
Today we have with us Justin Suka, and he's going to be presenting "My First Phish: The Saiga Saga". >> Thank you. It's good to see so many people turned out after last night's party, and I'll try and make this quick so we can get out to lunch or, based on how everyone looks, back to the room to have a nap. So my name is Justin Soya and I currently work as a security engineer at Red Piranha. It's a bit of a generic title, but simply put, I get to do some pretty cool stuff: everything from hacking to defending to the more boring stuff like writing reports or attending meetings. I have a bachelor's degree in IT and
network security. I don't have any certs. Cyber security has been a bit of a passion of mine for the last 15 years. I might say passion, but at this point it's definitely more like a healthy addiction. Outside of work, I spend far too much time participating in CTF competitions, solo of course, because I'm not a team player. I've been doing them for four years now, so at this point it doesn't make sense to do it with someone else. So this talk will be coming from the context of the first phishing investigation I had been a part of since working in security. But this does not necessarily mean the actual content of the talk will
be beginner friendly, so there'll be a bit of assumed knowledge. If there's anything you don't understand, feel free to ask me at the end. In this talk I'll be speaking to you about a phishing investigation we conducted at Red Piranha into a previously unknown phishing-as-a-service group, which, upon publishing our research, abandoned their entire operation within a couple of days. So I'll be going through some of their code, some OPSEC failures, and a bit of a dive into who they are and how they operated. They unfortunately spun up a new group about two months later, but I'll go into this a bit later. Before getting into the investigation,
I'll be starting off with some discussion about phishing and some annoyances I've had with the cyber threat marketing... oops, I mean intelligence industry. I kind of get those mixed up a bit. Then I'll go into the main topic, which is of course a group known as Saiga, and then I'll finish things off with key takeaways. I don't have a dedicated section for tips and advice; most of these will be random and unorganized, kind of like my ADHD brain. And a bit of a disclaimer: if you're investigating some kind of threat, whether it be phishing, malware, or other threat actors, ensure that your OPSEC is in check and be safe. And remember, hacking
is still hacking, so don't take your investigation too far. So this is the schedule.
This section will be split into two parts. First up will be phishing, and then I'll go through CTI a little bit. It's mostly just a bunch of random thoughts, and I won't be explaining what phishing is. If you don't know what this is, you are at BSides; I don't know how you slipped past security. So you might be thinking, "I know how to spot a phish. There's no way I've fallen for some silly phishing campaign. I know everything I need to look out for." Typos and bad spellings are a thing of the past. Welcome to the future of AI. Maybe you know the greeting. If you got an email like this, chances are you're not
the only target and you're one of the tens or hundreds of thousands of people who got the same email. These types of campaigns are often low skill with a low success rate. Some groups are using somewhat of a partially automated spear phishing, which can automatically generate the content of the emails based on a list of emails or information from lead generation services, and can automatically add company logos and so on. So the same minimal effort, but with a much higher success rate. "This email is safe. I always check with VirusTotal." It's easy to get zero detections with a bit of encoding, a mix of crypto, and a sprinkle of XOR. Static testing will almost always fail
when it comes to this type of code. Dynamic or behaviour testing has a slightly higher success rate, but it's still not a guarantee. So for example, maybe the initial email is safe, but it just has a link or a QR code. How many redirections are there, and how many of these redirection domains or services are trusted? The actual phishing page could be several redirections deep, and if there's a captcha anywhere along the way, that's going to make it a lot harder for automated tools. Speaking of VirusTotal or public submission sites, I hope you stripped out your email headers before uploading, because if not, congrats: you've just made your email and potentially sensitive
information public. And if you're investigating some kind of threat, you've likely just tipped off the adversary. If there's no public information about a threat, you need to take extra precautions to ensure that they don't know that you're investigating them. Threat actors Google themselves just as much as you do, so if it's public, there's a pretty good chance they'll know about it. "Adversary-in-the-middle is so old. I use phishing-resistant MFA, so even if I click the link, there's no way they can get into my account." It's been around for a while, but considering almost all modern phish kits use some form of this, it kind of shows
how effective it is. But congrats for setting up this good MFA. Did you disable the bad MFA and enforce the good MFA, or can you simply use your password instead of the passkey? And more importantly, did you test it? Conditional access policies are kind of complicated, so ensure that you set these up properly. But don't ask me, that's not my job.
So when it comes to CTI, as when it comes to investigation, how deep is too deep? "Someone else can investigate." By who? If everyone's simply posting their IOCs without some kind of investigation, then what is this really helping with? [clears throat] Domains and infrastructure can be spun up in minutes, so this does not really slow them down. "Who cares about providing useful intelligence? It's not important." Writing an article about an emerging threat with no information about that threat, and instead adding a message "IOCs are on our platform, sign up now": is that threat intelligence? No, that's marketing. That doesn't help anyone but yourself. If all the big players in this space can
do proper threat reports with IOCs, then why can't you? So, is a screenshot of a hack forum post CTI? No. As someone defending, what are we supposed to do with a screenshot, especially when that screenshot's redacted? So we have to try and find that initial post, just to find out that this group hasn't even started this operation yet; they're just looking for beta testers. So that's not useful. Get AI slop out of here. This is directed at you: vendors, students, or anyone else. This makes our job harder because we're pretty much forced to see through this nonsense that's often filled with hallucinations or false information. That's not to say AI can't be useful with CTI. It can be. It can help a bit,
but just not in the threat reports. AI slop is good for product reviews, recipes, or summarizing AI-summarized articles, but threat intelligence is not one of those places. "Going deep never results in anything good." But how do you know unless you try? If every company spent that extra 30 minutes just going a little bit deeper, it would make quite a bit of a difference. You don't need to be a security company or threat intel company; anyone can do it. And you never know, maybe what you provide will be the missing piece of the puzzle. Maybe it's the first instance of a new campaign starting up. Maybe the threat actor screwed up with their OPSEC and it's
the one time they made that mistake. So to summarize, good CTI is actionable, meaning the information you provide is usable or can be acted upon to help us defend against the threat; reproducible, as someone else is able to pick up the investigation from where you finished without having to start over from scratch; and useful: it contains more than just a list of bad hashes. Include domains, IPs, and TTPs as best as you can. The more information you can provide, the more useful it is, since it provides much more context and can help us figure out who they are. And bad CTI is paid: if you're only helping your own customers, who is that really helping? What about your customers'
customers? What happens to you when your customers' customers all get shut down and they obviously can't afford to pay for their security? Redacted screenshots or IOCs, with IOCs redacted. This is more common with your paid threat intelligence, but why is this even a thing? PII or sensitive info, sure, but IOCs, who exactly are you trying to protect? Because it's certainly not the victims. Rushed or limited-value content: it's not a race to be the first to post. Instead, you should be racing to provide the most valuable, reproducible, and actionable content. And I also already said what I said.
So now that I've finished ranting, let's move into the main topic, which is of course Saiga. So who is Saiga? Saiga or Saiga group is a threat actor that primarily operates out of Telegram. They've been active from late 2023 to early 2024, and based on the investigation, there's a strong indication that at least some of the core members are based out of Nigeria. They of course focus on financial crime. Here's some of their campaign statistics. So now that you have a bit of an overview, let's take a step back and start from the start. The initial investigation started when we were notified of a successful phish against a business linked to one of
our clients. After the initial investigation, we had some early indicators of how they operated, but there was no public information about this group whatsoever. And with the phishing kit itself being vastly different to most other things out there, we decided to conduct a much deeper investigation. So the initial email contained a link to a suspicious Google Sites page. This itself was unrelated to Saiga and was more of a not-so-good attempt by the threat actor at using the service to make it harder to detect. But remember what I was saying earlier: using trusted services or trusted redirection can make it much harder to detect. So, for instance, this is going to show up in your DNS logs as google.com. Like,
that's not going to make anything look like a red flag. And this brings us to the phishing page now. So it looks like a standard phishing page, or Microsoft login, I guess. But under the hood it's using Express and Next.js, which at the time, and even now, I don't really see that often. I won't be going into the phishing investigation itself, the phishing interaction. If you want to know more information about this side of things, you can read the full article on our blog; I'll add a QR code at the end of it. So now we have one domain. What's next? You gather as much static information as possible to find more of these same
phishing sites. So JavaScript, any images, favicons, which didn't take long since that favicon and most of the other assets were all static and unique to this phishing kit. So now we have a bigger list of domains and infrastructure. So what's next? At the moment, we still had no idea of the scale or the name of the group. All we had was domains and infrastructure. So we started to look into the Telegram bots and we saw a name pop up in quite a few of them: Saiga. So the OSINT process restarts. After Googling, Googling and more Googling, but with and without Google, we found more leads. We came across a
TikTok profile that had a profile picture of the actual Saiga log output, which was kind of interesting. So this is where the fun really begins. The Telegram channel had over a thousand members, over two years of content to sift through: many messages, videos, images. Additional OSINT led to discovering code repositories plus other information, which I'll go through in the next section. So as mentioned, further OSINT led to code repos. One was the installer of the phishing client, so to speak, which downloaded additional code for senders and other scripts. Essentially, this would be what the threat actor would install when they purchased the service. It allowed them to create phishing templates, send emails, monitor progress
status, etc., and download other code and scripts. Some of the initial code repositories had hundreds of commits, with the later ones having binaries, but the early ones had code and contained everything you'd expect to find in a code repository: hardcoded API keys, credentials, and other useful information. The initial script downloaded the file code.js from a remote server. What do you think would happen if you downloaded main.js? Yes, their API server code, which sent backups of their user licenses to one of their Telegram channels, which we'll go into a bit later. So, back to Telegram. It contains years of cyber crime and advertisements. But note, since it's a channel, only
admins can post to this channel, so anyone posting had some link to Saiga itself. The types of crimes included fraud, identity theft, selling of services and access to services like lead generation, email sending, email accounts, hacked servers, phishing services, hosting, etc.
There were thousands of messages, thousands of images, videos, etc., which was quite valuable in understanding their operation, including who they were, or at least their country of origin. We found this through audio, images, and pictures of some of their members via reflections in their laptop screens. And a bit of a fun fact: on more than one occasion, some of their members accidentally sent what look to be selfies to the credential dump bots. >> So I'll flick through some random images from the Telegram channel. Now, you likely won't be able to see the actual text, but it's not that important. This one shows access to an email that they've gotten from credentials. It has code in the background, various
scripts and other things running. And this is another one. I didn't add that red line; they tried to redact that image themselves, but they definitely didn't look at the window title. This also, as you can see, has code repositories. They use ChatGPT in the background. Yeah, admin is definitely up. This is another one, just more code, random script outputs, etc. All of the pictures were similar to this, so you could imagine how long it took to comb through all of this. And this one's one of my favourites.
So with all this useful intelligence, how did they remain undetected for so long? I honestly don't know. This group operated for over a year. They had a lot of followers on social media, and most of the victims weren't just random Gmail accounts; they were all business accounts, education, government, etc. Which means either no one knew anything, or our industry simply wasn't doing its job. All right, I'll go through some of their code in the next sections, but I won't be going through any reverse engineering steps as it's out of scope of this. But as a quick reverse engineering 101, when looking at phishing code, just look for what's called an eval and change it to print.
It's the easiest way to get a bit of a quick win without having to try and figure out what's going on. And if you stare at the code long enough, this will be kind of obvious. But be safe. All right, let's start with the installer. This would simply just install Node.js, set up a few things, and clone some repos. This one says Saiga mailer, but it's actually just a license generation and validation script. If you have a valid license, it'll download additional code, and if not, it'll give you a license to send to the bot. But I'm sure you can see that's what it's doing, right? No. Okay. What about now?
And this next one was used to generate encoded files, set up templates and configs, and includes some additional email sending functionality. It supports a range of proxies and different attachment types, like a readable version.
The various code in the repos was quite unorganized and honestly a bit of a mess to look through, so it was kind of difficult to work out what was happening. This one generated different attachments that would be used, and as you can see, those are some of the different encoding and encryption types that they supported. They could automatically translate email content to whatever language they wanted, which is kind of interesting. It's also used as a bit of a configuration tool. I've removed a few lines of this one to make it a bit easier to read. I left the banner because I thought it looked kind of cool. So this next one downloads emails and
extracts email addresses from the credentials captured through the phishing campaigns. They can automatically generate a new phishing email based on the extracted information, and it also supports sending emails to the extracted email addresses from within the compromised account. I'll go through a few of these examples. So this was one of the ways that they sort of spread. They'd create an attachment, then send the attachment to someone and say, "Don't let this person know," and then they'd pay the deposit. And another example: all of the blanked-out squares are company logos and QR codes, etc. And finally, the API server code. But oops, I don't think they were meaning to share this one.
So, as I mentioned before, the code repositories were quite a bit of a mess, and there's a lot of code to go through, a lot of duplication, so it's hard to work out what was going on. After looking into Saiga for a bit, in some of the earlier commits they had references to F pages. So in there it's called S pages. This repo mostly contains phishlets and somewhat of a customized Gophish. This led to discovering a repo for F pages, which had very similar code to the earlier Saiga code. Digging into that a bit, that had another repo called admin, and there was another Telegram bot
token. So not only did this Telegram channel contain your standard credentials or logs, it contained every log from every user who had purchased that service. >> During the investigation we couldn't find a definite link between F pages and Saiga. We discovered at least one link due to similar usernames, but it wasn't 100%. So we came to three possibilities. F pages is Saiga before creating Saiga, or it's just what they called their tools. Mods or other users of the service had a falling out because their logs were being logged, so they took the code and created Saiga. Or group members got banned, and so they pivoted. I'd say this one's probably
more likely, since a lot of the F pages code repositories are still active, and they had the same OPSEC values as Saiga. So, a pretty strong link between them. They also had hardcoded API keys and credentials. And this brings me to the next section: the downfall of Saiga. Within days of publishing our research, the entire group abandoned the complete operation. Everything Saiga was deleted. They really did leave in a bit of a panic. This Telegram channel was the same one that I showed earlier. So all social media, Telegram channels, bots, code repos, all infrastructure was taken down. And since their API server and dashboard functionality was so fundamental to this phishing service, shutting that down
meant not a single phishing domain remained functional. So no API server means no more phishing, which means no more victims, which to me is winning.
So unfortunately they didn't shut down for good. Within months they spun up a new group, which I'll go into next. So, Saiga returns. We have a new paint job and a new name: SCML, "SCUML skills". Good, no one laughed. I guess no one knew the meaning of that word. But don't Google it, because I might get in trouble. But I guess more recently they're calling themselves Scruml engine. So what's changed? Not much really. Same obscures, with a new front end and a bit heavier use of AI. The phishing kit itself remains relatively untouched and mostly reuses the same assets, so a lot of the IOCs are the same and can be discovered just as easily as last time. But I guess
they have a new captcha and moved the Telegram bot token to the homepage to make it easier to find, I guess. So I've been watching this one for a bit; until recently they were still in the testing and development stage. And since this group isn't public yet or hasn't been discovered by anyone, does that mean I can call it a 0-day? And so what's next? Well, you'll have to stay tuned for a new article that will be coming soon. But before I move on, if this group abandoned their operation so quickly and spun up a new one so quickly, this tells me it's not the first time they've done this. So then let me ask you this: who
were they before Saiga? Now on to the key takeaways. Don't trust VirusTotal or other platforms. I don't mean as a company; they can be good. I mean don't rely 100% on the information they provide, because they can never be 100% effective. And please strip out your email headers before uploading your email. Just do a simple find and replace. Problem solved. Grabbing the IOCs and posting the IOCs doesn't really help. Try to provide as much information as you can, domains, IPs, and TTPs, as it can give much better context and can be a lot more helpful. And stop redacting, because it's a bit of a pain. Going deeper and spending a little bit more time can help quite a bit, and
anyone can do it. If your CTI can't be reproduced or actioned, that's not intelligence, it's marketing. Here's a QR code to our research post. But thank you for listening. Any questions?
>> Thank you, Justin. So, do we have any questions for Justin? Anybody? There we go.
>> Thanks Justin, enjoyed the talk. Did you have a look at, say, using something like urlscan and fingerprinting the infrastructure and kind of keeping tabs on it over a long period of time? >> Pretty much. It was like a daily occurrence. I checked urlscan, I checked both. They're two of the better ones, because with the other ones you have to pay a bunch to get the same service, but they're good and they normally pop up quite quickly. So it's good. Feet is good because it's easier to determine the IP addresses, because they all use Cloudflare, so it's a bit harder. So, yeah.
>> Great talk, Justin. I was just wondering if you knew who they were actually before Saiga. Did you find that out? >> Sorry, what was that? >> Like, before Saiga, you said you couldn't... >> No, I haven't. >> Oh, wow. So that's still something you're looking forward to. All right, thank you. >> Excellent. Let's thank Justin again. Thank you.
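An added example, not part of the talk and not code from Red Piranha, of the header-stripping step the speaker recommends before uploading a phishing email to a public submission site. The talk suggests a simple find-and-replace; this goes slightly further by removing the recipient-side headers and the Received hops that name the victim's mail servers, while keeping the sender's infrastructure intact so the sample stays useful for analysis. The sample message, the victimcorp.example and attacker.example domains, and the lure link are all constructed.

```python
"""Redact recipient-identifying headers from a phishing .eml before submitting
it to a public sandbox. Added example for the talk's header-stripping tip; it is
not code from the talk or from Red Piranha, and the sample message, addresses and
domains below are constructed."""

import email
import re
from email import policy

# Headers that identify the receiving organisation rather than the sender.
# Sender-side headers (From, Message-ID, the attacker's own Received hops)
# are what an analyst actually wants, so those are left alone.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc", "Delivered-To", "X-Original-To", "Return-Path")
PLACEHOLDER = "redacted@redacted.invalid"


def _mentions(text, org_domain: str) -> bool:
    return org_domain.lower() in str(text).lower()


def sanitize_eml(raw: str, org_domain: str) -> str:
    """Return a copy of the raw RFC 822 message with the organisation's
    identifiers removed. The sender's infrastructure is preserved."""
    msg = email.message_from_string(raw, policy=policy.default)

    for name in RECIPIENT_HEADERS:
        if name in msg:
            del msg[name]          # removes every occurrence of that header
            msg[name] = PLACEHOLDER

    # Drop the Received hops that name the victim's mail servers; the hops
    # through the sender's infrastructure are the ones worth keeping.
    hops = msg.get_all("Received", [])
    del msg["Received"]
    for hop in hops:
        if not _mentions(hop, org_domain):
            msg["Received"] = str(hop)

    text = msg.as_string()

    # Second pass over the serialised message: catches the domain in headers
    # not listed above and in the body ("Dear victimcorp user ...").
    label = org_domain.split(".")[0]
    text = re.sub(r"[\w.+-]+@" + re.escape(org_domain), PLACEHOLDER, text, flags=re.I)
    text = re.sub(re.escape(org_domain), "redacted.invalid", text, flags=re.I)
    text = re.sub(r"\b" + re.escape(label) + r"\b", "REDACTED", text, flags=re.I)
    return text


def leaked_identifiers(text: str, org_domain: str) -> list:
    """Pre-upload check: every remaining occurrence of the org domain or its
    bare label, lower-cased and de-duplicated. Empty list means nothing obvious is left."""
    label = org_domain.split(".")[0]
    pattern = re.compile(re.escape(org_domain) + r"|\b" + re.escape(label) + r"\b", re.I)
    return sorted({m.group(0).lower() for m in pattern.finditer(text)})


# Constructed sample: a lure delivered to a fictional organisation.
RAW_EML = """\
Return-Path: <bounce@mailer.attacker.example>
Delivered-To: jane.doe@victimcorp.example
Received: from mailer.attacker.example (mailer.attacker.example [203.0.113.10])
 by mx1.victimcorp.example with ESMTPS id abc123
 for <jane.doe@victimcorp.example>; Mon, 1 Jan 2024 09:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
 by mailer.attacker.example with ESMTP id xyz789; Mon, 1 Jan 2024 08:59:59 +0000
From: "IT Helpdesk" <helpdesk@mailer.attacker.example>
To: Jane Doe <jane.doe@victimcorp.example>
Cc: finance@victimcorp.example
Subject: Action required: verify your mailbox
Message-ID: <20240101085959.1@mailer.attacker.example>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Dear victimcorp user, your mailbox is full.
Sign in at https://sites.google.com/view/constructed-lure-path
"""

if __name__ == "__main__":
    cleaned = sanitize_eml(RAW_EML, "victimcorp.example")
    print(cleaned)
    print("leaked:", leaked_identifiers(cleaned, "victimcorp.example"))
```

Run the check function on the output before every upload rather than trusting the redaction by eye; an organisation name that only appears in the body, or in a vendor-specific header this list does not know about, is exactly the kind of thing the second pass and the check exist to catch.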