A sophisticated phishing campaign utilizing the W3LL Phishing Kit has been actively targeting users’ Microsoft Outlook credentials through elaborate impersonation techniques.
First identified by Group-IB in 2022, this phishing-as-a-service (PhaaS) tool has evolved into a comprehensive ecosystem complete with its own marketplace called W3LL Store, where malicious actors can customize campaign capabilities according to their specific needs.
The campaign primarily focuses on harvesting Microsoft 365 credentials through adversary-in-the-middle (AitM) techniques, which allow attackers to hijack session cookies and bypass multi-factor authentication mechanisms.
The kit lures unsuspecting victims through convincing emails that direct them to carefully crafted phishing pages impersonating legitimate services such as Adobe’s Shared File platform.
Hunt.io researchers identified the campaign while investigating open directories containing suspicious content.
Their analysis revealed a complex infrastructure designed to efficiently capture credentials and funnel them to attacker-controlled servers.
The researchers noted that the phishing pages are meticulously designed to mimic the look and feel of authentic login portals, making detection challenging for average users.
When examining the server infrastructure, investigators discovered multiple folders named “OV6,” a telltale signature of the W3LL kit, which typically places its control panel at this location.
The phishing flow begins when users encounter a page mimicking Adobe’s Shared File service, prompting them to log in to access a purportedly shared document.
Upon entering credentials, the information is transmitted via a POST request to attacker infrastructure at teffcopipe[.]com/wazzy.php for harvesting.
Technical Analysis of Obfuscation Techniques
The W3LL kit employs sophisticated obfuscation techniques to evade detection and analysis.
One notable method is the use of ionCube, an encryption tool for PHP code that significantly slows down research and reverse engineering efforts.
Examining the OV6_ENCODED directory reveals heavily obfuscated PHP files designed to hide the kit’s functionality from security researchers and automated scanning tools.
The kit’s configuration is managed through a config.php file that contains crucial operational parameters.
A snippet of this file provides insights into how the toolkit functions, including credential handling processes and data exfiltration methods.
This configuration allows attackers to customize various aspects of their campaign, from visual elements of the phishing pages to the destination of stolen credentials.
Network indicators associated with this campaign include the open directory at 192.3.137[.]252:443 and additional infrastructure at teffcopipe[.]com pointing to 5.63.8[.]243, utilizing Let’s Encrypt certificates valid until March 19, 2024.
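The indicators above (the teffcopipe[.]com domain, the two IP addresses, the wazzy.php POST endpoint and the OV6 control-panel folder) are enough to sweep outbound web-proxy logs for users who may have reached the phishing infrastructure. The script below is an added example, not code from the article or from Hunt.io: it refangs the published indicators, parses a constructed key=value proxy log format (assumed for this example; adapt the parser to your own proxy's format), and reports each match together with the user who triggered it. Matching on the "/OV6/" path is deliberately case-sensitive, so the lowercase "/ov6/" sample line is left alone.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the article above, in their defanged form.
DEFANGED_IOCS = {
    "domain": ["teffcopipe[.]com"],
    "ip": ["192.3.137[.]252", "5.63.8[.]243"],
    "path": ["/wazzy.php", "/OV6/"],   # credential-harvesting endpoint and W3LL panel folder
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (x[.]y) back into its matchable form."""
    return ioc.replace("[.]", ".")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "domain", "ip" or "path"
    indicator: str   # refanged indicator that matched
    user: str
    url: str


# Constructed sample proxy log (key=value format assumed for this example).
# Line 5 is a benign lookalike: "/ov6/" in lowercase must not match.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z user=alice method=GET url=https://www.microsoft.com/ dst=13.107.21.200 status=200
2024-03-01T10:05:43Z user=bob method=GET url=https://teffcopipe.com/OV6/index.php dst=5.63.8.243 status=200
2024-03-01T10:05:58Z user=bob method=POST url=https://teffcopipe.com/wazzy.php dst=5.63.8.243 status=302
2024-03-01T10:07:02Z user=carol method=GET url=http://192.3.137.252:443/ dst=192.3.137.252 status=200
2024-03-01T10:09:15Z user=dave method=GET url=https://example.org/ov6/ dst=93.184.216.34 status=200
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict; the leading timestamp becomes 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(_FIELD.findall(rest))
    fields["ts"] = ts
    return fields


def match_line(line_no: int, line: str) -> list[Hit]:
    """Return one Hit per indicator that the log line touches."""
    f = parse_line(line)
    url = f.get("url", "")
    user = f.get("user", "?")
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits: list[Hit] = []
    for d in map(refang, DEFANGED_IOCS["domain"]):
        # exact host or any subdomain of the phishing domain
        if host == d or host.endswith("." + d):
            hits.append(Hit(line_no, "domain", d, user, url))
    for ip in map(refang, DEFANGED_IOCS["ip"]):
        # the IP may appear as the URL host (direct access) or as the resolved destination
        if host == ip or f.get("dst") == ip:
            hits.append(Hit(line_no, "ip", ip, user, url))
    for p in DEFANGED_IOCS["path"]:
        if p in parts.path:          # case-sensitive: the W3LL folder is literally "OV6"
            hits.append(Hit(line_no, "path", p, user, url))
    return hits


def scan(log_text: str) -> list[Hit]:
    """Scan a whole log and collect every indicator hit."""
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            hits.extend(match_line(n, line))
    return hits


def suspected_users(hits: list[Hit]) -> list[str]:
    """Users whose sessions touched the infrastructure; candidates for credential reset."""
    return sorted({h.user for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.kind}={h.indicator} user={h.user} url={h.url}")
    print("suspected users:", suspected_users(found))
```

A POST to wazzy.php is the strongest signal, since it marks the moment credentials left the browser; a hit on the domain or IP alone may be an email-security sandbox or a curious user, so triage each user's full session before forcing resets and revoking tokens.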