Triskele Labs Blog

Evilginx2: What’s in a name?

Written by Nick Morgan | Feb 16, 2022 8:08:50 PM

What’s in a name?

Well, here’s a hint: if it’s got the word “evil” in it, it’s probably not good!

Most people are now used to phishing emails – spam emails containing a malicious link that ask you to review your account for security purposes because there has been an update, for instance.

Thankfully, most people are now wise to these sorts of emails, especially now that two-factor authentication has become more common and most people understand it’s essential to safeguard their private information. 

But you can be sure that whenever you think the good guys are winning, the bad guys are always one step ahead. 

 

Enter: Evilginx2. 

Just like its name suggests, Evilginx2 is a nasty little program that lets threat actors specify a website to clone. This could be a Microsoft 365 login, or a VPN portal, even a custom company website, or a front-end for all of your business’ logins. 

Evilginx2 acts as a proxy frontend to the backend of the legitimate website. So, if the user clicks the link, they are presented with a site hosted by Evilginx2, where they enter their username and password.

Evilginx2 will then take those credentials and pass them to the legitimate website to log in, generating a valid session as that user.

The legitimate website's response then comes back through the Evilginx2 proxy, which prompts the user for a two-factor authentication code. The user enters their 2FA code, which is also sent on to the legitimate website, resulting in a valid login session. It is exactly this valid login session that the hacker is after, and which Evilginx2 has just conveniently saved for them, in the form of session cookies and tokens, to be re-used.

And just like that, a hacker has stolen not only your login details, but also your two-factor authentication credentials, which gives them access to steal session tokens, user information, business information, or even your identity. 

This means that two-factor authentication can no longer be completely relied upon as a watertight security measure, and that organisations now need to take a layered approach to cyber security. 

This should include monitoring and detection, so you have eyes on your network and its users 24 hours a day, 7 days a week, 365 days a year. 

It should also include behaviour analytics so that unusual occurrences are picked up and dealt with immediately, like a team member who lives in Melbourne logging in from Vladivostok at 3:30am. 

This is the sort of thing that threat actors using Evilginx2 will do, to get past your defences and compromise your business. 
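A minimal sketch of the behaviour analytics described above, as an added example rather than code from Triskele Labs or any product: it flags "impossible travel" between a user's consecutive sign-ins and a session ID presented from a different IP than the one it first appeared on. The `SignIn` record, the thresholds and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900   # assumed ceiling: roughly airliner cruising speed
MIN_KM = 100    # assumed floor: ignore movement within one metro area

@dataclass
class SignIn:   # hypothetical, simplified sign-in log record (times in UTC)
    user: str
    when: datetime
    lat: float
    lon: float
    session_id: str
    ip: str

def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return (user, reason) alerts, processing events in time order."""
    alerts, last_seen, session_ip = [], {}, {}
    for ev in sorted(events, key=lambda e: e.when):
        # Rule 1: a session ID presented from an IP other than the first one seen.
        if session_ip.setdefault(ev.session_id, ev.ip) != ev.ip:
            alerts.append((ev.user, "session_reuse_new_ip"))
        # Rule 2: distance since the user's previous sign-in implies impossible speed.
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = km_between(prev, ev)
            if km > MIN_KM and (hours <= 0 or km / hours > MAX_KMH):
                alerts.append((ev.user, "impossible_travel"))
        last_seen[ev.user] = ev
    return alerts

# Constructed sample events (documentation IP ranges), not real log data.
MEL, VVO = (-37.81, 144.96), (43.12, 131.89)   # Melbourne, Vladivostok
SAMPLE = [
    SignIn("alice", datetime(2022, 2, 16, 2, 0), *MEL, "s-alice-1", "203.0.113.10"),
    SignIn("bob", datetime(2022, 2, 16, 2, 10), *MEL, "s-bob-1", "203.0.113.20"),
    SignIn("bob", datetime(2022, 2, 16, 2, 40), *MEL, "s-bob-1", "203.0.113.20"),
    SignIn("alice", datetime(2022, 2, 16, 3, 30), *VVO, "s-alice-1", "198.51.100.7"),
]

if __name__ == "__main__":
    for user, reason in detect(SAMPLE):
        print(f"ALERT {user}: {reason}")
```

Rule 1 will also fire when a legitimate user changes network mid-session, so in practice it is usually combined with device or network-provider context before alerting.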

 

 

Want to know more about red-teaming and how it can help protect your organisation? 

> Learn more in this episode of our vodcast, Cybeers