Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)
Trustwave SpiderLabs has been actively monitoring the rise of Phishing-as-a-Service (PaaS) platforms, which are increasingly popular among threat actors.
In our previous blog, we explored the appeal of these platforms and discussed various major phishing kits today. In this two-part blog, we'll focus on a phishing kit named ‘Rockstar 2FA’ that is linked to widespread adversary-in-the-middle (AiTM) phishing attacks. This article also provides a walkthrough of Rockstar 2FA’s attack flow with examples from the email campaign. Part two can be read here.
Phishing Campaign Overview
We have been tracking a widespread phishing campaign delivered via email that showed a significant increase in activity in August 2024 and continues to be prevalent as of writing. This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable. Microsoft user accounts are the prime target of these campaigns, as target users will be redirected to landing pages designed to mimic Microsoft 365 (O365) login pages.
One distinguishable characteristic of this campaign is the incorporation of car-themed web pages. Via urlscan.io, we were able to find over 5,000 hits of car-themed domains linked to this campaign since May 2024.
Figure 1. The monthly volume of car-themed pages with over 5,000 hits via urlscan.io showing an increasing trend from May to August 2024.
Rockstar 2FA PaaS
We have associated this campaign with a phishing kit called Rockstar 2FA, which is an updated version of the DadSec/Phoenix phishing kit.
Microsoft tracks the threat actor behind this as Storm-1575, where ‘Storm-####’ is a temporary label for emerging or unidentified threat clusters. Microsoft also reported that the DadSec PaaS was responsible for some of the highest volumes of phishing campaigns in 2023.
DadSec |
Phoenix |
Rockstar |
May 2023 |
Late 2023 |
Late 2023 |
The revamped phishing kit is still operating under the PaaS model, with marketing and communications observed on ICQ, Telegram, and Mail.ru. With these platforms, the kit becomes easily accessible for other cybercriminals seeking to acquire easy-to-set up phishing tools.
Figure 2. The official Telegram channel for the Rockstar kit had more than 1,500 subscribers in August 2024.
Marketing posts from Telegram showcase Rockstar 2FA’s various features, including two-factor authentication (2FA) bypass, harvesting of 2FA cookies, antibot protection, multiple login page themes, randomized source codes and attachments, fully undetectable (FUD) links, telegram bot integration, and a user-friendly admin panel, among others. Rockstar 2FA is offered for as low as US$200 for a two-week subscription service and US$180 for a two-week API renewal service. It also offers monthly and one-time subscription options.
Figure 3. Posts from Rockstar 2FA’s Telegram channel showing the features of the Rockstar kit.
Figure 4 shows the Rockstar admin panel that displays the phishing activity summary, including the number of bots blocked, total visits, and information on both valid and invalid accounts. The portal also features built-in tools like URL and attachment generators and theme customization options that can be used in email campaigns, as seen in Figure 5.
Figure 4. Rockstar 2FA portal’s main dashboard. This screenshot was taken from a video tutorial posted on Rockstar 2FA’s Telegram channel.
Figure 5. Rockstar 2FA portal’s Preferences tab.
Email Campaigns
The campaigns we observed employ various email delivery mechanisms, including compromised accounts and abused legitimate services such as email marketing platforms. These methods of phishing delivery are more effective since the emails originate from trusted or legitimate sources, which are less likely to be flagged by traditional filters. Based on our data, these attacks have affected users across multiple sectors and regions instead of targeting a specific group.
Figure 6. Email attack flow of Rockstar 2FA phishing campaigns.
The threat actors of this kit utilize varying templates and themes to successfully launch social engineering attacks on victims. Below are the prevalent themes observed in the phishing messages:
- Document and file-sharing notifications
- E-signature platform-themed messages
- HR and payroll-related messages
- MFA lures
- IT department notifications
- Password/account-related alerts
- Voicemail notifications
Figure 7. Email examples linked to Rockstar 2FA PaaS.
