Analysing a Phishing C&C server


I recently uncovered a phishing command and control (C&C) Simple Mail Transfer Protocol (SMTP) server hosted on the same page that the kit was deployed on. Surprise surprise, they were targeting PayPal.

The Leaf PHP Mailer:

The phishing page has all the features you would expect to see in a phishing C&C. The main feature the attackers require is a way to send out hundreds, if not thousands, of fake emails masquerading as a service such as PayPal to a long list of target email addresses. Other features the Leaf PHP Mailer offers include adding HTML code to the phishing email.

Blacklist checker:

The blacklist checker enables the phisher to check whether their host is blocked by spam lists and to keep track of how likely their phishing emails are to land in inboxes. Once an IP address appears on too many lists, the operator can transfer to a new host and start the process again.


Nowadays, a large number of credential harvesting phishing pages leverage challenge–response tests - such as reCAPTCHA - to determine if the user is human or a bot. The original purpose of CAPTCHA tests is to prevent abuse, and they are typically found on registration pages to prevent automated sign-ups. However, they can also be abused to bypass automated security tools and hide the fake login pages from secure email gateways (SEGs). The risk for the phisher is that adding more steps may cost them a user's credentials, as the user spends longer checking whether it is a scam. On the other hand, the phisher may be able to land in more inboxes, bypassing the aforementioned security controls.

The Fake Login Page:

Example email:

Everything in the example email is customisable. Although this is a rudimentary phishing email, a lot of aspects can be modified to make it more convincing to unsuspecting users. Examples of PayPal phishing emails I have personally received are available here, here, and here if you are wondering.

C99 WebShell:

While investigating the phishing C&C, the presence of a C99 webshell was also revealed. Webshells are considered post-exploitation tools. One way to plant a webshell is by first uploading it through a file upload page (e.g., a submission form on a company website) and then using a Local File Inclusion (LFI) weakness in the application to include the webshell in one of the pages. The webshell can then be used to perform actions on the server, such as creating a user, reading system logs and restarting a service. The key features of the C99 webshell include self removal, brute forcing targets, SQLi, and that it can act as a remote console.
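For defenders, the upload-then-include pattern described above leaves traces in web access logs. The following is an added example, not code from the analysed server or from the original post: it flags requests for script files inside an upload directory and query parameters that reference the upload directory or contain path traversal. The log lines are constructed, and the `/uploads/` directory name is an assumption to be replaced with the site's real upload path.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format), not taken from the analysed server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "POST /contact/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "GET /index.php?page=../../uploads/cv.jpg HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:30 +0000] "POST /uploads/img_0421.php HTTP/1.1" 200 20313 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:02:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:02:15 +0000] "GET /uploads/logo.png HTTP/1.1" 200 10422 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_DIRS = ("/uploads/",)          # assumption: where the site stores user uploads
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
TRAVERSAL = ("../", "..\\")

def classify(line):
    """Return (ip, method, target, reasons) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, method, target, _status = m.groups()
    url = urlsplit(target)
    path = unquote(url.path).lower()
    reasons = []
    # An executable script served from a directory that should only hold user uploads.
    if any(d in path for d in UPLOAD_DIRS) and SCRIPT_EXT.search(path):
        reasons.append("script-in-upload-dir")
    # A parameter that walks the filesystem or points into the upload directory.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = unquote(value).lower()  # parse_qsl decodes once; this catches double encoding
        if any(t in value for t in TRAVERSAL) or any(d.lstrip("/") in value for d in UPLOAD_DIRS):
            reasons.append(f"include-param:{name}")
    return (ip, method, target, reasons) if reasons else None

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, method, target, reasons in scan(SAMPLE_LOG):
        print(ip, method, target, ",".join(reasons))
```

Hits from the same client shortly after a POST to an upload form are worth triaging first; the rules are heuristics and will need tuning against the application's legitimate parameters.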


Phishing continues to be one of the longest-standing persistent threats to the personal security of individuals and to employees in organisations. The aim of this phishing C&C analysis is to highlight how these attacks work and the standard operating procedures (SOP) of these cybercriminals. Their tactics, techniques, and procedures (TTPs) continue to evolve, although many of these tools - phishing kits and webshells - are freely available on GitHub for anyone to begin their own phishing campaigns. Whilst these attacks may be trivial for attackers, they can potentially lead to hefty financial damages for users and enterprises.
