| Phishing Kit V3B | |
|---|---|
| Type of Malware | Exploit Kit |
| Country of Origin | Unknown |
| Date of Initial Activity | 2023 |
| Targeted Countries | Ireland |
| Associated Groups | vssrtje |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Type of Information Stolen | Financial Information |
Overview
In a significant escalation of cybercrime, a sophisticated phishing kit named V3B has emerged, targeting banking customers across the European Union (EU). Uncovered by Resecurity, this phishing kit represents a formidable threat to financial institutions and their clients. Designed to intercept and exploit sensitive information, including login credentials and one-time passwords (OTPs), V3B employs advanced social engineering tactics to deceive victims into disclosing their personal data.
Launched in March 2023 by the threat actor known as “Vssrtje,” the V3B phishing kit has swiftly gained traction within the cybercriminal community. It is distributed through a Phishing-as-a-Service (PhaaS) model, making it accessible to a wide range of fraudsters. The kit has been prominently featured in dark web forums and Telegram channels, where it has garnered a substantial following. With over 1,255 members in its Telegram channel, the scale of the operation reflects a serious and organized attempt to undermine the security of EU financial institutions.
The V3B kit’s sophistication lies in its multi-faceted approach to phishing. It includes encrypted code to evade detection, customizable templates for a variety of European banks, and advanced features such as QR code and PhotoTAN support. These capabilities enable cybercriminals to bypass traditional security measures and conduct real-time interactions with victims, increasing the likelihood of successful fraud. The kit’s integration with a secondary component, uPanel, further enhances its effectiveness by allowing fraudsters to interact with victims and collect OTP codes in real time.
Targets
Individuals
How they operate
At its core, the V3B phishing kit is engineered to deceive users into providing confidential banking information, such as login credentials and one-time passwords (OTPs). The kit is distributed through dark web forums and Telegram channels, where it has established a substantial user base. The kit’s delivery mechanism relies heavily on social engineering techniques, employing meticulously crafted phishing emails and fake websites that mirror legitimate banking interfaces. Victims are lured into entering their data, which is then intercepted by the kit’s credential capture system.
The operational architecture of V3B is built on two primary components: the phishing kit itself and the administrative panel known as uPanel. The phishing kit features encrypted code, obfuscated using JavaScript and other techniques to evade detection by anti-phishing systems and security tools. This obfuscation not only conceals the kit’s functionalities but also protects its source code from analysis and signature-based detection. The kit supports a wide array of financial institutions across Europe, with customizable templates that replicate the authentication and verification processes of various banks.
One of the standout features of V3B is its support for multiple authentication methods. The kit includes modules for QR code phishing, allowing attackers to abuse services that use QR codes for user authentication. Additionally, it supports PhotoTAN and Smart ID, reflecting a keen awareness of evolving 2FA technologies. The kit’s uPanel component enables real-time interaction with victims, allowing fraudsters to initiate OTP and token requests and manipulate victim responses. This interactive capability significantly increases the likelihood of successful data capture and fraudulent transactions.
The exfiltration of stolen data is executed through secure communication channels, with the Telegram API serving as the primary conduit for relaying intercepted information back to the attackers. The V3B kit also incorporates anti-bot measures to prevent detection by automated security systems, helping phishing operations remain stealthy and effective. The kit’s modular design, including support for over 54 financial institutions and various authentication methods, underscores its adaptability and the persistent threat it poses to financial security.
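Because the kit relays captured credentials and OTPs through the Telegram API, a compromised or attacker-operated web host that suddenly calls api.telegram.org is a useful triage signal for defenders. The script below is an added example, not part of the original write-up or the kit, and it assumes a hypothetical key=value egress-proxy log format and a constructed inventory of web-tier hosts; it flags Telegram Bot API calls from those hosts and masks the bot token so findings can be shared.

```python
"""Flag outbound Telegram Bot API calls from web-tier hosts in egress-proxy logs.

Public-facing web servers normally have no reason to call api.telegram.org,
so such requests are worth a look when hunting for phishing-kit exfiltration.
The log format, host addresses and bot tokens below are constructed for this
example and do not come from any real product or incident.
"""
import re
from dataclasses import dataclass

# Hypothetical key=value proxy log line (constructed format, not a vendor's).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+method=(?P<method>\S+)\s+"
    r"host=(?P<host>\S+)\s+path=(?P<path>\S+)\s+status=(?P<status>\d+)"
)

# Telegram Bot API endpoints that push text or files to a chat.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<token>[^/]+)/(?P<method>sendMessage|sendDocument|sendPhoto)$"
)

TELEGRAM_HOSTS = {"api.telegram.org"}


@dataclass
class Finding:
    ts: str
    src: str
    api_method: str
    token_hint: str  # masked bot id, safe to include in a ticket


def mask_token(token: str) -> str:
    """Keep only the numeric bot id before the colon; drop the secret part."""
    bot_id = token.split(":", 1)[0]
    return f"{bot_id}:***"


def find_telegram_exfil(lines, web_tier):
    """Return a Finding for each Bot API call whose source is a web-tier host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than crash the hunt
        if m["host"].lower() not in TELEGRAM_HOSTS:
            continue
        if m["src"] not in web_tier:
            continue  # chat-ops or admin boxes may legitimately use bots
        p = BOT_PATH_RE.match(m["path"])
        if not p:
            continue
        findings.append(
            Finding(m["ts"], m["src"], p["method"], mask_token(p["token"]))
        )
    return findings


# Constructed sample log lines: two web hosts calling the Bot API, one CDN
# fetch, one allowed chat-ops host, and one malformed line.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z src=10.0.0.5 method=POST host=api.telegram.org "
    "path=/bot123456789:AAConstructedToken/sendMessage status=200",
    "2024-05-01T10:00:02Z src=10.0.0.5 method=GET host=cdn.example.net "
    "path=/jquery.min.js status=200",
    "2024-05-01T10:00:03Z src=10.0.0.7 method=POST host=api.telegram.org "
    "path=/bot987654321:BBConstructedToken/sendDocument status=200",
    "2024-05-01T10:00:04Z src=10.0.0.9 method=POST host=api.telegram.org "
    "path=/bot555:CCConstructedToken/sendMessage status=200",
    "this line is not in the expected format",
]
WEB_TIER = {"10.0.0.5", "10.0.0.7"}  # constructed inventory of web servers

if __name__ == "__main__":
    for f in find_telegram_exfil(SAMPLE_LOGS, WEB_TIER):
        print(f"{f.ts} {f.src} -> telegram {f.api_method} bot={f.token_hint}")
```

Treat a hit as a triage lead rather than a verdict: legitimate monitoring bots exist, so the allow-list of non-web hosts matters, and the masked bot id is enough to correlate repeated hits without copying a live token into a ticket.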
MITRE Tactics and Techniques
Initial Access
Phishing (T1566): V3B is a phishing kit designed to deceive users into revealing sensitive information, such as credentials and OTP codes. It uses social engineering tactics to lure victims into entering their data on fake banking sites.
Credential Access
Credential Dumping (T1003): The kit collects login credentials and OTP codes entered by victims. It may also capture session tokens or other authentication details.
Input Capture (T1056): The phishing kit’s interface captures inputs directly from users, including passwords and OTPs.
Collection
Data from Input Capture (T1056.001): V3B captures and transmits sensitive data entered by victims, such as login credentials and OTP codes, to the attackers.
Command and Control
Application Layer Protocol (T1071): The kit uses Telegram and other communication channels to relay stolen data back to the attackers. This involves using standard protocols to send data over the network.
Exfiltration
Exfiltration Over Command and Control Channel (T1041): The kit exfiltrates captured data via its communication channels, which include Telegram and other dark web platforms.
Defense Evasion
Obfuscated Files or Information (T1027): V3B employs obfuscated code to avoid detection by anti-phishing systems and security tools. It uses JavaScript obfuscation and other techniques to hide its malicious functions.
Impact
Data Manipulation (T1565): The phishing kit can potentially manipulate financial data by facilitating unauthorized transactions once credentials are compromised.