A phishing campaign is actively targeting Microsoft Outlook credentials using the W3LL Phishing Kit together with elaborate brand impersonation. Group-IB researchers first identified this phishing-as-a-service (PhaaS) tool in 2022; since then W3LL has grown into a full phishing ecosystem with its own marketplace, the W3LL Store, where criminals buy and customize kit components to suit their campaigns. The goal has not changed: harvesting login credentials from unsuspecting users. The kit's adaptability makes it a significant threat to individuals and organizations alike.
The campaign focuses on Microsoft 365 account credentials and uses adversary-in-the-middle (AitM) session hijacking: the phishing page relays the victim's login to the real service, so the attacker captures not only the password but also the authenticated session cookie, which lets them bypass multi-factor authentication (MFA) without ever obtaining the second factor. Victims are lured with convincing phishing emails that direct them to carefully crafted fake login pages, often impersonating legitimate services such as Adobe's Shared File platform. Security researchers from Hunt.io recently identified this ongoing campaign while analyzing suspicious content found in open directories.
Hunt.io's analysis revealed a server infrastructure built to capture stolen credentials and forward them to attacker-controlled remote servers. The phishing pages closely mimic the look and feel of authentic login portals, which makes them hard for most users to tell apart from the real thing. On the servers, investigators found multiple folders named "OV6", a known signature of the W3LL phishing kit. The phishing flow starts with a fake Adobe Shared File page that prompts the victim to log in to view a supposedly shared document; the credentials entered there are harvested.
W3LL also uses obfuscation to resist discovery and analysis. Notably, the kit's PHP is protected with ionCube, a commercial PHP encoder: the encoded files run only with the ionCube loader extension present and their source is not readable, which slows research and reverse engineering. The OV6_ENCODED directory on the servers holds these encoded PHP scripts, hiding the kit's core functionality from researchers and from automated scanners that look for plain-text phishing code. A config.php file stores the kit's operational settings, letting operators customize aspects of their campaigns. Network indicators include an open directory and infrastructure using older Let's Encrypt certificates.
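The artifacts above (the "OV6"/"OV6_ENCODED" folder names, ionCube-encoded PHP, a config.php alongside the encoded scripts, and an open directory listing) are the kind of thing a hunter can check mechanically when an open directory turns up. The script below is an added example written for this article, not Hunt.io or Group-IB tooling, and not code from the W3LL kit. It parses an autoindex-style listing for links, flags the kit's folder names, and detects ionCube-encoded PHP by its loader stub (`extension_loaded('ionCube Loader')`) and its `<?php //0...` version header; the directory listing, file bodies and the `triage` verdict thresholds are all constructed for the example. Certificate age is left out because it needs a live TLS connection.

```python
"""Triage heuristics for W3LL-style phishing kit artifacts found in an open directory.

Added example for this article, not the kit's code and not Hunt.io/Group-IB tooling.
Indicators used: the OV6 / OV6_ENCODED folder names, ionCube-encoded PHP, config.php.
The sample listing and file bodies below are constructed, not captured from a real host.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from pathlib import PurePosixPath

KIT_DIR_NAMES = {"ov6", "ov6_encoded"}          # reported W3LL folder signature
# ionCube-encoded PHP carries a stub that checks for the loader extension ...
IONCUBE_STUB = re.compile(r"extension_loaded\(\s*['\"]ionCube Loader['\"]\s*\)")
# ... and usually opens with a version marker like "<?php //004fb" (heuristic).
IONCUBE_HEADER = re.compile(r"^<\?php\s+//0[0-9a-f]{3,}", re.IGNORECASE)


class IndexLinkParser(HTMLParser):
    """Collects href values from an Apache/nginx autoindex-style listing."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for key, value in attrs:
            # skip sort links ("?C=N;O=D"), absolute links and the parent entry
            if key == "href" and value and not value.startswith(("?", "/")) and value != "../":
                self.hrefs.append(value)


def links_from_listing(html: str) -> list[str]:
    parser = IndexLinkParser()
    parser.feed(html)
    return parser.hrefs


def kit_dir_hits(paths) -> list[str]:
    """Return the distinct path components that match the kit's folder names."""
    hits = set()
    for path in paths:
        for part in PurePosixPath(path).parts:
            if part.lower() in KIT_DIR_NAMES:
                hits.add(part)
    return sorted(hits)


def is_ioncube_encoded(src: str) -> bool:
    """True if the file's head looks like ionCube-encoded PHP (stub or version header)."""
    head = src[:4096].lstrip()
    return bool(IONCUBE_STUB.search(head)) or bool(IONCUBE_HEADER.match(head))


def triage(listing_html: str, files: dict[str, str]) -> dict:
    """Combine the indicators into a verdict. Thresholds are this example's choice."""
    all_paths = set(links_from_listing(listing_html)) | set(files)
    kit_dirs = kit_dir_hits(all_paths)
    ioncube = sorted(p for p, body in files.items()
                     if p.lower().endswith(".php") and is_ioncube_encoded(body))
    configs = sorted(p for p in all_paths if PurePosixPath(p).name.lower() == "config.php")
    if kit_dirs and (ioncube or configs):
        verdict = "likely W3LL kit"
    elif kit_dirs or ioncube:
        verdict = "suspicious"
    else:
        verdict = "no kit indicators"
    return {"kit_dirs": kit_dirs, "ioncube_files": ioncube,
            "config_files": configs, "verdict": verdict}


# Constructed sample open-directory listing (not a real host).
SAMPLE_LISTING = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="../">Parent Directory</a>
<a href="OV6/">OV6/</a>
<a href="OV6_ENCODED/">OV6_ENCODED/</a>
<a href="adobe/">adobe/</a>
<a href="config.php">config.php</a>
<a href="index.html">index.html</a>
</pre></body></html>"""

# Constructed file bodies: one ionCube-style stub, one plain PHP page, one config.
SAMPLE_FILES = {
    "OV6_ENCODED/login.php": (
        "<?php //004fb\n"
        "if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));"
        "$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3);}\n"
    ),
    "adobe/index.php": "<?php\n// plain PHP, no loader stub\necho 'Adobe Shared File';\n",
    "config.php": "<?php\n$cfg = array();  // constructed placeholder\n",
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

Feed it a saved copy of the listing and the files you were able to retrieve; a "likely W3LL kit" verdict means the folder signature and at least one of the encoded scripts or config.php were present, which is worth reporting, while a lone ionCube stub is only "suspicious" because legitimate commercial PHP is also ionCube-encoded.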