Ngrok Platform Abused by Hackers to Deliver a New Wave of Phishing Attacks

Cyble’s research team has found an uptick in phishing campaigns targeting multiple organizations, including financial institutes, by abusing the ngrok platform, a secure and introspectable tunnel to the localhost.

About ngrok: ngrok is a cross-platform application used to expose a local development server to the internet, and it makes the locally hosted server appear to be hosted on a subdomain of ngrok(e.g., 4f421deb219c[.]ngrok[.]io) by creating a long-lived TCP tunnel to the localhost. The ngrok server software is self-hosted on a VPS or a dedicated server. It has the ability to bypass NAT mapping and Firewall restriction.

Multiple threat actors have abused the ngrok platform to gain unauthorized access to the target for delivering the additional payload, exfiltrating financial data such as credit/debit card information, and carrying out targeted phishing attacks.

The ngrok-based cyberattacks are harder to detect since they use random subdomains of ngrok.com, besides bypassing security devices like Firewall, thereby making it an active target for cybercriminals.

Sample phishing page –

History of ngrok-based attacks:

• In 2019, cybercriminals abused ngrok tunnelling hosted on AWS to deliver Lokibot.
• Last year, the Fox Kitten APT group targeted the private and government sector in the U.S. The threat group was known for using ngrok to intrude on-premises BIG-IP devices.
• In September 2020, researchers identified the Pioneer kitten APT group, an Iran-based Threat group abusing the ngrok platform. The group was selling compromised corporate credentials on cybercrime forums.

Investigation:

Some of the new strains of malware / phishing campaign using ngrok tunnelling are:

• Njrat
• DarkComet
• Quasar RAT
• asynrat
• Nanocore RAT

Recently, Cyble found that cybercriminals are abusing ngrok.io to deliver phishing attacks. The image below showcases one of the phishing links captured in Cyble’s Intelligence repository.

Interestingly, we found multiple ngrok.io links used in darkweb markets/leaks and cybercrime forums by different threat actors such as BIN CARDERS, Telegram- carder data, and linlogpass. The leaks were captured by Cyble’s Threat Intelligence platform, as shown in the below image.

Cyble research team also came across a post in a cybercrime forum about a phishing tool kit, “KingFish3 (Social master). The image below showcases the threat actor’s post about the phishing tool in the cybercrime forum. The threat actor also shared the Github link to the phishing tool, which abuses ngrok.

The actor described the usage of tools as shown in the following image, thereby showcasing more information about how the ngrok tunnel is being used to carry out successful phishing attacks.

The post contains step-by-step instructions on how to use the publicly available GitHub code. The image below shows the output of the phishing tools along with the applications targeted.

Based on further investigation and analysis of the phishing tool, we were able to identify precisely how the cybercriminals abuse the ngrok tunnels to carry out phishing attacks towards multiple organizations. Here are the steps based on our analysis.

1. The tool creates a tunnel using ngrok to the chosen phishing URL with the specified port.
2. The hacker tracks real-time logs in the first session and waits for the victims to enter their phone number.
3. The hacker then logs into the affected application’s official site with the harvested credentials and generates an OTP (2FA).
4. Victims then enter the received OTP in the phishing site, which the hacker captures.
5. Finally, the hacker gains access to the victims’ official account using the OTP(2FA).

The following are some of the ngrok based phishing Indicators of Compromise (IOCs) – this list is not exhaustive:

4f421deb219c[.]ngrok[.]io	64bdaf63996c[.]ngrok[.]io
fd4a5b0113b7[.]ngrok[.]io	7f37e07fc0f9[.]ngrok[.]io
8c8a73773aef[.]ngrok[.]io	ed23321e00e2[.]ngrok[.]io
9be055fae612[.]ngrok[.]io	232fa25e1abe[.]ngrok[.]io
b36a3cf2dc0f[.]ngrok[.]io	1b96bd67151a[.]ngrok[.]io
2106ef42b27b[.]ngrok[.]io	98de9202cf1d[.]ngrok[.]io
c1df5c5c340e[.]ngrok[.]io	8e3d3f5d9ca3[.]ngrok[.]io
fc6cbeaa8cbb[.]ngrok[.]io	9d448ee31851[.]ngrok[.]io
fe7544eeda51[.]ngrok[.]io	3b6859c00864[.]ngrok[.]io
dcf4820d88b8[.]ngrok[.]io	4a826717681a[.]ngrok[.]io
f7e82c8b73a6[.]ngrok[.]io	bd69091[.]ngrok[.]io

How to report these malicious URLs for takedowns: It’s quite straightforward, just drop a note at contact@ngrok.com.

Our Recommendations:   

• Users of ngrok and other tunnelling services are advised to obtain authorization from their information security teams.
• It is advised to password-protect their tunnel access and enable IP whitelisting to restrict access to only trusted IP addresses.
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
• Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately.
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
• People concerned about their exposure to the Dark web can register at AmiBreached.com to ascertain their exposure.
• Refrain from opening untrusted links and email attachments without verifying their authenticity.

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.