Follow on X RSS Feed
Malware

Rockstar 2FA Phishing Kit Empowers Hackers to Bypass MFA Defenses

Cybersec Sentinel

8 min read
Rockstar 2FA Phishing Kit Empowers Hackers to Bypass MFA Defenses

Threat Group: Storm-1575
Threat Type: Phishing-as-a-Service (PhaaS)
Exploited Vulnerabilities: User credentials and session cookies
Malware Used: Rockstar 2FA phishing kit
Threat Score: High (8.5/10) — Due to its capability to bypass multi-factor authentication (MFA) and widespread targeting of Microsoft 365 users.
Last Threat Observation: November 30, 2024

Overview

The cybersecurity landscape has recently been disrupted by the emergence of "Rockstar 2FA," a sophisticated Phishing-as-a-Service (PhaaS) platform. This service enables cybercriminals to conduct large-scale adversary-in-the-middle (AiTM) attacks, specifically targeting Microsoft 365 users. By intercepting user credentials and session cookies, Rockstar 2FA effectively bypasses multi-factor authentication (MFA), posing a significant threat to organizational security.

Evolution and Background
Rockstar 2FA is an evolution of earlier phishing kits like DadSec and Phoenix, which were prominent in 2023. This new iteration boasts enhanced capabilities, including advanced obfuscation techniques and integrated real-time exfiltration via Telegram. Since its surge in activity starting in August 2024, Rockstar 2FA has gained widespread adoption in underground markets, where it is sold via platforms like ICQ, Telegram, and Mail.ru. Subscriptions start at $200 for two weeks, lowering the technical barrier for launching sophisticated phishing campaigns.

Functionality and Features
Rockstar 2FA offers a streamlined platform designed for non-technical users. Key features include:

  • Bypassing MFA: Using AiTM techniques to capture session cookies in real time.
  • Credential Harvesting: Stealing user credentials with mimicked login portals.
  • Evading Detection: Employing heavily obfuscated JavaScript and randomized source codes to bypass traditional defenses.
  • Customizable Themes: Allowing attackers to create tailored phishing pages with car-themed decoys and Microsoft 365 impersonations.
  • Antibot Protections: Utilizing Cloudflare Turnstile to evade automated analysis.

Impact and Implications
The rise of Rockstar 2FA underscores the vulnerabilities of even advanced security measures like MFA when paired with insufficient monitoring or mitigation strategies. By compromising Microsoft 365 accounts, attackers can access sensitive emails, documents, and organizational data, leading to financial losses, reputational harm, and possible regulatory repercussions. The service’s affordability and accessibility make it an attractive tool for novice and experienced threat actors alike, further compounding its impact.

Rockstar 2FA's rapid adoption and growing sophistication highlight the pressing need for robust security measures. Organizations must adopt a proactive, multi-layered defense strategy to mitigate the risk posed by this evolving threat..

Key Details

Delivery Method
Rockstar 2FA phishing campaigns primarily rely on targeted phishing emails that are designed to appear legitimate. These emails often use themes such as:

  • Document sharing notifications (e.g., "You’ve received a secure document.")
  • IT department alerts requesting password changes or account verifications.
  • HR-related emails about salary adjustments, policy changes, or benefits updates.
  • E-signature requests (e.g., DocuSign, Adobe Sign).

These phishing emails frequently contain links redirecting victims to malicious sites designed to mimic legitimate login pages for Microsoft 365.

Targets
The primary focus of Rockstar 2FA campaigns has been Microsoft 365 users across various industries, including:

  • Financial services.
  • Healthcare organizations.
  • Educational institutions.
  • Government agencies.
  • Small to medium-sized enterprises (SMEs).

The campaigns are not geographically restricted and have been observed targeting users in North America, Europe, and parts of Asia.

Notable Functions

  • MFA Bypass: Rockstar 2FA intercepts session cookies during login, rendering MFA ineffective by allowing attackers to hijack authenticated sessions.
  • Credential Theft: Adversary-in-the-middle (AiTM) techniques enable real-time harvesting of usernames and passwords as victims interact with phishing sites.
  • Antibot Protections: The platform leverages tools like Cloudflare Turnstile to block automated scanning tools and reduce detection rates.
  • Custom Themes: Offers car-themed decoy pages and authentic-looking Microsoft 365 login portals to increase victim trust.
  • Telegram Integration: Sends stolen credentials and cookies to attackers in real time via Telegram bots for immediate use or resale.

