CyberDefenders — GrabThePhisher Blue Team Lab Walkthrough

Investigation of a Phishing Kit using Google, PHP, & the Telegram API

Drew Arpino
8 min read · Aug 18, 2024
Image Credit: https://cyberdefenders.org/blueteam-ctf-challenges/grabthephisher/

Introduction:

Have you ever come across a phishing website spoofing a familiar service and wanted to understand how it works? If so, welcome to another weekly walkthrough — you’ve stumbled on the right blog! This week, we’re tackling the GrabThePhisher Blue Team Lab from CyberDefenders.

Our mission this week is a Threat Intelligence exercise that has us defenders diving into a phishing kit used to impersonate a popular cryptocurrency exchange website and trick unsuspecting victims into providing their crypto wallet seed phrases. That’s not great!

Throughout this walkthrough, we’ll explore the inner workings of this phishing kit, uncovering how it operates, the methods it uses to harvest victim data, and ultimately, who is behind this campaign. Sounds like a fun time!

What are we waiting for? Let’s get started — thanks for reading along!

Challenge Link:

Challenge Scenario:

Scenario:

An attacker compromised a server and impersonated https://pancakeswap.finance/, a decentralized exchange native to BNB Chain, to host a phishing kit at https://apankewk.soup.xyz/mainpage.php. The attacker set it as an open directory with the file name “pankewk.zip”.

Provided the phishing kit, you as a SOC analyst are requested to analyze it and do your threat intel homework.

Question 1: Which wallet is used for asking the seed phrase?

Let’s jump right into analyzing the phishing kit! We’ll start by unzipping the challenge file and getting an overview of the contents. We already know from the scenario that the phishing kit is impersonating the PancakeSwap cryptocurrency exchange, and we’ll see plenty of assets spoofing this service used in the kit.

But the first file that we’ll start analyzing is the index.html, the default landing page for the website. When we open the file, we’ll see several wallet types listed for connection:

Yikes! Does the phishing kit attempt to harvest credentials from all these wallet types? Let’s check into this by navigating back to the pankewk directory and checking for other references to any of these services.

We’ll find only one of these wallets has its own folder — MetaMask.

Let’s explore this folder and focus on the file metamask.php and examine the code to see if we can find any requests for a seed phrase:

This looks promising! Just below the wallet name, we can see a field asking for a Phrase with some additional code. This confirms that we’ve found the correct wallet soliciting the seed phrase, which answers Question 1!

Questions 2, 3, & 4:

What is the file name that has the code for the phishing kit?

In which language was the kit written?

What service does the kit use to retrieve the victim’s machine information?

Now that we have discovered the correct wallet, let’s take a closer look at some of the other functions in the code to answer Questions 2, 3, & 4.

We already discovered that metamask.php contains the prompt to collect seed phrases, and we can reasonably conclude that this is the file hosting the rest of the phishing code. To double-confirm this theory, we can look further down the code, where we’ll see some functions using the Telegram API. The use of an external chat application is a red flag and confirms that we are looking at the correct file containing the phishing functions. This answers Question 2.

Next, we need to determine which language the kit was written in. Fortunately, we have determined this already. The file has the .php extension and it contains PHP tags which identify PHP code — so, we are looking at a kit written in PHP.

Finally, we also need to discover what service is being used to find the victim’s device information. Let’s turn our attention to the $request variable. Do you see the API request to a sypexgeo endpoint? Let’s do a Google search to gather more intelligence about this service.

According to their website:

Sypex Geo is a product for determining location by IP address, from the creators of Sypex Dumper. Having received the IP address, Sypex Geo provides information about the visitor’s location — country, region, city, geographic coordinates.

Interesting! It seems that the phishing kit leverages this service to gather geolocation data about its victims. This also confirms that this is the service we are looking for to answer Question 4.

Questions 5 & 6:

How many seed phrases were already collected?

Write down the seed phrase of the most recent phishing incident?

Remember in Question 2 that we located a potential exfiltration function using Telegram? Let’s take another look at this function to see if it performs any other actions:

Notice at the bottom of the function that, after the victim submits the content, it is also appended to a log file on the web server — log.txt. Let’s follow the breadcrumb trail and navigate to pankewk/log/log.txt.

Inside the file, we’ll see three seed phrases were already collected — not good news! But now we also have the answers to Questions 5 & 6.

Questions 7, 8, 9, 10:

Which medium had been used for credential dumping?

What is the token for the channel?

What is the chat ID of the phisher’s channel?

What are the allies of the phish kit developer?

Okay, let’s return to metamask.php and search for evidence to answer the next several questions!

We can answer Question 7 already as we discovered the application/medium back in Question 2. Remember that in addition to being appended to the log.txt, the seed phrase credentials are also dumped to Telegram.

The answers to Questions 8 & 9 are straightforward and listed as the $token and $id variables within the same function!

To answer Question 10, we’ll look to the comments in the code (enclosed by /* */), where we see a message with a username/signature in the closing. We can assume this is the “ally” username of the attacker that deployed the phishing kit.

Questions 11 & 12: What is the full name of the Phish Actor?

Now that we have thoroughly analyzed the code of the phishing kit, let’s put all the information together, gather more about the Telegram channel itself, and apply some threat intelligence to get there. This should all be possible through the Telegram API since we found the chat ID and a bot token exposed in the phishing kit code.

Let’s refer to the Telegram API documentation to determine how to call the API and what methods we can try.

First, we will stumble across the proper format to make the query — awesome!

All queries to the Telegram Bot API must be served over HTTPS and need to be presented in this form: https://api.telegram.org/bot<token>/METHOD_NAME

Then, after reviewing the methods, we will find the getChat option, which can be used to retrieve full information about the chat (ChatFullInfo).

https://core.telegram.org/bots/api#getchat

So, putting all the pieces together we need to specify our bot token, getChat method, and chat ID parameter. Let’s try this in a web browser first by making a GET request using the URL below. This URL takes the information we located in Questions 8 & 9 and puts it into the format we discovered in the Telegram docs.

https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564
Using the Telegram API in a browser.

For comparison, let’s also try this same request using curl from the terminal and then use jq to parse the JSON output and make it pretty.

curl "https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564" | jq
Using the Telegram API from the terminal.

With either method, we’ve uncovered new information from the API including the first_name, last_name, and username fields for the members within the chat!
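To tie the pieces together, here is an added Python example (not part of the original post or the CyberDefenders lab) that does the two things this walkthrough did by hand: pull the $token, $id and sypexgeo indicators out of kit source (Questions 2–4 and 8–9), then build the getChat URL in the documented form and reduce the JSON reply to the identity fields. The PHP fragment and the API reply are constructed samples with placeholder values, not the real kit or a real Telegram response.

```python
import json
import re
from urllib.parse import quote

# Constructed PHP fragment imitating the pattern the walkthrough describes
# ($token/$id variables and a sypexgeo lookup). It is NOT the kit's code;
# the token is a placeholder that only follows the usual bot-token shape.
KIT_SOURCE = r'''<?php
$token = "123456789:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMP";
$id = "987654321";
$request = "https://api.sypexgeo.net/json/" . $ip;
'''

# Bot tokens look like <numeric bot id>:<35 url-safe characters>.
TOKEN_RE = re.compile(r'\b(\d{8,10}:[A-Za-z0-9_-]{35})\b')
CHAT_ID_RE = re.compile(r'\$id\s*=\s*["\']?(-?\d+)["\']?')
GEO_RE = re.compile(r'https?://([a-z0-9.-]*sypexgeo[a-z0-9.-]*)', re.I)

def extract_indicators(source: str) -> dict:
    """Pull the exfil token, chat id and geo-lookup host out of kit source."""
    token = TOKEN_RE.search(source)
    chat_id = CHAT_ID_RE.search(source)
    return {
        "token": token.group(1) if token else None,
        "chat_id": chat_id.group(1) if chat_id else None,
        "geo_hosts": sorted({h.lower() for h in GEO_RE.findall(source)}),
    }

def build_getchat_url(token: str, chat_id: str) -> str:
    """Bot API form from the docs: https://api.telegram.org/bot<token>/METHOD"""
    return f"https://api.telegram.org/bot{quote(token, safe=':')}/getChat?chat_id={chat_id}"

def parse_getchat(body: str) -> dict:
    """Reduce a getChat JSON reply to the identity fields used in the walkthrough."""
    data = json.loads(body)
    if not data.get("ok"):
        raise ValueError(f"getChat failed: {data.get('description', 'unknown')}")
    result = data["result"]
    return {k: result.get(k) for k in ("id", "type", "first_name", "last_name", "username")}

# Constructed reply in the shape of a getChat response (all values invented).
SAMPLE_REPLY = json.dumps({"ok": True, "result": {
    "id": 987654321, "type": "private", "first_name": "Example",
    "last_name": "Actor", "username": "example_handle"}})

if __name__ == "__main__":
    ind = extract_indicators(KIT_SOURCE)
    print(ind)
    print(build_getchat_url(ind["token"], ind["chat_id"]))
    print(parse_getchat(SAMPLE_REPLY))
```

Feeding the real reply from the curl command above into parse_getchat() yields the same first_name, last_name and username fields the browser view shows.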

This is the final piece of information we needed to answer the last two questions of this investigation and get us one step closer to finding the threat actor who deployed the phishing kit.

Conclusion:

And there we have it — mission accomplished! We’ve successfully completed our analysis of the phishing kit, determined how it harvests seed phrases, where they are sent, and how many victims have been compromised. But that’s not all! With the help of the Telegram API and some exposed secrets in the phishing kit, we also uncovered more details about the threat actors themselves.

With the objectives completed, let’s close out this walkthrough of the GrabThePhisher Blue Team Lab. A big thank you to CyberDefenders for hosting another great challenge! I found this exercise particularly insightful, as I’ve often wondered how these types of phishing kits work. It was a fantastic opportunity to go hands-on and explore it myself.

My personal highlight was using the Telegram API to pivot and gather more information than was available in the kit. This unique objective provided a great learning opportunity to explore the documentation and understand what information can be found with an exposed token.

If you found this walkthrough helpful in leveling up your skills or getting you through a tricky question, please give it a clap! Your feedback lets me know that I helped you out on your security journey. We’re in this together! Thanks for the support!

Until next week’s challenge — stay curious and be safe out there!

Tools & References:

Wikipedia MetaMask: https://en.wikipedia.org/wiki/MetaMask

Sypex Geo: https://sypexgeo.net/en/about/#:~:text=Sypex%20Geo%20is%20a%20product,region%2C%20city%2C%20geographic%20coordinates.

Telegram API: https://core.telegram.org/bots/api

REQBIN (Curl): https://reqbin.com/req/c-1n4ljxb9/curl-get-request-example

JQ: https://github.com/jqlang/jq
