Trustwave researchers recently released a report on a phishing campaign they had been tracking, which saw a significant increase in activity in August 2024 and primarily targeted Microsoft 365 users. The campaign has been linked to a phishing kit called Rockstar 2FA, which is assessed to be an updated version of the DadSec phishing kit. Microsoft tracks the threat actor behind both kits under the moniker Storm-1575.
Rockstar 2FA operates under the phishing-as-a-service (PhaaS) model, meaning the kit is an easily accessible, ready-made means of running phishing attacks. Marketing for the kit has been observed on ICQ, Telegram, and Mail.ru. Pricing is as low as $200 for a two-week subscription or $350 for a month. As with other "as a service" models, this lets threat actors with little or no technical knowledge mount campaigns of their own.
Advertised features of the Rockstar 2FA kit include multi-factor authentication bypass, login page themes that mimic a variety of services, randomized code and email attachments (to hinder signature-based detection), Telegram bot integration for delivering harvested credentials and session data to the operator, and more.
Links to the malicious pages appear to be spread primarily by email. Link redirector services are used to get past anti-spam detection, and the kit also includes anti-bot features intended to defeat automated analysis of the phishing pages. The emails in this campaign fall into a handful of lure types: document sharing notifications, HR and payroll messages, MFA lures, and password or account-related alerts.
(Source: Trustwave)
An adversary-in-the-middle (AitM) attack is a variant of a man-in-the-middle attack in which the attacker impersonates both parties to each other: the server to the client and the client to the server. The threat actor positions themselves between a sender and a receiver of data; once in that position, they can intercept or manipulate communications, or simply redirect traffic.
Depending on the circumstances, this can be done at various layers, such as the network layer, the transport layer, or the application layer. What separates an adversary-in-the-middle attack from a man-in-the-middle attack, as the terms are used here, is active manipulation: the threat actor does not merely observe but modifies data, injects malicious payloads, or otherwise alters data in transit.
In this kind of attack the threat actor controls the communication between the victim and the legitimate endpoint. In the Rockstar 2FA case the phishing page acts as a proxy to the real Microsoft 365 login: the victim's credentials and MFA response are relayed to Microsoft, and the session cookie Microsoft issues after a successful MFA sign-in is captured by the attacker. Replaying that cookie grants access to the account without any further MFA prompt, which is how the kit negates the protection MFA would otherwise provide. As with other similar attacks, the threat actor impersonates a trusted entity to entice the victim into giving up sensitive information.
(Source: Trustwave)
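The practical consequence of the cookie-replay mechanism described above is that the legitimate identity provider's sign-in log records the phishing proxy, not the victim, as the source of the MFA sign-in, and then records the attacker's replay of the session from yet another address. The following is an added example, not code from Trustwave, Microsoft, or this article, showing two detection heuristics a SOC could run over sign-in telemetry: session use from a different IP, ASN, or user agent shortly after an MFA-satisfied interactive sign-in, and MFA sign-ins from an address the user has never used before. The event schema (ts, user, session_id, ip, asn, ua, interactive, mfa_satisfied) is an assumption loosely modelled on Entra ID sign-in logs, and all events and baseline addresses are constructed for the example.

```python
"""Detecting adversary-in-the-middle session replay in sign-in telemetry.

Added example; not from the Trustwave or Microsoft reporting. The event
schema is an assumption loosely modelled on Entra ID sign-in logs (real logs
use different field names). All events and baselines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. In an AitM phish the victim's browser talks to the
# phishing proxy, so the interactive sign-in (credentials + MFA) is logged from
# the proxy's IP rather than the victim's. Shortly afterwards the attacker
# replays the captured session cookie from another IP, non-interactively.
SAMPLE_EVENTS = [
    # alice: normal MFA sign-in from the office, same session used from the same place.
    {"ts": "2024-08-12T08:01:00Z", "user": "alice", "session_id": "s-1001", "ip": "203.0.113.10",
     "asn": 64496, "ua": "Edge/127", "interactive": True, "mfa_satisfied": True},
    {"ts": "2024-08-12T08:30:00Z", "user": "alice", "session_id": "s-1001", "ip": "203.0.113.10",
     "asn": 64496, "ua": "Edge/127", "interactive": False, "mfa_satisfied": True},
    # bob: MFA sign-in arrives via the phishing proxy (198.51.100.7); four minutes later the
    # session cookie is replayed from 192.0.2.55 with a scripted client.
    {"ts": "2024-08-12T09:15:00Z", "user": "bob", "session_id": "s-2002", "ip": "198.51.100.7",
     "asn": 64500, "ua": "Chrome/127", "interactive": True, "mfa_satisfied": True},
    {"ts": "2024-08-12T09:19:00Z", "user": "bob", "session_id": "s-2002", "ip": "192.0.2.55",
     "asn": 64501, "ua": "python-requests/2.32", "interactive": False, "mfa_satisfied": True},
    # carol: benign roaming between two office addresses in the same ASN, same browser.
    {"ts": "2024-08-12T10:00:00Z", "user": "carol", "session_id": "s-3003", "ip": "203.0.113.30",
     "asn": 64496, "ua": "Safari/17", "interactive": True, "mfa_satisfied": True},
    {"ts": "2024-08-12T10:20:00Z", "user": "carol", "session_id": "s-3003", "ip": "203.0.113.31",
     "asn": 64496, "ua": "Safari/17", "interactive": False, "mfa_satisfied": True},
]

# Constructed per-user baseline of previously seen sign-in addresses.
BASELINE_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.22"},
    "carol": {"203.0.113.30", "203.0.113.31"},
}


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events, window_minutes=60, min_score=2):
    """Flag sessions whose MFA-satisfied interactive origin is followed, within
    the window, by use from a different IP, ASN, or user agent. Each differing
    attribute scores one point; an alert needs at least min_score points, so a
    lone IP change (roaming within one network) does not fire by default.
    Returns at most one alert per session."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        origin = next((e for e in evs if e["interactive"] and e["mfa_satisfied"]), None)
        if origin is None:
            continue
        origin_ts = _parse_ts(origin["ts"])
        deadline = origin_ts + timedelta(minutes=window_minutes)
        for later in evs:
            if later is origin:
                continue
            t = _parse_ts(later["ts"])
            if t < origin_ts or t > deadline:
                continue
            reasons = []
            if later["ip"] != origin["ip"]:
                reasons.append(f"ip {origin['ip']} -> {later['ip']}")
            if later["asn"] != origin["asn"]:
                reasons.append(f"asn {origin['asn']} -> {later['asn']}")
            if later["ua"] != origin["ua"]:
                reasons.append(f"user agent {origin['ua']!r} -> {later['ua']!r}")
            if len(reasons) >= min_score:
                alerts.append({"user": later["user"], "session_id": sid,
                               "at": later["ts"], "reasons": reasons})
                break  # one alert per session is enough for triage
    return alerts


def mfa_from_unfamiliar_ip(events, baseline_ips):
    """Interactive, MFA-satisfied sign-ins from an IP the user has never used.
    On its own this is a weak signal (travel, a new ISP), but in an AitM phish
    the MFA sign-in comes from the proxy's address, so it is the earliest
    indicator available and a useful enrichment for the replay alert."""
    return [
        {"user": e["user"], "session_id": e["session_id"], "ip": e["ip"]}
        for e in events
        if e["interactive"] and e["mfa_satisfied"]
        and e["ip"] not in baseline_ips.get(e["user"], set())
    ]


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print("session replay:", alert)
    for hit in mfa_from_unfamiliar_ip(SAMPLE_EVENTS, BASELINE_IPS):
        print("mfa from unfamiliar ip:", hit)
```

Run on the constructed events, only bob's session s-2002 produces a replay alert (IP, ASN, and user agent all change within four minutes of the MFA sign-in), and bob is also the only user whose MFA sign-in came from an address outside their baseline. Carol's roaming changes only the IP and scores below the threshold, which is the trade-off to tune: lowering min_score to 1 catches her too, at the cost of noise from ordinary network moves. In a production pipeline the ASN and user-agent fields would be populated from IP enrichment and the raw request headers.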
Storm-1575 is the moniker Microsoft uses to track the threat actor behind Rockstar 2FA. At the time of writing, Microsoft lists this actor as a "group in development", and it is also connected to DadSec, which, as noted above, is the previous incarnation of the Rockstar phishing kit.
Microsoft Threat Intelligence has been tracking DadSec since May 2023 and notes that the DadSec platform has been responsible for some of the highest volumes of phishing activity observed since tracking began.
Though much remains unknown about this group, it is known to rebrand its phishing infrastructure frequently, which would help explain the update from DadSec to Rockstar 2FA. Not long ago, Any.Run analysts were able to connect several recently updated login panels to the group's activity.
As one might expect of a threat actor running an "as a service" platform, this group tends to focus on product offerings and customer support rather than on launching attacks directly.
(Source: Microsoft)
In summary, Rockstar 2FA is a phishing kit that Trustwave researchers have linked to a phishing campaign gaining traction since August 2024. It is an updated version of the DadSec phishing kit and is operated under a phishing-as-a-service model. The kit provides threat actors with a number of features for their phishing campaigns, including multi-factor authentication bypass, Telegram bot integration, and more.
Adversary-in-the-middle attacks are the primary mechanism by which campaigns using Rockstar 2FA operate. In these attacks the threat actor places themselves between a sender and a receiver of data in order to intercept and/or manipulate communications; the active manipulation of data is what separates this sort of attack from a more standard man-in-the-middle attack. This position also lets the threat actor capture session tokens or cookies issued after a successful MFA sign-in and replay them, thereby bypassing the MFA protection on victim accounts.
Storm-1575 is Microsoft's moniker for the threat actor behind Rockstar 2FA. Not many specifics are known at this time, but the group is also responsible for the DadSec phishing kit, which Microsoft has been tracking since May 2023 and describes as responsible for a significant amount of phishing activity.
[1]: https://thehackernews.com/2024/11/phishing-as-service-rockstar-2fa.html
[4]: https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming
[5]: https://hackread.com/storm-1575-threat-actor-new-login-panels-phishing-infrastructure/
[6]: https://x.com/MsftSecIntel/status/1712936244987019704?lang=en
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989