Full Report
An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm. "It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable," Sophos said in a new report published last
Analysis Summary
# Tool/Technique: Rockstar2FA (Phishing-as-a-Service)
## Overview
Rockstar2FA was a Phishing-as-a-Service (PhaaS) toolkit designed to enable criminal actors to launch phishing attacks specifically targeting Microsoft 365 account credentials and session cookies, thereby achieving Multi-Factor Authentication (MFA) bypass. Following a partial infrastructure collapse around November 11, 2024, activity from a similar offering, FlowerStorm, rapidly increased to fill the void. Rockstar2FA is assessed to be an updated version of the DadSec phishing kit, which is also tracked by Microsoft under the name Storm-1575.
## Technical Details
- Type: Tool (Phishing-as-a-Service)
- Platform: Web/Microsoft 365 environments, likely targeting Windows/macOS users accessing web services.
- Capabilities: Harvesting Microsoft 365 credentials and session cookies to bypass MFA; use of intermediate decoy pages for redirection.
- First Seen: Publicly documented by Trustwave in late November 2024; the kit was already in use before that report.
## MITRE ATT&CK Mapping
*Note: Direct mapping is inferred based on functionality (MFA bypass and credential harvesting).*
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (only where the lure arrives as an attachment; the kit itself is web-hosted)
- T1566.002 - Spearphishing Link
- T1078 - Valid Accounts
- T1078.004 - Cloud Accounts
- T1557 - Adversary-in-the-Middle (the phishing page sits between the victim and the real Microsoft sign-in)
- T1111 - Multi-Factor Authentication Interception
- T1539 - Steal Web Session Cookie
- T1550.004 - Use Alternate Authentication Material: Web Session Cookie (replay of the captured cookie)
## Functionality
### Core Capabilities
- Serving sophisticated phishing portals designed to mimic Microsoft 365 login pages.
- Capability to capture user-provided credentials.
- Ability to harvest valid session cookies used by the target browser session.
### Advanced Features
- MFA Circumvention: Adversary-in-the-middle (AiTM) design. The phishing portal relays the victim's credentials and MFA response to the real Microsoft login in real time, so the MFA challenge is completed by the victim; the kit then captures the session cookie issued for that authenticated session, which the attacker can replay without being asked for a second factor.
- Based on the DadSec phishing kit lineage (Storm-1575).
## Indicators of Compromise
- File Hashes: N/A (the kit is hosted as a service, so infrastructure indicators matter more than file hashes; the report excerpt provides none).
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Phishing pages were hosted on domains across the .com, .de, .ru, and .moscow TLDs. No specific domains or C2 infrastructure are provided; the TLDs alone are too broad to block on.
- Behavioral Indicators: Observed exhibiting Cloudflare time-out errors on intermediate decoy pages around November 11, 2024, indicating infrastructure failure.
## Associated Threat Actors
- Criminal actors utilizing PhaaS services (specific threat group not named, but linked to the lineage of Storm-1575).
## Detection Methods
- Signature-based detection: Page templates, scripts, and resource names shared with the DadSec/Storm-1575 lineage can be fingerprinted in web proxy or email-sandbox rendering; the report excerpt provides no concrete signatures.
- Behavioral detection: Monitoring for unusual redirects involving intermediate decoy pages leading to Microsoft 365 login attempts.
- YARA rules: N/A
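The behavioral detection above (an intermediate decoy page that bounces the browser to a lookalike Microsoft 365 login) can be checked directly against web proxy logs. The following is an added example, not code from the Sophos or Trustwave reports: the log format (`timestamp client method url status location referer`), the list of legitimate Microsoft sign-in host suffixes, the lure tokens, and the sample log lines are all constructed for this illustration.

```python
"""Flag decoy-page -> lookalike Microsoft 365 login redirect chains in web proxy logs (added example)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts that may legitimately serve a Microsoft 365 sign-in (assumption: trim or extend for your tenant).
LEGIT_MS_SUFFIXES = ("microsoftonline.com", "microsoft.com", "office.com",
                     "live.com", "office365.com", "windows.net")
# Substrings a lure host tends to carry to look like a Microsoft sign-in page (assumption).
LURE_TOKENS = ("microsoft", "office", "o365", "365", "login", "sso", "auth")

# Constructed proxy log: one decoy -> lookalike chain with a credential POST, plus benign traffic.
# Field layout (assumed): timestamp client method url status location referer ("-" = absent).
SAMPLE_PROXY_LOG = """\
2024-11-11T09:14:02Z 10.0.0.7 GET http://docs-share.example.moscow/view?id=4421 302 https://secure-login-msauth.example.ru/common/oauth2 -
2024-11-11T09:14:03Z 10.0.0.7 GET https://secure-login-msauth.example.ru/common/oauth2 200 - http://docs-share.example.moscow/view?id=4421
2024-11-11T09:14:40Z 10.0.0.7 POST https://secure-login-msauth.example.ru/common/oauth2 200 - https://secure-login-msauth.example.ru/common/oauth2
2024-11-11T09:20:10Z 10.0.0.9 GET https://outlook.office.com/ 302 https://login.microsoftonline.com/common/oauth2/authorize -
2024-11-11T09:20:11Z 10.0.0.9 GET https://login.microsoftonline.com/common/oauth2/authorize 200 - https://outlook.office.com/
2024-11-11T09:22:05Z 10.0.0.9 GET https://intranet.example.com/news 200 - -
"""


@dataclass
class ProxyEvent:
    ts: str
    client: str
    method: str
    url: str
    status: int
    location: str  # redirect target from the Location header, "-" when absent
    referer: str   # "-" when absent


def parse_proxy_line(line: str) -> ProxyEvent:
    ts, client, method, url, status, location, referer = line.split()
    return ProxyEvent(ts, client, method, url, int(status), location, referer)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_legit_microsoft(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in LEGIT_MS_SUFFIXES)


def is_lookalike_login(host: str) -> bool:
    # A host that borrows Microsoft sign-in vocabulary but is not a Microsoft domain.
    return bool(host) and not is_legit_microsoft(host) and any(t in host for t in LURE_TOKENS)


def find_aitm_chains(log_text: str) -> list[dict]:
    events = [parse_proxy_line(l) for l in log_text.splitlines() if l.strip()]
    by_client: dict[str, list[ProxyEvent]] = {}
    for e in events:
        by_client.setdefault(e.client, []).append(e)

    findings = []
    for client, evs in by_client.items():
        for i, e in enumerate(evs):
            # Only HTTP redirects with a Location header can start a chain.
            if not (300 <= e.status < 400) or e.location == "-":
                continue
            target = host_of(e.location)
            if not is_lookalike_login(target):
                continue
            # A later form POST to the lookalike host means credentials were probably submitted.
            posted = any(x.method == "POST" and host_of(x.url) == target for x in evs[i + 1:])
            findings.append({
                "client": client,
                "decoy_host": host_of(e.url),
                "lookalike_host": target,
                "first_seen": e.ts,
                "credentials_posted": posted,
            })
    return findings


if __name__ == "__main__":
    for finding in find_aitm_chains(SAMPLE_PROXY_LOG):
        print(finding)
```

The redirect from `outlook.office.com` to `login.microsoftonline.com` is not flagged because the target is a Microsoft domain; the decoy on the `.moscow` host is flagged because its redirect lands on a non-Microsoft host that imitates a sign-in page, and the subsequent POST raises the confidence that credentials were captured. In production the lure-token heuristic should be backed by a threat-intel feed of known kit domains and a check of TLS certificate age for the lookalike host.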
## Mitigation Strategies
- Monitor traffic to Microsoft 365 login endpoints for unusual redirection chains, in particular intermediate decoy pages that forward to non-Microsoft hosts imitating a sign-in page.
- Treat credential capture as only the first stage: alert on sign-in sessions whose token is reused from a different network or country shortly after an MFA-satisfied interactive sign-in, since that is how a captured session cookie is used.
- Deploy phishing-resistant MFA (FIDO2 security keys or passkeys, certificate-based authentication) for privileged and high-risk users; these cannot be relayed through an AiTM page. Where legacy MFA remains, use Conditional Access policies that require a compliant or hybrid-joined device and enable session token protection so a replayed cookie from an unmanaged host is rejected.
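Because the kit's payoff is the replayed session cookie, the most reliable post-phish signal is the same session appearing from two different networks shortly after an MFA sign-in. The following is an added example, not code from the reports or from Microsoft: the records are constructed and shaped loosely like Entra ID sign-in events, but the field names (`session_id`, `asn`, `interactive`, `mfa`, `result`) are assumptions rather than the exact Entra schema.

```python
"""Flag Microsoft 365 sessions whose token is reused from another network after an MFA sign-in (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records; field names are assumptions, values are invented for this example.
SAMPLE_SIGNINS = [
    {"time": "2024-11-11T09:14:45Z", "user": "alice@example.com", "ip": "203.0.113.10", "asn": "AS64496",
     "country": "DE", "session_id": "s-7d1c", "interactive": True, "mfa": True, "result": "success"},
    # The same session token appears six minutes later from an unrelated network and country.
    {"time": "2024-11-11T09:21:02Z", "user": "alice@example.com", "ip": "198.51.100.23", "asn": "AS64500",
     "country": "RU", "session_id": "s-7d1c", "interactive": False, "mfa": False, "result": "success"},
    {"time": "2024-11-11T08:02:00Z", "user": "bob@example.com", "ip": "203.0.113.44", "asn": "AS64496",
     "country": "DE", "session_id": "s-0a9e", "interactive": True, "mfa": True, "result": "success"},
    # Ordinary token refresh from the same network: no alert.
    {"time": "2024-11-11T10:30:00Z", "user": "bob@example.com", "ip": "203.0.113.44", "asn": "AS64496",
     "country": "DE", "session_id": "s-0a9e", "interactive": False, "mfa": False, "result": "success"},
    {"time": "2024-11-11T07:00:00Z", "user": "carol@example.com", "ip": "203.0.113.90", "asn": "AS64496",
     "country": "DE", "session_id": "s-33be", "interactive": True, "mfa": True, "result": "success"},
    # Same country, different carrier: plausible office-to-mobile hand-off, so only medium severity.
    {"time": "2024-11-11T07:45:00Z", "user": "carol@example.com", "ip": "192.0.2.17", "asn": "AS64501",
     "country": "DE", "session_id": "s-33be", "interactive": False, "mfa": False, "result": "success"},
    # A failed attempt never produces an alert on its own.
    {"time": "2024-11-11T07:50:00Z", "user": "carol@example.com", "ip": "198.51.100.99", "asn": "AS64500",
     "country": "RU", "session_id": "s-33be", "interactive": False, "mfa": False, "result": "failure"},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(signins: list[dict], window: timedelta = timedelta(hours=12)) -> list[dict]:
    """Return one alert per successful sign-in that reuses an MFA-minted session from a different ASN."""
    by_session: dict[tuple, list[dict]] = defaultdict(list)
    for s in signins:
        if s["result"] == "success":
            by_session[(s["user"], s["session_id"])].append(s)

    alerts = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda s: _ts(s["time"]))
        origin = evs[0]
        # Only sessions that were minted through an interactive, MFA-satisfied sign-in are in scope.
        if not (origin["interactive"] and origin["mfa"]):
            continue
        for later in evs[1:]:
            gap = _ts(later["time"]) - _ts(origin["time"])
            if gap > window or later["asn"] == origin["asn"]:
                continue
            alerts.append({
                "user": user,
                "session_id": sid,
                "origin_ip": origin["ip"],
                "replay_ip": later["ip"],
                "minutes_after_mfa": int(gap.total_seconds() // 60),
                "severity": "high" if later["country"] != origin["country"] else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_SIGNINS):
        print(alert)
```

One caveat that matters for AiTM kits specifically: the interactive, MFA-satisfied sign-in is itself recorded from the proxy's IP address, not the victim's, because the kit relays the login. So in addition to the session-reuse rule above, compare the origin ASN of each MFA sign-in against the user's historical networks; a first-ever ASN on an MFA sign-in followed by session reuse elsewhere is the strongest combined signal.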
## Related Tools/Techniques
- FlowerStorm: A similar PhaaS offering whose activity surged following the collapse of Rockstar2FA.
- DadSec phishing kit / Storm-1575: The predecessor/underlying platform for Rockstar2FA.
---
# Tool/Technique: FlowerStorm (Phishing-as-a-Service)
## Overview
FlowerStorm is a Phishing-as-a-Service (PhaaS) offering that has seen an increase in activity following the partial collapse of the Rockstar2FA infrastructure. It shares several similarities with Rockstar2FA in terms of phishing portal page formatting and backend connection methods, suggesting possible shared origins or operational overlap.
## Technical Details
- Type: Tool (Phishing-as-a-Service)
- Platform: Web/Microsoft 365 environments.
- Capabilities: Phishing credential harvesting, likely including MFA bypass mechanisms similar to Rockstar2FA.
- First Seen: Active since at least June 2024.
## MITRE ATT&CK Mapping
*Note: Inferred mapping based on direct comparison to Rockstar2FA.*
- T1566 - Phishing
- T1566.002 - Spearphishing Link
- T1078 - Valid Accounts
- T1078.004 - Cloud Accounts
## Functionality
### Core Capabilities
- Launching phishing campaigns against targets.
- Mimicking login portals, specifically targeting Microsoft 365 environments.
### Advanced Features
- Shared characteristics (format and connection methods) with Rockstar2FA/DadSec kit.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (No specific IOCs provided in the text).
- Behavioral Indicators: Increased volume of activity correlating with the demise of Rockstar2FA.
## Associated Threat Actors
- Unknown threat actors utilizing PhaaS platforms.
## Detection Methods
- Reuse the monitoring built for Rockstar2FA/DadSec: the two kits share portal formatting and backend connection methods, so detections keyed on those traits should carry over.
- Behavioral detection: Monitor for page formats, redirect chains, and backend connection patterns matching known Microsoft 365 phishing kits, and for session tokens reused from a second network after an MFA sign-in.
## Mitigation Strategies
- The same controls as for Rockstar2FA apply: phishing-resistant MFA, Conditional Access tied to managed devices, and detection focused on infrastructure and page templates resembling known Microsoft 365 credential-harvesting platforms.
## Related Tools/Techniques
- Rockstar2FA
- DadSec phishing kit / Storm-1575