A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
Analysis Summary
# Tool/Technique: Morphing Meerkat PhaaS Platform
## Overview
Morphing Meerkat is a sophisticated Phishing-as-a-Service (PhaaS) platform designed primarily to steal email user login credentials. It employs advanced, dynamic techniques, including abusing DNS MX records, to spoof over 100 different brands and deliver highly targeted phishing landing pages.
## Technical Details
- Type: Malware/Platform (Phishing Kit/PhaaS)
- Platform: General web targets (delivers web pages)
- Capabilities: Dynamic brand spoofing (114+ brands), DNS MX record querying for service provider identification, dynamic content translation (over a dozen languages), security evasion (open redirects, code obfuscation).
- First Seen: Campaigns identified as early as 2020.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Used to deliver initial link)
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information
- T1027.006 - Encoding Persistent Stored Data (Implied via code obfuscation)
- TA0011 - Command and Control
- T1105 - Ingress Tool Transfer (Used in conjunction with external, potentially vulnerable infrastructure like adtech servers)
## Functionality
### Core Capabilities
- **Credential Theft:** Primary goal is stealing login credentials, particularly for email services.
- **Brand Spoofing:** Capable of mimicking over 114 different brand login pages.
- **Dynamic Content Delivery:** Uses the victim's email domain's DNS MX record to determine the victim's email service provider and dynamically serve the matching fake login page.
- **Internationalization:** Can dynamically translate phishing content based on the victim's web profile, targeting users in over a dozen languages.
### Advanced Features
- **DNS Abuse (DNS Cloaking):** Leveraging DNS MX records for automated reconnaissance and tailored content delivery—a "DNS version of living off the land."
- **Security Evasion:** Utilizes open redirects on adtech servers and obfuscates its code to hinder security analysis.
- **User Deception:** After a couple of failed login attempts, the kit often redirects the victim to the legitimate login page of their service provider to avoid raising immediate suspicion.
## Indicators of Compromise
- File Hashes: [Not specified in the article]
- File Names: [Not specified in the article, relies on delivered web content]
- Registry Keys: [Not applicable/Not specified]
- Network Indicators: [Techniques rely on abusing legitimate infrastructure like **adtech servers** for open redirects, and querying **DNS MX records**.]
- Behavioral Indicators: Querying the MX record of the victim's email domain upon link click; attempts to redirect users to known service provider login pages after simulated failures.
## Associated Threat Actors
- Threat Actor: 'Morphing Meerkat' (the entity operating the PhaaS infrastructure).
## Detection Methods
- Signature-based detection: [Not specified, but evolving signatures would be needed for the web content.]
- Behavioral detection: Monitor for DNS MX record queries issued by hosts that have no mail role (web-serving infrastructure in particular), and look for redirection chains that pass through adtech servers before landing on a login page.
- YARA rules: [Not specified]
## Mitigation Strategies
- **Strong DNS Security:** Implementing robust DNS security controls.
- **DNS Control Hardening:** Tightening DNS controls to prevent or monitor communication with opportunistic or unknown DoH (DNS over HTTPS) servers.
- **Infrastructure Reduction:** Blocking user access to adtech and file-sharing infrastructure not critical to business operations to reduce the available attack surface for exploit chains.
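As an added example (not code from the article or from Infoblox), the following Python script implements the two detection ideas from the Detection Methods and Mitigation Strategies sections: MX lookups from hosts that are not mail servers (generalised from web-serving hosts to any non-mail host), and DoH-shaped requests to resolvers outside an allow-list, which is the traffic the DoH hardening mitigation targets. The host-role inventory, the allow-list, the log record layout and the sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed asset inventory: only hosts in the "mail" role should issue MX lookups.
HOST_ROLE = {"10.0.1.10": "mail", "10.0.2.20": "web", "10.0.3.30": "workstation"}
# Assumed allow-list of DoH resolvers the organisation sanctions.
DOH_ALLOWLIST = {"doh.internal.example"}
# The common RFC 8484 path plus the JSON-API style path; either marks a DoH-shaped request.
DOH_PATHS = {"/dns-query", "/resolve"}

@dataclass
class DnsEvent:
    src: str    # querying host
    qtype: str  # record type requested
    qname: str  # name queried

@dataclass
class HttpEvent:
    src: str
    host: str   # HTTP Host header
    path: str
    query: str  # raw query string

def flag_mx_from_non_mail(events):
    """Return (src, qname) for every MX query from a host outside the mail role."""
    return [(e.src, e.qname) for e in events
            if e.qtype == "MX" and HOST_ROLE.get(e.src) != "mail"]

def flag_unsanctioned_doh(events):
    """Return (src, host, queried name) for DoH-shaped requests to non-allow-listed resolvers."""
    hits = []
    for e in events:
        if e.path in DOH_PATHS and e.host not in DOH_ALLOWLIST:
            params = dict(p.split("=", 1) for p in e.query.split("&") if "=" in p)
            hits.append((e.src, e.host, params.get("name", "")))
    return hits

# Constructed sample telemetry (not real log data).
SAMPLE_DNS = [
    DnsEvent("10.0.1.10", "MX", "victim-domain.example"),   # mail server: expected
    DnsEvent("10.0.2.20", "A", "cdn.example"),              # web server, A record: fine
    DnsEvent("10.0.2.20", "MX", "victim-domain.example"),   # web server doing MX: flag
    DnsEvent("10.0.3.30", "MX", "victim-domain.example"),   # workstation doing MX: flag
]
SAMPLE_HTTP = [
    HttpEvent("10.0.3.30", "doh.internal.example", "/dns-query", ""),
    HttpEvent("10.0.3.30", "resolver.unsanctioned.test", "/resolve",
              "name=victim-domain.example&type=MX"),
    HttpEvent("10.0.3.30", "www.example.com", "/index.html", ""),
]
```

Feeding real DNS and proxy logs into these two functions requires only mapping each record onto the DnsEvent and HttpEvent fields.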
## Related Tools/Techniques
- Phishing-as-a-Service (PhaaS) platforms (e.g., LabHost mentioned in related articles).
- Techniques involving abusing legitimate services for evasion (Living Off the Land).
- Adversary-in-the-Middle (AITM) techniques (related contextually, though Morphing Meerkat focuses on traditional credential harvesting via dynamic spoofing).