{"id":25602,"date":"2024-12-19T09:21:16","date_gmt":"2024-12-19T17:21:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/12\/19\/news-19331\/"},"modified":"2024-12-19T09:21:16","modified_gmt":"2024-12-19T17:21:16","slug":"news-19331","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/12\/19\/news-19331\/","title":{"rendered":"Phishing platform Rockstar 2FA trips, and \u201cFlowerStorm\u201d picks up the pieces"},"content":{"rendered":"

Credit to Author: gallagherseanm| Date: Thu, 19 Dec 2024 15:11:48 +0000<\/strong><\/p>\n

\n

Editor’s note: Sophos MDR’s Johua Rawles, Mark Parsons, Jordon Olness, and Colin Cowie contributed to this report.<\/h4>\n

 <\/p>\n

One of the Internet\u2019s most prolific cybercrime-as-a-service operations recently suffered a setback: In November, Sophos MDR noticed that detections for the Rockstar2FA \u201cphishing-as-a-service\u201d(PaaS) platform had suddenly gone quiet.<\/p>\n

Based on telemetry gathered by Sophos MDR, it appears that the group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable. This does not appear to be because of a takedown action, but due to some technical failure on the backend of the service.<\/p>\n

The disappearance of Rockstar2FA, an updated version of phishing services known as DadSec (previously associated with Microsoft\u2019s Storm-1575 threat group) came two weeks before TrustWave published research detailing the phishing-as-a-service operation<\/a>. Elements of the phishing service\u2019s infrastructure are now no longer reachable, returning an HTTP 522 response\u2014 indicating that they were cut off from the Cloudflare content delivery network. Telegram channels associated with command and control of the service also appear to have gone offline.<\/p>\n

In the weeks following\u00a0 the disruption of Rockstar2FA, we observed a surge in the use of a similar set of PaaS portals that have been tagged by some researchers<\/span><\/a> as \u201cFlowerStorm\u201d\u2014the name coming from the use of plant-related terms in the HTML page titles of many of the phishing pages themselves (\u201cFlower,\u201d \u201cSprout, \u201cBlossom,\u201d and \u201cLeaf,\u201d for example). FlowerStorm shares a number of features with Rockstar and with Tycoon, another Telegram bot-powered PaaS platform.<\/p>\n

So, you want to be a rock star<\/h2>\n

Rockstar2FA is (or perhaps was) a PaaS kit that mimics legitimate credential-request behavior of commonly used cloud and software-as-a-service platforms. Would-be cybercriminals purchase and control phishing campaigns through Telegram and are given a unique phishing page and URL to use in their campaign.\u00a0 Visits via the link delivered to the target delivered the phish; visits to the domain of the site itself are routed to a \u201cdecoy\u201d page. Rockstar\u2019s decoy pages usually had an automotive theme.<\/p>\n

\"A<\/a>
Figure 1: A Rockstar2FA \u201cdecoy\u201d page<\/figcaption><\/figure>\n

Visitors to the URL would be routed to a counterfeit Microsoft login page. That page captured credentials and multifactor authentication tokens and sent them via an HTTP POST message to an adversary-controlled \u201cbackend server\u201d page \u2014a PHP page with a seemingly random number for its name (as shown in Figure 2). These back-end servers were largely on .ru, .de and .moscow registered domains. The decoy pages were frequently hosted on the same hosts as the back-end servers.<\/p>\n

\"Screen<\/a>
Figure 2: HTTP POST data sent from a Rockstar2FA phishing page to a backend server on a .ru domain (shown in Chrome developer tool view)<\/figcaption><\/figure>\n

Most of the phishing pages were on domains registered in the .com, .de, .ru. and .moscow top-level domains. At any given time, the Rockstar2FA service used about 2,000 domains across these and other TLDs.<\/p>\n

\"A<\/a>
Figure 3: Distribution of Top 10 Rockstar2FA phishing domains by TLD<\/figcaption><\/figure>\n

However, starting no later than June 2024, some of these pages used Cloudflare Pages serverless deployment<\/a> (using the domain pages[.]dev), along with code deployed as Cloudflare workers (at the domain worker[.]dev), while still relying on backend servers for exfiltrating phishing data. These phishing pages used subdomain names that did not appear to be created with a domain generation algorithm (DGA)\u2014instead, they appear to have been manually typed by the operator of the kit. Some were crafted to emulate specific target domains (as with 4344655-proofpoint-online-secure.pages[.]dev). But others were similar to keyboard spam:<\/p>\n