# Foreword

This is a kit I have been tracking for some time now, and during that period have obtained dozens (if not hundreds) of copies, and detected thousands of deployments over the past few months.

This post will go into detail on how the kit works from both the attacker and victim perspective and highlight some interesting findings. At the end I have also included some common IoCs for FreakzBrothers kits and YARA rules you can utilise when doing your own threat hunting.

You may notice some similarities if you read my recent post on 16Shop, as FreakzBrothers (despite being a different kit) shares some resources and techniques. As such, some chunks of this post are lifted straight from the other post.

# Background

# What is FreakzBrothers?

FreakzBrothers is a popular "Phishing-as-a-Service" (PaaS) kit designed to let malicious actors quickly and easily set up believable phishing pages targeting several popular brands.

As these kits are provided as a service, the individuals buying and using FreakzBrothers do not need to be skilled, thus widening the net for potential customers.

FreakzBrothers appears to be sold and distributed via social media or private channels, which is a common tactic for phishing kits originating from SE Asia.

# Cracked versions

Unsurprisingly, in the criminal realm of phishing not everyone wants to pay for a service like FreakzBrothers; some instead simply "crack" the kit and remove any functions which serve to prevent unauthorised use.

FreakzBrothers does employ some basic methods to try to ensure users are authenticated and approved by the author. However, there are versions where these controls have been removed, which are then re-sold and distributed across multiple channels. Many cracked versions have also been completely re-branded to remove any association with FreakzBrothers, but the underlying code and functionality are the same.


# Analysis

We're going to be looking at a kit which is a few versions behind, but is still commonly seen being deployed. This particular kit targets Amazon, a popular "flavour" of FreakzBrothers. Other targets include Apple, PayPal, Netflix and, recently, USAA.

# Directory structure

# Evasion

FreakzBrothers utilises several methods to attempt to evade detection or scanning by bots. These methods include:

# .htaccess

Within several directories a specially made Apache .htaccess file redirects or blocks visitors based on attributes of the request. If the request appears to come from a known crawler, scanner or what would appear to not be a potential victim, it will redirect the browser to a legitimate URL.

# CrawlerDetect

CrawlerDetect is an open source PHP library which aims to identify and stop known bots/crawlers/spiders based on the User-Agent and From request headers.

# Antibot

Antibot is a popular service for many PaaS kits that deserves a deep-dive all of its own. The service provides an API which is queried with the visitor's IP. If the IP has been associated with a bot or a service which crawls for malicious sites, the kit blocks the request and presents the requester with a 403 HTTP response.

As you can see from the code below, taken from blocker2.php, it checks for the existence of an antibot.ini file which should (if the user has paid for the service) contain an API key. If the file exists, the function getUserIPszz() is called, which checks the IP against antibot and logs the details if it is blocked.


# Killbot

Killbot is a recent addition to some versions of FreakzBrothers and is running as a direct competitor to antibot, touting additional functionality and cheaper costs. Killbot is present within the kit we are looking at, however I will be producing a separate write-up on this soon.

# Proxyblock

FreakzBrothers also utilises some PHP code alongside a third-party API hosted by mind-media.com which checks the visitor's IP against a list of known proxy and VPN IP ranges. If there's a match, the visitor is presented with a 403 HTTP response and the details are logged.

# Parameters

FreakzBrothers can require a specific parameter as part of the GET request when navigating to the phishing URL. This means that unless you know the parameter specified by the kit owner you will be unable to even reach the phishing page.

This is covered in more detail below.

# Attack phase

Attacks generally originate from an email purporting to be from Amazon, asking the potential victim to check their account. Within these messages there will be a link to the malicious site, generally structured like https://fakeamazon.domain.com/?param, with the param being specified within the configuration of the kit if this option is enabled.

When clicking the URL and connecting to the site, the landing page (index.php) performs several checks depending on the kit configuration.

First of all, several other PHP files are included which import various functions and configuration options, then a check is performed to see if API keys are present for antibot or killbot. Additional PHP scripts are also included to check the visitor's IP against block lists, as well as to provide a "one time" function.


The file onetime.php includes several functions which, if enabled, ensure victims cannot visit the site again after entering their credentials.

Next, the user agent and the ISP of the requesting IP address are checked against a word list, which returns a 403 response or a redirect to amazon.com if there is a match.


The user agents and ISPs being blocked are commonly associated with web crawlers and VPS providers such as AWS and DigitalOcean. Any blocked request is then logged to block_bot.txt and total_bot.txt.

Access to the site can further be restricted via a "site password" or requiring a specific GET parameter.


If either of these options are enabled and the password/parameter is not correct, the visitor is redirected to amazon.com and the request logged within block_bot.txt and total_bot.txt.

If the request has provided the correct password or parameter, the visit is logged to log_visitor.txt and total_click.txt and the potential victim is then forwarded on to the first stage of the phishing attack.

$key is a SHA1 hash of a base64 encoded string consisting of the victim's IP and user agent.

At this point in the phish, if the visitor has been identified as:

  • Not a bot
  • Not coming from a blacklisted IP
  • Not using a proxy/VPN service
  • Has provided the correct "key"/parameter (generally by clicking on the URL from within a phishing email)

They will be forwarded on to the phishing page.
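To make the gate concrete, the following is an added emulation of the index.php checks described above, written for this post rather than taken from the kit. The block-list contents, the ISP lookup result, the choice of 403 versus redirect for a word-list hit, and the exact concatenation inside the $key derivation are assumptions; the order of checks and the log file names follow the text.

```python
"""Emulation of the FreakzBrothers landing-page gate (written for this post,
not the kit's own code). Word lists, the ISP lookup and the concatenation
order inside the visitor key are assumptions."""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed word lists standing in for the kit's own (which are longer).
BLOCKED_UA_WORDS = ["bot", "crawl", "spider", "curl", "wget", "python-requests", "scan"]
BLOCKED_ISP_WORDS = ["amazon", "digitalocean", "google", "microsoft", "ovh", "hetzner"]
BLOCK_LOGS = ["block_bot.txt", "total_bot.txt"]      # where refused requests are logged
ALLOW_LOGS = ["log_visitor.txt", "total_click.txt"]  # where accepted visits are logged


@dataclass
class KitConfig:
    get_param: Optional[str] = None      # required GET parameter; None = option disabled
    site_password: Optional[str] = None  # "site password"; None = option disabled
    redirect_url: str = "https://www.amazon.com/"


@dataclass
class Visit:
    ip: str
    user_agent: str
    isp: str                              # what the kit's IP-to-ISP lookup would return
    query_params: Set[str] = field(default_factory=set)
    password: Optional[str] = None


@dataclass
class Decision:
    action: str                           # "403", "redirect" or "allow"
    logs: List[str]
    key: Optional[str] = None             # set only on "allow"


def visitor_key(ip: str, user_agent: str) -> str:
    """SHA1 over a base64-encoded IP + user agent string, as the post describes.
    Assumption: plain concatenation with no separator."""
    encoded = base64.b64encode((ip + user_agent).encode("utf-8"))
    return hashlib.sha1(encoded).hexdigest()


def gate(visit: Visit, cfg: KitConfig, onetime_ips: Set[str],
         ua_words=BLOCKED_UA_WORDS, isp_words=BLOCKED_ISP_WORDS) -> Decision:
    """Run the checks index.php performs before a visitor reaches the phish."""
    # onetime.php: an IP that already submitted (or was banned) is refused outright.
    if visit.ip in onetime_ips:
        return Decision("403", BLOCK_LOGS)
    # User agent and ISP word lists: crawlers, scanners and VPS providers.
    # (Some versions redirect to amazon.com here instead of returning 403.)
    ua, isp = visit.user_agent.lower(), visit.isp.lower()
    if any(w in ua for w in ua_words) or any(w in isp for w in isp_words):
        return Decision("403", BLOCK_LOGS)
    # Required GET parameter and site password: wrong or missing means a redirect.
    if cfg.get_param is not None and cfg.get_param not in visit.query_params:
        return Decision("redirect", BLOCK_LOGS)
    if cfg.site_password is not None and visit.password != cfg.site_password:
        return Decision("redirect", BLOCK_LOGS)
    # Everything passed: log the visit and hand the victim a per-visitor key.
    return Decision("allow", ALLOW_LOGS, visitor_key(visit.ip, visit.user_agent))
```

The practical consequence for a hunter is visible in the order of the checks: a scanner running from a cloud provider is refused on the ISP word list before the parameter is ever looked at, so a probe from AWS or DigitalOcean with a bare URL tells you nothing about whether a parameter is required.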

# Amazon credentials

The first stage phishing page presented to the user is an exact clone of Amazon's own "sign in" page.


Depending on the OS of the device connecting to the page, the potential victim may instead be presented with a mobile view of the page. We will be following these steps from a desktop OS however.


After supplying credentials and clicking submit, the information is posted to login.php where several checks are made before proceeding.


These functions check that the provided email address and password are of sufficient length, and if the email provided is empty or belongs to a temporary mail service, the visitor's IP is added to onetime.dat, after which onetime.php prevents them from visiting the site again.

If the information provided by the victim passes these checks, it is collated and submitted to the exfil email address set by the owner of the deployment. The message would appear as below:

```text
++++++++++++++++++++++++[ FREAKZBROTHERS V2.0 ]+++++++++++++++++++++++++++
+--------------------------[ AMAZON ACCOUNT ]-------------------------+
# ACCOUNT        : ".$_POST['emailLogin']."
# PASSWORD       : ".$_POST['passwordLogin']."
+--------------------------[ PC INFORMATION ]-------------------------+
# IP ADDRESS     : ".$ip."
# ISP            : ".$ispuser."
# REGION         : ".$regioncity."
# CITY           : ".$citykota."
# CONTINENT      : ".$continent."
# TIMEZONE       : ".$timezone."
# DATE           : ".$date."
# USER AGENT     : ".$user_agent."
++++++++++++++++++++++++[ FREAKZBROTHERS V2.0 ]+++++++++++++++++++++++++++
```

The IP of the victim is also logged to total_login.txt before the victim is directed to locked.php.

At this stage depending on configuration, the victim is informed their account has been locked, is suspended or needs to confirm an invoice, and that they are required to enter further information in order to resolve the issue.

Account locked message, one of multiple potential warnings the victim will get

At this stage, when clicking "continue" the victim will either be directed straight to entering billing information, or if enabled, prompted to confirm their email credentials.


In this instance, get_email is set to IYA so we are directed to a copy of our mail provider's login portal.

# Email Credentials

The login_email.php file then determines which resources to load depending on the result of a regex match against the provided email address.

Code which determines which fake email sign-in portal to present

If there is no match (as in someone entered an email address associated with a domain not listed above), they are directed straight to the billing information stage.

In this example I entered a fake Gmail address, as such I have been directed to a fake Google account sign in page.


After the victim enters their email credentials, the password is stored within the $_SESSION variable for later retrieval. The victim is then redirected back to an Amazon themed page and prompted for further information.

# Billing Information

The PHP file billing.php is called and presented to the victim. This form requests their billing information in order to "verify" their account. It supports auto fill as well as providing drop-down options for the country.


Once all the fields have been populated this information is submitted via POST to card.php and the victim is taken to the next stage.

# Credit Card Information

All the information provided so far is POSTed to this PHP file and saved to the $_SESSION variable.


Note there are some fields we have not encountered in this process (e.g. Passport information, citizen ID etc), this appears to be version/region specific.

This next page asks the victim to enter their credit card information to continue verification. Again, these forms support auto fill.


Once the victim has entered their card information, they may be asked to enter it for a second time depending on the configuration the threat actor has set. If double_cc is enabled, they will receive the below prompt and have to re-enter their details.


This information is then sent via POST to updateBilling.php where several checks are then performed to validate the input from the victim.


In this block of code, the entered information is checked and the following outcomes may occur:

  1. If the credit card number was blank, add the user to onetime.dat and respond with a 403
  2. If a credit card number is present, call validate_card(), which performs a simple regex check to determine the card type (VISA, Mastercard, etc.)
  3. If the expiry year is less than 2019, add the user to onetime.dat and respond with a 403
  4. If the expiry month is greater than 12, add the user to onetime.dat and respond with a 403
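The submission checks from login.php (empty or throwaway email, short input) and the four updateBilling.php outcomes above share one pattern: a bad submission bans the IP in onetime.dat and answers 403. The block below is an added emulation of both, written for this post and not the kit's code. The scheme regexes, the "sufficient length" thresholds, the temporary-mail domain list and the handling of non-numeric expiry values are assumptions; the post does not say what happens when validate_card() recognises no scheme, so that case is passed through here.

```python
"""Victim-input validation as the post describes it for login.php and
updateBilling.php (emulation written for this post, not the kit's code).
Regexes, length thresholds and the temp-mail list are constructed assumptions."""
import re
from typing import Dict, Optional, Set, Tuple

# Scheme patterns of the kind a "simple regex check" would use (constructed).
CARD_SCHEMES = {
    "VISA": re.compile(r"^4[0-9]{12}(?:[0-9]{3})?$"),
    "MASTERCARD": re.compile(r"^(?:5[1-5][0-9]{14}|2(?:22[1-9]|2[3-9][0-9]|[3-6][0-9]{2}|7[01][0-9]|720)[0-9]{12})$"),
    "AMEX": re.compile(r"^3[47][0-9]{13}$"),
    "DISCOVER": re.compile(r"^6(?:011|5[0-9]{2})[0-9]{12}$"),
}
MIN_EXPIRY_YEAR = 2019                      # the hard-coded floor described in the post
MIN_EMAIL_LEN, MIN_PASSWORD_LEN = 6, 6      # assumed "sufficient length" thresholds
TEMP_MAIL_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com", "yopmail.com"}  # constructed

Outcome = Tuple[str, Optional[str]]         # ("403" | "reject" | "accept", detail)


def ban(onetime_ips: Set[str], ip: str, reason: str) -> Outcome:
    """Add the IP to onetime.dat and answer 403; onetime.php then refuses every later visit."""
    onetime_ips.add(ip)
    return ("403", reason)


def validate_card(number: str) -> Optional[str]:
    """Scheme detection by regex alone (no Luhn check), which is all the kit's check does."""
    digits = re.sub(r"[\s-]", "", number)
    for scheme, pattern in CARD_SCHEMES.items():
        if pattern.match(digits):
            return scheme
    return None


def check_login(post: Dict[str, str], onetime_ips: Set[str]) -> Outcome:
    """login.php: empty or throwaway addresses get the IP banned; short input is just rejected."""
    email = post.get("emailLogin", "").strip()
    password = post.get("passwordLogin", "")
    ip = post["ip"]
    if not email or "@" not in email:
        return ban(onetime_ips, ip, "empty email")
    if email.rsplit("@", 1)[1].lower() in TEMP_MAIL_DOMAINS:
        return ban(onetime_ips, ip, "temporary mail service")
    if len(email) < MIN_EMAIL_LEN or len(password) < MIN_PASSWORD_LEN:
        return ("reject", "input too short")
    return ("accept", email)


def check_card(post: Dict[str, str], onetime_ips: Set[str]) -> Outcome:
    """updateBilling.php: the four outcomes listed in the post, in the order given.
    Field names (ccno, exp_bulan = month, exp_tahun = year) are the kit's own."""
    ip = post["ip"]
    ccno = post.get("ccno", "").strip()
    if not ccno:
        return ban(onetime_ips, ip, "blank card number")
    scheme = validate_card(ccno)            # unknown scheme: not specified by the post, passed through
    try:
        year = int(post.get("exp_tahun", "0"))
        month = int(post.get("exp_bulan", "0"))
    except ValueError:                      # assumption: treat garbage expiry like a bad value
        return ban(onetime_ips, ip, "non-numeric expiry")
    if year < MIN_EXPIRY_YEAR:
        return ban(onetime_ips, ip, "expiry year before %d" % MIN_EXPIRY_YEAR)
    if month > 12:
        return ban(onetime_ips, ip, "expiry month above 12")
    return ("accept", scheme or "UNKNOWN")
```

Note that the checks are purely syntactic: a number that matches a scheme prefix and length passes, so the kit happily accepts (and emails the actor) card data that fails Luhn.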

All data entered so far is then collated into another email, enriched with issuer and carrier lookups ($bin and $phone in the template below), which is sent to the exfil email address set within the kit configuration.

```text
++++++++++++++++++++++++++++[ FREAKZBROTHERS ]+++++++++++++++++++++++++++
++-------------------------[ AMAZON ACCOUNT ]------------------------++
# Email                   : ".$_SESSION['email']."
# Password                : ".$_SESSION['password']."
++--------------------------[ CREDIT CARD ]--------------------------++
# Bank                    : ".$bin["bank"]["name"]."
# Type                    : ".strtoupper($bin["scheme"])." - ".strtoupper($bin["type"])."
# Level                   : ".strtoupper($bin["brand"])."
# Card Holder             : ".$_POST['ccname']."
# Card Number             : ".$_POST['ccno']."
# Expire Date             : ".$_POST['exp_bulan']."/".$_POST['exp_tahun']."
# Cvv                     : ".$_POST['cvv']."
# Amex CID                : ".$_POST['cid']."
# Account Number          : ".$_POST['acno']."
# Sort Code               : ".$_POST['sortcode']."
# Credit Limit            : ".$_POST['climit']."
# For Check               : ".$_POST['ccno']."|".$_POST['exp_bulan']."|".$_POST['exp_tahun']."|".$_POST['cvv']."
++-----------------------------[ VBV JP ]---------------------------++
# Card Password           : ".$_POST['passjp']."
# Web ID                  : ".$_POST['cardid']."
++-----------------------------[ BILLING ]--------------------------++
# Full Name               : ".$_SESSION['fullname']."
# Address                 : ".$_SESSION['address']."
# City                    : ".$_SESSION['city']."
# State                   : ".$_SESSION['state']."
# Zip                     : ".$_SESSION['zipcode']."
# Country                 : ".$_SESSION['country']."
# DOB                     : ".$_SESSION['dob']."
# Phone Number            : ".$_SESSION['phone']."
# Phone Carrier           : ".$phone['carrier']."
++----------------------------[ OTHER INFO ]-----------------------++
# ID Number               : ".$_SESSION['numbid']."
# Civil ID                : ".$_SESSION['civilid']."
# Qatar ID                : ".$_SESSION['qatarid']."
# National ID             : ".$_SESSION['naid']."
# Citizen ID              : ".$_SESSION['naid']."
# Passport Number         : ".$_SESSION['passport']."
# Bank Access Number      : ".$_SESSION['bans']."
# Social Insurance Number : ".$_SESSION['sin']."
# Social Security Number  : ".$_SESSION['ssn']."
# OSID Number             : ".$_SESSION['osidnumber']."
++----------------------------[ DEVICE INFO ]----------------------++
# IP Address              : ".$ip."
# ISP                     : ".$ispuser."
# Region                  : ".$regioncity."
# City                    : ".$citykota."
# Continent               : ".$continent."
# Time Zone               : ".$timezone."
# OS/Browser              : ".$os." / ".$br."
# Date                    : ".$date."
# User Agent              : ".$user_agent."
++++++++++++++++++++++++++++[ FREAKZBROTHERS ]+++++++++++++++++++++++++++
```

At this point the victim's IP is also logged to total_cc.txt and total_bin.txt.

The final step of this PHP script is to determine the next stage for the victim depending on the configuration.


In our example, get_bank is set to "Yups" so we are directed to bank.php.

# Bank Account Information

The next stage of the attack asks the victim to verify their bank account information by populating the below form.


This information is then submitted via POST to bank_acc.php and some code is executed based on the inputted data.


This code checks if any of the form fields were empty, and if they were it adds the IP of the victim to onetime.dat and responds with a 403, meaning the victim will then be unable to visit the site again.

The victim's information is then collated into another email message to the exfil email address:

```text
+++++++++++++++++++++++++[ FREAKZBROTHERS ]+++++++++++++++++++++++
++-----------------------[ BANK ACCOUNT ]----------------------++
# Bank Account Name      : ".$_POST['bankname']."
# Bank Account Username  : ".$_POST['bankuser']."
# Bank Account Password  : ".$_POST['bankpass']."
# Bank Routing Number    : ".$_POST['routing']."
# Bank Account Number    : ".$_POST['accountnumber']."
# PIN Number             : ".$_POST['pin']."
++------------------------[ DEVICE INFO ]----------------------++
# IP Address             : ".$ip."
# ISP                    : ".$ispuser."
# Region                 : ".$regioncity."
# City                   : ".$citykota."
# Continent              : ".$continent."
# Time Zone              : ".$timezone."
# OS / Browser           : ".$os." / ".$br."
# Date                   : ".$date."
# User Agent             : ".$user_agent."
++++++++++++++++++++++++++[ FREAKZBROTHERS ]++++++++++++++++++++++
```

The victim's IP is then logged to total_bank.txt and the victim is directed to either verify_credit.php or done.php depending on configuration.


# Photos

If get_photo is set to "Oks" then the victim is prompted to upload a photo of their card as another form of verification. This process exists in all known kits but the design differs depending on the targeted brand.


Once the images are selected and the victim clicks update, they are processed by submit_upload_cc.php, where the content-type is checked and the files are stored within a directory called upload or uploads. Copies of these images are also sent to the threat actor via email as attachments.

# Completion

At this point each phase of the phish has been completed and the victim is directed to done.php, informing them that their "account has been recovered".


Then the victim is redirected to a legitimate Amazon sign in page.

# Admin Panel

# Logging in

Over time the admin panel for FreakzBrothers has had a few iterations, with the "nerdface" (thanks @dave_daves) design having been replaced for some time. Recently however it seems the majority of kits have this login panel design instead, opting for the cartoon image which appears to originate from creative-tim.com. The likely explanation is simply that the kit author took a template design from that source, leaving the default images and icons in place.

"FreakzBrothers X Amazon" panel (left), "Nerdface" panel (right)

The panel is generally located at /admin/login.php. All panels prompt the user for an email address and password, which upon entry are checked against a Firebase instance under the control of the author of FreakzBrothers.

Firebase config viewable within source of page

Request made to Firebase instance (left), Error when entering incorrect details (right)

If the credentials are valid the user is then taken to the dashboard where they can administer the deployment or check recent activity.

This authentication also serves as a form of ensuring the user is "licensed" to use the kit, in an effort to keep distribution and use under the control of the original author.

# Obfuscation

The kit in and of itself does not contain much in the way of obfuscation apart from the script under /admin/login.php. The code within this file has been processed by the now defunct MessPHP in order to dissuade alteration, however it is fairly trivial to get around this.

Obfuscated (left), Deobfuscated (right)

Deobfuscating the PHP code of the login page reveals a hidden token form which allows bypassing the username/password fields by entering a key defined in /admin/vendor/config.php.

Hidden token form

# Dashboard

Once authenticated the dashboard provides an overview of recent activity, statistics of victims and access to configuration data, antibot/killbot settings and the ability to reset local logs.


The statistic widgets contain a total count of entries from the appropriate logs. The visitor log section also contains an output of recent visits including timestamps, IP, country and OS information.

These log files (similarly to 16Shop) are also exposed, allowing anyone to view the contents.

  • log_visitor.txt Contains IP and OS info of the victim, as well as a timestamp for each stage of the phish they reached
  • total_bank.txt IP of victims who enter bank account credentials
  • total_bin.txt BIN number and OS of victims which entered bank details
  • total_bot.txt IP of any suspected bots which have been blocked
  • total_cc.txt IP of each victim which entered CC info
  • total_click.txt IP of anyone who accessed the phishing page with the correct GET parameter
  • total_email.txt IP of each victim which entered email credentials
  • total_login.txt IP of each victim which submitted credentials
  • total_photocc.txt IP of victims which uploaded CC photos
  • total_photoid.txt IP of victims which uploaded photo ID
  • total_vbv.txt IP of victims which passed "3D Secure" process

An exposed log_visitor.txt file
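Because the log files sit in the web root with predictable names, checking whether a suspected deployment exposes them is a cheap confirmation step. The script below is an added example written for this post (not part of the kit or any tool the post mentions). It requests each log name listed above, treats a 200 that stayed on the kit's host and contains plain text as exposed, and counts lines per file. The fetch function is injectable so the logic can be exercised against constructed responses; the browser-like User-Agent is an assumption made because the kit refuses scanner agents.

```python
"""Probe a suspected FreakzBrothers deployment for exposed log files.
Written for this post, not part of the kit; fetch is injectable for offline use."""
from typing import Callable, Dict, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin, urlparse
from urllib.request import Request, urlopen

# The file names the post lists as exposed on deployments.
LOG_FILES = [
    "log_visitor.txt", "total_bank.txt", "total_bin.txt", "total_bot.txt",
    "total_cc.txt", "total_click.txt", "total_email.txt", "total_login.txt",
    "total_photocc.txt", "total_photoid.txt", "total_vbv.txt",
]
# The kit refuses scanner user agents, so look like a browser (assumed value).
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36")

FetchResult = Tuple[Optional[int], str, str]   # (status, final URL after redirects, body)
Fetcher = Callable[[str], FetchResult]


def http_fetch(url: str, timeout: float = 10.0) -> FetchResult:
    """Plain GET; status None on connection failure. Redirects are followed so the
    final URL reveals a bounce to the legitimate brand site."""
    req = Request(url, headers={"User-Agent": BROWSER_UA})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.geturl(), resp.read(1 << 20).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, url, ""
    except URLError:
        return None, url, ""


def is_exposed_log(base_url: str, status: Optional[int], final_url: str, body: str) -> bool:
    """A 200 that stayed on the kit's host and is not an HTML page. A blocked request
    is redirected to amazon.com, which also answers 200, hence the host comparison."""
    if status != 200 or not body.strip():
        return False
    if urlparse(final_url).netloc != urlparse(base_url).netloc:
        return False
    return "<html" not in body[:512].lower()


def probe_exposed_logs(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, int]:
    """Return {log name: non-empty line count} for every exposed log under base_url."""
    root = base_url if base_url.endswith("/") else base_url + "/"
    found: Dict[str, int] = {}
    for name in LOG_FILES:
        status, final_url, body = fetch(urljoin(root, name))
        if is_exposed_log(base_url, status, final_url, body):
            found[name] = sum(1 for line in body.splitlines() if line.strip())
    return found


def victim_funnel(found: Dict[str, int]) -> Dict[str, int]:
    """How far victims got, treating each line of the per-stage IP logs as one entry."""
    stages = [("clicked", "total_click.txt"), ("submitted_login", "total_login.txt"),
              ("submitted_card", "total_cc.txt"), ("submitted_bank", "total_bank.txt")]
    return {stage: found.get(name, 0) for stage, name in stages}


if __name__ == "__main__":
    import sys
    hits = probe_exposed_logs(sys.argv[1])
    print(hits)
    print(victim_funnel(hits))
```

Run it from a residential or otherwise non-cloud address: as the evasion section explains, a request from a VPS provider's range is refused on the ISP word list before any file is served, and a 403 there says nothing about whether the logs are exposed.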

# Settings

This page contains the configuration data for the deployment, which is pulled from main.php as well as giving the capability to change it on the fly. Entering or selecting the new option and clicking on save updates the config, with these changes also reflected in main.php.


# Antibot

This page allows for entry of antibot/killbot API keys. Pasting keys in to the appropriate input and clicking update will test the key and then enable functionality of antibot or killbot checks against IP addresses accessing the site.


# Vulnerabilities

FreakzBrothers kits (in all versions I have looked at) contain the same set of vulnerabilities, which allow full access to the panel and settings page without any authentication. As such, anyone could theoretically "take over" a deployment and divert credentials to a mailbox under their control.

It would also be possible for someone to simply script this process, deleting the exfil email address every time it is updated so no credentials are ever sent to the attacker, or changing the required parameter whenever the attacker sets it back so potential victims clicking on the phishing URL can't even reach the phish.

I don't know who would do that though. 🙃

There are also other vulnerabilities which exist in some versions of FreakzBrothers (including cracked versions) which are much more serious, however I will not be sharing details of these.

# Indicators

Below are some IoCs commonly associated with FreakzBrothers, along with some YARA rules I have written which can be used to scan any kits you may have for identification.

# Hashes

Below are some common SHA-256 hashes for FreakzBrothers kit zip files in their various forms and versions. This also includes commonly found cracked kits which have been re-branded.


# IP Addresses

These IPs have been commonly associated with FreakzBrothers deployments and should be treated with suspicion. Some are also associated with dynamic DNS providers.

# YARA Rules

These rules can be run against zip files or any repository of phishing kit zips to identify whether they contain common artefacts of FreakzBrothers kits. Because a zip archive stores each entry's name uncompressed in its local file header and central directory, the directory and file names below match directly against the archive without extracting it. The generic rule aims to capture any FreakzBrothers kit including cracked versions, whereas the specific rules identify FreakzBrothers kits based on their targeted brand.

```yara
rule PhishKit_FreakzBrothers
{
    meta:
        description = "Generic rule for FreakzBrothers kits"
        author = "@sysgoblin"
        date = "2020-07-18"
        reference = ""

    strings:
        $zip = { 50 4b 03 04 }
        $dir1 = "admin"
        $dir2 = "result"
        $conf_file1 = "conf.php"
        $conf_file2 = "config.php"
        $file1 = "setting.php"
        $file2 = "antibot.php"
        $file3 = "paper-dashboard.scss"

    condition:
        uint32(0) == 0x04034b50 and
        $zip and
        all of ($dir*) and
        1 of ($conf_file*) and
        all of ($file*)
}

rule PhishKit_FreakzBrothers_Amazon
{
    meta:
        description = "Rule for FreakzBrothers kits targeting Amazon"
        author = "@sysgoblin"
        date = "2020-07-18"

    strings:
        $zip = { 50 4b 03 04 }
        $dir1 = "admin"
        $dir2 = "result"
        $conf_file1 = "conf.php"
        $conf_file2 = "config.php"
        $file1 = "setting.php"
        $file2 = "antibot.php"
        $file3 = "paper-dashboard.scss"
        $file4 = "amazon.png"

    condition:
        uint32(0) == 0x04034b50 and
        $zip and
        all of ($dir*) and
        1 of ($conf_file*) and
        all of ($file*)
}

rule PhishKit_FreakzBrothers_Apple
{
    meta:
        description = "Rule for FreakzBrothers kits targeting Apple"
        author = "@sysgoblin"
        date = "2020-07-18"

    strings:
        $zip = { 50 4b 03 04 }
        $dir1 = "admin"
        $dir2 = "result"
        $conf_file1 = "conf.php"
        $conf_file2 = "config.php"
        $file1 = "setting.php"
        $file2 = "antibot.php"
        $file3 = "paper-dashboard.scss"
        $icon1 = "icloud_icon.png"
        $icon2 = "app-small.svg"

    condition:
        uint32(0) == 0x04034b50 and
        $zip and
        all of ($dir*) and
        1 of ($conf_file*) and
        all of ($file*) and
        ($icon1 or $icon2)
}

rule PhishKit_FreakzBrothers_PayPal
{
    meta:
        description = "Rule for FreakzBrothers kits targeting PayPal"
        author = "@sysgoblin"
        date = "2020-07-18"

    strings:
        $zip = { 50 4b 03 04 }
        $dir1 = "admin"
        $dir2 = "result"
        $dir3 = "security"
        $dir4 = "myaccount"
        $conf_file1 = "conf.php"
        $conf_file2 = "config.php"
        $file1 = "setting.php"
        $file2 = "antibot.php"
        $file3 = "paper-dashboard.scss"
        $file4 = "user.dat"

    condition:
        uint32(0) == 0x04034b50 and
        $zip and
        all of ($dir*) and
        1 of ($conf_file*) and
        all of ($file*)
}
```

# Feeds

For a feed of recent FreakzBrothers detections and exfil emails, check out the API over at phishingreel.io

# Credits

