Summary:
Trustwave SpiderLabs highlights the rise of Phishing-as-a-Service platforms, particularly focusing on the Rockstar 2FA phishing kit linked to adversary-in-the-middle attacks. This kit targets Microsoft accounts and employs sophisticated tactics to bypass multifactor authentication. The article discusses the phishing campaign's characteristics, delivery mechanisms, and the evolving nature of these threats.
#PhishingAsAService #Rockstar2FA #AiTMPayments
Keypoints:
Trustwave SpiderLabs monitors the rise of Phishing-as-a-Service (PaaS) platforms.
The Rockstar 2FA phishing kit is linked to adversary-in-the-middle (AiTM) attacks.
Microsoft accounts are primary targets of these phishing campaigns.
The campaign has shown significant activity since August 2024.
Over 5,000 car-themed domains related to the campaign were identified.
Rockstar 2FA offers features like 2FA bypass and antibot protection.
Email campaigns utilize compromised accounts and legitimate services for delivery.
Phishing messages employ various social engineering tactics and themes.
Cloudflare Turnstile is used to filter out automated bot traffic.
The phishing page design closely resembles legitimate login pages.
MITRE Techniques:
Adversary-in-the-Middle (T1557): Intercepts user credentials and session cookies, allowing access even with MFA enabled.
Phishing (T1566): Utilizes email campaigns with social engineering tactics to deceive users.
Obfuscated Files or Information (T1027): Employs obfuscation methods to bypass antispam detections.
Credential Dumping (T1003): Exfiltrates user credentials from phishing pages.
Exploitation of Public-Facing Applications (T1190): Targets users through compromised legitimate services.
IoC:
[url] hxxp[://]cc[.]naver[.]com/cc?a=pst[.]link&m=1&nsc=Mblog[.]post&u=hxxps%3A%2F%2Fwww[.]curiosolucky[.]com/dos/
[url] hxxp[://]www[.]curiosolucky[.]com/dos/
[url] hxxp[://]magenta-melodious-garnet[.]glitch[.]me/public/rc[.]htm
[url] hxxp[://]track[.]senderbulk[.]com/9164124/c?p=pDvu1IoaZGOuiG9hOsGCPPBXFmtx2_vWwJfaiQBzucIA8v9mjc3ztSyOneYxrKLjPngUzpA11TuGi1aI2aLIylOF1nHcpBoP4YzUvVEMYHtwY1nRlztPcQOoC6S6KSWuNNAgIAVnfapCVCgF1cOjSXtedVH_tWc1vLDH7FDQA0VZbtHORodc9jBuNuHh0DMH7zq9Mo6OMyLjnApzvQ3Kvw==
[url] hxxp[://]edlyj[.]r[.]ag[.]d[.]sendibm3[.]com/mk/cl/f/sh/OycZvHuFo1eQsnbcJj9r9GQ4/Lf5JdugpPYQV
[url] hxxp[://]link[.]trustpilot[.]com/ls/click?upn=u001[.]u9-2FNN-2FjLZCX2YnHXPQ1lM4gqkGMqJbqpuJx-2FSxHxK-2FHK5blCjdqA4sTpFhMxVuvd4F2C_ytJ-2BU3wnk2t0HzMc51nsdI5jCvjlH5KkDNOR5oq1uEJItlkSMD-2F0mdF-2F-2B0td2onmiDV9xpRWw-2FdvTM3A0wCvdsiFkF1kSdgdFrVAE78L337Qo3s56Gk0s6E6DwCfNIKl8bRli5iK2LUC2ldGxjFPYGCigbeEgNBwg1dcBwOOCSSMKGEAZxhwoFvF5-2Fm5JIsTGsZgQlFDpHLis00H4SRzSjnDGYeia8OxbZOi3NmC9Zu0y59gc0DEENkQqz3vpJLxuDhLJpYJpzgnl5FKcj4hKsjfHYOBYWFlwHMrDBS4Cvh4Jej-2FzpBQsqkaAsezwGEEHqB22DcDQgay2Cm-2BbwAcZMOxqHcQjy3nz6aJyACCXDZkVr8P3iPKgjlqDjbsFb-2BJ-2BuUIiNGVhLp1-2F3wvR6hrzO1bA127bZ68-2BmxJz7ux0F5Htfv1SipEoRgLt6VWovRUTbAmRMRtZHvPS49KRBqCjzSnmChbhoVriyoBm5l9IeUaV5raA4vZxPckk3vcYaVa0xmCZLDFC14eTimJvqIk1CqOPtji8DUcs3pyfer4J-2Fk-3D
[url] hxxp[://]u1427642[.]ct[.]sendgrid[.]net/ss/c/u001[.]d04lnC885Iiw-JDl08ZraoSXFe9HwA-SkWLpgNZDbZzgIKoIZZYrlHao4m6r2Vm6/4a0/vg0RNJ9pTvCzCNn5rS7A6Q/h0/h001[.]3pGdTVyFoOmaVG2IhlxshDsg0cLE6sckLThbmumHqI0
[url] hxxp[://]docsend[.]com/view/q6f7ukbdeviagha2
[url] hxxp[://]cloudflare-kol[.]github[.]io/out/red[.]html?url=aHR0cHM6Ly9zaG9ydHVybC5hdC80SlZnbg==
[url] hxxp[://]shorturl[.]at/4JVgn
[url] hxxp[://]system23cfb9[.]link[.]bmesend[.]com/api/LinkHandler/getaction2?redirectParam2=K09weU5vMDBKWXFUK0ZPdkw4azdKWHk5QlJsZkNXWXlLMUxiMHdXQU1YK3FFZGFsZG9ZQ2ZqNUdHd3ErZEpLeGpyeVE1U1hmU2xoSy9WemJySVEzQytGajZBVWE4em5jaEpuRHhEa05xOTZOcWxQRVdUN1g2S2ViR3YvZjN1K2dJZk9rQTRVajZmMD0%3d
[url] hxxp[://]r[.]g[.]bing[.]com/bam/ac?!&&daydream=vasectomy&u=a1aHR0cHM6Ly9jeWJlcm5leGlsbHVtby56YS5jb20vVFZOUHIv==
[url] hxxp[://]ctrk[.]klclick3[.]com/l/01J5V2NHDC0KB0P8B51Z9PCPZS_0
[url] hxxp[://]googlevoicesecrets[.]com/EHkslw5/auth/?_kx=lKiN48B6FuEu_OYp2PJPXw[.]Sdgjsn
[url] hxxp[://]www[.]google[.]com[.]au/url?q=//www[.]google[.]co[.]nz/amp/s/synthchromal[.]ru/Vc51/
[url] hxxp[://]semi-zcmp[.]maillist-manage[.]com/click/1122f15d012c0933f/1122f15d012c08f77?utm_source=aynures-newsletter[.]beehiiv[.]com&utm_medium=newsletter&utm_campaign=yes-my-gee&_bhlid=c1191c405e82c32c645acb82f875fdd8fad29209
[url] hxxp[://]involucrases[.]sa[.]com/
[url] hxxp[://]callcenter838685d0747612ac193e85fcb5ae45287b09e8a0mailvoice[.]s3[.]us-east-2[.]amazonaws[.]com
[url] hxxp[://]payment-confirmation-to-your-bank-account-s-dabringhaus-licatec[.]packinqsystems[.]de/
[url] hxxp[://]pub-fe581134d7ae4857a97443270a27e0fa[.]r2[.]dev/0nedrive[.]html
[url] hxxp[://]docsecureatt-docdrive-filedoc[.]pages[.]dev/
[url] hxxp[://]bluntchiefei[.]za[.]com/XTCfX/
[url] hxxp[://]botolaasprop[.]sa[.]com/N26Vu/
[url] hxxp[://]erfolgstipss[.]com[.]de/Gnq8/
[url] hxxp[://]digitalgadgetbuzz[.]sa[.]com/WyAn/
[url] hxxp[://]bitesizeusaei[.]za[.]com/ol6Bu/
[url] hxxp[://]enterbuzztechscener[.]pl/pbtmx/
[url] hxxp[://]pfremiumshirts[.]store/D91p/
[url] hxxp[://]lifestylesyncteche[.]pro/Ykiy/
[url] hxxp[://]bytequestixo[.]pro/wWge/
[url] hxxp[://]cybernexillumo[.]za[.]com/TVNPr/
[url] hxxp[://]novatechies[.]cbg[.]ru/BUeEj/
[url] hxxp[://]synthchromal[.]ru/Vc51/
[url] hxxp[://]cyberdynalumeo[.]ru/1RB3Y/
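Added example (not from the Trustwave report): a small Python helper that refangs a subset of the IoC URLs above, recovers the Base64-wrapped targets carried by two of the redirector links (the cloudflare-kol.github.io and r.g.bing.com entries, whose decoded targets are themselves in the list), and checks the resulting hosts against a few constructed proxy-log lines. The IoCs are copied from the list; the log lines, the 10.0.4.x client addresses and the log layout are made up for the demonstration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# A subset of the defanged IoCs from the report, copied as written in the list.
DEFANGED_IOCS = [
    "[url] hxxp[://]www[.]curiosolucky[.]com/dos/",
    "[url] hxxp[://]cloudflare-kol[.]github[.]io/out/red[.]html?url=aHR0cHM6Ly9zaG9ydHVybC5hdC80SlZnbg==",
    "[url] hxxp[://]shorturl[.]at/4JVgn",
    "[url] hxxp[://]r[.]g[.]bing[.]com/bam/ac?!&&daydream=vasectomy&u=a1aHR0cHM6Ly9jeWJlcm5leGlsbHVtby56YS5jb20vVFZOUHIv==",
    "[url] hxxp[://]cybernexillumo[.]za[.]com/TVNPr/",
    "[url] hxxp[://]synthchromal[.]ru/Vc51/",
]

# Constructed proxy-log sample (timestamp, client IP, method, URL, status); not real traffic.
SAMPLE_PROXY_LOG = """\
2024-11-04T09:12:01Z 10.0.4.21 GET https://www.microsoft.com/en-us/ 200
2024-11-04T09:13:44Z 10.0.4.21 GET https://r.g.bing.com/bam/ac?daydream=vasectomy&u=a1aHR0cHM6Ly9jeWJlcm5leGlsbHVtby56YS5jb20vVFZOUHIv== 302
2024-11-04T09:13:45Z 10.0.4.21 GET https://cybernexillumo.za.com/TVNPr/ 200
2024-11-04T09:20:10Z 10.0.4.37 GET https://login.microsoftonline.com/ 200
"""


def refang(ioc: str) -> str:
    """Strip the '[url]' tag and undo the usual defanging (hxxp, [://], [.])."""
    s = ioc.strip()
    if s.startswith("[url]"):
        s = s[len("[url]"):].strip()
    s = s.replace("[://]", "://").replace("[.]", ".")
    # 'hxxp' -> 'http' and 'hxxps' -> 'https'
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host part of a URL ('' if unparseable)."""
    return (urlsplit(url).hostname or "").lower()


def embedded_urls(url: str) -> list[str]:
    """Recover Base64-wrapped http(s) targets carried in query parameters.

    Tolerates a junk prefix before the Base64 and wrong '=' padding, which
    the r.g.bing.com entry above shows ('a1' prefix, spurious '==').
    """
    found = []
    for field in urlsplit(url).query.split("&"):
        if "=" not in field:
            continue
        value = unquote(field.split("=", 1)[1])
        idx = value.find("aHR0cH")  # Base64 of a string starting with 'http'
        if idx < 0:
            continue
        blob = value[idx:].rstrip("=")
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith("http"):
            found.append(decoded)
    return found


def ioc_hosts(defanged: list[str]) -> set[str]:
    """Hosts of every IoC URL plus the hosts of any redirect target wrapped inside them."""
    hosts: set[str] = set()
    for ioc in defanged:
        url = refang(ioc)
        hosts.add(host_of(url))
        for inner in embedded_urls(url):
            hosts.add(host_of(inner))
    hosts.discard("")
    return hosts


def match_log(log_text: str, hosts: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, host) for each log line whose URL host is an IoC host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        h = host_of(url)
        if h in hosts:
            hits.append((ts, client, h))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_PROXY_LOG, ioc_hosts(DEFANGED_IOCS)):
        print("IoC host seen:", *hit)
```

Several hosts in the full list (bing, google, naver, sendgrid, trustpilot, klaviyo and similar trackers) are legitimate redirect or mailing services, so a host-only match on them is low-confidence; for those entries match on the full URL or on the decoded target host instead, and reserve host-level blocking for the attacker-controlled domains.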
Full Research: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/