In the messages we analyzed, various techniques were utilized to bypass antispam detections, such as obfuscation methods and the use of FUD links, including the abuse of legitimate link services, document attachments like HTML and PDF, and even QR codes.
Figure 8. Examples of legitimate platforms abused in phishing links as observed from urlscan.io.
The Landing Page
The phishing campaigns from this PaaS lead to a phishing page or a car-themed site, depending on the AiTM server’s response. Before reaching either of these, landing page visitors will be prefiltered.
Antibot
The user will be presented with a Cloudflare Turnstile challenge once redirected to the landing page. Cloudflare Turnstile is a free service designed to protect websites from unwanted visitors such as bots. This service was released to the public in September 2023. Threat actors have started to use it to deter the automated analysis of their phishing pages.
Since May 2024, there have been more than 3,700 hits on urlscan.io associated with this campaign that follows the URL format ‘https?:\/\/{URLDOMAIN}\/{RANDOM_4-5_LETTERS}\/’. The trend showed a significant increase from June to August 2024, with an increased number of hits continuing in subsequent months.
Figure 9. This chart shows the monthly volume of Cloudflare Turnstile pages used by the phishing campaign as observed from urlscan.io.
AiTM Phishing Page
After passing the Cloudflare Turnstile challenge, the phishing page will be retrieved. This task happens when the embedded JavaScript on the landing page is invoked.
Figure 10. After passing the Cloudflare Turnstile challenge, the phishing page will be retrieved.
The JavaScript contains two functions:
1. The first function contains an AES-CBC decryption routine that accepts data in JSON format. The JSON must have the following as keys:
Key |
Description |
a |
AES-CBC encoded data |
b |
salt to derive the PBKDF2 key |
c |
Initialization vector (IV) for AES decrypt |
d |
passphrase to derive the PBKDF2 key |
2. The second function utilizes the first function. It decrypts the domain of the AiTM server, which is hardcoded within itself, and then retrieves the phishing page from the server through an AJAX POST request. The server’s response is encrypted data in JSON format. The decrypted data is the HTML code of either the phishing page or a decoy car-themed site. Based on our testing, we suspect further user validations are happening on the AiTM server-side, such as IP checking. As a result, the car-themed webpage will be shown instead of the fake login page for certain users or locations.
Figure 11. The AiTM server will give the HTML code of either the phishing page or the decoy.
The phishing page design closely resembles the sign-in page of the brand being imitated despite numerous obfuscations applied to the HTML code. Syntax-based obfuscations were also applied to the pages. The “Sign-in” string was inserted with hidden words with a font size of nearly zero.
All the data provided by the user on the phishing page is immediately sent to the AiTM server. The exfiltrated credentials are then used to retrieve the session cookie of the target account. Based on the phishing pages examined, the names associated with this kit and the MFA methods can be one of the letters ‘a’ to ‘e.’ In the POST request, the name is contained in the JSON data key ‘service.’
Figure 12. The code snippet of the phishing page’s handling of the MFA methods.
The Decoy Page
Accessing the domain of the AiTM server shows the decoy page as well. Below are the noteworthy domains hosting the decoy content we came across during the investigation:
URL Name Theme | Domain with URLScan Result Link | Screenshot |
Google Security | Googlesecurityforums[.]moscow | |
Call Center Voicemail | callcenter838685d0747612ac193e85fcb5ae45287b09e8a0mailvoice.s3.us-east-2.amazonaws[.]com | |
Payment Confirmation | payment-confirmation-to-your-bank-account-s-dabringhaus-licatec.packinqsystems[.]de | |
Microsoft OneDrive | pub-fe581134d7ae4857a97443270a27e0fa.r2[.]dev/0nedrive.html | |
File Sharing | docsecureatt-docdrive-filedoc.pages[.]dev/ |
Figure 13. Noteworthy Rockstar 2FA-related domains and their corresponding decoy landing pages.
