External Threat Management Labs

For Threat Actors, Shadow Z118 is the Kit That Keeps on Giving

For several years, researchers have tracked a phishing kit authored by an actor known as Shadow Z118. Unlike many traditional phishing kits designed only to steal credentials, a handful of the observed Shadow Z118 kits also steal victim identities and payment information, and even verify the legitimacy of entered credit information under the false pretext of verifying a user for "security purposes."

Shadow Z118 kits have been active since at least 2017, and Johannes B. Ullrich at SANS has analyzed them here. The kit's occasional focus on stealing a user's identity and credit information, known as 'Fullz,' sets it apart and has earned it a strong reputation as an effective solution for criminals.

Since the kit initially appeared, there have been multiple iterations, with many actors copying the original version to create unique variants. RiskIQ's threat research team analyzed several of these variants. In most cases, the phishing pages are constructed well and have multiple steps to trick users into a false sense of security.

During our analysis of Shadow Z118 kits on the Internet, RiskIQ's Internet Intelligence Graph uncovered a .zip file containing a Shadow Z118 PayPal phishing kit. Its functionality was similar to that observed in an analysis by PhishingKitTracker in March 2020, and one noted facet was the use of PHP session variables to achieve false legitimacy. For example, the kit sets session variables for the victim's entered location information and displays them later, when their account is "updated."

The kit capturing email credentials

This PayPal kit was hosted on 000Webhost, a free, shared hosting provider. Free hosting providers are a common source of phish kit deployments due to their ability to continuously host content without the need to compromise a site or verify anyone's identity. The kit our researchers analyzed also contains code for blocking known research companies and widely used user agents. 

Aside from the kit taking measures to deny specific IP ranges and common user agents, it also performs additional user enumeration, identifying the user's browser and host operating system. 

The Shadow Z118 kit is incredibly well-built, with meticulous attention to appearing credible. Beyond the sign-in phish, it has sections for the entire flow of data theft, moving on to pages for account billing update, card verification, and credit card update. If a user falls victim, entering their credentials and submitting their billing and credit card information, the attacker receives a nicely formatted email.

Rather than redirecting the victim to the authentic PayPal website, the kit's execution flow sends them to a page that thanks them for updating their details and displays those details back using the previously set session variables. Once a victim lands on the congratulations page and their information is displayed back, the phishing kit redirects the victim to the actual PayPal site after five seconds.
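The delayed hand-off described above is something a crawler can flag. The following is an added example, not code from the kit or from RiskIQ: it assumes the redirect is implemented as an HTML meta refresh (the article does not say how the kit does it), and the function names and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "paypal.com"  # the brand impersonated in the article

# Constructed sample of a "thank you" page; not taken from the kit.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5; url=https://www.paypal.com/signin">
</head><body>Thank you, your account has been updated.</body></html>"""

class _RefreshFinder(HTMLParser):
    """Collects (delay_seconds, target_url) from meta refresh tags."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.match(r"\s*(\d+)\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)",
                     a.get("content", ""), re.I)
        if m:
            self.refreshes.append((int(m.group(1)), m.group(2).strip()))

def _is_brand(host):
    """True only for the brand domain or its subdomains, not lookalikes."""
    host = (host or "").lower().rstrip(".")
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def delayed_brand_redirect(page_url, html, min_delay=1):
    """Return (delay, target) when a non-brand page waits, then sends the
    visitor to the real brand site; otherwise return None."""
    if _is_brand(urlparse(page_url).hostname):
        return None  # the brand redirecting to itself is not interesting
    finder = _RefreshFinder()
    finder.feed(html)
    for delay, target in finder.refreshes:
        if delay >= min_delay and _is_brand(urlparse(target).hostname):
            return (delay, target)
    return None

if __name__ == "__main__":
    print(delayed_brand_redirect("http://example-free-host.test/done.php", SAMPLE_HTML))
```

Legitimate merchants also send visitors to PayPal, so treat a hit as a triage signal to combine with other evidence, such as a sign-in form imitating the brand on the same host.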

You can see our full analysis of the kit here

Evolution Over Time

While the Shadow Z118 PayPal kit we discovered is robust in capability and in the types of data it steals, it is essential to note that phishing kits change over time. The original authors produce new kits, and the longer each kit is available, the more likely source code is leaked and distributed amongst other attackers. 

This dynamic leads to more significant changes to the kit, such as features added or removed, obfuscation added, and kits re-branded and sold as new versions by different authors, which we cover in more detail here. The Shadow Z118 PayPal kit is no exception. RiskIQ has observed several variants deployed in the wild on compromised and likely attacker-controlled websites. 

Using our datasets and crawling infrastructure, RiskIQ observed 1,658 hosts using the same JavaScript file as some Shadow Z118 phish kits. However, many of these sites appeared to be associated with other kits. 
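The over-matching described above, where one shared JavaScript file also appears on hosts running other kits, can be measured before a resource is trusted as a fingerprint. This is an added illustration, not RiskIQ's method or code: the crawl records, resource labels and confirmed-host set are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed crawl records: host -> resources seen on its pages.
# The labels stand in for content hashes; none is a real indicator.
CRAWL = {
    "host-a.test": {"js:shared", "css:kit-theme", "img:kit-logo"},
    "host-b.test": {"js:shared", "css:kit-theme"},
    "host-c.test": {"js:shared", "css:other-kit"},
    "host-d.test": {"js:shared", "css:other-kit"},
    "host-e.test": {"js:shared"},
    "host-f.test": {"css:unrelated"},
}
CONFIRMED = {"host-a.test", "host-b.test"}  # analyst-confirmed kit hosts (constructed)

def indicator_stats(crawl, confirmed):
    """Per resource: how many hosts carry it, and how many are confirmed."""
    if not confirmed:
        raise ValueError("need at least one confirmed host")
    hosts_by_res = defaultdict(set)
    for host, resources in crawl.items():
        for res in resources:
            hosts_by_res[res].add(host)
    stats = {}
    for res, hosts in hosts_by_res.items():
        hits = len(hosts & confirmed)
        stats[res] = {
            "hosts": len(hosts),
            "precision": hits / len(hosts),   # share of carriers that are the kit
            "recall": hits / len(confirmed),  # share of the kit's hosts covered
        }
    return stats

def pick_fingerprint(stats, min_precision=0.9, min_recall=1.0):
    """Keep only resources that are both specific to, and common across, the kit."""
    return sorted(r for r, s in stats.items()
                  if s["precision"] >= min_precision and s["recall"] >= min_recall)

def match(crawl, fingerprint):
    """Hosts carrying every resource in the fingerprint."""
    if not fingerprint:
        return []  # an empty fingerprint would match every host
    return sorted(h for h, res in crawl.items() if set(fingerprint) <= res)

if __name__ == "__main__":
    stats = indicator_stats(CRAWL, CONFIRMED)
    print(stats["js:shared"], pick_fingerprint(stats))
```

In this constructed data the shared script alone matches five hosts at 40% precision, while the selected fingerprint matches only the two confirmed ones.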

RiskIQ data allows us to fingerprint Shadow Z118 PayPal kits, highlight them, and identify variants as they appear. Our Internet Intelligence Graph gives security teams a universal view of the internet and is now detecting Shadow Z118 and its variants on a global scale.

RiskIQ gives our customers a full-stack view of their organization's attack surface and crawls of our customers' web properties, giving them insight into what's happening on a web server at any given time.

Visit our Threat Intelligence Portal for the full technical analysis of LogoKit and the criminal enterprise that makes and sells it, as well as more information about how RiskIQ is detecting this highly successful breed of phishing kit. To find out how RiskIQ can defend your organization's digital attack surface, get started today.
