Sep 06, 2023 | THN | Cyber Crime / Email Security
A previously undocumented "phishing empire" has been linked to cyber attacks aimed at compromising at least 8,000 Microsoft 365 business email accounts over the past six years.
"The threat actor created a hidden underground market, named W3LL Store, that served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, as well as 16 other fully customized tools for business email compromise (BEC) attacks," Group-IB said in a report shared with The Hacker News.
The phishing infrastructure is estimated to have targeted more than 56,000 corporate Microsoft 365 accounts, primarily in the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy between October 2022 and July 2023, netting its operators $500,000 in illicit profits.
Some of the prominent sectors infiltrated using the phishing solution include manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB said it identified close to 850 unique phishing websites attributed to the W3LL Panel during the same time period.
The Singapore-headquartered cybersecurity company has described W3LL as an all-in-one phishing instrument that offers an entire spectrum of services ranging from custom phishing tools to mailing lists and access to compromised servers, underscoring the upward trend of phishing-as-a-service (PhaaS) platforms.
Active since 2017, the threat actor behind the kit has a storied history of developing bespoke software for bulk email spam (named PunnySender and W3LL Sender) before turning their attention to setting up phishing tools for compromising corporate email accounts.
A core component of W3LL's malware arsenal is an adversary-in-the-middle (AiTM) phishing kit that can bypass multi-factor authentication (MFA) protections. It's offered for sale for $500 for a three-month subscription with a subsequent monthly fee of $150.
Besides harvesting credentials, the panel packs in anti-bot functionality to evade automated web content scanners and extend the lifespan of phishing and malware campaigns.
[Figure: Execution of a W3LL phishing attachment]
BEC attacks leveraging the W3LL phishing kit entail a preparatory phase in which email addresses are validated using an auxiliary utility referred to as LOMPAT, after which the phishing messages are delivered.
Victims who open the bogus link or attachment first pass through the anti-bot script, which filters out unpermitted visitors (redirecting them to Wikipedia); the remaining victims are taken to the phishing landing page via a redirect chain that employs AiTM tactics to siphon credentials and session cookies.
Armed with this access, the threat actor then proceeds to log in to the target's Microsoft 365 account without triggering MFA, automate account discovery on the host using a custom tool dubbed CONTOOL, and harvest emails, phone numbers, and other information.
Notable tactics adopted by the malware author include the use of Hastebin, a file-sharing service, to store stolen session cookies, and the use of Telegram and email to exfiltrate the credentials to the criminal actors.
The disclosure comes days after Microsoft warned of a proliferation of AiTM techniques deployed through PhaaS platforms such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness that allow access to privileged systems at scale without re-authentication.
"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost the entire kill chain of BEC and can be used by cybercriminals of all technical skill levels," Group-IB's Anton Ushakov said.
"The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations."
from The Hacker News https://bit.ly/45Fc2EK