The Perils of Phishing Attacks: Advanced W3LL Kit

Written By Destiny Tham

The threat actor known as W3LL has developed an advanced phishing kit capable of bypassing multi-factor authentication (MFA). Over the past ten months, W3LL's tools and infrastructure have been responsible for compromising more than 8,000 corporate Microsoft 365 accounts. This actor's tools have been employed in business email compromise (BEC) attacks that have resulted in significant financial losses. W3LL's inventory covers almost the entire kill chain of BEC operations and is accessible to cybercriminals of all technical skill levels. 

Background

The threat actor W3LL has emerged as a prominent developer of malicious tools for BEC groups. W3LL's journey began in 2017 with the offering of a bulk email sending tool called W3LL SMTP Sender, primarily used for spamming. Subsequently, W3LL expanded its operations by launching the W3LL Store in 2018, an English-speaking marketplace catering to a closed community of cybercriminals. The W3LL Panel, a key weapon in W3LL's arsenal, stands out as one of the most advanced phishing kits available, featuring adversary-in-the-middle functionality, API support, source code protection, and other unique capabilities.

Attack Details

W3LL's toolkit for BEC attacks is extensive and includes tools such as SMTP senders (PunnySender and W3LL Sender), the malicious link stager (W3LL Redirect), a vulnerability scanner (OKELO), an automated account discovery utility (CONTOOL), and an email validator (LOMPAT). These tools enable cybercriminals to execute a BEC attack from victim selection to the delivery of phishing emails.

Evasion Strategies

W3LL employs various obfuscation methods to bypass email filters and security agents, including Punycode, HTML tags, images, and links with remote content. Phishing links are often delivered through phishing attachments, further evading detection. In the most recent variant, W3LL has added multiple layers of obfuscation and encoding, loading scripts directly from the W3LL Panel.

BEC Attack Kill Chain

W3LL's approach involves intercepting communication between the victim and the Microsoft server, ultimately obtaining the victim's authentication session cookie. This complex process includes CAPTCHA verification, setting up a fake login page, validating the victim's account, identifying the target organization's brand identity, and obtaining an authenticated session cookie.

 

W3LL's BEC attacks have led to various consequences, including data theft, fraudulent payment requests, impersonation of professional services, distribution of malware, and financial gains. The attacker has also provided access to compromised web services, servers, hosting accounts, and email domains.

Recommendations

To defend against BEC attacks facilitated by W3LL's tools, the following actions are recommended:

  • Be cautious when handling email attachments.

  • Encourage the use of strong authentication methods, such as multi-factor authentication (MFA), for accessing corporate accounts, especially those linked to critical systems or financial transactions.

  • Regularly update and patch systems to address vulnerabilities.

  • Monitor email traffic for suspicious activity and implement user awareness training programs.

 

To conclude, W3LL represents a significant threat in the realm of BEC attacks, offering advanced tools and services to cybercriminals worldwide. As W3LL continues to evolve and innovate, organizations must remain vigilant and employ a multi-layered security approach to defend against this ever-present threat.

 

Destiny Tham
Previous

Exploitation of Vulnerabilities: Malicious Window’s ThemeBleed
Next

The Perils of Phishing Attacks: MalDoc in PDF