Understanding RaccoonO365 Phishing-as-a-Service

November 21, 2024

RaccoonO365 is a lesser-known threat group that operates a Phishing-as-a-Service (PaaS) model, offering phishing assets, links, and related tools. Often confused with Tycoon2FA, RaccoonO365 is not an evolution of that group, despite common misreporting. This misinformation can complicate efforts by security professionals to detect or mitigate the group’s threats. Their name is a reference to Microsoft Office 365, as the group specializes in stealing Microsoft 365 logins and bypassing Microsoft’s multi-factor authentication. RaccoonO365 sells its services through a private Telegram channel with over 400 members, and in recent months the group has expanded its range of offerings to grow its operation, creating new departments and products. Even so, we discovered that members of the group have made some mistakes in their development process that give a valuable glimpse into their operations, offering security professionals a potential advantage in counteracting their tactics.

Analysis

RaccoonO365 offers a variety of tools and services that help threat actors run their phishing campaigns. This PaaS group targets Office 365 credentials by tricking users into filling out fake login forms that mimic the legitimate service. All user input is relayed to a real Microsoft login page, including any prompts for additional authentication. In this way they bypass Microsoft’s two-factor and multi-factor authentication and gain unauthorized access to victim accounts. They exfiltrate credentials, user cookies, Office 365 data, and additional machine information, which is then sent to the threat actor over email. The fake pages are fairly convincing and can easily trick an inattentive user. Additionally, the pages have protections that redirect unwanted visitors away.

These phishing pages are protected from bots, crawlers, and automation tooling by a script written in JavaScript. The script, initially obfuscated using hexadecimal encoding, is decoded and dynamically added to the page as multiple HTML script elements. It conducts a series of checks to detect automation tools and identify bots, so that only legitimate human users proceed. If a visitor passes these checks, a new link is constructed for the phishing page. They are then presented with a blurred PDF and a deceptive download button, which redirects them to a fake Microsoft 365 login page using the new URL. Still, there is more protection for the page even after the visitor passes all of the automation and bot checks.

The threat actors make use of Cloudflare Turnstile as a CAPTCHA to further protect their sites. The use of this technique has been gaining prominence in PaaS operations. Not only does it prevent bots and automated web scans, but it also gives the page a sense of legitimacy, as Cloudflare and its services are trusted by most users. The malicious page is only served to a visitor who completes the Cloudflare Turnstile CAPTCHA, ensuring that only human victims can reach the phishing page. If you were to visit the final phishing page without going through the site that serves the CAPTCHA, you would be redirected by the URL redirection scripts embedded in the page. An example of the Turnstile can be seen protecting the RaccoonO365-owned domain office365filesuite[.]com.

It has been reported that the group’s methodology allows them to bypass DKIM, DMARC, SPF, and anti-phishing technologies. The emails have been reported to contain phony OneDrive links that ultimately take users to a Cloudflare Turnstile for human verification, disrupting the investigative tracking process. Once they pass this verification, they are presented with the previously described blurred PDF and download button that, when clicked, directs the user to an M365 password prompt which, if completed, grants the attackers access to their account. From there, the threat actors immediately begin exfiltrating data from OneDrive, SharePoint, Email, and Teams, which is then used for extortion or as initial access for larger attacks.

Subscriptions to the “RaccoonO365 Suite” provide threat actors with a set of links hosting fake logins to use for phishing, the bot protection described above, a lead checker to easily find potential victims, and the ability to have stolen information sent to the threat actor’s email address. The subscriptions offered cost $200 and $300 for 30 and 50 business days, respectively.

To add more value to their subscriptions, the group has begun to expand its offerings. RaccoonO365 announced that it will be creating new departments within its operation. These departments include penetration testing, UI design development, and developer oversight. This expansion brings the group to six employees in total. The existing departments are responsible for the phishing page behavior including user redirects, a cookie link maker (which allows threat actors to access accounts after compromising their cookies), and a new control panel for subscribers.

The new control panel, still in development, will allow subscribers to easily manage their phishing pages. The panel allows users to perform a variety of actions including changing the appearance of their pages, viewing valid stolen accounts, receiving notifications about successful attacks, and more. The panel was first teased in a video shared in the RaccoonO365 Telegram channel. However, the group made the mistake of including the URL of the panel in their recording. This mistake allowed us to investigate the new panel. The URL can be seen at the top of this screenshot from the video:

Screenshot from a video of the panel shared in the RaccoonO365 Telegram channel

The link directs you to a login page for the RaccoonO365 panel. Unsurprisingly, there is not much information on the login page, but digging into the page source, we found a reference to a file named php_files/login.php inside an Ajax request. Requesting this file returned no response, as it appears to be an API endpoint that handles login requests on the server side of the application. However, navigating to /php_files shows a directory index that reveals numerous API endpoints. At the bottom of the screenshot, we can also see that the application is hosted on a LiteSpeed web server on port 443.

File listing of the /php_files directory

These endpoints give us a sense of what the application can accomplish. As seen in the screenshot, users will be able to manage their subscriptions and payments through the panel, configure Telegram bots for their operation, and even donate to the RaccoonO365 group. To fully understand the capabilities of the application, we needed more access to the panel than just the login page and open directories. So, we decided to check it out in ZAP, a dynamic application security testing tool often used to test the security of web applications.

Loading the page in ZAP, we immediately noticed some strange behavior in the responses from the website. When accessing the login page, we get two responses instead of one. The second response is what we would expect, a login page. However, the first response is actually the panel dashboard itself!

Responses in ZAP from requesting hxxps[:]//walkingdead0365[.]com

The developer made a mistake in the site's access control logic: when you request any page, the page is first loaded and served to you. Only after this initial load does the system check whether you have permission to view the page. If you don't have access, you are then redirected to the login page. Obviously, this is not how it should work, as the application is now completely available to anyone who visits the URL. The redirect happens faster than a human can perceive, so we would not have identified this without examining the individual requests. By requesting each page and saving its source to a local file, we were able to incrementally retrieve every page of the panel and rebuild an offline version of it. We also found that two sections of the panel are directly accessible without being redirected to the login page: Telegram Bot Settings and Anti-Bot Settings.

Dashboard of the RaccoonO365 Panel

One interesting feature we found was the anti-bot settings. Much like the script mentioned before, these settings allow users to protect their pages from bots and crawlers, block VPN and TOR traffic, and even implement a maximum number of visits for unique users. These features allow their subscribers to protect their phishing pages beyond what is already in place. This panel will likely increase the success of RaccoonO365 phishing attacks as users will have more options for protecting their phishing pages and more control in the customization of their pages to perform more targeted attacks against potential victims.

Anti-Bot Settings Section of the RaccoonO365 Panel

The panel uses Ajax to make requests to different endpoints for user actions. The requests are viewable in the page source. If you open the developer tools while viewing the panel, you can use the console to make these requests yourself since you are within the context of the application. We used a simple for loop in the console to fuzz the endpoint responsible for getting the stolen cookies a user has gathered.

Screenshot of the DevTools console to make Ajax requests

The endpoint lacks proper authorization checks, allowing us to request information belonging to any subscribed user in the panel. Assuming user IDs were integers, we fuzzed the Ajax request with IDs up to 100,000. Only one unique response appeared, for user_id=7, which we identified through a noticeable difference in response size. This response contained the email of a person who was seemingly the victim of a RaccoonO365 phishing page and the cookies associated with their Microsoft 365 login. A file named cookie.txt containing the response was also downloaded in the browser. The endpoint for deleting users is insecure in the same way, meaning it could be used to delete all registered accounts.

OWASP ZAP output when attacking the get user cookies Ajax request

Cycling back to the open directories found for the application, we used Gobuster, a tool for brute-forcing directories on web servers. We ran the tool against the panel’s URL using the common.txt word list. The full output can be seen in the provided screenshots, but three directories caught our attention: /uploads, /database, and /php_files/admin/bg.

Output from the Gobuster command

First, there is an open directory named /uploads. This directory is where files land when a user uploads a custom image to be used on their phishing page. We discovered this while experimenting with different features of the panel. We tried uploading the cookie.txt file we obtained earlier with a .png extension appended, named cookie.txt.png, as our custom image. The .png extension is necessary because the upload form for pictures only accepts image files. On a second look at the directory, we noticed the uploads had been successful and the destination directory remained open. This can be seen in the screenshot, where our files appear in the /uploads directory prefixed with a string of hex characters. This behavior could be exploited to hinder or destroy RaccoonO365 panel operations through resource exhaustion or even a web shell.

File listing of the /uploads directory

The /database directory contains the schema for their SQL database. This gives insight into what type of data is collected by RaccoonO365 when users sign up for the service. They keep the user’s email, IP address, user agent string, and location. They also store data in three other tables: user_profiles, telegram_settings, and user_credentials. The user referenced by user_id is likely the threat actor who subscribed to the service. We conclude this from the user_profiles table, where fields like bio, profile_picture, and background_image all correspond to the content available in the profile section of the panel. The user_credentials table, however, is likely storing stolen credentials and cookies belonging to phishing victims. It stores the same cookie_data that we received earlier when exploiting one of their Ajax requests to obtain the cookies of a RaccoonO365 phishing victim.

Data diagram of the RaccoonO365 Panel database

Finally, the /php_files/admin/bg directory contains all of the preloaded backgrounds that come with the panel. The backgrounds carry the branding of, and are identical to, services like OneDrive, Microsoft Outlook, an Excel sheet, etc., and new backgrounds are being uploaded every few days. We were able to download every background currently hosted on the server using a wget command:

wget -r -np -R "index.html*" https://walkingdead0365.com/php_files/admin/bg

These backgrounds can be used to detect phishing pages by matching the file name or the hash of the files. Use a web filtering tool to scan HTTP(S) requests for known phishing indicators, such as these specific filenames or hashes, and block or flag suspicious requests. Additionally, custom IDS rules or a browser extension can help detect these phishing backgrounds when they load onto a page.

Outside of the panel, our Open Source Intelligence (OSINT) investigations revealed multiple domains belonging to RaccoonO365, expired license pages, and HTTP response headers containing characteristic values for their phishing pages. Additionally, through community collaboration we obtained the URIs used for authentication on their phishing pages and a user agent string they have been seen to use in the wild.

The authentication on the phishing pages primarily uses the following URIs on the malicious domains:

  • POST “/Me.htm?v=3”
  • POST “/common/SAS/BeginAuth”
  • POST “/common/login”
  • POST “/common/SAS/BeginAuth”
  • GET “/common/SAS/EndAuth?authMethodId=$2FA_METHOD&pollCount=1”
  • POST “/common/SAS/ProcessAuth”
  • POST “/kmsi”
  • POST “/?wa=wsignin1.0” (for redirection)

RaccoonO365 phishing domains can be distinguished by specific HTTP response headers that reveal identifiers such as “RaccoonO365 2FA/MFA Service” or simply “RaccoonO365.” Additionally, when unauthorized visitors access these domains, they often encounter a peculiar message stating, “The gods are wise, but they do not know what you seeks!”

RaccoonO365 phishing kits make use of the User-Agent identifier “RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)”, the Office 365 ApplicationID 72782ba9-4490-4f03-8d82-562370ea3566, and Cloudflare IPs for authentication attempts against the Microsoft API. These characteristics collectively make it easier to identify and distinguish RaccoonO365 from other phishing kits on the market. However, the User-Agent may no longer be in use, as the string was added to a list of suspicious User-Agents hosted on GitHub that RaccoonO365 was monitoring. They made a post in their Telegram channel acknowledging that the User-Agent had been identified and likely created a new one. Still, there are more characteristics we used to identify additional domains owned by the group.

By performing an exact keyword search for “RaccoonO365”, we were able to identify a domain displaying an expired license message indicating that the subscriber this link belonged to has not paid their subscription.

Screenshot of expired RaccoonO365 API link

The page title “API Subscription License Renewal” helped us trace multiple domains linked to RaccoonO365. By searching for sites with this exact title, we uncovered several similar pages, indicating a network of phishing domains under the RaccoonO365 campaign. These domains are typically named to resemble legitimate Office 365 services, aiming to reduce suspicion among potential victims and increase the likelihood of successful phishing attempts. Yet, some are still named at random such as lsfldke[.]com.

The identified domains are associated with IP address ranges beginning with 104.21 and 172.67, while the specific host portion (X.X) varies across domains. The recurring IP prefixes suggest that RaccoonO365 leverages two specific network blocks, potentially indicating a shared infrastructure used to host their phishing domains. This IP pattern may indicate the actor’s reliance on a particular hosting provider or IP space to conduct operations.
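As an added illustration (not code from this write-up or from the group), the following Python scorer applies the indicators listed above, the sign-in URIs, the response headers, the User-Agent, the ApplicationID, the license and block-page text, and the IP prefixes, to proxy or sign-in log records. The Microsoft login host list, the weights, the threshold, and the sample records are my own assumptions; the IP prefixes are scored as weak evidence because they are shared Cloudflare space.

```python
from urllib.parse import urlsplit

# Indicator values are quoted from the write-up above; the Microsoft host list,
# the weights, the threshold and the sample records are my own assumptions.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
KIT_AUTH_ROUTES = {  # (method, path?query) the kit's pages are reported to use
    ("POST", "/Me.htm?v=3"), ("POST", "/common/SAS/BeginAuth"), ("POST", "/common/login"),
    ("POST", "/common/SAS/ProcessAuth"), ("POST", "/kmsi"), ("POST", "/?wa=wsignin1.0"),
}
KIT_UA = "RaccoonO365/9.0 (RaccoonO365; Intel Raccoon O365 2FA/MFA 10_15_7)"
KIT_APP_ID = "72782ba9-4490-4f03-8d82-562370ea3566"
KIT_PAGE_TEXT = ("API Subscription License Renewal",
                 "The gods are wise, but they do not know what you seeks!")
# 104.21.x.x and 172.67.x.x are shared Cloudflare proxy space: corroborating evidence only.
WEAK_IP_PREFIXES = ("104.21.", "172.67.")
ALERT_THRESHOLD = 2

def score_record(rec):
    """Score one proxy or sign-in log record (a dict); returns (score, reasons)."""
    hits = []
    url = urlsplit(rec.get("url", ""))
    host = (url.hostname or "").lower()
    route = url.path + ("?" + url.query if url.query else "")
    method = rec.get("method", "GET").upper()
    # Strong: the kit's own fingerprints in headers, User-Agent, app id or page text.
    if any("RaccoonO365" in v for v in rec.get("resp_headers", {}).values()):
        hits.append((3, "response header contains 'RaccoonO365'"))
    if rec.get("user_agent") == KIT_UA:
        hits.append((3, "known kit User-Agent (the group may have rotated it)"))
    if rec.get("app_id") == KIT_APP_ID:
        hits.append((3, "known kit Office 365 ApplicationID"))
    if any(text in rec.get("body", "") for text in KIT_PAGE_TEXT):
        hits.append((3, "kit license-expiry title or visitor-block message in body"))
    # Medium: a Microsoft sign-in route answered by a host that is not Microsoft's.
    endauth = method == "GET" and url.path == "/common/SAS/EndAuth" and "pollCount=" in url.query
    if host and host not in MS_LOGIN_HOSTS and ((method, route) in KIT_AUTH_ROUTES or endauth):
        hits.append((2, f"Microsoft sign-in route {url.path} served by {host}"))
    # Weak: server IP in the shared prefixes the write-up observed.
    if rec.get("server_ip", "").startswith(WEAK_IP_PREFIXES):
        hits.append((1, "server IP in 104.21/172.67 (shared Cloudflare space)"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def is_suspicious(rec):
    return score_record(rec)[0] >= ALERT_THRESHOLD

# Constructed sample records (not real traffic): a kit page on a random-looking domain,
# the genuine Microsoft login, a benign Cloudflare-fronted site, and a sign-in log entry.
SAMPLE = [
    {"method": "POST", "url": "https://lsfldke.com/common/login", "server_ip": "104.21.9.9",
     "resp_headers": {"Server": "RaccoonO365 2FA/MFA Service"}},
    {"method": "POST", "url": "https://login.microsoftonline.com/common/login", "server_ip": "20.190.0.1"},
    {"method": "GET", "url": "https://example.com/", "server_ip": "172.67.1.2"},
    {"method": "POST", "url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
     "user_agent": KIT_UA, "app_id": KIT_APP_ID},
]
```

Only the first and last sample records cross the threshold; the genuine Microsoft login scores zero and the Cloudflare-fronted benign site scores just the weak IP point.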

However, there is a high chance that the group will move to a different domain registrar. In an announcement in their Telegram channel, the group mentioned issues with their current hosting solution as their domains have been suspended due to abuse reports. They claim to be seeking a new registrar that takes cryptocurrency as their card payment provider is also causing delays in their domain registrations. These issues have hindered their ability to serve subscribers and it is unclear if any of their phishing pages are even functional at the moment.

Message from the RaccoonO365 operators discussing hosting issues

Conclusion

The RaccoonO365 PaaS operation provides its subscribers with a plethora of tools and services that enable them to conduct successful phishing attacks to obtain valid Office 365 credentials and cookies. By protecting their phishing pages with legitimate tools like Cloudflare Turnstile as a CAPTCHA and implementing bot and automation detection, RaccoonO365 increases the chances of successful phishing attacks while ensuring only intended users can interact with the pages. RaccoonO365 shows the evolution of PaaS operations, which are becoming more sophisticated and harder to detect. Adding more to the plates of security researchers, these operations offer their services for relatively low prices and do most of the work for their subscribers, which lowers the level of knowledge and resources needed to conduct a successful phishing attack. Even so, these operators are not perfect and often make mistakes that give security researchers an advantage and the potential to hinder PaaS operations. By maintaining an adversarial mindset we are able to find cracks in the armor that give us valuable insight into how to mitigate the risks posed by phishing attacks.

Recommendations

  • Use the IOCs provided to detect and prevent this threat in your environment.
  • Train employees on how to recognize phishing attempts, especially those mimicking Microsoft 365 logins and using CAPTCHA to appear legitimate.
  • Encourage users to scrutinize URLs and avoid clicking on unfamiliar links.
  • Watch for HTTP response headers with the specified identifiers.
  • Use access control and role-based restrictions to limit access to sensitive data or accounts, particularly on Microsoft 365.
