One More Trip to The W3LL: Phishing Kit Targets Outlook Credentials

Published on Mar 19, 2024
TABLE OF CONTENTS
  • The W3LL Phishing Kit, a phishing-as-a-service (PAaS) tool, was identified by Group-IB in 2022. What makes the kit different from other services is a marketplace called W3LL Store, allowing users to choose the capabilities needed to complete their campaigns.

  • Primarily focused on Microsoft 365 credentials, W3LL utilizes adversary-in-the-middle (AitM) to hijack session cookies and bypass multi-factor authentication.

  • Hunt researchers discovered a phishing campaign underway that uses a fake Adobe Shared File service webpage to steal Outlook login credentials. The webpage tricks users into logging in to access supposedly shared files. Below, we'll briefly discuss our findings.

Open Directory

[Figure 1: Open Directory containing W3LL Phishing Kit Files]

Hunt can identify exposed files on servers with open directory listings. Even if a server disappears from the internet, those files are available for download or preview on our platform. Warning: it's important to note that downloading such files should only be done in a safe environment.

Check it out: https://app.hunt.io/open-directory-crawler?host=https://192.3.137.252:443.

The presence of multiple folders named "OV6" in Figure 1 strongly indicates a W3LL phishing kit. W3LL typically places its control panel at "/OV6". These folders likely contain the core components of the phishing scheme, including obfuscated PHP files, which will be analyzed later.
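The folder-name heuristic above can be applied mechanically to any directory listing a crawler collects. The following script is an added example, not Hunt.io's code or part of the kit: it parses a constructed Apache-style "Index of /" page, drops the column-sort and parent links, and scores the listing on the two signals the post names (OV6-prefixed folders, which W3LL uses for its control panel, and an /access folder holding the lure page). The thresholds ("high" for two or more OV6 folders, "medium" for one) are an assumption chosen for illustration.

```python
"""Flag Apache-style open-directory listings that look like a W3LL deployment.

Added example, not Hunt.io's code. It applies the heuristic from the post
(several OV6-named folders plus an /access folder with the lure page) to a
constructed "Index of /" page.
"""
from html.parser import HTMLParser
from typing import Dict, List


class _HrefCollector(HTMLParser):
    """Gather href attributes from the anchors of an autoindex page."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def listing_entries(index_html: str) -> List[str]:
    """Return file/folder entries, dropping column-sort links and the parent link."""
    collector = _HrefCollector()
    collector.feed(index_html)
    return [h for h in collector.hrefs if not h.startswith("?") and h not in ("../", "/")]


def assess_w3ll(index_html: str) -> Dict[str, object]:
    """Score a listing: 'high' for multiple OV6-prefixed folders, 'medium' for one, else 'none'."""
    entries = listing_entries(index_html)
    ov6_dirs = [e for e in entries if e.endswith("/") and e.upper().startswith("OV6")]
    has_access = "access/" in entries
    if len(ov6_dirs) >= 2:
        confidence = "high"
    elif ov6_dirs:
        confidence = "medium"
    else:
        confidence = "none"
    return {
        "confidence": confidence,
        "ov6_dirs": ov6_dirs,
        "has_access_dir": has_access,
        "entries": entries,
    }


# Constructed listing modelled on the folder names mentioned in the post.
SUSPECT_INDEX = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="../">Parent Directory</a>
<a href="OV6/">OV6/</a>
<a href="OV6_ENCODED/">OV6_ENCODED/</a>
<a href="access/">access/</a>
<a href="index.html">index.html</a>
</pre></body></html>"""

# Constructed benign listing for comparison.
BENIGN_INDEX = """<html><body><h1>Index of /static</h1><pre>
<a href="../">Parent Directory</a>
<a href="css/">css/</a>
<a href="js/">js/</a>
<a href="logo.png">logo.png</a>
</pre></body></html>"""


if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT_INDEX), ("benign", BENIGN_INDEX)):
        result = assess_w3ll(page)
        print(f"{label}: confidence={result['confidence']} ov6={result['ov6_dirs']} "
              f"access={result['has_access_dir']}")
```

The parser deliberately ignores anything that is not an anchor, so sort links and the "Parent Directory" entry never count as kit artifacts; a stricter variant would also require the OV6 entries to be directories on the same host before raising the confidence.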

Navigating to the HTML file within the /access folder leads to a phishing page imitating Adobe's Shared File service. The page lures the user to log in to retrieve a supposed file.

The spoofed Adobe shared file page uses the generic message "Your Contact has shared a file with you." This lack of personalization, compared to including the sender's name, might suggest the campaign is still under development. Phishing attempts often leverage personalization to appear more legitimate and increase the success rate.

[Figure 2: Screenshot of wfiles.html]

When we tried logging in with fake credentials, the page sent a POST request to teffcopipe[.]com (5.63.8[.]243) at the path /wazzy.php. This PHP file likely handles the stolen credentials on the attacker's end and may be the same script used by the W3LL phishing kit panel.

[Figure 3: Outlook login page & additional attacker infrastructure]

The contents of OV6_ENCODED can be seen below. Note that W3LL uses ionCube, a tool for encrypting and obfuscating PHP code, which slows down analysis of the kit.

[Figure 4: OV6_Encoded folder contents]

As the name implies, config.php contains valuable details that provide insight into how the toolkit functions. A snippet is provided below.

[Figure 5: Snippet of config.php]

Conclusion

In this post we briefly shed light on a recent phishing campaign targeting Outlook credentials. Cybercriminals impersonated the Adobe Shared File service to trick users into logging in and steal their login information. Our analysis revealed additional infrastructure likely used to collect credentials for sale or to send further phishing emails from a valid account.

Understanding how W3LL and similar kits operate is crucial to staying protected.

Here's what you can do:

  • Stay informed: Watch for future W3LL phishing campaigns targeting your organization.
  • Educate employees: Train your staff to identify suspicious emails and login pages. Look for generic messages, unexpected senders, and requests for login credentials on unfamiliar websites.
  • Consider Hunt: Explore security solutions like Hunt that can help identify open directories potentially exposing sensitive data and targeting organizations.

Ready to learn more? Apply for a Hunt account today and empower your team to stay ahead of cyber threats!

Network Indicators

Open Directory
  • 192.3.137[.]252:443

Additional Infrastructure
  • teffcopipe[.]com → 5.63.8[.]243
  • Path: /wazzy.php
  • Certificate issuer: Let's Encrypt
  • Not Before: 2023-12-20 13:06:56
  • Not After: 2024-03-19 13:06:55
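The indicators above are the inputs a defender would feed into proxy or firewall log review. The script below is an added example, not Hunt.io's code: it refangs the published indicators, parses a constructed proxy log format (timestamp, client IP, method, URL, status), and ranks each match by what the post describes, with a POST to /wazzy.php on the collector host treated as a likely credential submission and any other contact with the collector or open-directory host as a lower-severity hit. The log lines and the log layout are constructed for the example.

```python
"""Scan web-proxy log lines for the network indicators published in the post.

Added example, not Hunt.io's code. The indicators are copied from the post in
defanged form; the log layout and the log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators as published (defanged so they cannot be clicked by accident).
OPEN_DIRECTORY_HOST = "192.3.137[.]252"
COLLECTOR_DOMAIN = "teffcopipe[.]com"
COLLECTOR_IP = "5.63.8[.]243"
COLLECTOR_PATH = "/wazzy.php"


def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return value.replace("[.]", ".").replace("hxxp", "http")


COLLECTOR_HOSTS = {refang(COLLECTOR_DOMAIN), refang(COLLECTOR_IP)}
OPEN_DIR = refang(OPEN_DIRECTORY_HOST)

# Constructed proxy log layout: <timestamp> <client_ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class Hit:
    ts: str
    client: str
    severity: str  # "high" = likely credential submission, "medium" = contact with kit infrastructure
    reason: str
    url: str


def classify(method: str, url: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if the request touches a published indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in COLLECTOR_HOSTS:
        if method == "POST" and parts.path == COLLECTOR_PATH:
            return "high", "POST to W3LL credential collector"
        return "medium", "contact with credential-collector host"
    if host == OPEN_DIR:
        return "medium", "contact with host serving the open directory"
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Parse each log line and collect hits; malformed lines are skipped."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["method"], m["url"])
        if verdict:
            hits.append(Hit(m["ts"], m["client"], verdict[0], verdict[1], m["url"]))
    return hits


# Constructed sample log: one lure fetch, one credential POST, one benign request,
# one probe of the collector IP, and one malformed line.
SAMPLE_LOG = [
    "2024-03-18T10:02:11Z 10.1.2.3 GET https://192.3.137.252:443/access/wfiles.html 200",
    "2024-03-18T10:02:45Z 10.1.2.3 POST https://teffcopipe.com/wazzy.php 200",
    "2024-03-18T10:03:00Z 10.1.2.9 GET https://www.example.com/ 200",
    "2024-03-18T10:04:17Z 10.1.2.5 GET https://5.63.8.243/ 404",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.severity:6} {h.ts} {h.client} {h.reason}: {h.url}")
```

Matching on the parsed hostname rather than a substring of the raw URL avoids false hits on unrelated hosts that merely contain the indicator text, and keeping the severity split lets an analyst triage the POST (the client that likely submitted credentials) ahead of the plain GETs.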
