Full Report
Cybersecurity researchers are warning about malicious email campaigns leveraging a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA with an aim to steal Microsoft 365 account credentials. "This campaign employs an AitM [adversary-in-the-middle] attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multi-factor authentication (MFA)
Analysis Summary
# Tool/Technique: Rockstar 2FA
## Overview
Rockstar 2FA is a Phishing-as-a-Service (PhaaS) toolkit designed to facilitate the large-scale theft of Microsoft 365 account credentials, primarily by employing Adversary-in-the-Middle (AitM) attacks to bypass Multi-Factor Authentication (MFA). It is an updated version of the DadSec (or Phoenix) phishing kit.
## Technical Details
- Type: Tool (Phishing Kit/Framework)
- Platform: Web/Cloud Services (Hosting phishing pages)
- Capabilities: AitM attacks, 2FA bypass, 2FA cookie harvesting, antibot protection (Cloudflare Turnstile), admin panel, campaign tracking, customizable themes.
- First Seen: Context implies recent activity/update, successor to DadSec/Phoenix.
## MITRE ATT&CK Mapping
The primary focus is on credential harvesting and bypassing authentication mechanisms.
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (via document attachments)
    - T1566.002 - Spearphishing Link (via direct URLs/redirectors)
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores
    - *Note: The AitM nature strongly implies execution against T1555.003 (Credentials from Web Session) by harvesting session cookies.*
## Functionality
### Core Capabilities
- **Adversary-in-the-Middle (AitM) Attack:** Intercepts user credentials and active session cookies during the login process.
- **MFA Bypass:** Effective against users with MFA enabled by capturing the subsequent session cookie.
- **Subscription Model:** Offered via services like ICQ, Telegram, and Mail.ru for $200 (2 weeks) or $350 (1 month).
- **Anti-Automation:** Incorporates antibot checks using Cloudflare Turnstile to deter automated analysis of the phishing infrastructure.
- **Link Evasion:** Uses legitimate link redirectors (shortened URLs, open redirects, URL protection services) to bypass antispam filters.
### Advanced Features
- **Customization:** "Modern, user-friendly admin panel" for campaign tracking, URL generation, attachment management, and theme personalization.
- **FUD Links:** Claims to provide fully undetectable links.
- **Telegram Bot Integration:** Likely used for receiving stolen data and campaign reporting.
- **Legitimate Service Hosting:** Phishing links are hosted on trusted platforms to improve delivery rates and evasion (e.g., Atlassian Confluence, Google Docs Viewer, LiveAgent, Microsoft OneDrive, OneNote, Dynamics 365 Customer Voice).
- **Credential/Cookie Exfiltration:** Sends all captured user data immediately to the AitM server, which then retrieves the session cookie.
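The link-evasion and legitimate-hosting behaviour described above (wrapping the phishing URL in shorteners, open redirects, URL-protection rewrites and document viewers) can be triaged offline by unwrapping the redirector chain and checking where it finally lands. The following Python script is an added example written for this summary, not code from the original report or from the kit itself. The redirector table is an assumption: the Google Docs Viewer and Outlook Safe Links entries reflect the publicly documented `url=` query parameter those services use, while `redirector.example` is a hypothetical shortener included only to exercise multi-hop chains; the expected-login-host allow-list is likewise a placeholder for a tenant's own list.

```python
from urllib.parse import urlparse, parse_qs

# Assumed table of hosts that carry their destination in a query parameter.
# Host suffix -> name of the query parameter holding the embedded URL.
REDIRECTOR_PARAMS = {
    "docs.google.com": "url",                   # Google Docs Viewer: /viewer?url=...
    "safelinks.protection.outlook.com": "url",  # URL-protection rewrite: /?url=...
    "redirector.example": "target",             # hypothetical shortener (constructed)
}

# Hosts a genuine Microsoft 365 sign-in page is expected to be served from.
# Assumption: replace with the allow-list maintained for your tenant.
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

MAX_HOPS = 5  # guard against self-referencing redirector loops


def _redirector_param(host: str):
    """Return the embedded-URL parameter name if `host` is a known redirector."""
    for suffix, param in REDIRECTOR_PARAMS.items():
        if host == suffix or host.endswith("." + suffix):
            return param
    return None


def unwrap_url(url: str):
    """Follow embedded-URL redirectors without touching the network.

    Returns the list of hops, starting with the original URL and ending with
    the first URL that is not a recognised redirector (or after MAX_HOPS).
    """
    hops = [url]
    for _ in range(MAX_HOPS):
        parsed = urlparse(hops[-1])
        param = _redirector_param(parsed.netloc.lower())
        if param is None:
            break
        # parse_qs already percent-decodes one layer, which is exactly one hop.
        embedded = parse_qs(parsed.query).get(param)
        if not embedded:
            break
        hops.append(embedded[0])
    return hops


def assess_link(url: str):
    """Classify a link that claims to lead to a Microsoft 365 sign-in page.

    A link is flagged when the final destination is not an expected login
    host; being wrapped in a legitimate redirector is recorded but is not
    itself a verdict, because mail-protection rewrites wrap benign links too.
    """
    hops = unwrap_url(url)
    final_host = urlparse(hops[-1]).netloc.lower()
    return {
        "hops": hops,
        "wrapped": len(hops) > 1,
        "final_host": final_host,
        "suspicious": final_host not in EXPECTED_LOGIN_HOSTS,
    }


if __name__ == "__main__":
    # Constructed sample: viewer -> hypothetical shortener -> look-alike login host.
    sample = ("https://docs.google.com/viewer?url=https%3A%2F%2Fredirector.example%2Fgo"
              "%3Ftarget%3Dhttps%253A%252F%252Fm365-signin.example.net%252Flogin")
    for hop in unwrap_url(sample):
        print("  ->", hop)
    print(assess_link(sample))
```

The verdict deliberately keys on the final host rather than on the presence of a redirector, since the same wrapping services carry legitimate mail; the hop list is what an analyst pivots on when reporting the abused service to its owner.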
## Indicators of Compromise
*Note: Specific C2 IPs/domains were not provided in the context, only the methods and underlying infrastructure used.*
- File Hashes: [N/A]
- File Names: [N/A - Campaigns utilize URLs, QR codes, or document attachments]
- Registry Keys: [N/A]
- Network Indicators: [URLs/Redirectors used to point to compromised legitimate hosting services]
- Behavioral Indicators: Rapid exfiltration of login credentials followed immediately by session cookie retrieval; traffic flow consistent with an AitM proxy setup; signs of Cloudflare Turnstile interaction without full resolution.
## Associated Threat Actors
- Developers/distributors associated with the **DadSec PhaaS platform**, tracked by Microsoft as **Storm-1575**.
- Cyber criminals utilizing the paid subscription-based service.
## Detection Methods
- Signature-based detection: [Difficult for FUD links, better against known hosting patterns or specific code signatures within the kit itself]
- Behavioral detection: Monitoring for unexpected redirects to login pages that proxy the legitimate connection, rapid authentication attempts followed by cookie/token harvesting, and connections to known PhaaS C2 communication channels (e.g., specific Telegram bot interactions).
- YARA rules: [N/A]
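The behavioural indicator listed under Indicators of Compromise (credential capture followed immediately by session cookie retrieval) and the behavioural detection above can be expressed as a concrete rule over sign-in telemetry: an MFA-satisfied interactive sign-in whose session is then presented from a different network within minutes. In an AitM proxy setup the interactive sign-in arrives from the proxy's network rather than the victim's, and the captured cookie is replayed from wherever the operator sits. The Python rule below is an added example written for this summary, not detection logic from the original report or from any vendor product. The event schema, the sample events and the per-user ASN baseline are all constructed; real sign-in logs would need to be mapped onto these fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). "interactive" events
# carry the MFA outcome; "token_use" events present an existing session cookie
# or token without re-authenticating. IPs are from documentation ranges.
SAMPLE_EVENTS = [
    # alice: normal MFA sign-in, then session use from the same network.
    {"ts": "2024-11-20T08:00:00", "user": "alice@example.test",
     "ip": "203.0.113.10", "asn": "AS64500", "type": "interactive", "mfa": True},
    {"ts": "2024-11-20T08:03:00", "user": "alice@example.test",
     "ip": "203.0.113.10", "asn": "AS64500", "type": "token_use"},
    # bob: AitM pattern. Sign-in comes from the proxy (unfamiliar network),
    # then the captured cookie is replayed from a third network minutes later.
    {"ts": "2024-11-20T09:15:00", "user": "bob@example.test",
     "ip": "198.51.100.7", "asn": "AS64511", "type": "interactive", "mfa": True},
    {"ts": "2024-11-20T09:19:30", "user": "bob@example.test",
     "ip": "192.0.2.44", "asn": "AS64496", "type": "token_use"},
    # carol: sign-in from her usual network, then token use from another ASN
    # (e.g. switching to mobile data). Worth a look, but a weaker signal.
    {"ts": "2024-11-20T10:00:00", "user": "carol@example.test",
     "ip": "203.0.113.22", "asn": "AS64500", "type": "interactive", "mfa": True},
    {"ts": "2024-11-20T10:10:00", "user": "carol@example.test",
     "ip": "192.0.2.90", "asn": "AS64497", "type": "token_use"},
]

# Assumed per-user baseline of networks seen over a trailing history window.
BASELINE_ASN = {
    "alice@example.test": {"AS64500"},
    "bob@example.test": {"AS64500"},
    "carol@example.test": {"AS64500"},
}

REPLAY_WINDOW = timedelta(minutes=15)


def detect_aitm_sessions(events, baseline=BASELINE_ASN, window=REPLAY_WINDOW):
    """Flag MFA sign-ins whose session is used from a different ASN within `window`.

    Severity is "high" when the sign-in itself came from a network outside the
    user's baseline (consistent with an AitM proxy) and "medium" otherwise.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, login in enumerate(evs):
            if login["type"] != "interactive" or not login.get("mfa"):
                continue
            unfamiliar_origin = login["asn"] not in baseline.get(user, set())
            for later in evs[i + 1:]:
                if later["ts"] - login["ts"] > window:
                    break
                if later["type"] == "token_use" and later["asn"] != login["asn"]:
                    alerts.append({
                        "user": user,
                        "login_ip": login["ip"], "login_asn": login["asn"],
                        "replay_ip": later["ip"], "replay_asn": later["asn"],
                        "minutes": (later["ts"] - login["ts"]).total_seconds() / 60,
                        "login_from_unfamiliar_asn": unfamiliar_origin,
                        "severity": "high" if unfamiliar_origin else "medium",
                    })
                    break  # one alert per sign-in is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm_sessions(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on ASN rather than raw IP so that ordinary address churn inside one provider does not fire; the baseline is what separates the AitM case (sign-in from the proxy's network) from a user who simply changed networks after authenticating.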
## Mitigation Strategies
- **Implement Stronger Session Control:** Configure MFA solutions to frequently re-authenticate or require re-entry of MFA factors for sensitive operations, mitigating the risk of long-lived session cookies.
- **Browser Security Settings:** Ensure all security features (like anti-phishing warnings) are enabled.
- **User Training:** Educate users on verifying URLs, scrutinizing login pages (especially those hosted on unusual subdomains of known services), and being wary of external links in emails.
- **Network Monitoring:** Monitor outbound connections for anomalies related to session cookie transmission patterns indicative of AitM proxying.
## Related Tools/Techniques
- **DadSec (Phoenix) Phishing Kit:** Rockstar 2FA is an updated version.
- **Beluga Phishing Campaign:** Related by targeting Microsoft OneDrive credentials via .HTM attachments and exfiltrating data to a Telegram bot.
- **General AitM Phishing Frameworks:** Tools that facilitate credential and session harvesting via proxying user sessions.