The W3LL Phishing Kit is a phishing-as-a-service offering notable for its marketplace, W3LL Store, where customers select and customize the capabilities used in phishing campaigns that target Microsoft 365 credentials through adversary-in-the-middle (AitM) attacks. Researchers uncovered a campaign that uses a fake Adobe Shared File webpage to steal Outlook login credentials, supported by exposed infrastructure such as the teffcopipe[.]com server and ionCube-obfuscated PHP code. #W3LL #W3LLStore #teffcopipe.com #AdversaryInTheMiddle
Keypoints
- The W3LL Phishing Kit, identified by Group-IB in 2022, provides a marketplace called W3LL Store for users to select phishing campaign capabilities.
- It primarily targets Microsoft 365 credentials by leveraging adversary-in-the-middle (AitM) techniques to hijack session cookies and bypass MFA protections.
- Researchers detected a phishing campaign that uses a fake Adobe Shared File service webpage to trick users into entering Outlook login credentials.
- The phishing pages and core kit components are often hosted under directories named “/OV6” and contain PHP files encoded with the ionCube encoder, which slows static analysis of the kit.
- Stolen credentials are sent via POST requests to attacker infrastructure such as teffcopipe[.]com, indicating centralized credential collection and potential resale or further phishing use.
- Generic, non-personalized phishing messages suggest campaigns may still be in development or testing phases.
- Open directory listings expose these phishing kit files publicly, making discovery and defensive research possible through platforms like Hunt.io.
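The open-directory angle above is the one defenders can act on directly: when a listing is found, the question is whether it is the kit. The script below is an added example (not code from Hunt.io or from the W3LL kit) that fingerprints an exposed directory from three signals the page reports: the /OV6 directory name, PHP handler files, and ionCube-encoded PHP. The autoindex HTML and the file contents are constructed for the demonstration, and the ionCube check is an assumption based on the plaintext loader stub that ionCube-encoded PHP files normally start with.

```python
"""Fingerprint an exposed phishing-kit directory listing.

Added example (not code from Hunt.io or from the W3LL kit). The autoindex
HTML and the PHP file contents below are constructed for the demonstration;
the ionCube check is an assumption based on the plaintext loader stub that
ionCube-encoded PHP files normally start with.
"""
from html.parser import HTMLParser

KIT_DIR_NAMES = {"OV6"}  # directory name the page reports for the kit
# ionCube-encoded files begin with a plaintext stub that tests for the loader
# extension before the encoded payload; that stub is what we look for.
IONCUBE_MARKER = "extension_loaded('ionCube Loader')"


class _LinkExtractor(HTMLParser):
    """Collect href targets from an Apache-style autoindex page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(value)


def extract_entries(listing_html):
    """Return the file and directory names listed, dropping sort and parent links."""
    parser = _LinkExtractor()
    parser.feed(listing_html)
    return [h for h in parser.links if not h.startswith("?") and h not in ("../", "/")]


def is_ioncube_encoded(php_source):
    """True if the file opens with the ionCube loader stub (preamble only is checked)."""
    return IONCUBE_MARKER in php_source[:512]


def fingerprint(url_path, listing_html, file_contents):
    """Return (label, artifact) findings for one exposed directory.

    url_path: request path of the listing, e.g. '/OV6/'
    listing_html: the autoindex page body
    file_contents: {entry name: source} for any files already fetched
    """
    findings = []
    if any(seg in KIT_DIR_NAMES for seg in url_path.split("/") if seg):
        findings.append(("kit_directory", url_path))
    for entry in extract_entries(listing_html):
        if entry.endswith(".php"):
            findings.append(("php_handler", entry))
        source = file_contents.get(entry)
        if source is not None and is_ioncube_encoded(source):
            findings.append(("ioncube_encoded", entry))
    return findings


# Constructed sample: an Apache "Index of /OV6" page and two fetched files.
SAMPLE_LISTING = """<html><head><title>Index of /OV6</title></head><body>
<h1>Index of /OV6</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="../">Parent Directory</a>
<a href="index.php">index.php</a>
<a href="wazzy.php">wazzy.php</a>
<a href="assets/">assets/</a>
</pre></body></html>"""

SAMPLE_FILES = {
    # Constructed stand-in for an ionCube-encoded file: loader stub, then payload.
    "index.php": "<?php //004fb\nif(!extension_loaded('ionCube Loader')){die('The file needs the ionCube PHP Loader');}\n?>\nHR+cPw9Q",
    # Constructed plain-text file, deliberately not encoded.
    "wazzy.php": "<?php\n// constructed plain-text file, not encoded\n",
}

if __name__ == "__main__":
    for label, artifact in fingerprint("/OV6/", SAMPLE_LISTING, SAMPLE_FILES):
        print(f"{label:16} {artifact}")
```

The directory name and PHP handler are weak signals on their own; the ionCube stub on a file served from a listing that also matches the other two is what makes the triage worthwhile, and only the first 512 bytes of each file are read because the stub sits at the top and the encoded body is noise.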
MITRE Techniques
- [T1557] Adversary-in-the-Middle – The kit proxies the victim’s login flow and hijacks the resulting session cookies to bypass multi-factor authentication (‘utilizes adversary-in-the-middle (AitM) to hijack session cookies and bypass multi-factor authentication’).
- [T1566] Phishing – Attackers use fake Adobe Shared File service pages to lure victims into entering Outlook credentials (‘phishing campaign underway that uses a fake Adobe Shared File service webpage to steal Outlook login credentials’).
- [T1027] Obfuscated Files or Information – The kit’s PHP files are encoded with ionCube, which slows analysis (‘W3LL uses IonCube, a tool for encrypting/obfuscating PHP code, which is useful in slowing down research efforts’).
- [T1078] Valid Accounts – Stolen credentials could be used to send further phishing emails from compromised accounts (‘infrastructure likely used for stealing credentials for sale or to send further phishing emails from a valid account’).
Indicators of Compromise
- [Domain] Attacker infrastructure domain – teffcopipe[.]com
- [IP Address] Server hosting malicious PHP handler – 5.63.8[.]243
- [File] PHP credential handler script – /wazzy.php
- [Directory] Phishing kit control panel location – /OV6
- [Certificate] SSL certificate details for teffcopipe[.]com – Let’s Encrypt, valid from 2023-12-20 to 2024-03-19
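The indicators above are most useful once they are turned into something that runs over traffic. The script below is an added example, not part of the Hunt.io write-up: it refangs the listed domain and IP, matches web-proxy events on host and path, and separately flags a POST to the credential handler on known infrastructure, since that request is the exfiltration step itself. The log format (a constructed `timestamp client method url status` line) and the sample lines are made up for the demonstration; only the host and path values come from the IoC list.

```python
"""Match web-proxy log lines against the indicators listed above.

Added example; not part of the Hunt.io write-up. The log format (a
constructed 'timestamp client method url status' line) and the sample lines
are made up for the demonstration; the indicator values are the ones listed
on this page, with the defanging brackets removed in code.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as the page lists them (still defanged).
IOC_DOMAINS = {"teffcopipe[.]com"}
IOC_IPS = {"5.63.8[.]243"}
# Ordered, because match reasons are reported in this order.
IOC_PATHS = ("/wazzy.php", "/OV6")
CREDENTIAL_HANDLER = "/wazzy.php"


def refang(value):
    """Turn 'example[.]com' back into 'example.com' so it matches live traffic."""
    return value.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in IOC_DOMAINS}
IPS = {refang(i) for i in IOC_IPS}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed-format log line; None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return the list of reasons an event matches (empty if it is clean)."""
    reasons = []
    parts = urlsplit(event["url"])
    host = parts.hostname or ""
    path = parts.path or "/"
    if host in DOMAINS:
        reasons.append("domain:" + host)
    if host in IPS:
        reasons.append("ip:" + host)
    for ioc_path in IOC_PATHS:
        # Exact hit, or anything nested under the kit directory.
        if path == ioc_path or path.startswith(ioc_path.rstrip("/") + "/"):
            reasons.append("path:" + ioc_path)
    # A POST to the handler on known infrastructure is the exfiltration step
    # itself; a path-only hit on some other host is weak evidence and stays so.
    if (event["method"] == "POST" and path == CREDENTIAL_HANDLER
            and (host in DOMAINS or host in IPS)):
        reasons.append("credential_post")
    return reasons


def scan(lines):
    """Return (client, method, url, reasons) for every matching line."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            hits.append((event["client"], event["method"], event["url"], reasons))
    return hits


# Constructed sample traffic; only the hosts and paths from the IoC list are real.
SAMPLE_LOG = [
    "2024-01-15T09:12:01Z 10.0.0.21 GET https://teffcopipe.com/OV6/index.php 200",
    "2024-01-15T09:12:09Z 10.0.0.21 POST https://teffcopipe.com/wazzy.php 302",
    "2024-01-15T09:13:44Z 10.0.0.35 GET https://5.63.8.243/OV6/ 200",
    "2024-01-15T09:14:02Z 10.0.0.40 GET https://example.org/shared/file.pdf 200",
    "2024-01-15T09:15:30Z 10.0.0.52 POST https://cdn.example.net/wazzy.php 404",
]

if __name__ == "__main__":
    for client, method, url, reasons in scan(SAMPLE_LOG):
        print(client, method, url, ", ".join(reasons))
```

Two caveats for real deployments: a proxy without TLS interception only sees the CONNECT host, so the path rules never fire and the domain and IP rules carry the detection; and a path-only match such as the last sample line is a lead to check, not a verdict, because `/wazzy.php` is a short, generic name that could exist anywhere.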
Read more: https://hunt.io/blog/phishing-kit-targets-outlook-credentials