Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)

Dec. 5, 2024, 10:25 a.m.

Description

This analysis explores the Rockstar 2FA phishing-as-a-service kit, focusing on real-world email campaign examples. It highlights various techniques used by attackers, including the abuse of legitimate services for FUD (Fully Undetectable) links, such as Microsoft OneDrive, OneNote, Dynamics 365, Atlassian Confluence, and Google Docs Viewer. The use of QR codes in phishing attempts and the insertion of stolen email threads to inflate message size are also discussed. The article emphasizes the multi-stage nature of these attacks and the importance of caution when dealing with emails sent through trusted platforms.

External References

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-phishing-as-a-service-paas-noteworthy-email-campaigns/
https://otx.alienvault.com/pulse/6750e1e2ad0568f66faeff19
Tags
phishing
aitm
email campaigns
microsoft 365
2024-12-03
phishing-as-a-service
dadsec
rockstar 2fa
2024-12-04
rockstar

Date

  • Created: Dec. 4, 2024, 11:12 p.m.
  • Published: Dec. 4, 2024, 11:12 p.m.
  • Modified: Dec. 5, 2024, 10:25 a.m.

Indicators

  • https://www.curiosolucky.com/dos/
  • https://vilug-onteroi.com.pl/RkHd/
  • https://vidy-cloudy.com.pl/13SP
  • https://urbanlifeinnolo.ru/KGgt
  • https://vendantacoursessonu.ru/7VINm
  • https://synthchromal.ru/Vc51/
  • https://saluminyum.com/secure/index.html
  • https://swiftsparkmon.ru/F4CQo/
  • https://pfremiumshirts.store/D91p/
  • https://novatechies.cbg.ru/BUeEj/
  • https://payment-confirmation-to-your-bank-account-s-dabringhaus-licatec.packinqsystems.de/
  • https://luthschoenmode.nl/winkel/generated/arull.php?7104797967704b536932307466507a53784b7a4d37494c79704b7a4d73723053744f314
  • https://enterbuzztechscener.pl/pbtmx/
  • https://googlevoicesecrets.com/EHkslw5/auth/?_kx=lKiN48B6FuEu_OYp2PJPXw.Sdgjsn
  • https://docsecureatt-docdrive-filedoc.pages.dev/
  • https://cyberdynalumeo.ru/1RB3Y/
  • https://bytequestixo.pro/wWge/
  • https://apexaurora.ru/SDoHg/
  • https://pub-fe581134d7ae4857a97443270a27e0fa.r2.dev/0nedrive.html
  • https://lifestylesyncteche.pro/Ykiy/
  • https://54774675.rainblessings.pages.dev
  • www.curiosolucky.com
  • 54774675.rainblessings.pages.dev
  • vilug-onteroi.com.pl
  • vidy-cloudy.com.pl
  • vendantacoursessonu.ru
  • urbanlifeinnolo.ru
  • txjudge-mentsol.com.pl
  • swiftsparkmon.ru
  • saluminyum.com
  • quedi.adv.br
  • luthschoenmode.nl
  • lifestreamtechho.ru
  • apexaurora.ru
  • system23cfb9.link.bmesend.com
  • payment-confirmation-to-your-bank-account-s-dabringhaus-licatec.packinqsystems.de
  • novatechies.cbg.ru
  • docsecureatt-docdrive-filedoc.pages.dev
  • aynures-newsletter.beehiiv.com
  • 2fwww.curiosolucky.com
  • synthchromal.ru
  • recambioselecue.ru
  • pfremiumshirts.store
  • lifestylesyncteche.pro
  • googlevoicesecrets.com
  • fruechtebox-expresszsnu.ru
  • entertainmentcircuitss.ru
  • entertaingadgetop.ru
  • enterbuzztechscener.pl
  • cyberdynalumeo.ru
  • bytequestixo.pro
Download all indicators here!

Attack Patterns

  • T1534
  • T1550.001
  • T1204.001
  • T1566.002
  • T1566
  • T1078