Full Report
The Darcula phishing-as-a-service (PhaaS) platform is preparing to release its third major version, with one of the highlighted features, the ability to create do-it-yourself phishing kits to target any brand. [...]
Analysis Summary
# Tool/Technique: Darcula PhaaS (Phishing-as-a-Service)
## Overview
Darcula PhaaS is a phishing platform, recently updated to version 3.0, that automates the creation, deployment, and management of sophisticated corporate phishing campaigns. Its headline new feature is the ability to generate phishing kits automatically for any specified brand.
## Technical Details
- Type: Attack Tool / Framework (Phishing-as-a-Service)
- Platform: Web-based platform supporting the generation and deployment of phishing pages (targeting web users). The cloning process utilizes the Puppeteer tool.
- Capabilities: Automated phishing kit generation, site cloning, credential harvesting, real-time monitoring, virtual card generation, and anti-detection mechanisms.
- First Seen: This report covers the upgrade to Darcula 3.0; the prior version (Darcula 2.0) has been actively detected over the last 10 months.
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1566 - Phishing
    * T1566.001 - Spearphishing Attachment (Potential, if kits are distributed via this method)
    * T1566.002 - Spearphishing Link (Primary method of delivery)
* **TA0010 - Exfiltration**
  * T1041 - Exfiltration Over C2 Channel (Stolen data is exfiltrated via the admin panel)
* **TA0005 - Defense Evasion**
  * T1027 - Obfuscated Files or Information (Implied via anti-detection features)
## Functionality
### Core Capabilities
- **DIY Phishing Kit Generator:** Allows users ("customers") to input a target brand URL, prompting the system to automatically generate all necessary phishing page templates, including HTML, CSS, images, and JavaScript.
- **Site Cloning:** Uses the **Puppeteer** tool to clone legitimate websites, maintaining the original design integrity.
- **Targeted Modification:** Allows modification of key elements like login fields, payment forms, and 2FA prompts, enabling replacement with phishing functionality.
- **Pre-made Templates:** Includes templates for common phishing scenarios, such as fake password reset pages, credit card payment forms, and 2FA code entry prompts.
- **Packaging:** Packages the configured kit into a ".cat-page" bundle for deployment.
- **Central Management:** The admin panel allows for deployment, central management, and real-time monitoring of harvested data.
### Advanced Features
- **Anti-Detection Suite:** Includes randomized deployment paths, IP filtering, crawler blocking, and device-type restrictions to evade security measures.
- **Real-Time Logging & Notifications:** Provides real-time logs of stolen credentials and sends alerts via **Telegram** upon victim submission of sensitive information.
- **Virtual Card Generation:** A new tool converts stolen credit card data into virtual card images compatible with digital payment apps.
## Indicators of Compromise
- File Hashes: N/A (Focus is on the platform infrastructure and generated kits)
- File Names: `.cat-page` (Bundle format for kits)
- Registry Keys: N/A
- Network Indicators: Telegram groups associated with promoting stolen cards generated from the platform.
- Behavioral Indicators: Deployment of sites designed to mimic legitimate corporate branding; use of URLs designed for credential harvesting; high volume of credential submissions logged through a central Darcula admin panel.
## Associated Threat Actors
The article implies that Darcula PhaaS is utilized by various threat actors in the underground economy who subscribe to the service. Specific named threat actor groups are not mentioned, but the service is actively promoted in Telegram groups.
## Detection Methods
- Signature-based detection: Detection of the `.cat-page` bundle format.
- Behavioral detection: Monitoring for high volume submissions to newly deployed, non-standard login/payment endpoints mimicking established brands.
- YARA rules: N/A
## Mitigation Strategies
- **Prevention measures:** Implement robust email filtering and DMARC/SPF/DKIM policies to block phishing delivery, and train users to recognize sophisticated phishing attempts.
- **Hardening recommendations:** Enforce multi-factor authentication (MFA) on all critical services so that a harvested password alone is not enough; since the kits ship 2FA code-entry templates, phishing-resistant factors are preferable to one-time codes. Monitor for unusual domain registrations that mimic internal or trusted partner branding.
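One way to implement the behavioural detection and lookalike-domain monitoring described above, as an added example that is not part of the report or of the Darcula platform: it scans constructed web-proxy log lines for POST submissions to hosts that carry a protected brand name but sit outside that brand's legitimate domains, and raises an alert once a host crosses a submission threshold. The brand allowlist, path tokens, log format and log lines are all constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed allowlist (assumption): registrable domains legitimately owned by each protected brand.
PROTECTED_BRANDS = {"examplebank": {"examplebank.com"}, "acmepay": {"acmepay.example"}}
# Path tokens typical of the login, payment and 2FA capture pages the report describes.
SENSITIVE = ("login", "signin", "password", "reset", "payment", "card", "2fa", "otp", "verify")

def parse_line(line):
    """Parse a 'timestamp src_ip METHOD url status' proxy line; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    u = urlsplit(parts[3])
    return {"src": parts[1], "method": parts[2].upper(),
            "host": (u.hostname or "").lower(), "path": u.path.lower()}

def brand_lookalike(host):
    """Return the brand a host imitates: brand token present but host outside its legitimate domains."""
    flat = host.replace("-", "").replace(".", "")  # catch example-bank.* and examplebank.com.evil.*
    for brand, domains in PROTECTED_BRANDS.items():
        owned = any(host == d or host.endswith("." + d) for d in domains)
        if brand in flat and not owned:
            return brand
    return None

def flag_hosts(lines, threshold=3):
    """Map lookalike host -> (brand, POST count, distinct source IPs) for hosts at or above threshold."""
    posts, sources, brands = Counter(), defaultdict(set), {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not any(t in rec["path"] for t in SENSITIVE):
            continue  # only form submissions to credential/payment-style paths count
        brand = brand_lookalike(rec["host"])
        if brand is None:
            continue  # legitimate brand domain or unrelated site
        posts[rec["host"]] += 1
        sources[rec["host"]].add(rec["src"])
        brands[rec["host"]] = brand
    return {h: (brands[h], n, len(sources[h])) for h, n in posts.items() if n >= threshold}

# Constructed sample log: a legitimate login, a lookalike burst on a randomized path, one isolated hit.
SAMPLE_LOG = [
    "2024-01-01T09:00:01 10.0.0.5 POST https://login.examplebank.com/login 200",
    "2024-01-01T09:01:10 10.0.0.7 POST https://examplebank-secure-login.xyz/a7f3/login 200",
    "2024-01-01T09:01:44 10.0.0.8 POST https://examplebank-secure-login.xyz/a7f3/login 200",
    "2024-01-01T09:02:03 10.0.0.9 POST https://examplebank-secure-login.xyz/a7f3/2fa 200",
    "2024-01-01T09:02:30 10.0.0.7 GET https://examplebank-secure-login.xyz/a7f3/login 200",
    "2024-01-01T09:03:12 10.0.0.11 POST https://acmepay-verify.example/card 200",
]
```

Running `flag_hosts(SAMPLE_LOG)` on the constructed log flags only the lookalike host with three submissions from three sources; the legitimate subdomain and the single-hit host stay below the alert threshold.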
## Related Tools/Techniques
- Puppeteer (Used internally by Darcula for site cloning)
- Other Phishing-as-a-Service (PhaaS) platforms.
- Tools that convert stolen card data into usable virtual cards.