Conclusion
Commodity phishing attacks, such as campaigns linked to the Rockstar 2FA PaaS platform, continue to be prevalent due to their low cost and ease of deployment. With the integration of AiTM techniques, additional layers of security like MFA can be bypassed. The likelihood of secondary attacks, such as account takeovers, launching phishing campaigns using compromised accounts, or performing business email compromise (BEC) attacks, also increases.
Rockstar has led to large-scale phishing attacks using sophisticated tactics, techniques, and procedures (TTPs,) including FUD links, QR codes, and Cloudflare Turnstile challenges. The noteworthy phishing campaigns employing this kit will be presented in the second part of this blog series.
Given the continued Rockstar-led phishing activities, it is more likely that the threat actors behind this PaaS will continue updating this kit or develop even more advanced phishing kits.
IOCs:
Initial and/or Intermediary links:
hxxp[://]cc[.]naver[.]com/cc?a=pst[.]link&m=1&nsc=Mblog[.]post&u=hxxps%3A%2F%2Fwww[.]curiosolucky[.]com/dos/
hxxps[://]www[.]curiosolucky[.]com/dos/
hxxps[://]magenta-melodious-garnet[.]glitch[.]me/public/rc[.]htm
hxxp[://]track[.]senderbulk[.]com/9164124/c?p=pDvu1IoaZGOuiG9hOsGCPPBXFmtx2_vWwJfaiQBzucIA8v9mjc3ztSyOneYxrKLjPngUzpA11TuGi1aI2aLIylOF1nHcpBoP4YzUvVEMYHtwY1nRlztPcQOoC6S6KSWuNNAgIAVnfapCVCgF1cOjSXtedVH_tWc1vLDH7FDQA0VZbtHORodc9jBuNuHh0DMH7zq9Mo6OMyLjnApzvQ3Kvw==
hxxps[://]edlyj[.]r[.]ag[.]d[.]sendibm3[.]com/mk/cl/f/sh/OycZvHuFo1eQsnbcJj9r9GQ4/Lf5JdugpPYQV
hxxps[://]link[.]trustpilot[.]com/ls/click?upn=u001[.]u9-2FNN-2FjLZCX2YnHXPQ1lM4gqkGMqJbqpuJx-2FSxHxK-2FHK5blCjdqA4sTpFhMxVuvd4F2C_ytJ-2BU3wnk2t0HzMc51nsdI5jCvjlH5KkDNOR5oq1uEJItlkSMD-2F0mdF-2F-2B0td2onmiDV9xpRWw-2FdvTM3A0wCvdsiFkF1kSdgdFrVAE78L337Qo3s56Gk0s6E6DwCfNIKl8bRli5iK2LUC2ldGxjFPYGCigbeEgNBwg1dcBwOOCSSMKGEAZxhwoFvF5-2Fm5JIsTGsZgQlFDpHLis00H4SRzSjnDGYeia8OxbZOi3NmC9Zu0y59gc0DEENkQqz3vpJLxuDhLJpYJpzgnl5FKcj4hKsjfHYOBYWFlwHMrDBS4Cvh4Jej-2FzpBQsqkaAsezwGEEHqB22DcDQgay2Cm-2BbwAcZMOxqHcQjy3nz6aJyACCXDZkVr8P3iPKgjlqDjbsFb-2BJ-2BuUIiNGVhLp1-2F3wvR6hrzO1bA127bZ68-2BmxJz7ux0F5Htfv1SipEoRgLt6VWovRUTbAmRMRtZHvPS49KRBqCjzSnmChbhoVriyoBm5l9IeUaV5raA4vZxPckk3vcYaVa0xmCZLDFC14eTimJvqIk1CqOPtji8DUcs3pyfer4J-2Fk-3D
