A Tale of Greatness
Business Email Compromise (BEC) remains a threat type overshadowed by cyber extortion; however, as an incident responder, it is one of the more common types we respond to. Since the adoption of MFA, kits have moved to session theft, and Phishing-as-a-Service kits make it easier than ever for actors to enter this space.
Greatness (the Greatness kit, or Greatness Boss) is a phishing kit that was recently reported on by Cisco after a long period of very limited public coverage by security vendors.
The article covered the kit’s capabilities and the trends observed over the last year. However, I have had the benefit of watching them a little more closely for a while now and can provide some behind-the-scenes footage, including OPSEC failures and additional BEC tooling information.
1. Greatness and Fisherstell
The Greatness kit is used by BEC threat actors to target the theft of credentials and sessions of Microsoft 365 users. I will not go into too much detail of the phishing kit itself and I encourage you to read the Cisco article about it instead.
The author of this kit goes by @fisherstell on Telegram. The kit costs approximately $1,200 USD, typically paid in BTC. The majority of the clientele spoke Nigerian Pidgin in the Telegram groups.
The phishing kit is regularly updated, with most new features being additional obfuscation of the payloads to reduce detection rates or security upgrades to the administrator panel. Version v6 was a major update that introduced an Admin Panel and additional features to the kit.
Note: As of writing, the latest kit version was v18.5; v19 has been released since.
The Greatness Hub Chat
The Telegram group “Greatness Hub Chat” served as a community to share wins, tips and memes, as well as any updates to the products. A Telegram bot was the way customers bought the tools, activated any new tooling, and downloaded the latest versions.
The group was administered by fisherstell and their second-in-command, Patrick. Note: Patrick is a user of the Greatness kit and appears to moderate the chat, but has no control over the backend server or financials.
From the common use of the hashtag in the Telegram group to the welcome message of the admin panel, the owner and customers regularly use this tongue-in-cheek phrase, which we often see in other tools abused by threat actors.
A trend among many BEC actors in general is an amusing link in their bios to a message that definitely absolves them of all crimes committed, and our fisherstell is no different.
However, in the main Telegram chat, fisherstell brags about successful invoice fraud…
3. Fisherstell’s other tooling and ventures
Fisherstell offers several tools to supplement the BEC actor’s arsenal. When interacting with the Greatness bot, they advertise the following:
The sender is one of the main tools used alongside the kit itself: it uses credentials to spam out the attachments generated by the kit (.html, .htm, .shtml).
The extractor tool is used to extract additional email addresses from compromised accounts. This tool requires an Azure application with permissions to read the compromised user’s mailbox. We commonly observe threat actors pivot from a compromised mailbox by sending additional phishing emails to addresses harvested from it.
This tool takes a list of leads (email addresses) and attempts to validate whether they are real email addresses, as well as determining what type of MFA is used and what hosting is behind them.
Stealer Malware (Feat. Opsec lesson)
Fisherstell had hinted they were working on an infostealer and dropped this screenshot into the chat one day, bragging about its 0 detection score.
Besides the RDP IP address, I was able to use this VT link to identify the source code of the stealer (more on this below). Fisherstell kept the group updated, posting teaser outputs of their testing:
Another picture they shared leaked, via the open browser in the background, that the stealer is likely written in Python and possibly co-authored by ChatGPT 😘.
This wasn’t the only time ChatGPT appeared; it seemed to be just as relevant in the BEC world.
In an unrelated tutorial video about how to set up the phishing kit, fisherstell leaks their Hostinger admin panel with the following domains:
On the domain <REDACTED>[.]com, a VT submission stood out among the related phishing attachments and URL scans:
This was a zip of the full Python source code of fisherstell’s infostealer malware…
4. Reaction to Cisco article and future of Greatness
Once the group became aware of the Cisco article, there was an immediate sense of panic and paranoia: many assumed that all of their phishing sites had been compromised, and some suspected a mole had been in their midst.
Many jumped to throwing threats around at the Cisco authors, and others began to distrust the product they had invested in.
Despite all the commotion, the admins kept the customers as calm as possible and hinted that they would scrap all current customers, including their API keys, and start again on a referral-only basis.
Update: while the number of new Greatness phishing pages has decreased, new ones are still popping up with the new kit version, and I expect this will not slow them down in the long run.
TLDR: Block .html, .htm and .shtml from incoming emails if your business does not use them and use U2F if you can :)
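As an added example (not code from this post, the kit, or any vendor product), here is a Python mail-gateway filter that implements the TLDR recommendation and covers the sender tool's delivery method from section 3: it flags attachments carrying the .html/.htm/.shtml extensions, and goes a step further than the text by sniffing attachment bytes so an HTML lure renamed to a benign extension and MIME type is caught as well. The sample message, file names and addresses are constructed placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions the post recommends blocking at the mail boundary.
BLOCKED_EXTENSIONS = (".html", ".htm", ".shtml")
# Sniff for HTML content hiding behind a benign extension or MIME type.
HTML_SNIFF = re.compile(rb"^\s*(<!doctype\s+html|<html|<script|<svg)", re.IGNORECASE)


def find_html_attachments(raw_eml: bytes) -> list:
    """Return one finding per attachment that is, or smells like, HTML."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        # Only attachments matter; the message's own text/html body is normal.
        if part.get_content_disposition() != "attachment" and not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if filename.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append("blocked extension")
        if part.get_content_type() == "text/html":
            reasons.append("text/html attachment")
        if HTML_SNIFF.match(payload[:512]):
            reasons.append("html content sniffed")
        if reasons:
            findings.append({"filename": filename,
                             "content_type": part.get_content_type(),
                             "reasons": reasons})
    return findings


def should_quarantine(raw_eml: bytes) -> bool:
    return bool(find_html_attachments(raw_eml))


def _build_sample() -> bytes:
    """Constructed lure: one .shtml attachment, one HTML blob disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # placeholder sender
    msg["To"] = "finance@example.invalid"      # placeholder recipient
    msg["Subject"] = "Shared document"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(b"<!DOCTYPE html><html><body>...</body></html>",
                       maintype="text", subtype="html", filename="Invoice_2024.shtml")
    msg.add_attachment(b"<html><script>document.location='...'</script></html>",
                       maintype="application", subtype="pdf", filename="Remittance.pdf")
    return msg.as_bytes()
```

A plain text/plain message with no attachments produces no findings, so the filter only acts on the attachment delivery path the kit relies on.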