Obfuscation Techniques
Rockstar 2FA employs several methods to evade detection:

  • Heavily Obfuscated Code: The phishing kits use randomized JavaScript and unique code iterations to confuse automated analysis tools.
  • Dynamic Link Generation: Each phishing email includes unique, disposable URLs to prevent blacklisting and improve success rates.
  • Antivirus Evasion: Payloads are designed to bypass most traditional antivirus and antimalware systems through advanced encoding techniques.

Service Accessibility and Popularity

  • Subscription Model: Rockstar 2FA is sold on underground forums with pricing starting at $200 for two weeks or $500 for a monthly subscription, making it accessible to a broad spectrum of cybercriminals.
  • Ease of Use: The PhaaS platform is user-friendly and designed for attackers with minimal technical expertise, contributing to its widespread adoption.
  • Marketing Channels: It is actively promoted via Telegram, ICQ, and other messaging platforms, where users receive support and updates directly from developers.

Impact on Security
The capabilities of Rockstar 2FA highlight the growing sophistication of phishing kits and their ability to bypass security measures like MFA. This underscores the critical need for organizations to implement enhanced detection mechanisms and proactive monitoring of login behavior to counteract such threats.

Attack Vectors

Initial Entry: Phishing Emails
The attack begins with a highly targeted phishing email. These emails often impersonate trusted entities, such as internal IT departments, HR teams, or external services like DocuSign or Microsoft. Key tactics include:

  • Brand Spoofing: Using logos, language, and formatting that mimic legitimate emails to increase authenticity.
  • Urgency Triggers: Messages emphasize immediate action, such as resetting passwords, signing documents, or confirming account details.
  • Malicious Links: Links redirect victims to phishing sites that closely resemble legitimate login portals for Microsoft 365 or other services.

Phishing Sites
Victims who interact with malicious links are directed to phishing sites that serve as adversary-in-the-middle (AiTM) proxies. These sites replicate legitimate login pages with near-perfect accuracy. Key elements include:

  • Domain Spoofing: URLs use slight variations of legitimate domains or generic link shorteners to evade suspicion.
  • SSL Certificates: Sites often display valid SSL certificates to create a false sense of security.
  • Dynamic URL Generation: Unique URLs are generated for each email to avoid detection and blacklisting.

Adversary-in-the-Middle (AiTM) Tactics
Once victims enter their credentials on the phishing site, Rockstar 2FA initiates AiTM attacks, enabling:

  • Real-Time Credential Interception: Username and password combinations are stolen as they are entered.
  • Session Hijacking: Session cookies are captured, allowing attackers to bypass MFA and gain direct access to accounts.
  • Immediate Data Exfiltration: Captured credentials and cookies are sent to the attacker in real time, often via Telegram bots.

Obfuscation and Detection Evasion
Rockstar 2FA employs advanced techniques to evade detection during and after the attack:

  • Cloudflare Turnstile: Used to prevent automated scanning tools from detecting the phishing pages.
  • JavaScript Obfuscation: Heavily obfuscated scripts make it difficult for analysts and automated tools to decode the malicious code.
  • Bot Filtering: Filters and challenges block web crawlers and security tools while allowing real user traffic.

Post-Compromise Activity
After obtaining credentials and session cookies, attackers move quickly to exploit the access:

  • Account Takeover (ATO): Attackers log in to compromised accounts to access emails, files, and other sensitive data.
  • Pivoting: Compromised accounts are often used to launch further phishing campaigns within the same organization.
  • Data Theft: Emails, financial records, and proprietary information are stolen for resale or extortion.
  • Impersonation: Attackers may use the compromised accounts to impersonate employees, sending fraudulent requests or spreading malware.

Command and Control (C2)
Rockstar 2FA integrates with Telegram for real-time attacker control and stolen data management. Key C2 features include:

  • Credential Alerts: Alerts are sent to attackers instantly when credentials are captured.
  • Data Organization: Telegram bots catalog stolen credentials for easy access.
  • Anonymity: Using Telegram as a C2 channel reduces the likelihood of attribution and takedown by authorities.

