A threat actor known as DEV-1101 has been discovered developing and promoting a new adversary-in-the-middle (AiTM) open source phishing kit.
The Microsoft Threat Intelligence team shared its findings in an advisory published Monday, explaining how such kits automate the setup and launch of phishing campaigns on behalf of attackers.
“The threat actor group began offering the AiTM phishing kit in 2022 and has since made several enhancements to the kit,” reads Microsoft’s advisory.
These include the ability to manage campaigns from mobile devices and evasion features such as bypassing CAPTCHA pages.
According to a forum post observed by Microsoft in May 2022, the DEV-1101 kit is written in NodeJS and features PHP reverse proxy functionality, automatic setup, and anti-bot database evasion.
It also features phishing management activities via its Telegram bot and several ready-made phishing pages that impersonate services like Microsoft Office and Outlook.
“On June 12, 2022, DEV-1101 announced that the kit will be open source for a $100 monthly license fee,” Microsoft wrote. “The attacker also provided links to his additional Telegram channels and to his now-defunct GitHub page.”
A few months later, DEV-1101 upgraded the kit again to include the ability to manage the server via Telegram bot instead of cPanel.
“DEV-1101 was able to raise the price of the tool multiple times due to the rapid growth of its user base from July to December 2022,” Microsoft explained. “At the time of this writing, DEV-1101 is offering the tool for $300 and a VIP license for $1,000. Existing users were allowed to continue purchasing licenses for $200 through January 1, 2023.”
The tech giant added that it has observed multiple threat actors conducting large-scale phishing campaigns (millions of phishing emails per day) using the tools provided by DEV-1101.
Also in phishing-related news, cybersecurity researchers at Cyble recently warned of several new Windows and Android phishing campaigns leveraging ChatGPT to distribute malware.