Summary:
This article explores the sophisticated phishing techniques employed by the Rockstar kit, particularly focusing on the abuse of legitimate services for crafting undetectable links. It highlights various platforms exploited for phishing, including Microsoft and Atlassian services, and discusses the use of QR codes and HTML obfuscation to evade detection. The findings underscore the importance of vigilance when interacting with emails from trusted sources.
#PhishingTechniques #RockstarKit #EmailSecurity
Key points:
The Rockstar kit uses legitimate services to create fully undetectable (FUD) links for its phishing campaigns.
Microsoft OneDrive is abused to host URL shortcut files that redirect users to phishing pages.
OneNote is exploited to evade text-based detection by embedding links in images.
Dynamics 365 Customer Voice is misused as a malicious link stager in phishing attempts.
Atlassian Confluence is leveraged to redirect users to malicious landing pages.
Google Docs Viewer is used to render malicious PDFs that link to phishing sites.
QR codes are increasingly used in phishing emails to redirect users to malicious sites.
Phishing emails often incorporate stolen email threads to appear more legitimate.
HTML obfuscation techniques are employed to evade detection by splitting code and inserting hidden elements.
The article emphasizes the need for caution with emails from legitimate platforms.
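One defender-side way to act on the HTML-obfuscation point above, as an added example that is not code from the article or from Trustwave: rebuild the text a recipient actually sees (dropping elements hidden by inline style or the hidden attribute and rejoining words split across tags) so that a keyword filter matches the rendered lure rather than the raw markup. The sample email body, the example.test domains and the keyword list are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Inline-style fragments that hide an element when rendered (assumption: the
# recipient's mail client honours inline CSS; the list is tuned for this example).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:font-size|width|height)\s*:\s*0(?!\.?\d)", re.I)
# Void elements never get a closing tag, so they must not change nesting depth.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "source", "track", "wbr"}

class VisibleText(HTMLParser):
    """Collects only the text and link targets a rendered view would show."""
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0          # >0 while inside a hidden subtree
        self.parts, self.links = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        hidden = "hidden" in a or HIDDEN_STYLE.search(a.get("style") or "")
        if self.hidden_depth or hidden:
            self.hidden_depth += 1     # everything nested below stays hidden
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_depth:
            self.hidden_depth -= 1
    def handle_data(self, data):
        if not self.hidden_depth:
            self.parts.append(data)

def rendered_view(html):
    """Return (visible text with split fragments rejoined, visible link targets)."""
    p = VisibleText()
    p.feed(html)
    return " ".join("".join(p.parts).split()), p.links

def lure_hits(html, keywords=("password", "expires", "review document")):
    """Lure keywords found in the rendered text even when the markup splits them."""
    text, _ = rendered_view(html)
    return [k for k in keywords if k in text.lower()]
# Constructed sample: visible words split across spans and padded with hidden junk.
SAMPLE = ('<div>Your <span>pass</span><span>word</span> expires '
          '<span style="display:none">lorem ipsum dolor</span>today. '
          '<a href="https://viewer.example.test/?url=https://lure.example.test/doc.pdf">'
          'Re<span style="font-size:0">zzz</span>view document</a>'
          '<p hidden>harmless newsletter text</p></div>')
```

A raw-markup search for "password" or "review document" finds nothing in SAMPLE, while the rendered view exposes both and the single visible link target.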
MITRE Techniques:
Phishing (T1566): Utilizes various platforms to send deceptive emails that trick users into revealing sensitive information.
Obfuscated Files or Information (T1027): Employs HTML obfuscation techniques to evade detection mechanisms.
Credential Dumping (T1003): Redirects users to phishing pages that impersonate legitimate login interfaces.
Exploitation of Trust Relationships (T1199): Abuses legitimate services to gain user trust and facilitate phishing attacks.
IoC:
Full Research: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-phishing-as-a-service-paas-noteworthy-email-campaigns/