The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform

Adrian McCabe, Steve Sedotto
Oct 10, 2022
Last updated: Oct 17, 2022

While investigating phishing activity targeting Mandiant Managed Defense customers in March 2022, Managed Defense analysts discovered malicious actors using a shared Phishing-as-a-Service (PhaaS) platform called “Caffeine”. This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns. These features include (but are not limited to) self-service mechanisms to craft customized phishing kits, manage intermediary redirect pages and final-stage lure pages, dynamically generate URLs for hosted malicious payloads, and track campaign email activity.

Unlike most PhaaS platforms Mandiant encounters, Caffeine is unusual in that it features an entirely open registration process, allowing just about anyone with an email address to register for its services instead of working through narrow communication channels (such as underground forums or encrypted messaging services) or requiring an endorsement or referral from an existing user. Additionally, seemingly to maximize support for a variety of clientele, Caffeine also provides phishing email templates earmarked for use against Chinese and Russian targets, a generally uncommon and noteworthy feature of the platform (more on this later in the post).

Although the use of phishing platforms is certainly not a novel mechanism to facilitate attacks, it is worth noting that such feature-rich options, like Caffeine, are readily accessible to cybercriminals. In this blog post, we explore the method through which we first identified evidence of its use, show the relatively low barrier of entry to the PhaaS platform market, elaborate on the platform’s core capabilities, and delve into the more technical configurations available to Caffeine’s phishermen that allow them to evade detection. We also provide a core set of detections designed to identify phishing campaign elements leveraged by both Caffeine-specific actors as well as more generalized phishing activity.

Phishy Activity at Mandiant Customers

Advancements in automated inspection and detection methods by email security platforms have spurred an evolution in phishing tactics. In addition to its use in highly targeted activity—such as APT29’s clever use of compromised email credentials to target diplomatic organizations, as one of many examples—more generalized “traditional” phishing in pursuit of stolen credentials remains a common avenue of attack for cybercriminals (see Figure 1). Per M-Trends 2022, credential theft was responsible for approximately 9% of the intrusions Mandiant responded to in 2021.

Figure 1: Typical credential theft phishing attack flow

A broadly distributed credential phishing campaign was also Mandiant’s initial observation point of the Caffeine platform in use. In March 2022, Managed Defense observed an email sent to a European architectural consulting firm containing a suspicious URL. While the contents of the email were not recovered in their entirety, domain data contained within the phishing email, eduardorodiguez9584[.]ongraphy[.]com (which resolved to IP address 134.209.156[.]27 around the time of the activity), was recovered and subsequently analyzed.

Figure 2: First-stage phishing campaign redirect page, eduardorodiguez9584[.]ongraphy[.]com

Ultimately, the domain eduardorodiguez9584[.]ongraphy[.]com (Figure 2) served as a redirect page to a second-stage URL at oculisticaspizzirri[.]it/fill/ (domain resolution at time of analysis 134.209.156[.]27). This URL was found to ultimately lead to a compromised portion of an otherwise legitimate web site for the medical practice of an Italian ophthalmologist (parent domain oculisticaspizzirri[.]it). While Mandiant does not have any definitive insights into the Initial Intrusion Vector (IIV) of the compromise of the site, the site itself was found to be leveraging WordPress and several of its custom plugins. WordPress vulnerabilities have been observed by Mandiant in the past as a common IIV for website compromises, though at the time of this writing, Mandiant notes the domain no longer appears to be compromised.

Additionally, the second-stage lure page hosted on the compromised portion of the site (while it was compromised) was misconfigured by the attacker (see Figure 3).

Figure 3: Misconfigured second-stage campaign page with support link, oculisticaspizzirri[.]it

If it were correctly configured, the page shown in Figure 3 would likely display the final lure page for a campaign as configured by the Caffeine user/attacker (typically a fake Microsoft 365 login page, see Figure 4).

Figure 4: Correctly configured lure page for Microsoft 365 credential theft

Yet, the error message on this page indicates that the associated phishing domain was not configured correctly within the Caffeine platform infrastructure and offers attackers a support link to get help with this issue. While this shows an admirable dedication to user experience on the part of the Caffeine engineers, the provided link to create a support ticket is also a direct link to the support page within the Caffeine platform. In the event a user accessing the support URL is not logged in as a configured user of the platform at the time they access the link, they are simply redirected to the Caffeine login page (see Figure 5).

Figure 5: Main Caffeine login screen

Over the course of its research into the Caffeine platform, Managed Defense observed newer versions of the error page that have replaced the support ticket URL portion with support contact information for an encrypted messaging service instead. This is a good operational security improvement on the part of the platform engineers.

Use of Caffeine Platform Components

A properly configured and campaign-ready, end-to-end implementation of the Caffeine Phishing Platform has several elements, three of which are:

  • Core Caffeine account
  • Licensing
  • Campaign infrastructure and configuration

Each of these aspects is explored in detail in the following sections.

Core Caffeine Account

Like any other modern Software-as-a-Service (SaaS) platform, the core of Caffeine’s infrastructure for a new user begins with the creation of a user account.

While not all PhaaS platforms function in this manner, in Caffeine’s case, the web site itself is open to the public (all you need to know is the URL). It is possible to register for an account with no significant disclosure of information and no external validation mechanisms (such as endorsement through other existing Caffeine users) to access the site.

Once registered, a new Caffeine user is then directed to the service’s main index page to begin their phishing voyages (see Figure 6). It is worth noting that over the course of its investigation into the Caffeine platform, Managed Defense observed Caffeine’s administrators announce several key platform improvements via the Caffeine news feed, including feature updates and expansions of their accepted cryptocurrencies.

Figure 6: Caffeine homepage

Caffeine Phishing Licenses

In addition to word of mouth via its existing users, Caffeine is also advertised on underground forums dedicated to cybercrime. Figure 7 shows a post on nulled[.]to, advertising an email management component for Caffeine, as well as other seemingly malicious utilities that appear to be associated with the same malware author.

Figure 7: Caffeine advertisement on nulled[.]to

Another example is a post from the site crax[.]tube demonstrating an older version of some of the platform’s features, as shown in Figure 8.

Figure 8: Caffeine advertisement on crax[.]tube

As is typical of most modern SaaS platforms, Caffeine does not support perpetual use licenses and is wholly subscription based. Additionally, as modern subscription-based software design doctrine dictates, Caffeine offers three different tiers of service.

It is interesting to note that the Caffeine subscription models lean towards a slightly higher base price than some other PhaaS platforms; its base subscription costs approximately $250 per month. By comparison, a 2019 blog post by security firm Cyren, which examined numerous PhaaS platforms, noted that the average PhaaS platform typically cost between $50 and $80. Caffeine is likely a pricier subscription because of the unlimited customer service support options and the extensive anti-detection and anti-analysis features it offers (see the next section for more details).

Campaign Infrastructure and Configuration

Much of the Caffeine platform feature-set allows users to pick and choose granular configuration settings for use in their credential phishing campaigns. As mentioned previously, this includes, but is not limited to, self-service mechanisms to customize dynamic URL schemas to assist in dynamically generating pages with potential victim information pre-populated for additional campaign chicanery (see Figure 9), first-stage campaign redirect pages, and final lure pages. It also includes several options to blacklist IP addresses within CIDR ranges and block connections based on their points of origin (see Figure 10).

Figure 9: Supported dynamic URL schemas

Figure 10: Caffeine platform configuration settings

A School of Caffeinated Phish: A Case Study of the Caffeine Platform in Action

Once an attacker has configured the necessary components of their main campaign tooling (as shown in Figure 10), they must then deploy their tooling (conventionally referred to as “phishing kits”) to their hosted campaign infrastructure. After that step is complete, all that is left to do is connect their deployed kits to their main Caffeine account via a special license token. At that point, an attacker is ready to go phishing!

Deployment of Caffeine Phishing Kits: Preparing the Bait

For most traditional phishing campaigns, phishermen generally employ two main mechanisms to host their malicious content. They will typically leverage purpose-built web infrastructure set up for the sole purpose of facilitating their phishing voyages, use legitimate third-party sites and infrastructure compromised by attackers to host their content, or some combination of both.

Given the prevalence of compromised web infrastructure observed by Mandiant across its customer base, the authors will focus on this particular avenue of attack for further scenario-based analysis within this blog post.

Though a full analysis of the general tactics, techniques, and procedures involved in the deployment of kits to compromised web infrastructure is beyond the scope of this blog post, general techniques for deployment of these kits include:

  • Compromised web administrator user accounts.
  • Exploitation of vulnerabilities in web infrastructure platforms and technologies.
  • Abuse of web applications configured in a vulnerable way.

No matter which technique is used, however, the attacker’s ultimate goal is to achieve file-write capabilities on hosted web infrastructure. Once this is achieved, they simply upload the files from their kit, and ensure all relevant dependencies are resolved.

Figure 11: Fully deployed Caffeine phishing kit on hosted infrastructure shown in Caffeine instructional video

At that point, in Caffeine’s case, the attacker must also ensure their kits are configured to leverage a user-specific license token. This links their deployed kits to their main Caffeine user account and allows them to fully utilize the Caffeine platform (and its respective administrative dashboards) to effectively manage campaign operations.

Figure 12: Caffeine token management UI

Figure 13: Caffeine phishing campaign management dashboard

If completed correctly, the final lure for Caffeine phishing kits will appear as a Microsoft 365 login page, similar to the one in Figure 4. Pages like this one are the main mechanism to drive successful credential theft during campaign operations.

If this step is not completed correctly, anyone accessing the lure page will instead receive an error message like the one shown in Figure 3.

Mandiant did not identify additional fake login pages outside of those formatted to appear as Microsoft 365 credential harvesting lures, which is consistent with the way this platform is advertised. However, Mandiant assesses with moderate confidence that additional login page formats will be introduced as Caffeine customer needs shift with technology trends.

Dispatching the Phishing Phleet

Once configuration of the campaign infrastructure is complete, the attacker has the option of using a Caffeine-provided email management utility (which is offered in either Python or PHP) to craft and send their phishing emails to potential victims.

Figure 14: Python Sender Module

Figure 15: XAMPP PHP Sender Module

By default, Caffeine provides configurable HTML files to embed in outgoing email used in conjunction with the aforementioned sender utilities. Several options are available for attackers to use for their phishing email templates, including webmail phishing lures targeting users of major Russian and Chinese services (see Figure 16 to Figure 19).

Figure 16: Default fake fax Caffeine phishing email template

Figure 17: Default Microsoft file share Caffeine phishing email template

Figure 18: Default Chinese Caffeine phishing template

Figure 19: Default Mail[.]ru phishing template

Phish in a Barrel: Detecting Caffeine Activity

While an extensive, comprehensive analysis of every utility and component within the Caffeine platform is well beyond the scope of this blog post, several key components of its operation can be used to generate a solid set of high efficacy threat detections when used in concert with one another.

Detecting Caffeine on the Endpoint

This rule set is intended to serve as a starting point for hunting efforts to identify phishing infrastructure and activity; however, it may need adjustment over time as the threat evolves. To leverage these detections effectively, run the associated YARA rules against copies of deployed web site files.

Table 1: Caffeine platform sample information and corresponding YARA rules details

Rule | Filename | MD5 | Detection Notes
M_Hunting_PHP_Caffeine_Toolmarks_1 | index.php | ce9a17f9aec9bd2d9eca70f82e5e048b | Though the Caffeine platform has many pages named “index.php” across its various components, this particular “index.php” is the central one that is served up by default when accessing a deployed kit. The strings within the matching detection are toolmarks from the output of Caffeine obfuscation tooling.
M_Hunting_PHP_Caffeine_Obfuscation_1 | index.php | ce9a17f9aec9bd2d9eca70f82e5e048b | This detection casts a wider phishing net than the previous rule, looking for PHP files that have a “Caffeine-style” obfuscation mechanism but may not necessarily be Caffeine-specific. Mandiant has uncovered some evidence to suggest the obfuscation mechanism used by Caffeine may be in use by other PhaaS vendors as well.
M_Hunting_JSON_Caffeine_Config_1 | config.json | 684b524cef81a9ef802ed3422700ab69 | This is the main configuration file used by deployed Caffeine phishing kits. The strings within the matching detection are configuration artifacts Caffeine leverages by default.
M_Hunting_JS_Caffeine_Redirect_1 | file.htm | 60cae932b80378110d74fe447fa518d6 | This is a typical Caffeine redirect page. The strings within the matching detection are configuration artifacts Caffeine leverages by default.
M_Hunting_ICO_Caffeine_Favicon_1 | favicon.ico | 12e3dac858061d088023b2bd48e2fa96 | This rule detects the version of the legitimate Microsoft logo favicon included within Caffeine’s kits by default. It may also detect some legitimate copies of the favicon, but a Microsoft favicon found alongside rogue PHP, HTA, or JavaScript files should be investigated closely for the presence of malicious activity.
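As an added illustration (not Mandiant's tooling and not part of the original post), the following Python script mirrors the string logic of the post's YARA rules and the Table 1 hashes so that a copy of a web root can be triaged without yara-python installed; the favicon rule is left out because the post marks it as requiring validation, and the YARA rules at the end of the post remain the authoritative versions for real hunts.

```python
import hashlib
import os
import tempfile

# MD5s from Table 1 of the post; a hit means an exact copy of a sampled kit file.
KNOWN_KIT_MD5 = {
    "ce9a17f9aec9bd2d9eca70f82e5e048b": "index.php (kit entry point)",
    "684b524cef81a9ef802ed3422700ab69": "config.json (kit configuration)",
    "60cae932b80378110d74fe447fa518d6": "file.htm (redirect page)",
    "12e3dac858061d088023b2bd48e2fa96": "favicon.ico (bundled Microsoft favicon)",
}

# String sets copied from the post's YARA rules; every rule uses "all of them".
# The favicon rule is omitted because the post marks it as requiring validation.
RULES = {
    "M_Hunting_PHP_Caffeine_Toolmarks_1": [b" - WWW.CAFFEINES.STORE", b"CODED By MRxC0DER"],
    "M_Hunting_PHP_Caffeine_Obfuscation_1": [b"__FILE__));", b"=NULL;@eval", b"))));unset"],
    "M_Hunting_JSON_Caffeine_Config_1": [b"token", b"ip-api.io",
        b"ff57341d-6fb8-4bdb-a6b9-a49f94cbf239", b"send_to_telegram", b"telegram_user_id"],
    "M_Hunting_JS_Caffeine_Redirect_1": [b"Don't Play Here Kid", b"mrxc0der"],
}


def contains_ascii_or_wide(data, needle):
    """YARA 'ascii wide' semantics: match the literal bytes or their UTF-16LE encoding."""
    return needle in data or needle.decode("ascii").encode("utf-16-le") in data


def match_rules(data):
    """Return the names of the rules whose strings are all present in data."""
    hits = []
    for name, needles in RULES.items():
        # uint16(0) == 0x3F3C in the obfuscation rule: the file must start with "<?".
        if name == "M_Hunting_PHP_Caffeine_Obfuscation_1" and data[:2] != b"<?":
            continue
        if all(contains_ascii_or_wide(data, n) for n in needles):
            hits.append(name)
    return hits


def scan_webroot(root):
    """Walk a copy of a web root; return {relative path: [findings]} for matching files only."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            notes = match_rules(data)
            digest = hashlib.md5(data).hexdigest()
            if digest in KNOWN_KIT_MD5:
                notes.append("known kit file MD5: " + KNOWN_KIT_MD5[digest])
            if notes:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = notes
    return findings


def build_sample_webroot():
    """Create a constructed web root: one benign page plus two files carrying the rule strings."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "fill"))
    files = {  # constructed sample content, not real kit files
        "index.php": b"<?php echo 'hello'; ?>",
        "fill/index.php": b"<?php /* CODED By MRxC0DER - WWW.CAFFEINES.STORE */ $p=__FILE__));$q=NULL;@eval($r))));unset($p);",
        "fill/config.json": b'{"token":"ff57341d-6fb8-4bdb-a6b9-a49f94cbf239","geo":"ip-api.io","send_to_telegram":true,"telegram_user_id":"0"}',
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return root
```

Running `scan_webroot(build_sample_webroot())` reports only the two constructed kit-like files; the benign index.php produces no finding.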

Detecting Caffeine on the Wire

The following domains are core components of Caffeine’s architecture for deployed phishing kits. To leverage these detections effectively, look for anomalous network traffic to a cluster of these domains within web logs or in network traffic within the timeframe of several minutes.

Table 2: Domains leveraged by various components of Caffeine’s architecture

Domain/URL | IP Address Resolution | Contextual Notes
caffeinefiles[.]click | 104.21.6[.]210 | An active hosting location for Caffeine platform files. Currently behind Cloudflare.
caffeines[.]space | 185.163.46[.]131 | An inactive hosting location for Caffeine platform files.
caffeines[.]store | 104.26.7[.]11 | The main Caffeine store domain. Currently behind Cloudflare.
ip-api[.]io | 192.99.71[.]107 | This is a seemingly legitimate service Caffeine uses for IP address geolocation. On its own it is not inherently malicious, but when activity for this domain appears alongside other Caffeine indicators, it provides immense contextual value.
telegram[.]org | 149.154.167[.]99 | A legitimate encrypted messaging service used heavily by Caffeine.
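As an added example (not part of the original post), the following Python script applies the “cluster within several minutes” logic described above to constructed proxy log lines in an assumed “timestamp, client IP, destination host” layout; the legitimate ip-api[.]io and telegram[.]org entries only raise a high-severity finding when a core Caffeine domain appears in the same window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Domains from Table 2 (defanging brackets removed so they match real log entries).
CORE_DOMAINS = {"caffeinefiles.click", "caffeines.space", "caffeines.store"}
CONTEXT_DOMAINS = {"ip-api.io", "telegram.org"}  # legitimate; meaningful only alongside others
WATCHLIST = CORE_DOMAINS | CONTEXT_DOMAINS

# Constructed proxy log in an assumed "<UTC timestamp> <client IP> <destination host>" layout.
SAMPLE_LOG = """\
2022-03-14T09:58:40Z 10.0.0.5 www.example.org
2022-03-14T10:01:02Z 10.0.0.5 ip-api.io
2022-03-14T10:01:03Z 10.0.0.5 caffeines.store
2022-03-14T10:01:09Z 10.0.0.5 telegram.org
2022-03-14T11:30:00Z 10.0.0.7 telegram.org
2022-03-14T11:31:00Z 10.0.0.7 ip-api.io
2022-03-14T15:00:00Z 10.0.0.9 caffeinefiles.click
"""


def parse_line(line):
    """Split one log line into (datetime, client, host); host is lower-cased for matching."""
    ts, client, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host.lower()


def find_clusters(log_text, window_minutes=5):
    """Return one finding per client that contacted two or more watchlist domains within the window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        if host in WATCHLIST:
            hits[client].append((ts, host))
    window = timedelta(minutes=window_minutes)
    findings = []
    for client, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {host for ts, host in events[i:] if ts - start <= window}
            if len(seen) >= 2:
                # Two context-only domains (telegram.org + ip-api.io) are weak on their own;
                # a core Caffeine domain in the same window is what makes the cluster high severity.
                severity = "high" if seen & CORE_DOMAINS else "low"
                findings.append({"client": client, "first_seen": start.isoformat(),
                                 "domains": sorted(seen), "severity": severity})
                break  # one finding per client is enough for triage
    return findings
```

With the sample log, 10.0.0.5 is reported as high severity, 10.0.0.7 as low, and 10.0.0.9 (a single lookup) is not reported at all.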

Conclusion

While the detections listed in this post can certainly assist in detecting the presence of malicious activity, it is also important to keep in mind that defensive measures against PhaaS attacks can be a game of cat and mouse. As quickly as threat actor infrastructure gets taken down, new infrastructure can be spun up. To that end, in addition to leveraging the detections provided in this post, there are a few ways organizations can reduce the impact of phishing attacks and compromised domains on a strategic level. These include:

  • Periodically evaluating any public-facing web infrastructure and files against known-good versions of the content.
  • Utilizing behavioral analytics for web log analysis, including initial URL structure, form submissions and redirections.
  • Occasionally re-assessing security policies regarding passwords and credential resets.
  • Implementing two-factor authentication on, at a minimum, any user account used to access an enterprise environment from an external source.

Though these strategic elements may seem somewhat self-evident, their importance can hardly be overstated. Traditional phishing techniques continue to be a reliable Initial Intrusion Vector (IIV) for cyberattacks, and, as demonstrated by the Caffeine PhaaS platform, the tools to conduct full-fledged enterprise-level phishing campaigns are cheap to acquire, simple to use, and readily available to adversaries.

Acknowledgments

The authors would like to thank Jeremy Kennelly for his threat expertise and investigative guidance, Evan Reese for his assistance in detection review, and The Managed Defense Security Operations Center for their continued vigilance.

Comprehensive Detection List

These YARA rules are not intended to be used for real time monitoring or to inform blocking rules without first being validated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of false positives.

YARA Rules

rule M_Hunting_JS_Caffeine_Redirect_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "60cae932b80378110d74fe447fa518d6"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for string artifacts on Caffeine Javascript redirect pages. Intentionally wide."
    strings:
        $cf1 = "Don't Play Here Kid" ascii wide
        $cf2 = "mrxc0der" ascii wide
    condition:
        all of them
}

rule M_Hunting_PHP_Caffeine_Toolmarks_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for generic Caffeine obfuscation toolmark strings. Intentionally wide."
    strings:
        $attacker_brand = " - WWW.CAFFEINES.STORE" ascii wide
        $obfuscation_tagline = "CODED By MRxC0DER" ascii wide
    condition:
        all of them
}

rule M_Hunting_PHP_Caffeine_Obfuscation_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for obfuscated PHP scripts."
    strings:
        $f1 = {3C 3F 70 68 70 }   // "<?php"
        $a1 = "__FILE__));" ascii wide
        $a2 = "=NULL;@eval" ascii wide
        $a3 = "))));unset" ascii wide
    condition:
        // file must begin with "<?" (bytes 3C 3F, read as a little-endian uint16)
        uint16(0) == 0x3F3C and
            all of them
}

rule M_Hunting_JSON_Caffeine_Config_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "684b524cef81a9ef802ed3422700ab69"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for default Caffeine configuration syntax. Intentionally wide."
    strings:
        $cf1 = "token" ascii wide
        $cf2 = "ip-api.io" ascii wide
        $cf3 = "ff57341d-6fb8-4bdb-a6b9-a49f94cbf239" ascii wide
        $cf4 = "send_to_telegram" ascii wide
        $cf5 = "telegram_user_id" ascii wide
    condition:
        all of them
}

rule M_Hunting_ICO_Caffeine_Favicon_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "12e3dac858061d088023b2bd48e2fa96"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for legitimate Microsoft favicon used by Caffeine. VALIDATION REQUIRED."
    strings:
        $a1 = { 01 00 06 00 80 }
        $a2 = "fffffff" ascii wide
        $a3 = "3333333" ascii wide
        $a4 = "DDDDDDDDDDDUUUUUUUUUUUP" ascii wide
        $a5 = "UUUPDDD@" ascii wide
    condition:
        // bytes 1-2 of an ICO header are 00 01 (read as a little-endian uint16)
        uint16(1) == 0x0100 and
            all of them
}

Domains/URLs

Table 3: Comprehensive domain list for Caffeine-associated activity in this blog post

Domain/URL | IP Address Resolution | Contextual Notes
eduardorodiguez9584[.]ongraphy[.]com | 134.209.156[.]27 | Phishing campaign redirect site.
oculisticaspizzirri[.]it/fill/ | 136.243.82[.]137 | Misconfigured second-stage credential harvesting URL.
caffeinefiles[.]click | 104.21.6[.]210 | An active hosting location for Caffeine platform files. Currently behind Cloudflare.
caffeines[.]space | 185.163.46[.]131 | An inactive hosting location for Caffeine platform files.
caffeines[.]store | 104.26.7[.]11 | The main Caffeine store platform URL. Currently behind Cloudflare.
ip-api[.]io | 192.99.71[.]107 | This is a seemingly legitimate service Caffeine uses for IP address geolocation. On its own it is not inherently malicious, but when activity for this domain appears alongside other Caffeine indicators, it provides immense contextual value.
telegram[.]org | 149.154.167[.]99 | A legitimate encrypted messaging service used heavily by Caffeine.