DEV-1101 advertises its phishing kits to various threat groups

March 25, 2023

The DEV-1101 threat actors sell their phishing kits to different cybercriminal groups, each of which then runs its own Adversary-in-the-Middle (AiTM) campaigns. The developer has already sold the product to a threat group that used it for a large-scale phishing operation.

Based on reports, DEV-1101 began advertising its AiTM phishing tool in May last year through a Telegram account and a cybercriminal forum named exploit[.]in. The researchers explained that the advertised kit is written in NodeJS and offers PHP reverse-proxy capabilities, detection-evasion techniques, and an automated setup.

The tool also ships with phishing pages that impersonate well-known services such as MS Office and Outlook. The developers have released several upgrades to the kit, which buyers license for a hundred dollars per month.

In September the group added the ability to manage the kit's servers through a Telegram bot. The developers kept adding such upgrades as the tool gained traction among malicious actors.


One of DEV-1101 group's primary customers used the phishing kit to launch millions of emails.


According to the investigation, DEV-1101 has sold its phishing kit to one of its premium customers, DEV-0928. This customer used the kit to run a phishing operation involving over one million malicious emails.

The operation began with a phishing email instructing the target to open a PDF file. The file then redirected the targeted user to a phishing page masquerading as the Microsoft login page.

The phishing kit also inserts a CAPTCHA page into the flow, a check that only a human interacting with the page can pass.

In a similar incident, a separate threat group launched a BEC campaign last August. It used AiTM attacks to compromise Microsoft 365 accounts belonging to corporate executives and high-ranking officials, running the campaign on the evilginx2 proxy phishing framework.

Organisations should add further layers of security, since AiTM phishing campaigns are built to bypass MFA. Companies should also continuously monitor their systems so that suspicious activity is detected early and the effects of an attack can be contained.
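One monitoring heuristic that fits the advice above: an AiTM proxy relays the victim's sign-in and then reuses the MFA-backed session from the attacker's own infrastructure, so the same session identifier tends to appear from two different source addresses within a short time. The script below is an added illustration and is not code from this article, from DEV-1101's kit, or from any vendor's log schema; the event fields, the sample records and the 30-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each record names the user, the
# session identifier issued after a successful sign-in, the source IP of the
# request and an ISO-8601 timestamp. In an AiTM scenario the legitimate
# session is first seen from the victim's network and shortly afterwards
# from the attacker's relay (the third alice record below).
SAMPLE_EVENTS = [
    {"user": "alice@example.test", "session": "sess-A1", "ip": "198.51.100.10", "time": "2023-03-20T09:00:00"},
    {"user": "alice@example.test", "session": "sess-A1", "ip": "198.51.100.10", "time": "2023-03-20T09:05:00"},
    {"user": "alice@example.test", "session": "sess-A1", "ip": "203.0.113.77",  "time": "2023-03-20T09:12:00"},
    {"user": "bob@example.test",   "session": "sess-B1", "ip": "198.51.100.22", "time": "2023-03-20T10:00:00"},
    {"user": "bob@example.test",   "session": "sess-B1", "ip": "198.51.100.22", "time": "2023-03-20T11:30:00"},
    # carol's session moves to a new address a full day later: outside the window
    {"user": "carol@example.test", "session": "sess-C1", "ip": "198.51.100.30", "time": "2023-03-20T08:00:00"},
    {"user": "carol@example.test", "session": "sess-C1", "ip": "192.0.2.5",     "time": "2023-03-21T08:00:00"},
]


def find_session_ip_changes(events, window=timedelta(minutes=30)):
    """Return findings where one session identifier is used from two different
    source IPs within `window` of each other.

    This is a heuristic, not proof of compromise: VPN reconnects and mobile
    roaming also trigger it, so hits are leads for an analyst to triage.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(
            (datetime.fromisoformat(e["time"]), e["ip"], e["user"])
        )

    findings = []
    for session, rows in by_session.items():
        rows.sort()  # chronological order so consecutive pairs are adjacent in time
        for (t_prev, ip_prev, user), (t_cur, ip_cur, _) in zip(rows, rows[1:]):
            if ip_prev != ip_cur and t_cur - t_prev <= window:
                findings.append({
                    "user": user,
                    "session": session,
                    "from_ip": ip_prev,
                    "to_ip": ip_cur,
                    "minutes_apart": (t_cur - t_prev).total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for f in find_session_ip_changes(SAMPLE_EVENTS):
        print(f"{f['user']}: session {f['session']} moved from {f['from_ip']} "
              f"to {f['to_ip']} after {f['minutes_apart']:.0f} minutes")
```

Against the constructed sample only alice's session is flagged: it moves to a new address seven minutes after the last legitimate request, while bob's stays on one address and carol's change falls outside the window. In practice the window, and whether a change of network or autonomous system rather than bare IP counts, should be tuned to the organisation's own sign-in baseline.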
