBlue Labs team was consulted on behalf of the SOC and Threat Hunters' collaborative findings. Including all three USM Anywhere related findings as well as open-source IOCs and research, the goal was to provide justification for adding a new correlation rule that would benefit the customers being monitored.

 

2. While a Correlation Rule was being worked on by StageBlue Labs, to provide coverage based on the logging information and findings within the threat hunt submitted on September 17th, the MDR SOC implemented an Orchestration Rule across the customer fleet accounting for the artifacts identified within the threat hunt.

Detections

StageBlue USM Anywhere customers will benefit from a Pulse created with the newly discovered domains attributed to RaccoonO365. The Pulse name can be found below.

RaccoonO365 AiTM – C2 IP/Domain Tracker

The following correlation rules are designed to help USMA users identify potential phishing attempts and adversary-in-the-middle (AiTM) attack activity.

Rule Method Name

O365 Adversary In The Middle Phishing – MFA Reset Verification Changed With Login

Okta Phishing Detection with FastPass Origin Check

RaccoonO365 Domains Observed by StageBlue Labs

TYPE      INDICATOR                       DESCRIPTION
DOMAIN    sharedfilesclouddrive[.]com     RaccoonO365 domain
DOMAIN    doccloudonedrivefiles[.]com     RaccoonO365 domain
DOMAIN    e-sharedonedrivefile[.]com      RaccoonO365 domain
DOMAIN    e-storagedrive[.]com            RaccoonO365 domain
DOMAIN    ecloud-sharedfile[.]com         RaccoonO365 domain
DOMAIN    eclouddrivesharedfiles[.]com    RaccoonO365 domain
DOMAIN    ecloudfileshare[.]com           RaccoonO365 domain
DOMAIN    office365suite[.]cloud          RaccoonO365 domain
DOMAIN    docsoffice365[.]cloud           RaccoonO365 domain
DOMAIN    officefilesecloud[.]cloud       RaccoonO365 domain

SURICATA IDS SIGNATURES 

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"AV USER_AGENTS RaccoonO365 user_agent observed"; flow:established,to_server; content:"RaccoonO365"; http_user_agent; startswith; reference:url,https://ig3thack3d4u.com/blog/RaccoonO365PAAS; classtype:web-application-attack; sid:4002782; rev:1; metadata:created_at 2024_12_10, updated_at 2024_12_10;)
