{"id":21461,"date":"2023-03-13T08:01:07","date_gmt":"2023-03-13T16:01:07","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/03\/13\/news-15192\/"},"modified":"2023-03-13T08:01:07","modified_gmt":"2023-03-13T16:01:07","slug":"news-15192","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/03\/13\/news-15192\/","title":{"rendered":"DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit"},"content":{"rendered":"

Credit to Author: Microsoft Security Threat Intelligence| Date: Mon, 13 Mar 2023 16:00:00 +0000<\/strong><\/p>\n

Adversary-in-the-middle (AiTM)<\/a> phishing kits are part of an increasing trend that is observed supplanting many other less advanced forms of phishing. AiTM phishing is capable of circumventing multifactor authentication (MFA) through reverse-proxy functionality. DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, which other cybercriminals can buy or rent. The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime.<\/p>\n

DEV-1101 offers an open-source kit that automates setting up and launching phishing activity and provides support services to attackers. The threat actor group began offering their AiTM phishing kit in 2022, and since then has made several enhancements to their kit, such as the capability to manage campaigns from mobile devices, as well as evasion features like CAPTCHA pages. These attributes make the kit attractive to many different actors who have continually put it to use since it became available in May 2022. Actors using this kit have varying motivations and targeting and might target any industry or sector.<\/p>\n

Microsoft 365 Defender<\/a> detects suspicious activities related to AiTM phishing attacks and follow-on activities, such as session cookie theft and attempts to use the stolen cookies to sign in.<\/p>\n

In this blog post, we share information on DEV-1101, the tool they offer, and details on related AiTM campaigns. We also share best practices and detection details to further protect organizations from AiTM phishing attacks.<\/p>\n

AiTM tool promotion<\/h2>\n

DEV-1101 began advertising their AiTM kit around May 2022 through a Telegram channel and an advertisement in exploit[.]in<\/em>, a popular cybercrime forum. The advertisement describes the AiTM kit as a phishing application written in NodeJS with PHP reverse-proxy capabilities, automated setup, detection evasion through an antibot<\/em> database, management of phishing activity through Telegram bots, and a wide range of ready-made phishing pages mimicking services such as Microsoft Office or Outlook.<\/p>\n

On June 12, 2022, DEV-1101 announced that the kit would be open source with a $100 monthly licensing fee. The actor also provided links to additional Telegram channels and a now-defunct GitHub page.<\/p>\n

\"DEV-1101
Figure 1. DEV-1101 announcement on their AiTM tool license<\/figcaption><\/figure>\n

In September 2022, DEV-1101 added the ability to manage servers running their kit through a Telegram bot rather than requiring the use of cPanel, further facilitating phishing activities and letting their customers manage campaigns from mobile devices.<\/p>\n

DEV-1101 was able to increase the price of their tool multiple times due to the rapid growth of their user base from July through December 2022. This allowed DEV-1101 to dedicate themselves fully to the development and support of their tool. As of this writing, DEV-1101 offers their tool for $300, with VIP licenses at $1,000. Legacy users were permitted to continue purchasing licenses at $200 prior to January 1, 2023.<\/p>\n

\"DEV-1101
Figure 2. DEV-1101 increased their prices repeatedly due to rapid growth.<\/figcaption><\/figure>\n

Microsoft observed several high-volume phishing campaigns from various actors using the tool offered by DEV-1101, comprising millions of phishing emails per day. DEV-0928, an actor Microsoft has tracked since September 2022, is one of DEV-1101\u2019s more prominent patrons and was observed launching a phishing campaign involving over one million emails.<\/p>\n

DEV-1101 phishing sequence<\/h2>\n

DEV-1101\u2019s many different patrons take different approaches to phishing attacks. The example below is of an initial phishing message from a campaign launched by DEV-0928 using the DEV-1101 phishing kit. Clicking the Open<\/em> button in the email leads to the next step in the sequence.<\/p>\n

\"Example
Figure 3. Malicious link shared in a phishing message for an AiTM campaign.<\/figcaption><\/figure>\n

Two different evasions might result from clicking the link in the phishing message. The DEV-1101 kit\u2019s antibot <\/em>functionality might trigger an href<\/em> redirection to a benign page. In this example, the DEV-0928 domain o365987656898087[.]xyz<\/em> redirects to example.com<\/em>:<\/p>\n

\"DEV-1101
Figure 4. DEV-1101 benign redirect response headers<\/figcaption><\/figure>\n

The default redirection domain defined in the source code is example.com<\/em>; however, any actor using the kit may define a different redirection domain.<\/p>\n

\"DEV-1101
Figure 5. DEV-1101 benign redirect in source-code<\/figcaption><\/figure>\n

The kit also allows threat actors to use CAPTCHA to evade detection. Inserting a CAPTCHA page into the phishing sequence could make it more difficult for automated systems to reach the final phishing page, while a human could easily click through to the next page.<\/p>\n

\"CAPTCHA
Figure 6. Evasion through CAPTCHA page<\/figcaption><\/figure>\n

While evasion through CAPTCHA was introduced in August 2022, the functionality then required active engagement from DEV-1101\u2019s support to complete the setup for any requesting users. DEV-1101 later added CAPTCHA as a core functionality.<\/p>\n

After the evasion pages, a phishing landing page is presented to the target from an actor-controlled host through the phishing actor\u2019s reverse proxy setup:<\/p>\n

\"DEV-1101
Figure 7. Credential harvester mimicking a Microsoft sign-in portal.<\/figcaption><\/figure>\n

At this point, the actor\u2019s server captures credentials entered by the user. If the user has MFA enabled, the AiTM kit continues to function as a proxy between the user and the user\u2019s sign-in service, meaning, as the user completes an MFA sign-in, the server captures the resulting session cookie. The attacker can then bypass MFA with the session cookie and the user\u2019s stolen credentials.<\/p>\n

The following diagram illustrates the AiTM phishing attack chain: <\/p>\n

\"DEV-1101
Figure 8. AiTM phishing attack diagram
<\/figcaption><\/figure>\n

For additional in-depth information on how AiTM phishing works, refer to the blog, From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud<\/a>.<\/p>\n

Mitigating AiTM phishing attacks<\/h2>\n

While AiTM phishing attempts to circumvent MFA, MFA implementation remains an essential pillar in identity security and highly effective at stopping a wide variety of threats. MFA is the reason that threat actors developed the AiTM session cookie theft technique in the first place. Organizations are advised to work with their identity provider to ensure security controls like MFA are in place. Microsoft customers can implement MFA in Azure AD<\/a> through various methods, such as using the Microsoft Authenticator, FIDO2 security keys, and certificate-based authentication. <\/p>\n

Defenders can also complement MFA with the following solutions and best practices to further protect their organizations from such attacks: <\/p>\n