Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)

Summary:
Trustwave SpiderLabs highlights the rise of Phishing-as-a-Service platforms, particularly focusing on the Rockstar 2FA phishing kit linked to adversary-in-the-middle attacks. This kit targets Microsoft accounts and employs sophisticated tactics to bypass multifactor authentication. The article discusses the phishing campaign's characteristics, delivery mechanisms, and the evolving nature of these threats.
#PhishingAsAService #Rockstar2FA #AiTMPayments

Keypoints:

  • Trustwave SpiderLabs monitors the rise of Phishing-as-a-Service (PaaS) platforms.
  • The Rockstar 2FA phishing kit is linked to adversary-in-the-middle (AiTM) attacks.
  • Microsoft accounts are primary targets of these phishing campaigns.
  • The campaign has shown significant activity since August 2024.
  • Over 5,000 car-themed domains related to the campaign were identified.
  • Rockstar 2FA offers features like 2FA bypass and antibot protection.
  • Email campaigns utilize compromised accounts and legitimate services for delivery.
  • Phishing messages employ various social engineering tactics and themes.
  • Cloudflare Turnstile is used to filter out automated bot traffic.
  • The phishing page design closely resembles legitimate login pages.

  • MITRE Techniques:

  • Adversary-in-the-Middle (T1557): Intercepts user credentials and session cookies, allowing access even with MFA enabled.
  • Phishing (T1566): Utilizes email campaigns with social engineering tactics to deceive users.
  • Obfuscated Files or Information (T1027): Employs obfuscation methods to bypass antispam detections.
  • Credential Dumping (T1003): Exfiltrates user credentials from phishing pages.
  • Exploitation of Public-Facing Applications (T1190): Targets users through compromised legitimate services.

  • IoC:

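Added example (not code from the Trustwave report): a small Python helper that parses indicators written in the report's defanged notation (hxxp, [.]) and unwraps the legitimate-service redirector links the campaign abuses, decoding percent-encoded and base64 targets, to recover the final phishing host for blocklist triage without any network access. The sample indicators are copies of entries published in the report; the parameter names and helper functions are this example's own.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Sample indicators copied from the report's IoC list, in its defanged notation.
SAMPLES = [
    "hxxp[://]cc[.]naver[.]com/cc?a=pst[.]link&m=1&nsc=Mblog[.]post"
    "&u=hxxps%3A%2F%2Fwww[.]curiosolucky[.]com/dos/",
    "hxxp[://]cloudflare-kol[.]github[.]io/out/red[.]html?url=aHR0cHM6Ly9zaG9ydHVybC5hdC80SlZnbg==",
    "hxxp[://]synthchromal[.]ru/Vc51/",
]

def refang(ioc: str) -> str:
    """Turn hxxp[://]a[.]b into http://a.b so it can be parsed (for analysis, never for visiting)."""
    s = ioc.replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"^hxxp(s?)", r"http\1", s, flags=re.IGNORECASE)

def _is_url(value: str) -> bool:
    return bool(re.match(r"^https?://", value, re.IGNORECASE))

def _embedded_target(value: str):
    """Recover a URL hidden in a query value, trying percent-encoding then base64."""
    cand = refang(unquote(value))
    if _is_url(cand):
        return cand
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = refang(base64.b64decode(padded, validate=True).decode("utf-8"))
        if _is_url(decoded):
            return decoded
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        pass
    return None

def unwrap(url: str, max_depth: int = 5) -> str:
    """Follow redirector parameters (u=, url=, ...) offline until no embedded URL remains."""
    for _ in range(max_depth):
        query = urlsplit(url).query
        # Split manually: parse_qs would turn '+' in base64 values into spaces.
        targets = [_embedded_target(pair.partition("=")[2]) for pair in query.split("&")]
        nxt = next((t for t in targets if t), None)
        if not nxt:
            return url
        url = nxt
    return url

def final_host(ioc: str) -> str:
    """Hostname a defender should triage/block for a defanged indicator."""
    return urlsplit(unwrap(refang(ioc))).hostname or ""

def blocklist(iocs) -> list:
    return sorted({final_host(i) for i in iocs if final_host(i)})
```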

  • Full Research: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/