A threat actor known as W3LL developed a phishing kit that can bypass multi-factor authentication along with other tools that compromised more than 8,000 Microsoft 365 corporate accounts.
In ten months, security researchers discovered that W3LL’s utilities and infrastructure were used to set up about 850 phishing that targeted credentials for more than 56,000 Microsoft 365 accounts.
Growing the business
Serving a community of at least 500 cybercriminals, W3LL’s custom phishing tools were employed in business email compromise (BEC) attacks that caused millions of U.S. dollars in financial losses.
Researchers say that W3LL’s inventory covers almost the entire kill chain of a BEC operation and can be operated by “cybercriminals of all technical skill levels.”
In a report today, cybersecurity company Group-IB provides details about W3LL and how it grew to be one of the most advanced malicious developers for BEC groups.
The first evidence of W3LL’s activity appears to be from 2017 when the developer started to offer a custom tool for bulk email sending called W3LL SMTP Sender, which was used for spamming.
The actor’s popularity and business started to grow when it started to sell a custom phishing kit focused on Microsoft 365 corporate accounts.
In 2018, W3LL launched its W3LL Store, an English-speaking marketplace where it could promote and sell its tools to a closed community of cybercriminals, the researchers say.
“W3LL’s major weapon, W3LL Panel, may be considered one of the most advanced phishing kits in class, featuring adversary-in-the-middle functionality, API, source code protection, and other unique capabilities” - Group-IB
W3LL arsenal for BEC attacks
Apart from W3LL Panel, which was designed to bypass multi-factor authentication (MFA), the actor provides 16 more tools, all primed for BEC attacks. The catalog includes:
- SMTP senders PunnySender and W3LL Sender
- The malicious link stager W3LL Redirect
- A vulnerability scanner called OKELO
- An automated account discovery utility named CONTOOL
- An email validator called LOMPAT
According to Group-IB, W3LL Store offers solutions for deploying a BEC attack from the initial stage of picking victims, phishing lures with weaponized attachments (default or customized), to launching phishing emails that land in the victims’ inboxes.
The researchers say that W3LL is sufficiently skilled to protect its tools from being detected or taken down by deploying and hosting them on compromised web servers and services.
However, customers also have the option to use W3LL’s OKELO scanner to find vulnerable systems and gain access to them on their own.
Bypassing filters and security agents
Some of the techniques W3LL employs to bypass email filters and security agents include various obfuscation methods for email headers and text body (Punycode, HTML tags, images, links with remote content).
Initial phishing links are also delivered using multiple methods that evade detection. One is through phishing attachments instead of embedding them in the email body.
The link is placed in an HTML file that comes as an attachment, the researchers discovered. When the victim launches the malicious HTML, which could be disguised as a document or voice message, a browser window opens up with a “genuine-looking MS Outlook animation.”
This is the W3LL Panel phishing page ready to collect Microsoft 365 account credentials.
Analyzing a W3LL phishing attachment discovered in the wild, Group-IB noticed that it was an HTML file that displayed a website in an iframe by using JavaScript obfuscated through base64 encoding.
In a newer version, updated in late June, W3LL added multiple layers of obfuscation and encoding. It loads the script directly from the W3LL Panel instead of including it in the HTML code.
The chain of events for the more recent variant looks like this:
Hijacking Microsoft 365 corporate accounts
Group-IB researchers explain that the initial link in a phishing lure does not lead to the fake Microsoft 365 login page in the W3LL Panel and it is only the start of a redirect chain intended to prevent the discovery of W3LL Panel phishing pages.
For W3LL to compromise a Microsoft 365 account, it uses the adversary/man-in-the-middle (AitM/MitM) technique, where communication between the victim and the Microsoft server passes through the W3LL Panel and the W3LL Store acting as a backend system.
The goal is to obtain the victim’s authentication session cookie. For this to happen, W3LL Panel needs to go through several steps, which include:
- Pass CAPTCHA verification
- Set up the correct fake login page
- Validate the victim's account
- Obtain the target organization’s brand identity
- Get the cookies for the login process
- Identify the type of account
- Validate the password
- Obtain the one-time-passcode (OTP)
- Get an authenticated session cookie
After the W3LL Panel gets the authentication session cookie, the account is compromised and the victim is shown a PDF document, to make the login request appear legitimate.
Account discovery stage
Using CONTOOL, the attacker can automate the finding of emails, phone numbers, attachments, documents, or URLs the victim used, which could help with the lateral movement stage.
The tool can also monitor, filter, and modify incoming emails, as well as receive in a Telegram account notifications based on specific keywords.
According to Group-IB, the typical results from such an attack are:
- Data theft
- Fake invoice with the attacker’s payment info
- Impersonating professional services to send fraudulent payment requests to clients
- Classic BEC fraud - access to a top executive and acting on their behalf to instruct employees to make wire transfers or purchase goods
- Distribute malware
Making money
Group-IB’s report dives deep into the functionality of the W3LL Panel, describing at a technical level how some of the features work to achieve the intended goal, be it evading detection or collecting data.
W3LL Panel is the crown jewel of the developer and it comes at $500 for three months, and a $150 monthly renewal price. A license to activate it must also be bought.
Bellow is the purchase page for the kit and the administration panel:
The W3LL threat actor has been around for about five years and amassed a customer base of more than 500 cybercriminals that have in the store over 12,000 items to choose from.
Apart from phishing and BEC-related tools, W3LL also provides access to compromised web services (web shell, email, content management systems) and SSH and RDP servers, hosting and cloud service accounts, business email domains, VPN accounts, and hijacked email accounts.
Group-IB researchers say that between October 2022 and July 2023, W3LL sold more than 3,800 items, for an estimated turnover that exceeds $500,000.
Comments
Mahhn - 9 months ago
So the solution here is to get as many of these phishing Emails as possible, track the domains/IPs the scum are using and add those to global malicious list every hour. Glad we have tools that do that. Layers of tools that do that.
Hmm888 - 9 months ago
"So the solution here is to get as many of these phishing Emails as possible, track the domains/IPs the scum are using and add those to global malicious list every hour. Glad we have tools that do that. Layers of tools that do that. "
LOL. The tools may be there, are they being used? And your logic is akin to get everyone (young and old) infected and allow many to perish. Great logic!