Delivery Infrastructure
Rockstar 2FA uses a robust delivery infrastructure to support campaigns:

  • Disposable Domains: Multiple landing pages hosted on short-lived domains to prevent blacklisting.
  • Geo-Targeting: Phishing campaigns often focus on specific regions, tailoring themes to local audiences.
  • Cloud Services Exploitation: Hosting phishing content on trusted cloud platforms like AWS or GitHub Pages to evade suspicion.

Known Indicators of Compromise (IoCs)

Domains:

  • entertainmentcircuitss.ru
  • fruechtebox-expresszsnu.ru
  • recambioselecue.ru
  • googlesecurityforums.Moscow
  • entertaingadgetop.ru
  • ponnet.msk.su
  • mieten.com.ru

URLs

  • hxxp://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=hxxps%3A%2F%2Fwww.curiosolucky.com/dos/
  • hxxps://www.curiosolucky.com/dos/
  • hxxps://magenta-melodious-garnet.glitch.me/public/rc.htm
  • hxxp://track.senderbulk.com/9164124/c?p=pDvu1IoaZGOuiG9hOsGCPPBXFmtx2_vWwJfaiQBzucIA8v9mjc3ztSyOneYxrKLjPngUzpA11TuGi1aI2aLIylOF1nHcpBoP4YzUvVEMYHtwY1nRlztPcQOoC6S6KSWuNNAgIAVnfapCVCgF1cOjSXtedVH_tWc1vLDH7FDQA0VZbtHORodc9jBuNuHh0DMH7zq9Mo6OMyLjnApzvQ3Kvw==
  • hxxps://edlyj.r.ag.d.sendibm3.com/mk/cl/f/sh/OycZvHuFo1eQsnbcJj9r9GQ4/Lf5JdugpPYQV
  • hxxps://link.trustpilot.com/ls/click?upn=u001.u9-2FNN-2FjLZCX2YnHXPQ1lM4gqkGMqJbqpuJx-2FSxHxK-2FHK5blCjdqA4sTpFhMxVuvd4F2C
  • hxxps://u1427642.ct.sendgrid.net/ss/c/u001.d04lnC885Iiw-JDl08ZraoSXFe9HwA-SkWLpgNZDbZzgIKoIZZYrlHao4m6r2Vm6/4a0/
  • hxxps://docsend.com/view/q6f7ukbdeviagha2
  • hxxps://cloudflare-kol.github.io/out/red.html?url=aHR0cHM6Ly9zaG9ydHVybC5hdC80SlZnbg==
  • hxxps://shorturl.at/4JVgn
  • hxxps://system23cfb9.link.bmesend.com/api/LinkHandler/getaction2?redirectParam2=K09weU5vMDBKWXFUK0ZPdkw4azdKWHk5QlJsZkNXWXlLMUxiMHdXQU1YK3FFZGFsZG9ZQ2ZqNUdHd3ErZEpLeGpyeVE1U1hmU2xoSy9WemJySVEzQytGajZBVWE4em5jaEpuRHhEa05xOTZOcWxQRVdUN1g2S2ViR3YvZjN1K2dJZk9rQTRVajZmMD0=
  • hxxps://bluntchiefei.za.com/XTCfX/
  • hxxps://botolaasprop.sa.com/N26Vu/
  • hxxps://erfolgstipss.com.de/Gnq8/
  • hxxps://digitalgadgetbuzz.sa.com/WyAn/
  • hxxps://bitesizeusaei.za.com/ol6Bu/
  • hxxps://enterbuzztechscener.pl/pbtmx/

Mitigation and Prevention

To protect against threats like Rockstar 2FA and similar advanced phishing campaigns, organizations should adopt a multi-layered security approach that combines user education, technical defenses, and proactive monitoring.

User Awareness and Training

  1. Regular Phishing Simulations: Conduct simulated phishing campaigns to train employees on identifying malicious emails.
  2. Awareness Programs: Educate employees on how phishing attacks work, emphasizing red flags such as suspicious links, urgent requests, and spoofed domains.
  3. Reporting Mechanisms: Implement easy-to-use mechanisms for employees to report suspected phishing attempts, such as a dedicated email address or reporting button in the email client.

