DNS Spotlight: Rockstar2FA Shuts Down, FlowerStorm Starts Up

The article discusses the emergence of phishing-as-a-service (PhaaS) platform FlowerStorm, which gained traction following the shutdown of another operation, Rockstar2FA. Researchers identified a significant number of indicators of compromise (IoCs) linked to FlowerStorm, including domains and IP addresses, revealing its extensive infrastructure.

Affected: FlowerStorm, Rockstar2FA, cybersecurity sector

Key points:

  • A phishing-as-a-service (PhaaS) offering called FlowerStorm emerged after the Rockstar2FA disruption.
  • Sophos noted an increase in the use of FlowerStorm portals after the previous operation’s shutdown.
  • Researchers identified 190 IoCs related to FlowerStorm consisting of 183 domains and 7 IP addresses.
  • The WhoisXML API team uncovered additional artifacts, including email-connected domains and various IP-connected domains.
  • Domains linked to FlowerStorm were mostly registered in the U.S., with some in Malaysia and Indonesia.
  • 182 of the 183 domains had registrar data, with Hostinger Operations having the highest number of domain IoCs.
  • A significant number of the 183 domains are newly created in 2024; one exception dates back to 2013.
  • 181 of the 183 domains had IP resolutions, indicating active use.
  • Some IP address IoCs traced back to Japan and the U.S., with notable ISP associations.
  • The findings are part of a larger investigation available through the website for further insights and artifacts.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: FlowerStorm utilizes common application layer protocols for phishing communications.
  • T1070.002 – Indicator Removal on Host: Threat actors may employ techniques to remove evidence of their activities from compromised hosts.
  • T1583.001 – Acquire Infrastructure: The operation reportedly utilizes newly registered domains for phishing activities.

Indicators of Compromise:

  • [Domain] database-server[.]com
  • [Domain] 1069083060[.]site
  • [Domain] 5043056047[.]cloud
  • [Domain] 1616117488[.]site
  • [Domain] 1960373846[.]cloud
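As an added example (not code from the article, Sophos or WhoisXML API), the following Python refangs the domain IoCs listed above and checks constructed dnsmasq-style query log lines against them; the numeric-label heuristic it also applies is an assumption drawn from the shape of four of the five listed domains, not a finding stated on the page.

```python
import re
# FlowerStorm domain IoCs quoted on this page, in defanged form.
DEFANGED_IOCS = [
    "database-server[.]com",
    "1069083060[.]site",
    "5043056047[.]cloud",
    "1616117488[.]site",
    "1960373846[.]cloud",
]

def refang(domain):
    """Turn a defanged indicator ('[.]') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")

IOC_SET = {refang(d) for d in DEFANGED_IOCS}

# Heuristic (an assumption, not from the page): four of the five listed IoCs
# are a 10-digit numeric label under .site or .cloud, so flag lookalikes too.
NUMERIC_LABEL_RE = re.compile(r"^\d{10}\.(site|cloud)$")

def classify(qname):
    """Return 'ioc-match', 'pattern-match' or None for one queried name."""
    name = qname.lower().rstrip(".")
    for ioc in IOC_SET:  # exact indicator or any subdomain of it
        if name == ioc or name.endswith("." + ioc):
            return "ioc-match"
    if NUMERIC_LABEL_RE.match(name):
        return "pattern-match"
    return None

# Constructed sample lines in dnsmasq-style 'query[TYPE] <name> from <ip>' form.
SAMPLE_LOG = """\
Dec 20 10:01:02 dnsmasq[123]: query[A] login.1069083060.site from 10.0.0.5
Dec 20 10:01:03 dnsmasq[123]: query[A] www.example.com from 10.0.0.5
Dec 20 10:01:04 dnsmasq[123]: query[A] 7712345678.cloud from 10.0.0.9
Dec 20 10:01:05 dnsmasq[123]: query[AAAA] database-server.com from 10.0.0.7
"""
QUERY_RE = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")

def scan_log(text):
    """Return (client_ip, qname, verdict) for every query that matches."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, client = m.groups()
        if (verdict := classify(qname)):
            hits.append((client, qname, verdict))
    return hits
```

Running `scan_log(SAMPLE_LOG)` reports the two exact indicator hits plus the lookalike `7712345678.cloud` as a pattern match, while `www.example.com` is ignored.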


Full Story: https://circleid.com/posts/dns-spotlight-rockstar2fa-shuts-down-flowerstorm-starts-up