Working on a BEC with an MFA bypass looking likely, and stumbled upon a common framework utilised for this attack – Evilginx
The creator of Evilginx shared an interesting demo of how easily you can be phished on LinkedIn, and the attack even bypasses MFA. These types of attacks are becoming increasingly popular. https://twitter.com/mrgretzky/status/1706735382698582026?s=56&t=-dkNDSDHEzyAagaVN0SDgA
This morning their updated Twitter post announced the upcoming Pro version. One of the features offered is the ability to bypass secret tokens. A secret token is an encrypted buffer holding telemetry data gathered from the client’s web browser. The telemetry data often holds the URL of the visited website, which in the case of a phishing website would hold the name of the attacker’s phishing domain. Once retrieved by the server, the token is decrypted and its content is analysed in search of anomalies that could indicate the sign-in originated from a reverse proxy server hosted on a different domain than the legitimate website. Read more about it here: https://breakdev.org/evilginx-pro-reveal/
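To make the server-side check described above concrete, here is an added example (not code from Evilginx, breakdev.org or this blog) of the defensive logic: the client seals a telemetry buffer, the server opens it and compares the embedded page URL against the legitimate sign-in hosts, and a mismatch is flagged as a possible reverse-proxy sign-in. The token format (HMAC-SHA256 keystream plus HMAC tag), the hostnames and the telemetry fields are all constructed stand-ins; the real vendors' formats are not on the page.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional
from urllib.parse import urlsplit

# Illustrative encrypt-then-MAC construction (assumption: a stand-in for the
# real encrypted telemetry buffer, whose format is not public on the page).
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of the requested length with HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_token(telemetry: dict, key: bytes) -> str:
    """Client side (constructed): serialise telemetry, encrypt, authenticate, base64-encode."""
    plaintext = json.dumps(telemetry, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def open_token(token: str, key: bytes) -> Optional[dict]:
    """Server side: verify the tag first, then decrypt and parse. None on any failure."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    try:
        return json.loads(plaintext.decode())
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


# Constructed allow-list of hosts on which the legitimate sign-in page is served.
LEGITIMATE_HOSTS = {"login.example.com", "www.example.com"}


def assess_sign_in(token: str, key: bytes, legitimate_hosts=LEGITIMATE_HOSTS) -> dict:
    """Decide whether the sign-in's telemetry is consistent with the legitimate origin.

    The anomaly the page describes is a page URL whose host is not the
    legitimate site, which is what a reverse proxy on another domain produces.
    """
    telemetry = open_token(token, key)
    if telemetry is None:
        return {"verdict": "block", "reason": "invalid_token", "host": ""}
    parts = urlsplit(telemetry.get("page_url", ""))
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return {"verdict": "block", "reason": "malformed_origin", "host": host}
    if host not in legitimate_hosts:
        return {"verdict": "block", "reason": "origin_mismatch", "host": host}
    return {"verdict": "allow", "reason": "origin_ok", "host": host}


if __name__ == "__main__":
    key = os.urandom(32)  # shared between the telemetry script and the server
    for url in ("https://login.example.com/signin",
                "https://login.example.com.lookalike.test/signin"):  # constructed hosts
        tok = seal_token({"page_url": url, "ua": "constructed-browser/1.0"}, key)
        print(url, "->", assess_sign_in(tok, key))
```

The order of checks matters: the tag is verified before anything is decrypted or parsed, so a token the attacker has tampered with is rejected as `invalid_token` rather than reaching the origin comparison, and an exact host match (not a substring match) is used so that a lookalike host that merely contains the legitimate name is still flagged.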
Looking like a very cool tool for red teamers.

MFA Bypass – how frameworks like Evilginx are giving threat actors the tools to succeed. – NPD4n6: Nicks DFIR blog