Chinese-language Phishing-as-a-Service platform ‘darcula’ targets organizations in 100+ countries with sophisticated techniques using more than 20,000 phishing domains
‘darcula’ [sic] is a new, sophisticated Phishing-as-a-Service (PhaaS) platform used on more than 20,000 phishing domains that provide cyber criminals with easy access to branded phishing campaigns. Rather than the more typical PHP, the platform uses many of the same tools employed by high-tech startups, including JavaScript, React, Docker, and Harbor.
Using iMessage and RCS rather than SMS to send text messages has the side effect of bypassing SMS firewalls, which is being used to great effect to target USPS along with postal services and other established organizations in 100+ countries.
Phishing attacks conducted using text messages, known as ‘smishing’ attacks, are nothing new. Nor are campaigns featuring ‘missed package’ messages sent via SMS. These attacks trick users into entering credentials and other sensitive information in the belief they are interacting with legitimate postal organizations.
The darcula platform has been used for numerous high-profile phishing attacks over the last year, including messages received on both Apple and Android devices in the UK, as well as package scams impersonating United States Postal Service (USPS) highlighted in numerous posts on Reddit’s /r/phishing.
Those operating sites using darcula frequently distribute their URLs via RCS and iMessage. These messages are free to send, leverage consumer trust (many iPhone users will be used to blue messages only from known contacts), and evade some filters put in place by network operators, which often prevent scam SMS messages from being delivered to potential victims.
This blog post examines in detail how darcula works, how its campaigns differ from conventional smishing, and why these campaigns offer a uniquely effective approach to extracting critical data from victims.
darcula is a Chinese-language PhaaS platform developed by a Telegram user sporting the same name, offering easy deployment of phishing sites with hundreds of templates targeting worldwide brands. Like other PhaaS actors, the darcula group offers a paid monthly subscription to other criminals.
Unlike more typical phishing kits, darcula phishing websites can update in place to add new features and anti-detection measures (that is, the kit does not need to be removed and then re-installed to benefit from new updates) functionality Netcraft has observed directly. For example, a recent darcula update changed the kit to make the malicious content available through a specific path (i.e. example.com/track), rather than the front page (example.com) to disguise the attack’s location.
Figure 1 Phishing landing pages targeting postal services (from left to right: the DHL, Evri, the United States Postal Service)
The darcula platform claims to support around 200 phishing templates, covering a large range of brands based in over 100 different countries. The templates primarily target postal services but also other institutions that rely on large amounts of consumer trust, such as public and private utilities, financial institutions, government bodies (tax departments, etc), airlines, and telecommunication organizations.
Figure 2 Phishing landing pages targeting postal services (from left to right: Bulgarian Posts, Australia Post, Singapore Post)
darcula phishing attacks typically use purpose-registered domains rather than those that have been compromised, usually spoofing the relevant brand name. The most common top-level domains (TLDs) used for darcula are .top and .com, followed by numerous low-cost generic TLDs. Cloudflare’s platform is used by 32% of darcula pages, with Cloudflare’s services being recommended by darcula’s own documentation to avoid exposing the underlying server’s IP address. Tencent, Quadranet, and Multacom are also common choices.
In total, Netcraft has detected more than 20,000 darcula-related domains across 11,000 IP addresses, which target 100+ brands. Since the start of 2024, Netcraft has detected an average of 120 new domains hosting darcula phishing pages each day.
On the front page, darcula sites display a fake domain for sale/holding page, likely as a form of cloaking to disrupt takedown efforts. In previous iterations, darcula’s anti-monitoring mechanism would redirect visitors that are believed to be bots (rather than potential victims) to Google searches for various cat breeds. darcula is cat-themed, with a cat as its Telegram channel image, the administration panel previously being labeled with a cat image, and infrastructure domains such as magic-cat[.]net.
Figure 3 darcula anti-monitoring redirecting site crawlers to a cat breed
On a technical level, setup is designed to be easy for the fraudster: darcula uses the open-source container registry Harbor to host Docker images of phishing websites written in React. Fraudsters select a brand to target, then run a setup script that installs the phishing website specific to that brand and the associated admin panel in Docker. Additional information on the darcula platform and Telegram community are available on Oshri Kalfon’s LinkedIn pages, who investigated their platform after receiving a darcula message in Hebrew.
Unlike standard SMS-based phishing attacks, darcula lure messages typically use the alternative communication protocols RCS and iMessage:
The creation of RCS and iMessage was – in part – designed to provide more secure messaging protocols than SMS and MMS, which are now over 30 years old. These encrypted services are marketed to end users as the safest way to send messages to your network. Subsequently, these messages are often trusted more by consumers and remove a level of skepticism when users see an iMessage vs SMS, for example. Additionally, in the US, the Federal Communications Commission has recently introduced laws that “require mobile wireless providers to block certain robotext messages that are highly likely to be illegal,” whilst, in Singapore, the SMS Sender ID Registry (SSIR) initiative (which went live in January this year) has been introduced to tackle “unsolicited and fraudulent SMS messages.”
This legislation to make SMS-enabled cybercrime more difficult for criminals plays into how these URLs are distributed. While end-to-end encryption in RCS and iMessage delivers valuable privacy for end users, it also allows criminals to evade filtering required by this legislation by making the content of messages impossible for network operators to examine, leaving Google and Apple’s on-device spam detection and third-party spam filter apps as the primary line of defense preventing these messages from reaching victims. Additionally, they do not incur any per-message charges, which are typical for SMS, reducing the cost of delivery.
Criminals also put effort into overcoming security controls built into these platforms. For example, Apple introduced a security measure that links in iMessage can’t be clicked unless the message is from an account to which you’ve sent a reply. To evade this, one of the templates created by criminals using darcula is sent to Apple users with a ‘Please reply to Y’ or ‘Please reply to 1’ message. If users reply, the link in the message can then be clicked and will direct them to a darcula phishing website where the deception can continue.
Figure 4 darcula phishing messages targeting iMessage users, designed to make victims reply so URLs in messages become ‘clickable,’ image from Reddit /r/phishing
In addition, attackers can create iMessage ‘mass sender’ scripts, which run on macOS and automatically interact with the Messages application. Apple blocks IDs and devices for sending too many messages, so criminals may frequently change their Apple ID or use other techniques to avoid detection.
Figure 5 RCS message directing victims to a darcula phishing website
Spam using RCS can be performed with device farms, which use automation and many Android devices to send messages en masse. Recently, Google has moved to block RCS messaging on rooted phones in an attempt to reduce spam.
Be highly skeptical of any links sent to you from unrecognized senders. Look for inaccurate grammar, spelling errors, offers that are ‘too good to be true’ or require urgent action. If you’re expecting a message from an organization, navigate to their official website and avoid following links. Android and iOS users can further protect themselves by using Netcraft’s apps, which block phishing pages and other malicious sites.
Netcraft protects brands in 100+ countries and performs takedowns for four of the ten most phished companies on the internet. To find out how we can protect your organization from the threat of darcula and other phishing cyber attacks, you can request a demo by visiting https://www.netcraft.com/book-a-demo/, or find out more by visiting https://www.netcraft.com/platform/.
Click to Open Code Editor