Full Report
A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat has been using the DNS over HTTPS (DoH) protocol to evade detection. [...]
Analysis Summary
# Tool/Technique: Morphing Meerkat Phishing Kit
## Overview
Morphing Meerkat is a Phishing-as-a-Service (PhaaS) operation characterized by its use of advanced evasion techniques, notably **DNS over HTTPS (DoH)** and **DNS MX record lookups**, to deliver tailored phishing experiences and evade network monitoring.
## Technical Details
- Type: Attack Tool/Framework (Phishing Kit)
- Platform: Client-side execution (Web Browser)
- Capabilities: Credential harvesting, dynamic phishing template delivery based on target email provider, real-time data forwarding.
- First Seen: Not explicitly mentioned in the provided text.
## MITRE ATT&CK Mapping
Since the focus is on the delivery and evasion aspect of the phishing operation rather than the initial access method (the phishing email itself), the mapping focuses on the infrastructure and data exfiltration methods described:
- **TA0001 - Initial Access** (if the phishing email is considered the mechanism)
  - T1566 - Phishing
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (using AJAX/PHP scripts to send data)
- **TA0008 - Lateral Movement / TA0011 - Command and Control** (related to the use of DNS infrastructure for communication)
  - T1071 - Application Layer Protocol
    - T1071.004 - DNS (utilizing DoH for resolution)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Captures user-entered credentials via AJAX requests to external servers and PHP scripts hosted on the phishing pages.
- **Double Credential Submission:** Serves a fake error ("Invalid Password.! Please enter email correct password") on the first attempt, forcing the victim to submit the password a second time so the operator receives a confirmed copy.
- **Redirection:** Redirects the victim instantly to the legitimate authentication page after credential capture to reduce user suspicion.
- **Real-Time Forwarding:** Capable of forwarding captured data in real-time using **Telegram bot webhooks**.
### Advanced Features
- **DNS over HTTPS (DoH) Evasion:** Performs DNS resolution for external communication (e.g., getting MX records) using encrypted HTTPS requests, bypassing traditional plaintext DNS monitoring.
- **Dynamic Phishing Template Delivery via DNS MX:** Upon loading the kit in the victim's browser, it queries external DoH providers (Google or Cloudflare) for the **MX (Mail Exchange) records** associated with the victim's entered email domain. Based on the identified email provider (from the MX record), the kit dynamically serves the correct, matching phishing page template to the victim, significantly tailoring the attack.
## Indicators of Compromise
- File Hashes: [Not available in context]
- File Names: PHP scripts and potential front-end files related to the kit execution.
- Registry Keys: [Not applicable/available in context]
- Network Indicators:
  - C2/Exfiltration targets: External servers receiving data via AJAX requests.
  - Communication Infrastructure: Connections to public DoH resolvers (e.g., Google, Cloudflare) used for reconnaissance via MX lookups. (Specific IPs/domains require consulting the linked GitHub repository.)
- Behavioral Indicators: DNS queries issued over HTTPS (DoH) from client-side script to public resolvers outside the organisation's normal DNS monitoring, and a second password submission followed by immediate redirection to the legitimate login page.
## Associated Threat Actors
- The context describes a "Phishing-as-a-Service operation" using this kit. Specific known threat actor groups are not named in the provided text snippet, but it implies organized cybercriminal service providers.
## Detection Methods
- Signature-based detection: [Not explicitly mentioned]
- Behavioral detection: Detecting client-side initiation of DNS lookups encapsulated within TLS/HTTPS traffic directed toward public DoH resolvers (if not normally permitted or monitored). Monitoring for secondary credential submissions followed immediately by redirection.
- YARA rules: [Not available in context]
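As an added example (not code from the report or from the kit), the following detector implements the behavioral check above: it reads web-proxy log lines and flags requests to the public DoH resolvers named in the report, separating JSON-API MX lookups (where the queried name and type are visible in the URL) from opaque wire-format DoH contacts. The log line format, the sample lines and the endpoint list are constructed assumptions; adapt the parser to your proxy's format.

```python
"""Flag browser-originated DoH MX lookups in web-proxy logs (added example)."""
from urllib.parse import urlsplit, parse_qs

# Public DoH endpoints named in the report (Google, Cloudflare); extend as needed.
DOH_ENDPOINTS = {
    ("dns.google", "/resolve"),
    ("dns.google", "/dns-query"),
    ("cloudflare-dns.com", "/dns-query"),
    ("1.1.1.1", "/dns-query"),
}
MX_TYPES = {"mx", "15"}  # RFC 1035 type name or numeric code


def classify(line):
    """Return ("mx-lookup" | "doh-contact" | None, details) for one log line.

    Constructed line format: "<ts> <client_ip> <method> <url> <user_agent>".
    """
    ts, client, _method, url, ua = line.split(" ", 4)
    parts = urlsplit(url)
    host = parts.hostname or ""
    if (host, parts.path) not in DOH_ENDPOINTS:
        return None, {}
    qs = parse_qs(parts.query)
    details = {"ts": ts, "client": client, "resolver": host, "ua": ua,
               "name": qs.get("name", [None])[0], "type": qs.get("type", [None])[0]}
    # JSON-API style queries carry name/type in the URL; wire-format POSTs do not,
    # so those can only be flagged as DoH contact, not as a confirmed MX lookup.
    if details["type"] and details["type"].lower() in MX_TYPES:
        return "mx-lookup", details
    return "doh-contact", details


def scan(lines):
    """Return (verdict, details) for every line that touches a DoH resolver."""
    alerts = []
    for line in lines:
        verdict, details = classify(line)
        if verdict:
            alerts.append((verdict, details))
    return alerts


# Constructed sample traffic: one MX lookup, one wire-format DoH POST, one benign request.
SAMPLE_LOG = [
    "2025-03-27T10:01:02Z 10.0.0.15 GET https://dns.google/resolve?name=example.com&type=MX Mozilla/5.0",
    "2025-03-27T10:01:03Z 10.0.0.15 POST https://cloudflare-dns.com/dns-query Mozilla/5.0",
    "2025-03-27T10:01:04Z 10.0.0.16 GET https://www.example.com/index.html Mozilla/5.0",
]

if __name__ == "__main__":
    for verdict, d in scan(SAMPLE_LOG):
        print(verdict, d["client"], d["resolver"], d["name"])
```

A "doh-contact" hit from a browser user agent is worth an alert on its own where the policy is that endpoints must use the corporate resolver, since wire-format DoH hides the queried name from the proxy.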
## Mitigation Strategies
- Tighter DNS control "so that users cannot communicate with DoH servers."
- Blocking user access to adtech and file-sharing infrastructure not critical to the business.
- Detailed monitoring of network egress traffic for unusual HTTPS connections originating from client-side scripts that resolve domain information (like MX records).
## Related Tools/Techniques
- DNS over HTTPS (DoH) (as a technique)
- DNS MX Record usage for host discovery/reconnaissance