A sophisticated phishing campaign utilizing the W3LL Phishing Kit has been actively targeting users\u2019 Microsoft Outlook credentials through elaborate impersonation techniques.<\/p>\n
First identified by Group-IB in 2022, this phishing-as-a-service (PhaaS) tool has evolved into a comprehensive ecosystem complete with its own marketplace called W3LL Store, where malicious actors can customize campaign capabilities according to their specific needs.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhrSnpj8OLStkc0-rnXdVf_lAWvXFLWO2nJ1slXg9tDSiFiiBYIInIIlHKyHMufTdRWlK2xdAV7G4otZbt_dX_zeSG_hZAOlXAN9BsZJ1YPB3NKiL6BlsUy7Ih7CbvmH6vN1ZgexvriX9ndqyVoO0c3x7wwrR2spjwOFLqk-ufJZGJmM8GCpqoc2n5shyphenhypheng\/s16000\/W3LL%2520Phishing%2520Kit%2520Files%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
The campaign primarily focuses on harvesting Microsoft 365 credentials through adversary-in-the-middle (AitM) techniques, which allow attackers to hijack session cookies and bypass multi-factor authentication mechanisms.<\/p>\n
The kit lures unsuspecting victims through convincing emails that direct them to carefully crafted phishing pages<\/a> impersonating legitimate services such as Adobe\u2019s Shared File platform.<\/p>\n Hunt.io researchers identified<\/a> the campaign while investigating open directories containing suspicious content.<\/p>\n Their analysis revealed a complex infrastructure designed to efficiently capture credentials and funnel them to attacker-controlled servers.<\/p>\n The researchers noted that the phishing pages are meticulously designed to mimic the look and feel of authentic login portals, making detection challenging for average users.<\/p>\n When examining the server infrastructure, investigators discovered multiple folders named \u201cOV6,\u201d a telltale signature of the W3LL kit which typically positions its control panel at this location.<\/p>\n The phishing flow begins when users encounter a page mimicking Adobe\u2019s Shared File service, prompting them to log in to access a purportedly shared document. <\/p>\n Upon entering credentials, the information is transmitted via a POST request to attacker infrastructure at teffcopipe[.]com\/wazzy.php for harvesting.<\/p>\n The W3LL kit employs sophisticated obfuscation techniques to evade detection and analysis.<\/p>\n One notable method is the use of lonCube, an encryption tool for PHP code that significantly slows down research and reverse engineering efforts.<\/p>\n Examining the OV6_ENCODED directory reveals heavily obfuscated<\/a> PHP files designed to hide the kit\u2019s functionality from security researchers and automated scanning tools.<\/p>\n The kit\u2019s configuration is managed through a config.php file that contains crucial operational parameters.<\/p>\n A snippet of this file, provides insights into how the toolkit functions, including credential handling processes and data exfiltration methods.<\/p>\n This configuration allows attackers to customize various aspects of their campaign<\/a>, from visual elements of the phishing pages to the destination of stolen credentials.<\/p>\n Network indicators associated with this campaign include the open directory at 192.3.137[.]252:443 and additional infrastructure at teffcopipe[.]com pointing to 5.63.8[.]243, utilizing Let\u2019s Encrypt certificates valid until March 19, 2024.<\/p>\n Equip your SOC team with deep threat analysis for faster response ->\u00a0<\/strong>Get Extra \ud835\udde6\ud835\uddee\ud835\uddfb\ud835\uddf1\ud835\uddef\ud835\uddfc\ud835\ude05 \ud835\uddf9\ud835\uddf6\ud835\uddf0\ud835\uddf2\ud835\uddfb\ud835\ude00\ud835\uddf2\ud835\ude00 for Free<\/strong><\/a><\/strong><\/p>\n The post W3LL Phishing Kit Actively Attacking Users to Steal Outlook Login Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi-i5rjueUDXXcx-KBDHlxUBHEy3v-DW2zXdo2HrfvO1hcPxGTyep69KcCMQv-Q-lbfeBISvXMLpkFoWQUcYwE11ew56w35AwiqexDMzmMwXozh23ETBN_1zhnQUG-BqMCsdcc-a0KjfWhEjZmACxhrJLVKRXydRD0Cbzv_lW8eDHXDcVvDbEONzff12hc\/s16000\/wfiles.html%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
Technical Analysis of Obfuscation Techniques<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEggENMgqnGrBXnBYZY6dlqgM_cEwGP4t3P4CPIGV3neEQDr9-nFibqKX2QrB3uynKxP1u5ob7HXrTSYj9rUmr4VB9aznzTlrT-zaQXzIUjq2e1Kh-Vzpw8yw5BbmGFycffgv3g3VETRym9vrD74NQ1UKPofAdJ1zSRF3msWmN2tcUiIISfC06bJHl30Mus\/s16000\/OV6_Encoded%2520folder%2520contents%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")