Craig Pepper
September 11, 2023

Threat Report 11.09.23

A phishing kit used to target more than 56,000 Microsoft 365 accounts

The use of the W3LL Panel phishing kit to compromise more than 56,000 Microsoft 365 accounts has come to light. This relatively obscure threat group, known as W3LL, initially emerged six years ago with a custom tool for conducting bulk email spam but has since expanded its operations significantly.

Researchers from Group-IB have unveiled that W3LL has undertaken a substantial operation, primarily involving the sale of a phishing kit designed to target Microsoft 365 business email accounts. To maintain a low profile, this group has engaged with a community of at least 500 threat actors through a secretive underground marketplace known as the W3LL Store.

Delving into the specifics, the W3LL Panel phishing kit is offered alongside 16 additional customised tools, strategically crafted for Business Email Compromise (BEC) attacks. These tools are adept at circumventing Multi-Factor Authentication (MFA) safeguards. They include SMTP senders like PunnySender and W3LL Sender, a tool for staging malicious links (W3LL Redirect), a vulnerability scanner named OKELO, an automated account discovery instrument referred to as CONTOOL, as well as reconnaissance tools and more. These tools are available at a reasonable price point.

What stands out is the W3LL threat group's consistent effort to enhance its tools, incorporating new functionalities and anti-detection mechanisms. This dedication has translated into substantial financial gains, with the group amassing approximately $500,000 in profit over the past 10 months.

These multipurpose tools provide cybercriminals with various options for exploiting compromised accounts. They can steal sensitive data, orchestrate fake invoice scams, impersonate legitimate account owners, or distribute malware through the infiltrated accounts.

The scale of the operation is further highlighted by the identification of nearly 850 distinct phishing websites linked to the W3LL Panel. In the past ten months alone, this phishing kit, along with its accompanying tools, has been employed to target over 56,000 Microsoft 365 accounts across regions including the United States, Europe, and Australia. Out of this significant number, over 8,000 accounts were successfully compromised. The majority of these targeted accounts belonged to sectors such as manufacturing, IT, financial services, consulting, healthcare, and legal services.

In conclusion, the rise of phishing kits like W3LL Panel underscores the growing threat landscape. These tools enable attackers to automate a variety of attacks, contributing to their popularity among cybercriminals. While W3LL Panel is just one example, recent reports indicate a surge in EvilProxy phishing attacks over the past five months. The dynamic nature of the threat landscape emphasises the importance of staying updated on the evolving tactics, techniques, and procedures (TTPs) employed by threat actors. Remaining vigilant and informed is essential in the ongoing battle against cyber threats.

New Malware Loader Revealed

A novel malware loader, known as HijackLoader, has garnered the attention of the cybercriminal underworld for distributing various payloads such as DanaBot, SystemBC, and RedLine Stealer.

Zscaler ThreatLabz researcher Nikolaos Pantazopoulos noted that despite lacking advanced features, HijackLoader possesses a unique modular architecture that allows it to utilise multiple modules for code injection and execution, a feature uncommon among most loaders.

First observed in July 2023, this malware employs a range of techniques to remain inconspicuous. These techniques include utilising syscalls to elude security solution monitoring, monitoring processes associated with security software based on an embedded blocklist, and deliberately delaying code execution by up to 40 seconds at different stages of its operation.

The exact initial access method employed to infiltrate target systems remains undisclosed. Notwithstanding its anti-analysis characteristics, HijackLoader includes a primary instrumentation module that enables flexible code injection and execution through embedded modules.

Persistence on compromised hosts is achieved by creating a shortcut file (LNK) in the Windows Startup folder, which directs to a Background Intelligent Transfer Service (BITS) job.
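One way a defender can audit for the persistence mechanism described above, as an added example that is not part of the report or of Zscaler's tooling. It assumes the shortcut "directs to a BITS job" by launching bitsadmin.exe or a BitsTransfer cmdlet, so the match pattern is an assumption to tune against your own telemetry; enumerating other users' BITS jobs needs an elevated shell.

```powershell
# Added example (not from the report): audit Startup-folder shortcuts for BITS-related targets.
# Assumption: a shortcut "directing to a BITS job" does so via bitsadmin.exe or the
# BitsTransfer cmdlets; adjust $bitsPattern to whatever your environment observes.
$bitsPattern = 'bitsadmin|Start-BitsTransfer|Get-BitsTransfer|Resume-BitsTransfer|BitsTransfer'
$shell = New-Object -ComObject WScript.Shell

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnkFile in Get-ChildItem -Path $dir -Filter '*.lnk' -File) {
        # Resolve the shortcut so we can inspect what it actually launches.
        $lnk = $shell.CreateShortcut($lnkFile.FullName)
        $commandLine = "$($lnk.TargetPath) $($lnk.Arguments)"
        [PSCustomObject]@{
            Shortcut    = $lnkFile.FullName
            Target      = $lnk.TargetPath
            Arguments   = $lnk.Arguments
            Created     = $lnkFile.CreationTime
            BitsRelated = [bool]($commandLine -match $bitsPattern)
        }
    }
}

# Every Startup shortcut deserves a look; the BITS-related ones are the HijackLoader-style ones.
$findings | Sort-Object BitsRelated -Descending | Format-Table -AutoSize

# Cross-check the BITS job queue itself: a job with a NotifyCmdLine or an unexpected
# owner is the other half of this persistence pattern. -AllUsers needs elevation.
try {
    Get-BitsTransfer -AllUsers -ErrorAction Stop |
        Select-Object JobId, DisplayName, JobState, OwnerAccount, NotifyCmdLine, CreationTime |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not enumerate BITS jobs: $($_.Exception.Message)"
}
```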

Pantazopoulos emphasised that HijackLoader is a modular loader incorporating evasion techniques, offering a wide range of loading options for malicious payloads. He also noted that it lacks advanced features, and the quality of its code is subpar.

In a related development, Flashpoint disclosed details about an updated version of an information-stealing malware named RisePro. Previously distributed via a pay-per-install (PPI) malware downloader service called PrivateLoader, RisePro claims to incorporate the best aspects of 'RedLine' and 'Vidar' to create a potent information stealer. Notably, users of RisePro can host their own panels to prevent logs from being stolen by sellers.

RisePro, coded in C++, is designed to harvest sensitive data from compromised systems and transmit it as logs to a command-and-control (C&C) server. It was first offered for sale in December 2022.

Additionally, a new information stealer written in Node.js has emerged, packaged into an executable and distributed through deceptive Large Language Model (LLM)-themed Facebook ads and counterfeit websites posing as ByteDance's CapCut video editor.

Upon execution, this stealer's main function is to pilfer cookies and credentials from various Chromium-based web browsers, subsequently exfiltrating this data to a C&C server and a Telegram bot. The client also subscribes to the GraphQL-based C&C server, so the stealing routine can be triggered again whenever the server pushes a message. Targeted browsers encompass Google Chrome, Microsoft Edge, Opera (including OperaGX), and Brave.

This marks the second instance of counterfeit CapCut websites delivering stealer malware. In May 2023, Cyble uncovered two distinct attack chains that employed this software as bait to deceive unsuspecting users into executing Offx Stealer and RedLine Stealer.

These developments paint a dynamic picture of the ever-evolving cybercrime landscape. Information stealers remain a prevalent initial attack vector for threat actors seeking to infiltrate organisations and carry out post-exploitation activities.

Notably, threat actors are actively creating new strains of information stealers, such as Prysmax, which incorporates a multitude of functionalities akin to a Swiss Army knife. Prysmax, a Python-based malware, is packaged using PyInstaller, bundling the malicious code and its dependencies into a single executable. It focuses on disabling Windows Defender, manipulating its settings, and configuring its response to threats.
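A baseline check for the Defender tampering described above, as an added example that is not part of the report or of Prysmax analysis. It reads the live Defender configuration with the standard Defender cmdlets and flags settings that would weaken detection; the numeric action codes treated as weak (Allow, NoAction) are assumed from the Set-MpPreference documentation and should be verified for your Defender build.

```powershell
# Added example (not from the report): snapshot the Microsoft Defender settings a Prysmax-style
# stealer is described as tampering with, and flag anything that weakens protection.
# Run in an elevated PowerShell on the host being checked.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Each check is a name plus a boolean that should be $true on a healthy host.
$checks = @(
    @{ Name = 'Antivirus engine enabled';           Ok = [bool]$status.AntivirusEnabled }
    @{ Name = 'Real-time protection enabled';       Ok = [bool]$status.RealTimeProtectionEnabled }
    @{ Name = 'Behavior monitoring enabled';        Ok = [bool]$status.BehaviorMonitorEnabled }
    @{ Name = 'Tamper protection enabled';          Ok = [bool]$status.IsTamperProtected }
    @{ Name = 'Real-time monitoring not disabled';  Ok = -not $pref.DisableRealtimeMonitoring }
    @{ Name = 'Download (IOAV) scanning on';        Ok = -not $pref.DisableIOAVProtection }
    @{ Name = 'Script scanning on';                 Ok = -not $pref.DisableScriptScanning }
    @{ Name = 'Cloud (MAPS) reporting on';          Ok = $pref.MAPSReporting -ne 0 }
    @{ Name = 'No path exclusions';                 Ok = -not $pref.ExclusionPath }
    @{ Name = 'No process exclusions';              Ok = -not $pref.ExclusionProcess }
    @{ Name = 'No extension exclusions';            Ok = -not $pref.ExclusionExtension }
)

# Default threat responses: Allow (6) and NoAction (9) mean detections are effectively ignored.
# (Codes assumed from Set-MpPreference's documented action values; verify for your build.)
$weakActions = @(6, 9)
foreach ($level in 'Low', 'Moderate', 'High', 'Severe') {
    $action = $pref."${level}ThreatDefaultAction"
    $checks += @{ Name = "${level}-threat default action not Allow/NoAction"
                  Ok   = ($weakActions -notcontains $action) }
}

$failed = $checks | Where-Object { -not $_.Ok }
if ($failed) {
    Write-Warning "Defender protection weakened on $($env:COMPUTERNAME):"
    $failed | ForEach-Object { Write-Warning "  - $($_.Name)" }
    # Exclusions are the most common tampering artefact; print them for triage.
    $pref | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension | Format-List
} else {
    Write-Host "Defender baseline intact on $($env:COMPUTERNAME)"
}
```

Feed the failed-check names into whatever ticketing or SIEM pipeline you use; a host that newly fails several of these at once is the signal worth investigating.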

Prysmax also strives to minimise traceability while maintaining a foothold on compromised systems. Its design prioritises data theft and exfiltration, all while evading detection by security tools and dynamic analysis sandboxes.

Apple acts swiftly to address critical security concerns

Apple has acted swiftly to address critical security concerns surrounding its products, including iOS, iPadOS, macOS, and watchOS. The company has released emergency security updates in response to the exploitation of two zero-day vulnerabilities that allowed the deployment of the NSO Group's Pegasus mercenary spyware.

These vulnerabilities are identified as follows:

  • CVE-2023-41061: This vulnerability pertains to a validation issue within the Wallet application, potentially leading to the execution of arbitrary code when handling maliciously crafted attachments.
  • CVE-2023-41064: This vulnerability involves a buffer overflow issue within the Image I/O component, which could result in the execution of arbitrary code when processing maliciously crafted images.

It's worth noting that while Citizen Lab at the University of Toronto's Munk School discovered CVE-2023-41064, Apple internally identified CVE-2023-41061, with some assistance from Citizen Lab.

The security updates are accessible for various devices and operating systems, including iOS 16.6.1 and iPadOS 16.6.1 for devices like iPhone 8 and newer, various iPad models, and macOS Ventura 13.5.2 for compatible macOS devices. Additionally, watchOS 9.6.2 addresses the issue for Apple Watch Series 4 and later.

In a separate alert, Citizen Lab disclosed that these two vulnerabilities were exploited as part of a zero-click iMessage exploit chain called BLASTPASS to deploy Pegasus on iPhones running iOS 16.6. This exploit chain had the capability to compromise iPhones without any user interaction. It involved PassKit attachments containing malicious images sent from an attacker's iMessage account to the victim.

The technical specifics of these vulnerabilities have been deliberately withheld due to ongoing exploitation. However, it's noteworthy that this exploit managed to bypass Apple's BlastDoor sandbox framework, designed to mitigate zero-click attacks.

This revelation underscores the continued targeting of civil society by sophisticated exploits and mercenary spyware. Citizen Lab made this discovery while examining the device of an unidentified individual associated with a civil society organisation based in Washington D.C. with international operations.

Apple's proactive response to these vulnerabilities is commendable, as this incident marks the fixing of a total of 13 zero-day vulnerabilities in its software since the beginning of the year. Notably, these latest updates come after the company addressed an actively exploited kernel flaw (CVE-2023-38606).

This development coincides with reports of the Chinese government's decision to ban the use of iPhones and foreign-branded devices by central and state government officials. This move is attributed to concerns about cybersecurity, amid growing tensions in the Sino-U.S. trade war.

Security experts caution against assuming iPhones are immune to espionage, despite their reputation for security. The number of zero-click exploits, especially by commercial entities like NSO, highlights the challenges individuals, organisations, and governments face in protecting against cyber espionage via iPhones. Vigilance and comprehensive security measures remain crucial in the ever-evolving landscape of cyber threats.
