A Phishing Tale of DoH and DNS MX Abuse

Threat actors are utilizing advanced DNS techniques for phishing attacks, specifically leveraging DNS mail exchange (MX) records to serve personalized phishing pages targeting over 100 brands. This sophisticated phishing-as-a-service (PhaaS) platform, dubbed Morphing Meerkat, employs various techniques to deliver spam emails and evade detection.

Affected: brands, email service providers, individuals, organizations

Key points:

  • Threat actors use DNS techniques to enhance phishing campaigns.
  • The discovered phishing kit uses DNS MX records to create tailored login pages for victims.
  • Morphing Meerkat exploits open redirects and compromises domains for phishing activities.
  • Mail servers sending spam are centralized, primarily using ISPs such as iomart and HostPapa.
  • The platform offers advanced services, like translating phishing content into multiple languages.
  • Phishing kits have evolved to target over 114 different brands effectively.
  • The attack chain involves redirecting users and collecting credentials through various means.
  • Security evasion techniques include obfuscated code and exploiting legitimate infrastructure.
  • Indicators of Compromise include IP addresses and malicious URLs related to phishing attempts.

MITRE Techniques:

  • T1071: Application Layer Protocol – Uses application protocols to bypass security measures, employed through URLs that redirect users.
  • T1070: Indicator Removal on Host – Implements obfuscation to hinder forensic analysis of the phishing kit’s code.
  • T1566: Phishing – Distributes spam emails to gather credentials, leveraging tailored messages based on the victim’s email provider.
  • T1040: Traffic Filtering – Uses malicious links embedded within legitimate domains to evade detection.
  • T1583: Acquire Infrastructure – Compromises domains for phishing kits and uses open redirects on advertising platforms.

Indicators of Compromise:

  • [IP Address] 107[.]173[.]166[.]107
  • [IP Address] 109[.]200[.]24[.]11
  • [IP Address] 122[.]183[.]248[.]102
  • [URL] hXXp://ln[.]run/HxEHS#{user_email}
  • [URL] hXXps://is[.]gd/UYdiV6/#{user_email}
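The two observable traits above, a shortener or open-redirect link carrying the victim's email address in the URL fragment and a browser-originated DNS-over-HTTPS MX lookup that picks the provider-specific login page, can be flagged in URL telemetry. The following detection script is an added example, not code from the original report or from Infoblox; the DoH resolver hostnames and the sample URLs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Matches an e-mail address embedded in a URL (the kit passes the victim's address in the fragment).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Public DoH JSON endpoints a browser-side script could call. Assumption: the report summary
# does not name which resolver the kit uses, so extend this set from your own telemetry.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}

def classify_url(url):
    """Return the reasons a URL matches the Morphing Meerkat pattern ([] if none)."""
    reasons = []
    parts = urlparse(url)
    # 1. Shortener / open-redirect link carrying the victim's e-mail in the fragment.
    if parts.fragment and EMAIL_RE.search(parts.fragment):
        reasons.append("email-in-fragment")
    # 2. DoH query for an MX record, used to learn the victim's mail provider.
    if parts.hostname in DOH_HOSTS:
        qtypes = parse_qs(parts.query).get("type", [])
        if any(t.upper() in ("MX", "15") for t in qtypes):  # 15 is the numeric MX RR type
            reasons.append("doh-mx-lookup")
    return reasons

# Constructed sample: URLs extracted from inbound mail bodies plus proxy-seen requests.
SAMPLE_URLS = [
    "https://short.example/abc123#victim@corp.example",
    "https://dns.google/resolve?name=corp.example&type=MX",
    "https://cloudflare-dns.com/dns-query?name=corp.example&type=15",
    "https://www.example.org/docs/index.html#section-2",
    "https://dns.google/resolve?name=corp.example&type=A",
]

def scan(urls):
    """Map each suspicious URL to its match reasons; clean URLs are omitted."""
    hits = {}
    for url in urls:
        reasons = classify_url(url)
        if reasons:
            hits[url] = reasons
    return hits

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_URLS).items():
        print(f"{', '.join(reasons):>18}  {url}")
```

Browsers never send the fragment to the server, so the email-in-fragment check must run on URLs taken from mail bodies or URL-rewriting gateways rather than on web proxy logs, while the DoH MX check fits proxy or endpoint telemetry.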

Full Story: https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/