hxxps[://]u1427642[.]ct[.]sendgrid[.]net/ss/c/u001[.]d04lnC885Iiw-JDl08ZraoSXFe9HwA-SkWLpgNZDbZzgIKoIZZYrlHao4m6r2Vm6/4a0/vg0RNJ9pTvCzCNn5rS7A6Q/h0/h001[.]3pGdTVyFoOmaVG2IhlxshDsg0cLE6sckLThbmumHqI0
hxxps[://]docsend[.]com/view/q6f7ukbdeviagha2
hxxps[://]cloudflare-kol[.]github[.]io/out/red[.]html?url=aHR0cHM6Ly9zaG9ydHVybC5hdC80SlZnbg==
hxxps[://]shorturl[.]at/4JVgn
hxxps[://]system23cfb9[.]link[.]bmesend[.]com/api/LinkHandler/getaction2?redirectParam2=K09weU5vMDBKWXFUK0ZPdkw4azdKWHk5QlJsZkNXWXlLMUxiMHdXQU1YK3FFZGFsZG9ZQ2ZqNUdHd3ErZEpLeGpyeVE1U1hmU2xoSy9WemJySVEzQytGajZBVWE4em5jaEpuRHhEa05xOTZOcWxQRVdUN1g2S2ViR3YvZjN1K2dJZk9rQTRVajZmMD0%3d
hxxps[://]r[.]g[.]bing[.]com/bam/ac?!&&daydream=vasectomy&u=a1aHR0cHM6Ly9jeWJlcm5leGlsbHVtby56YS5jb20vVFZOUHIv==
hxxps[://]ctrk[.]klclick3[.]com/l/01J5V2NHDC0KB0P8B51Z9PCPZS_0
hxxps[://]googlevoicesecrets[.]com/EHkslw5/auth/?_kx=lKiN48B6FuEu_OYp2PJPXw[.]Sdgjsn
hxxps[://]www[.]google[.]com[.]au/url?q=//www[.]google[.]co[.]nz/amp/s/synthchromal[.]ru/Vc51/
hxxps[://]semi-zcmp[.]maillist-manage[.]com/click/1122f15d012c0933f/1122f15d012c08f77?utm_source=aynures-newsletter[.]beehiiv[.]com&utm_medium=newsletter&utm_campaign=yes-my-gee&_bhlid=c1191c405e82c32c645acb82f875fdd8fad29209
hxxps[://]involucrases[.]sa[.]com/
hxxps[://]callcenter838685d0747612ac193e85fcb5ae45287b09e8a0mailvoice[.]s3[.]us-east-2[.]amazonaws[.]com
hxxps[://]payment-confirmation-to-your-bank-account-s-dabringhaus-licatec[.]packinqsystems[.]de/
hxxps[://]pub-fe581134d7ae4857a97443270a27e0fa[.]r2[.]dev/0nedrive[.]html
hxxps[://]docsecureatt-docdrive-filedoc[.]pages[.]dev/
Landing Pages:
hxxps[://]bluntchiefei[.]za[.]com/XTCfX/
hxxps[://]botolaasprop[.]sa[.]com/N26Vu/
hxxps[://]erfolgstipss[.]com[.]de/Gnq8/
hxxps[://]digitalgadgetbuzz[.]sa[.]com/WyAn/
hxxps[://]bitesizeusaei[.]za[.]com/ol6Bu/
hxxps[://]enterbuzztechscener[.]pl/pbtmx/
hxxps[://]pfremiumshirts[.]store/D91p/
hxxps[://]lifestylesyncteche[.]pro/Ykiy/
hxxps[://]bytequestixo[.]pro/wWge/
hxxps[://]cybernexillumo[.]za[.]com/TVNPr/
hxxps[://]novatechies[.]cbg[.]ru/BUeEj/
hxxps[://]synthchromal[.]ru/Vc51/
hxxps[://]cyberdynalumeo[.]ru/1RB3Y/
AiTM Server Domains:
entertainmentcircuitss[.]ru
fruechtebox-expresszsnu[.]ru
recambioselecue[.]ru
googlesecurityforums[.]Moscow
entertaingadgetop[.]ru
ponnet[.]msk[.]su
mieten[.]com[.]ru
albumilustrado[.]msk[.]ru
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.