
Darcula PhaaS can now auto-generate phishing kits for any brand


The Darcula phishing-as-a-service (PhaaS) platform is preparing to release its third major version, and one of its highlighted features is the ability to create do-it-yourself phishing kits that target any brand.

The upcoming release, currently available as a beta, will remove the targeting scope restriction of a finite number of phishing kits by allowing anyone to create their own.

In addition to this new feature, the upcoming release, named 'Darcula Suite,' also lifts technical skill requirements and adds a new user-friendly admin dashboard, IP and bot filtering, campaign performance measurement, and automated credit card theft/digital wallet loading.

Netcraft researchers tested one of the latest beta builds of Darcula Suite for hands-on analysis and confirmed that the announced features are legitimate.

Darcula emerged last year as a massive PhaaS operation relying on 20,000 domains that spoof renowned brands to steal credentials from Android and iOS users in over 100 countries.

With a much more powerful version underway, Netcraft warns that cybercriminals are already moving to it even though the official release isn't out yet.

"Because the container images used to run the admin panel are publicly available at registry[.]magic-cat[.]world, Netcraft was able to get a rough estimate of the number of individuals already exploring this test suite," reads the report.

"The pull count of the API image has increased by more than 100% and the web image by more than 50% from February 5 to February 10."

Announcing the availability of Darcula 3.0 test version (Source: Netcraft)

DIY phishing

The highlighted feature of the upcoming Darcula Suite is the DIY phishing kit generator that lets "customers" insert the URL for the brand they want to impersonate. The platform will then automatically generate all the required templates for the attack.

The platform clones the legitimate site using the Puppeteer tool, copying the HTML, CSS, images, and JavaScript, to maintain the original design.

Darcula cloning a legitimate site (Source: Netcraft)

The fraudster may choose which elements to modify, such as login fields, payment forms, and two-factor authentication prompts, and can replace them with phishing pages, use custom error messages, or modify JavaScript to steal input data.

Darcula Suite offers pre-made templates, like fake password reset pages, credit card payment forms, and 2FA code entry prompts.

Injected payment form for credit card phishing (Source: Netcraft)

Once configured, the phishing site is packaged into a ".cat-page" bundle containing all the files necessary for the attack.

The kit is then uploaded to the Darcula admin panel to allow deployment, central management, real-time data theft, and performance monitoring.
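Because the generator copies a site's own JavaScript along with its HTML, a brand owner can ship a small hostname canary in that JavaScript that reports when the page renders on a host it does not own. The sketch below is an added example, not code from Netcraft or the article; the allowlist, the collector URL, and the assumption that the copied script still runs in the clone are hypothetical, and an operator who edits the cloned JavaScript can strip it, so treat it as an early-warning signal only.

```javascript
// Added example, not code from Netcraft or the article.
// ALLOWED_HOSTS and REPORT_URL are hypothetical placeholders for a brand's own values.
const ALLOWED_HOSTS = ["example.com", "pay.example.net"];
const REPORT_URL = "https://canary.example.com/report";

// Lower-case and drop a trailing dot so "Example.COM." compares equal to "example.com".
function normaliseHost(host) {
  return String(host || "").trim().toLowerCase().replace(/\.$/, "");
}

// True only for an allowlisted host or a real subdomain of one.
// Suffix tricks ("example.com.evil.test") and prefix tricks ("notexample.com") fail,
// and lookalike IDN hosts fail because browsers expose them in punycode form.
function isLegitimateHost(host, allowed = ALLOWED_HOSTS) {
  const h = normaliseHost(host);
  if (!h) return false;
  return allowed.some((entry) => {
    const base = normaliseHost(entry);
    return h === base || h.endsWith("." + base);
  });
}

// Build the report for the collector, or return null when nothing should be sent.
// An empty hostname (a copy opened from disk) is ignored rather than reported.
function buildCloneReport(loc, referrer = "") {
  const host = normaliseHost(loc.hostname);
  if (!host || isLegitimateHost(host)) return null;
  return {
    servedFrom: host,
    path: loc.pathname || "/", // useful when deployment paths are randomized
    referrer: referrer,
    seenAt: new Date().toISOString(),
  };
}

// Browser entry point: fire-and-forget so page rendering is never delayed.
function runCanary() {
  const report = buildCloneReport(window.location, document.referrer);
  if (!report) return;
  const body = JSON.stringify(report);
  if (navigator.sendBeacon) navigator.sendBeacon(REPORT_URL, body);
  else fetch(REPORT_URL, { method: "POST", body, mode: "no-cors", keepalive: true });
}

// Only runs in a browser; under Node the functions are simply defined.
if (typeof window !== "undefined" && typeof document !== "undefined") runCanary();
```

Reports arriving at the collector give the hostname and path of the copy, which can be passed to a takedown or blocklisting workflow.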

Apart from the new DIY system, Darcula 3.0 brings:

  1. Anti-detection features with randomized deployment paths, IP filtering, crawler blocking, and device-type restrictions.
  2. A new admin panel with simplified phishing campaign management, a performance dashboard, real-time logs of stolen credentials, and Telegram notifications for when a victim submits sensitive information.
  3. A new tool to convert stolen credit card data into virtual card images that can be added to digital payment apps.

Netcraft says Telegram groups linked to Darcula are already promoting burner phones preloaded with multiple stolen cards for sale, another sign of the increased adoption of the new Darcula version.

Virtual card generator system (Source: Netcraft)

The introduction of Darcula 3.0 and its powerful new features makes detecting and stopping phishing campaigns even more challenging, while the ease of use of the latest version guarantees that phishing volumes will increase.

Netcraft comments that, in the last 10 months, it detected and blocked nearly 100,000 Darcula 2.0 domains, 20,000 phishing sites, and 31,000 IP addresses associated with the platform.

