W3LL Targets Microsoft 365 Accounts with Sophisticated Phishing Kit
A relatively unknown threat group that six years ago started with a custom tool used for bulk email spam is now running a massive operation selling a custom phishing kit that target corporate Microsoft 365 business email accounts.
According to researchers with cybersecurity firm Group-IB, the group – which has gone to lengths to keep under the radar – has more than 500 active users of its private underground marketplace and has pulled in about $500,000 over the past 10 months.
Group-IB is calling the threat group behind the operation “W3LL” and the customer phishing kit it sells “W3LL Panel.” Users can buy the kit from the “W3LL Store.”
W3LL Panel is collection of 16 custom tools that can be used in business email compromise (BEC) attacks and are designed to bypass multi-factor authentication (MFA) protections and which apparently is an attractive arsenal of weapons. According to Group-IB, those tools were used to target more than 56,000 Microsoft 365 accounts in the United States, Europe, and Australia between October 2022 and July.
“W3LL’s major weapon, W3LL Panel, may be considered one of the most advanced phishing kits in class, featuring adversary-in-the-middle functionality, API, source code protection, and other unique capabilities,” the security firm wrote in a report. “Due to its high efficiency, the phishing kit became trusted by a narrow circle of BEC criminals.”
From Humble Beginnings
According to the report, W3LL started in 2017 with the bulk email spam tool, W3LL SMTP Sender. The group later created and started selling a phishing kit targeting Microsoft 365 accounts that became so popular that it in 2018 it opened the W3LL Store, a hidden English-speaking marketplace.
“Over time, the platform evolved into a fully sufficient BEC ecosystem offering an entire spectrum of phishing services for cybercriminals of all levels, from custom phishing tools to supplementary items such as mailing lists and access to compromised servers,” the researchers wrote.
The highly organized store also offers user support through a ticketing system and live webchat, videos for hackers who don’t yet have the skills to use the tools, a referral bonus program – a 10% commission on referrals – and a reseller program that offers a 70-30 split on profits that third-party groups make from selling product on the store.
A three-month subscription for the W3LL Panel phishing kit goes for $500, then $150 per month after that. Each kit is activated through a token-based method, preventing it from being resold or the source code stolen, the researchers wrote.
Bad actors can’t just join the store; they need to be referred by existing members and then they have three days to make a deposit to their balance or risk their account being deactivated. The group tries keep the operation as quiet as possible, refusing to advertise the W3LL Store and asking users to not talk about it online.
Even with that, business is good. More than 3,800 items were sold through the marketplace between October 2022 and July and more than 12,000 are on sale now.
A Complete Phishing Toolkit
Within the phishing-as-a-service kit, bad actors can find everything they need to launch BEC attacks, from SMTP senders and a malicious link stager to a vulnerability scanner, automated account discovery instrument, and reconnaissance tools. The tools can be licensed for $50 to $350 a month.
“Furthermore, W3LL regularly updates its tools, adding new functionalities, improving anti-detection mechanisms, and creating new ones, which underlines the importance of staying up-to-date with the most recent changes in their TTPs [tactics, techniques, and procedures],” they wrote.
Cybercriminals can use the kit and its tools in a variety of ways. After compromising a target account, they can steal data, run fake-invoice scams, impersonate account owners, or distribute malware through the compromised account. Companies hit with the BEC attack can lose thousands to millions of dollars or see corporate data be leaked, which in turn can lead to a damaged reputation, compensation claims, and lawsuits.
Group-IB identified almost 850 phishing sites linked to W3LL Panel over the last 10 months and, via Telegram groups and chats controlled by the group and its infrastructure, found that 56,000 Microsoft 365 business accounts that were targeted. Of those, more than 8,000 were compromised. Most of the targets were in the manufacturing, IT, financial services, consulting, healthcare, and legal services sectors.
A Bad Omen
W3LL’s tools and operations portend bad times ahead for corporations, according to Pyry Avist, co-founder and CTO of security awareness products Hoxhunt.
“The W3LL phishing kit, and the details of its business model, signal the smoke before the coming wildfire of adversary-in-the-middle proxy attacks,” Avist told Security Boulevard. “AiTMs are the future of phishing because they’re extremely effective, hard to identify and detect and, most concerning, they are becoming easier to use.”
AiTMs are made to get by MFA protections, “and if proxy attacks like W3LL and EvilProxy become the norm, they’ll reduce the standalone effectiveness of MFA significantly,” he said.
W3LL and its phishing-as-a-service model also are reminders of the kinds of adversary security teams are facing.
The group is a “sophisticated criminal organization that operates like a business. Sometimes we forget that cybercrime is a multi-billion-dollar industry, whose economics dictate most threat actors’ activities. When a product is simple and works well enough to provide a high ROI, more criminals will use it.”
