Full Report
Polish developer Kuba Gretzky wanted to prove that multi-factor authentication wasn’t foolproof. He succeeded — maybe too well. What happens when a cybersecurity warning becomes the threat itself?
Analysis Summary
# Tool/Technique: Evilginx
## Overview
Evilginx is an open-source phishing tool, originally developed by Kuba Gretzky as a program to help cybersecurity teams test and improve their defenses against phishing attacks, particularly those leveraging Multi-Factor Authentication (MFA). After its public release, it was weaponized by criminal and nation-state actors for credential and session token theft.
## Technical Details
- Type: Tool (Phishing Framework)
- Platform: Not stated in the source; the tool proxies web (HTTP/HTTPS) traffic, so it runs wherever such proxying toward the genuine service is possible.
- Capabilities: Acts as a reverse proxy to intercept user credentials and bypass MFA by capturing session tokens mid-flight.
- First Seen: 2017
## MITRE ATT&CK Mapping
Based on capabilities (intercepting credentials/session tokens during phishing):
- **TA0001 - Initial Access**
- **T1566 - Phishing**
  - T1566.001 - Spearphishing Attachment (less direct, but a related vector)
  - T1566.002 - Spearphishing Link (primary use case, via tailored landing pages)
- **TA0006 - Credential Access**
- **T1555 - Credentials from Password Stores** (Session token capture is analogous to stealing stored credentials)
## Functionality
### Core Capabilities
- **Reverse Proxy Phishing:** Evilginx sets up a proxy server to impersonate legitimate login pages.
- **MFA Bypass:** It captures the authentication data passed between the victim and the legitimate service during the login process. Crucially, it intercepts the resulting session token, allowing the attacker to bypass subsequent checks.
- **Session Hijacking:** By acquiring the valid session token, the attacker can take over the user's session without needing the password or MFA code again.
### Advanced Features
- **Evilginx Pro:** A more complete version of the tool mentioned by the creator, with capabilities beyond the scaled-back public release.
- **Digital "Easter Eggs":** The creator inserted specific code into the later public release to allow researchers to spot its usage in the wild.
## Indicators of Compromise
*(Note: The context provides the existence of the tool but does not list specific IoCs like hashes or C2s. The following are placeholder categories based on the tool type.)*
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not typically a focus for proxy/framework tools unless being installed persistently]
- Network Indicators: [No specific domains provided in context; deployments rely on attacker-registered lookalike domains that impersonate the genuine login site]
- Behavioral Indicators: Lookalike domains that serve the genuine login page while relaying every request through an intermediate proxy; unusually frequent TLS certificate issuance for impostor domains.
## Associated Threat Actors
- Scattered Spider (Known for breaching MGM Resorts)
- Void Blizzard (Also known as Laundry Bear, a Russian espionage gang)
- Nation-state actors (General description of users)
## Detection Methods
*(Detection methods are inferred based on the tool's function as a reverse proxy framework)*
- Signature-based detection: Signature coverage on publicly known Evilginx payloads or configuration files (less effective against customized deployments).
- Behavioral detection: Monitoring for logins whose traffic is relayed through an unexpected external host rather than reaching the genuine service directly, especially when the intermediate or referring domain is a lookalike of the legitimate one.
- YARA rules: Rules targeting specific strings or structural elements known to reside within Evilginx source code or binary artifacts.
## Mitigation Strategies
- Prevention measures: Phishing-awareness training; hardware security keys (FIDO2/WebAuthn), which bind the credential to the genuine origin and so resist reverse-proxy phishing and token theft of the kind Evilginx performs.
- Hardening recommendations: Strict network egress filtering to limit unauthorized outbound proxy connections; Certificate Transparency monitoring for unexpected SSL/TLS certificates issued for the organization's domains or for lookalikes of them.
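The behavioral indicator above (frequent certificate issuance for impostor domains) and the Certificate Transparency monitoring recommendation can be turned into a simple check. The following is an added example, not code from the original page or from the Evilginx project; it assumes a protected brand domain `example-bank.com` and a constructed set of CT log entries in newline-delimited JSON, and flags logged names that embed, typo-squat or homoglyph-imitate the brand.

```python
import json
from difflib import SequenceMatcher

# Brand domains to protect (assumed example values, not from the original page).
PROTECTED_DOMAINS = ["example-bank.com"]

# Constructed CT log entries (not real CT data), one JSON object per logged leaf cert.
SAMPLE_CT_ENTRIES = """\
{"domain": "login.example-bank.com", "issuer": "Example CA"}
{"domain": "example-bank.com.secure-verify.net", "issuer": "Let's Encrypt"}
{"domain": "*.examp1e-bank.com", "issuer": "Let's Encrypt"}
{"domain": "example-banc.com", "issuer": "Let's Encrypt"}
"""

# Character sequences commonly swapped in for their ASCII look-alikes.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(name):
    """Lowercase, drop a wildcard prefix and any trailing dot."""
    name = name.lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def defold(name):
    """Map look-alike sequences back to the characters they imitate."""
    for glyph, plain in HOMOGLYPHS.items():
        name = name.replace(glyph, plain)
    return name

def classify(domain, protected):
    """Reason a CT-logged name looks like an impersonation of `protected`, else None."""
    domain = normalize(domain)
    if domain == protected or domain.endswith("." + protected):
        return None  # the organization's own certificate, expected
    if protected in domain:
        return "brand embedded in foreign domain"
    if defold(domain) == protected:
        return "homoglyph substitution"
    if SequenceMatcher(None, domain, protected).ratio() >= 0.85:
        return "near-identical lookalike"
    return None

def scan_ct_entries(raw_entries, protected_domains=PROTECTED_DOMAINS):
    """Parse newline-delimited JSON entries; return (domain, brand, reason) hits."""
    findings = []
    for line in filter(None, raw_entries.splitlines()):
        entry = json.loads(line)
        for protected in protected_domains:
            reason = classify(entry["domain"], protected)
            if reason:
                findings.append((normalize(entry["domain"]), protected, reason))
    return findings
```

In practice the entries would come from a CT log feed and each hit would be raised for takedown or blocklisting review; the similarity threshold is a tuning knob, not a fixed rule.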
## Related Tools/Techniques
- Other MFA bypass phishing toolkits (e.g., Modlishka, EvilProxy, Muraena).