The threat actor known as DEV-1101 has been spotted developing and advertising a new adversary-in-the-middle (AiTM) open source phishing kit.
The Microsoft Threat Intelligence team shared the findings in an advisory published on Monday, which explained that the kit can automate the setup and launch of phishing activity and provide support for attackers.
“The threat actor group began offering their AiTM phishing kit in 2022, and since then has made several enhancements to their kit,” reads the Microsoft advisory.
These include the capability to manage campaigns from mobile devices and evasion features like the bypass of CAPTCHA pages.
According to a blog post seen by Microsoft on a cyber forum in May 2022, the DEV-1101 kit is written in NodeJS with PHP reverse-proxy capabilities, automated setup and detection evasion through an antibot database.
It also features phishing management activity via Telegram bots, as well as several ready-made phishing pages impersonating services like Microsoft Office or Outlook.
“On June 12 2022, DEV-1101 announced that the kit would be open source with a $100 monthly licensing fee,” Microsoft wrote. “The actor also provided links to additional Telegram channels and a now-defunct GitHub page.”
Months later, DEV-1101 upgraded the kit again, adding the ability to manage servers through a Telegram bot instead of cPanel.
“DEV-1101 was able to increase the price of their tool multiple times due to the rapid growth of their user base from July through December 2022,” Microsoft explained. “As of this writing, DEV-1101 offers their tool for $300, with VIP licenses at $1,000. Legacy users were permitted to continue purchasing licenses at $200 prior to January 1 2023.”
The tech giant added that it observed several threat actors conducting large-scale phishing campaigns (millions of phishing emails per day) using the tool offered by DEV-1101.
Also in phishing-related news, cybersecurity researchers at Cyble recently warned of several new Windows and Android phishing campaigns relying on ChatGPT for malware distribution.