View RSS Feed

Fb1h2s aka Rahul Sasi's Blog

How the Internet Bug bounty Killed an Exploit Kit.

Rating: 21 votes, 4.71 average.
Name:  BUGCROWD.jpg
Views: 13256
Size:  10.5 KB
It is been 4 years since the Internet [Web] bug bounty programs kicked in. It would be great to see what changes it has brought to the Security community. From what I understood is the most no of reported bugs to bug-bounty programs are XSS . Yes Cross Site scripting. We are writing about an Infamous Phishing/Exploit kit named Chillyfisher that was used by few APT groups that utilized xss and phishing emails to hack their targets.

Name:  exploit-kits.jpg
Views: 21409
Size:  49.3 KB

ChilyFisher Exploit Kit:

ChilyFisher was a Phishing+Exploit+XSS exploit framework used by multiple APT groups including the infamous "NETTRAVELER" group mainly in 2008-2013. The name chillyfisher is given based on the string present in the kit "Copyright 2008 ChilyFisher, Allright Reserved" . One of the interesting features of this kit was the ability to hack multiple Web Mails including [Yahoo, Aol,,rediffmail, sina, ] etc . The kit used XSS vulnerabilities and phishing pages to hack email conversations. Back in 2010 it was pretty easy to find an XSS in the above mentioned targets. But with the rise in the many bug bounty programs the many similar exploit kits died. For example the bug bountys managed by hackerone for yahoo and where among the targeted webmails for this APT team.

Name:  001.jpg
Views: 3543
Size:  18.7 KB

Though there is no public information available about this kit, it was widely known among the security community. This blog would give an overview of this exploit kit , how it was used and attribution.

Front End code:

The kit had a frontend and Backend code . The function of the Front end code was to send mass phishing/exploit emails to targets. The front end code allowed attackers to mass include target emails, subject and email content. The phishing email sent has a hyperlink with unique callback to the backend code. Now when victims open their email , the XSS would be triggered and the cookies would be logged to backend server or will fall back to secondary attack "phishing". The kit contained a phishing and browser exploit module . Also have seen multiple java exploits on chillyfisher hosted servers . Chillyfishes had phishing modules for almost all popular webmails . The following are the list of websites the kit had phishing modules for.

Chillyfisher Phishing modules and supported sites:

The following screenshot provides info on the database that keeps the Phishing/Exploit emails , Targets, Recipient, Email Subject .

Targets emails, Email subject , Send as email:

Zoom Image:

Back End code:

All the collected information is managed by a backend web application made in asp.From the admin interface attackers could view all the collected information of the victims . For example the following screenshot shows Chillyfisher login page.

Exploit kit Admin Login :

Name:  Screen Shot 2014-06-08 at 5.23.24 pm.jpg
Views: 5210
Size:  19.0 KB
The backend database used is MS-Access . All collected information is stored in this database.

DB Structure

Name:  Screen Shot 2014-07-18 at 1.47.53 am.jpg
Views: 5165
Size:  21.4 KB

In the above screenshot we could see the DB structure of a Chillyfisher instance and "Loginlog" table having informations about ChillyFisher admins who logged into the control panel. "Too bad feature for an exploit kit I suppose " . Btw all the admin logins were from China , so that should give a fair idea where the attackers are from. The log informations are also emailed to a user at .

Name:  Screen Shot 2014-07-18 at 2.15.46 am.png
Views: 3560
Size:  19.3 KB
The following screenshot is that of the landing page after authentication.

Chillyfisher Control Panel

Name:  Screen Shot 2014-06-08 at 5.27.45 pm.jpg
Views: 3508
Size:  20.0 KB

Logged in users would be able to view collected cookies, password, and other informations related to victims.

Name:  Screen Shot 2014-07-18 at 3.10.55 am.jpg
Views: 3561
Size:  19.4 KB

Infections and Attributions :

I have collected about 10,000 unique IP address from multiple chillyfisher exploit kits we identified in the wild. And have created a geo map out of it. The most no of the targets were from China followed by USA.

IP address that logged into Control panel .

Name:  Screen Shot 2014-07-16 at 1.52.28 pm.jpg
Views: 3427
Size:  15.0 KB

Since this kit was mainly used to monitor activist[emails] rather than corporate espionage , the most hits were from China. The second map would provide better understanding of the numbers of targets based on City.

A better quality Map is over here:


Chinese regions were most targeted. Since nettravler was previously attributed we an either assume the attckers are in China or is using China as a proxy .

Screenshot of Infections in Asia Pacific regions:

Screen Shot of Infections in N|S America , Middle East and Europe :

Btw these awsome Maps were build using ipt2map code .

The kit seems like not being used anymore , since it is hard to find an XSS in yahoo or or any other mail clients. But the phishing modules will work.

The moral of the post would be to not underestimate when someone finds an XSS bugs and how XSS was used by APT groups for surveillance. How efficient bugbounty programs are making the internet a lot more safe.

If you need more information on the kit Contact me over email at fb1h2s[@]

Rahul Sasi,
Attached Thumbnails Attached Images  
Tags: None Add / Edit Tags


  1. [s]'s Avatar
    Yes XSS played main role in the Phishing. One more way , Ive seen which is floating over everyone's emails and spreading mass

    One of the following code of phishing found in some audits.

    Note : Above code is only for educational purpose.


Total Trackbacks 0
Trackback URL: