Researchers have found that China-based Fangxiao group that created over 42,000 web domains laced with Triada trojan, which are exclusively used for phishing. The sophisticated, large-scale phishing campaign exploits the reputation of international, trusted brands, and targets businesses in multiple verticals including retail, banking, travel, pharmaceuticals, travel and energy, said a Cyjax whitepaper on the threat actor.
“We are tracking the threat actors behind this campaign as Fangxiao. We have assessed with high confidence that this group is based in China, and we have identified activity dating back to 2017 over more than 42,0000 domains, allowing us to observe its development,” said the whitepaper.
Mode of operation of the phishing gang
Users are baited using WhatsApp messages that contain phishing links. The messages speak about a special offer or an announcement that the user has won a prize. They are then asked to answer a survey that features a timer to further rush them into acting fast.
After completing the survey, users are asked to download an application that they need to leave open for nearly 30 seconds. In these 30 seconds, it is suspected that the user is registered by Fangxiao marking them as referrals. The fake domains impersonate well-known brands to cheat users such as Coca-cola, McDonald’s, Knorr, Unilever, Emirates, and so on. This phishing campaign also updates its maneuvers by using relatable events or happenings such as COVID-19 to create fake websites in the name of relief funds.
“Fanxgiao uses various strategies to maintain anonymity: most of its infrastructure is protected behind CloudFlare, and domain names are changed regularly and quickly: on one day in October 2022 alone, the group used over 300 new unique domains,” wrote Cyjax researchers Emily Dennison and Alana Witten in a briefing of the threat.
Origins of the cybercrime group
Fangxiao means ‘imitate’ in Chinese. A page that users end up being directed to also features advertisements from ylliX which is marked as suspicious by Google. Clicking on the ylliX page also creates a series of redirects. These redirects alter themselves depending on the location of the user. At this stage, the Triada trojan can steal login data, banking credentials, and browser history among others.
Our study included searches on Shodan to deanonymize some of the domains, finding IPs and allowing us to bypass some of Cloudflare’s restrictions; we were then able to identify the IP address hosting a Fangxiao site that had been online since at least 2020. Browsing to this service showed us a page written in Mandarinm,” the researchers wrote in the threat briefing.
“In addition, analysis of the Fangxiao TLS certificates provided an interesting insight into the behaviour of the group, further backing up our conviction that it is based in China. However, its use of WhatsApp implies targeting outside of China as the messaging service is banned by China’s Communist Party.
However, is not confirmed if the campaign is run entirely by Fangxiao or if it is merely acting as a collaborator with other sites for generating profit and traffic, added the whitepaper.