Email Security Measures

  1. Advanced Email Filtering: Deploy email security solutions that use machine learning to detect and block phishing emails based on behavior, content analysis, and sender reputation.
  2. Domain-Based Authentication: Implement email authentication protocols such as DMARC, SPF, and DKIM to prevent domain spoofing.
  3. Link and Attachment Scanning: Ensure that all email links and attachments are scanned for malicious content before delivery to users.

Endpoint Protection

  1. Endpoint Detection and Response (EDR): Use EDR solutions to monitor endpoints for suspicious activities like unusual script execution or unauthorized access attempts.
  2. Antivirus and Anti-Malware: Keep all endpoint protection solutions updated to detect the latest threats.
  3. Browser Security: Deploy browser-based protections that block access to known malicious websites and phishing pages.

Authentication Enhancements

  1. Robust MFA: While Rockstar 2FA can bypass standard MFA, advanced MFA options like physical security keys (e.g., FIDO2) offer better protection.
  2. Conditional Access Policies: Configure access controls that require additional verification for logins from unfamiliar devices or locations.
  3. Zero Trust Architecture: Implement Zero Trust principles, ensuring continuous verification and limiting access based on need-to-know policies.

Monitoring and Response

  1. Log Analysis: Regularly monitor authentication logs for signs of compromise, such as logins from unusual IP addresses or locations.
  2. Behavioral Analytics: Deploy solutions that analyze user behavior to detect anomalies, such as atypical login patterns or unusual data access.
  3. Incident Response Plan: Develop and test an incident response plan for phishing attacks to ensure swift containment and remediation.

Infrastructure Security

  1. Domain Management: Monitor for domains similar to your organization's that may be used for phishing campaigns and request takedowns if necessary.
  2. TLS Everywhere: Ensure all legitimate services and domains use HTTPS to build user trust and differentiate from phishing pages.
  3. Cloud Service Monitoring: Keep a close watch on the use of legitimate cloud platforms (e.g., AWS, GitHub) for hosting phishing content, and report such abuses promptly.

Regular Updates and Patching

  1. Software Updates: Ensure that all software, including email clients and browsers, is regularly updated to patch known vulnerabilities.
  2. Third-Party Integrations: Monitor and secure third-party integrations that may inadvertently introduce vulnerabilities.

Advanced Defensive Measures

  1. Threat Intelligence Integration: Subscribe to threat intelligence feeds to stay informed about emerging threats like Rockstar 2FA and associated IoCs.
  2. Anti-AiTM Solutions: Use solutions specifically designed to combat AiTM attacks by monitoring and validating session integrity.
  3. Geofencing: Restrict logins from regions where your organization does not operate to minimize attack surfaces.

Organizational Policy Improvements

  1. Least Privilege Access: Implement least-privilege principles, ensuring users have access only to the systems and data they need for their roles.
  2. Account Recovery Protections: Harden account recovery processes to prevent attackers from exploiting them after a compromise.
  3. Vendor Risk Management: Regularly evaluate the security posture of third-party vendors, especially those that integrate with Microsoft 365.

Conclusion

The emergence of Rockstar 2FA underscores the growing sophistication and accessibility of phishing-as-a-service platforms, which pose significant risks even to organizations with robust security measures like multi-factor authentication (MFA). By leveraging adversary-in-the-middle (AiTM) techniques, obfuscation tactics, and real-time data exfiltration capabilities, this platform empowers cybercriminals to bypass MFA protections and gain unauthorized access to sensitive data. The widespread targeting of Microsoft 365 accounts further amplifies its impact, as these accounts often serve as gateways to critical organizational assets. To combat this evolving threat, organizations must adopt a proactive, multi-layered security strategy that includes user education, advanced email and endpoint protections, behavioral analytics, and continuous monitoring. By staying vigilant and implementing these defenses, organizations can mitigate the risks posed by sophisticated threats like Rockstar 2FA and strengthen their overall security posture in an increasingly hostile digital landscape.

Sources