Cybersecurity researchers have issued warnings about a new wave of malicious email campaigns leveraging a phishing-as-a-service (PhaaS) toolkit named Rockstar 2FA, which is designed to steal Microsoft 365 account credentials.
Key Points:
Nature of Attack:
• AiTM Attack: The campaign uses an adversary-in-the-middle (AiTM) attack: the phishing page acts as a reverse proxy that relays the victim's login to Microsoft in real time, so the victim answers the MFA prompt themselves while the proxy captures both the credentials and the session cookie issued afterwards. Replaying that cookie gives the attacker an authenticated session with no further MFA prompt, which is why multi-factor authentication (MFA) on its own does not stop it.
• Trustwave Insight: Trustwave researchers Diana Solomon and John Kevin Adriano documented the toolkit and the campaigns built on it.
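Because the attacker ends up holding a session cookie that was minted after a genuine MFA challenge, the most useful signal for defenders is the cookie being presented from a network location other than the one it was issued to, shortly after issuance. The script below is an added example written for this page (it is not code from the article, from Trustwave, or from the toolkit) that runs that heuristic over a handful of constructed sign-in events; the field names, the `mfa` values, and the 60-minute window are assumptions of the example, not any vendor's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data). The field names are a
# simplified stand-in for a sign-in log export, not any vendor's schema:
#   mfa == "satisfied_by_challenge": the user answered an interactive MFA prompt
#   mfa == "satisfied_by_claim":     MFA was treated as met because an existing
#                                    session cookie/token was presented
SAMPLE_EVENTS = [
    # alice: session established from one IP, then the same session reused
    # from a different IP 91 seconds later without a new MFA prompt (replay)
    {"time": "2024-11-25T09:02:10Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.10", "mfa": "satisfied_by_challenge"},
    {"time": "2024-11-25T09:03:41Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "198.51.100.77", "mfa": "satisfied_by_claim"},
    # bob: same session reused hours later from the same IP (normal)
    {"time": "2024-11-25T10:15:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "203.0.113.22", "mfa": "satisfied_by_challenge"},
    {"time": "2024-11-25T14:30:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "203.0.113.22", "mfa": "satisfied_by_claim"},
    # carol: session reused from a new IP two days later (travel or VPN; only
    # flagged if the caller widens the window)
    {"time": "2024-11-25T11:00:00Z", "user": "carol@example.com", "session_id": "s-3003",
     "ip": "203.0.113.30", "mfa": "satisfied_by_challenge"},
    {"time": "2024-11-27T08:00:00Z", "user": "carol@example.com", "session_id": "s-3003",
     "ip": "192.0.2.5", "mfa": "satisfied_by_claim"},
]


def parse_time(stamp):
    """Parse the UTC timestamps used in the sample events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=timedelta(minutes=60)):
    """Flag sessions whose cookie was minted after an interactive MFA challenge
    from one IP and then presented from a different IP within `window`.

    Returns one finding per suspicious (user, session_id) pair.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[(event["user"], event["session_id"])].append(event)

    findings = []
    for (user, session_id), session_events in by_session.items():
        session_events.sort(key=lambda e: parse_time(e["time"]))
        origin = session_events[0]
        # Only sessions that began with a real MFA challenge are interesting:
        # that is the moment an AiTM proxy would capture the cookie.
        if origin["mfa"] != "satisfied_by_challenge":
            continue
        origin_time = parse_time(origin["time"])
        for later in session_events[1:]:
            if later["ip"] == origin["ip"] or later["mfa"] != "satisfied_by_claim":
                continue
            gap = parse_time(later["time"]) - origin_time
            if gap <= window:
                findings.append({
                    "user": user,
                    "session_id": session_id,
                    "issued_to_ip": origin["ip"],
                    "reused_from_ip": later["ip"],
                    "seconds_after": int(gap.total_seconds()),
                })
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print("possible session-cookie replay:", finding)
```

Expect false positives from mobile carriers and VPN exits that change a user's IP mid-session; in practice the IP comparison is usually enriched with ASN or geolocation, and the window tuned per tenant. A hit is a reason to revoke the user's sessions and reset the credential, not proof on its own.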
Toolkit Details:
• Updated Phishing Kit: Rockstar 2FA is assessed to be an updated version of the DadSec (also known as Phoenix) phishing kit, whose operators Microsoft tracks as Storm-1575.
• Subscription Model: Advertised on platforms like ICQ, Telegram, and Mail.ru, available for $200 (two weeks) or $350 (a month).
Features:
• 2FA Bypass & Cookie Harvesting: Captures the session cookies issued once the victim has passed the two-factor challenge, which is what lets the operator sidestep two-factor authentication rather than defeat it directly.
• Antibot Protection: Includes antibot measures that keep automated scanners and sandboxes away from the credential-harvesting page, and ships login-page themes that mimic popular services.
• Admin Panel: Offers a user-friendly admin panel to track campaigns and customize phishing themes.
Campaign Techniques:
• Initial Access Vectors: Delivers the lure as a URL, a QR code, or a document attachment in email, often sent from compromised accounts.
• Antispam Evasion: Employs legitimate link redirectors to hide the final destination and gates the phishing page behind a Cloudflare Turnstile challenge, so automated URL scanners never reach the credential-harvesting page.
Observed Activity:
• Leveraging Trusted Platforms: Uses services like Atlassian Confluence, Google Docs Viewer, and Microsoft OneDrive to host or relay phishing links, borrowing the reputation of those domains to get past URL filtering.
• Phishing Page Design: Closely imitates the target's sign-in page; anything entered there is forwarded to the AiTM server, which relays it to the real service and harvests the resulting session cookie.
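The delivery chain above (legitimate redirectors in front of links hosted on, or relayed through, trusted platforms) means a link's first hostname says little about where the victim ends up. The following is an added example, not code from the article or from Trustwave, of an offline triage step that peels destination URLs out of viewer and redirector query parameters and records whether a trusted platform is being used as the host or merely as a relay. The parameter names, the host list, and the sample URLs are assumptions of the example (the `.test` TLD is reserved, so nothing here points at a real site); only Google Docs Viewer's `url=` parameter is a real, documented pattern.

```python
from urllib.parse import parse_qs, urlparse

# Query-parameter names that redirectors and document viewers commonly use to
# carry a destination URL. This list is an assumption made for the example.
EMBEDDED_URL_PARAMS = ("url", "u", "redirect", "redirect_uri", "target", "dest", "next")

# Hosts of the legitimate platforms the article names as hosting or relaying
# phishing links. Illustrative; extend it from your own telemetry.
TRUSTED_RELAY_HOSTS = {"docs.google.com", "1drv.ms", "onedrive.live.com", "atlassian.net"}

# Constructed sample URLs (not real indicators); example.test is a reserved TLD.
SAMPLE_URLS = [
    "https://docs.google.com/viewer?url=https%3A%2F%2Fexample.test%2Fsignin",
    "https://onedrive.live.com/constructed-share-link",
    "https://acme.atlassian.net/wiki/spaces/constructed",
    "https://mail.example.test/owa",
]


def host_matches(host, suffixes):
    """True if `host` equals or is a subdomain of any entry in `suffixes`."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def extract_embedded_url(url):
    """Return an absolute URL carried in a query parameter of `url`, else None."""
    query = parse_qs(urlparse(url).query)  # parse_qs percent-decodes values
    for name in EMBEDDED_URL_PARAMS:
        for value in query.get(name, []):
            if value.startswith(("http://", "https://")):
                return value
    return None


def unwrap_chain(url, max_hops=5):
    """Peel embedded-URL parameters offline, returning every URL seen in order.
    No requests are made, so server-side (HTTP 3xx) redirects are not followed."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = extract_embedded_url(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def triage(url):
    """Summarise how a link uses (or abuses) a trusted platform."""
    chain = unwrap_chain(url)
    first_host = urlparse(chain[0]).hostname or ""
    final_host = urlparse(chain[-1]).hostname or ""
    return {
        "chain": chain,
        "final_host": final_host,
        # a trusted viewer/redirector wrapping some other destination
        "relayed_via_trusted_host": len(chain) > 1 and host_matches(first_host, TRUSTED_RELAY_HOSTS),
        # the lure itself lives on a trusted platform: worth fetching and inspecting
        "hosted_on_trusted_host": host_matches(final_host, TRUSTED_RELAY_HOSTS),
    }


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(triage(sample))
```

The offline unwrapping only sees destinations embedded in query strings; a server-side redirect, or a document on OneDrive or Confluence that itself carries the next link, still has to be fetched in a sandbox to find the final page. Treat `relayed_via_trusted_host` as a reason to score the final host rather than the first one, and `hosted_on_trusted_host` as a reason not to trust the link on reputation alone.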
Additional Findings:
• Related Campaigns: Malwarebytes reported a separate campaign, named Beluga, that uses .HTM attachments to steal Microsoft OneDrive credentials.
• Social Media Phishing: Phishing links and ads pushing adware and fraudulent financial apps have also been observed spreading on social media platforms.