A new Chinese-language phishing-as-a-service (PhaaS) platform named "darcula" has been targeting postal organizations in more than 100 countries, including the United States Postal Service (USPS).
Netcraft researchers said in a March 27 post that the attacks use more than 20,000 phishing domains to trick victims into entering credentials and other sensitive information in the belief they are interacting with legitimate postal organizations.
The researchers said the “darcula” platform has been used for numerous high-profile phishing attacks over the last year, including messages received on Apple and Android devices in the United Kingdom, as well as package scams impersonating USPS in the United States. There have also been many attacks across the Middle East.
“We found ‘darcula’ to be the most pervasive worldwide package scam operation we have seen,” said Robert Duncan, vice president of product strategy at Netcraft. “Other operations we have seen recently have been of a much smaller scale and more geographically targeted. For example, Frappo/LabHost focused more on North American and multinational brands.”
Duncan explained that the precursor to a more modern iteration of PhaaS was in phishing kits, which have been around for a long time. Netcraft reported on a Moroccan group named Mr-Brain back in 2008 selling pre-made kits to deploy phishing sites with hidden functionality to siphon the stolen details back to the original author alongside the criminal who purchased and deployed the kit.
As with the legitimate business world, Duncan said the tactics and techniques of cybercrime groups evolve and grow more sophisticated. Based on what the Netcraft team observed, Duncan said they believe “darcula” primarily or exclusively uses Chinese, with external templates in other languages created by those using the platform. Non-Chinese speaking users can use it if they use a translation tool in their browser. Still, the communications in the telegram channel and group use Chinese.
“We’re unaware of an English-language version,” said Duncan. “We can’t be 100% certain that there aren’t other hidden options.”
Rather than the more typical PHP, the “darcula” platform uses many of the same tools employed by high-tech start-ups, including JavaScript, React, Docker, and Harbor. Using iMessage and Rich Communication Services (RCS) — the default SMS app provided on many Android devices — the attackers bypass SMS firewalls, which they use to target USPS, along with postal services and other established organizations around the world.
Michael Covington, vice president of portfolio strategy at Jamf, explained that Google offers RCS as an alternative messaging protocol that has a more feature-rich and interactive messaging experience than traditional SMS. In addition to supporting more characters in each transmission, Covington said RCS offers modern enhancements like read receipts, typing indicators, and high-resolution media. From a security perspective, RCS also has end-to-end encryption, offering a more secure and private messaging experience.
“For several years, we have seen attackers exploit modern messaging platforms, like iMessage and WhatsApp, to launch phishing campaigns, so we are not surprised to see RCS added to the list of potential attack vectors,” said Covington. “These encrypted services are often considered by end users to be more secure, so there’s some inherent trust that’s often not present with basic SMS messaging. That said, we believe the benefits of end-to-end encryption and the modern messaging features are worthy upgrades from more outdated communication protocols where privacy is at risk.”
The use of modern technologies such as JavaScript, React, Docker, and Harbor in PhaaS platforms like as “darcula” allows for continuous updates and new feature additions without the need for clients to reinstall phishing kits, explained Krishna Vishnubhotla, vice president of product strategy at Zimperium. It’s a tremendous benefit for malicious actors in that it enhances the agility and adaptability of phishing campaigns, making them more effective against evolving security measures.
“It also lowers the technical barrier for new malicious actors, enabling even those with limited skills to conduct sophisticated attacks seamlessly,” said Vishnubhotla. “With enhancements like these, PhaaS quickly becomes a persistent and adaptable threat in the cybersecurity ecosystem. This is an ominous sign. Providers of these services just make the service exponentially much more attractive and lucrative.”
