February 12, 2025

Editor’s notice: Sophos MDR’s Johua Rawles, Mark Parsons, Jordon Olness, and Colin Cowie contributed to this report.

 

One of many Web’s most prolific cybercrime-as-a-service operations just lately suffered a setback: In November, Sophos MDR observed that detections for the Rockstar2FA “phishing-as-a-service”(PaaS) platform had out of the blue gone quiet.

Based mostly on telemetry gathered by Sophos MDR, it seems that the group operating the service skilled at the least a partial collapse of its infrastructure, with pages related to the service not reachable. This doesn’t seem like due to a takedown motion, however because of some technical failure on the backend of the service.

The disappearance of Rockstar2FA, an up to date model of phishing providers often called DadSec (beforehand related to Microsoft’s Storm-1575 risk group) got here two weeks earlier than TrustWave published research detailing the phishing-as-a-service operation. Parts of the phishing service’s infrastructure at the moment are not reachable, returning an HTTP 522 response— indicating that they have been reduce off from the Cloudflare content material supply community. Telegram channels related to command and management of the service additionally seem to have gone offline.

Within the weeks following  the disruption of Rockstar2FA, we noticed a surge in using an analogous set of PaaS portals which have been tagged by some researchers as “FlowerStorm”—the title coming from using plant-related phrases within the HTML web page titles of most of the phishing pages themselves (“Flower,” “Sprout, “Blossom,” and “Leaf,” for instance). FlowerStorm shares numerous options with Rockstar and with Tycoon, one other Telegram bot-powered PaaS platform.

So, you need to be a rock star

Rockstar2FA is (or maybe was) a PaaS package that mimics legit credential-request habits of generally used cloud and software-as-a-service platforms. Would-be cybercriminals buy and management phishing campaigns by means of Telegram and are given a singular phishing web page and URL to make use of of their marketing campaign.  Visits through the hyperlink delivered to the goal delivered the phish; visits to the area of the positioning itself are routed to a “decoy” web page. Rockstar’s decoy pages normally had an automotive theme.

A screenshot of a Rockstar2FA "decoy" page, a fake auto dealer site.
Determine 1: A Rockstar2FA “decoy” web page

Guests to the URL could be routed to a counterfeit Microsoft login web page. That web page captured credentials and multifactor authentication tokens and despatched them through an HTTP POST message to an adversary-controlled “backend server” web page —a PHP web page with a seemingly random quantity for its title (as proven in Determine 2). These back-end servers have been largely on .ru, .de and .moscow registered domains. The decoy pages have been ceaselessly hosted on the identical hosts because the back-end servers.

Screen shots of the developer view of Chrome showing web requests sent from a Rockstar2FA phishing portal.
Determine 2: HTTP POST knowledge despatched from a Rockstar2FA phishing web page to a backend server on a .ru area (proven in Chrome developer software view)

Many of the phishing pages have been on domains registered within the .com, .de, .ru. and .moscow top-level domains. At any given time, the Rockstar2FA service used about 2,000 domains throughout these and different TLDs.

A pie chart showing the distribution of top-level domains the 10 most heavily used domain names were registered with. A third were .ru, a fifth were .com.
Determine 3: Distribution of Prime 10 Rockstar2FA phishing domains by TLD

Nonetheless, beginning no later than June 2024, a few of these pages used Cloudflare Pages serverless deployment (utilizing the area pages[.]dev), together with code deployed as Cloudflare staff (on the area employee[.]dev), whereas nonetheless counting on backend servers for exfiltrating phishing knowledge. These phishing pages used subdomain names that didn’t seem like created with a website technology algorithm (DGA)—as a substitute, they seem to have been manually typed by the operator of the package. Some have been crafted to emulate particular goal domains (as with 4344655-proofpoint-online-secure.pages[.]dev). However others have been just like keyboard spam:

  • whenyoucreatanydominsamedominusedturnslite.pages[.]dev
  • pppaaaaulhaaaammmlinnnnbuiiildddeeeerrsssssnzzzzzozzzz.pages[.]dev

These domains made up solely a small variety of the general URLs associated to Rockstar, and have been usually related to the phishing portals themselves.

A bar chart showing the distribution of TLDs and number of URLs detected per month for Rockstar2FA. The number of .ru domains decreased significantly over time.
Determine 4: New Rockstar URL detections by day from Might 24 to November 12, grouped by top-level area. The usage of .ru domains shrank over time because the marketing campaign progressed, and use of .com TLDs expanded. November knowledge ends at November 12 when new detections dropped off. The usage of pages.dev was restricted to a handful of hostnames per thirty days.

Technical difficulties

On November 11, the infrastructure of Rockstar2FA out of the blue was disrupted. Redirects to decoy pages failed, yielding a Cloudflare 522 error, indicating that the server offering the web page was not in communication with Cloudflare.

A screenshot of a failed connection error for a Rockstar decoy page.Determine 5. A failed connection to a decoy web page area

Moreover, the portal pages started to fail. Whereas clicking the Cloudflare “I’m human” check beforehand resulted in a counterfeit Microsoft login portal being loaded, now all that loaded was the animated Outlook emblem. The rest of the script for the portal pages fails as a result of the connection to the back-end server (through a POST request) has been severed.

A screenshot of an animated Office365 logo for Outlook used by Rockstar's phishing portal pages.
Determine 6: The Microsoft Outlook animated emblem proven by the now-failing phishing package

The identical was true for pages[.]dev hosted portal pages, which additionally hung whereas making an attempt to hook up with the back-end URLs. Since November, we’ve continued to see new phishing portal pages arrange on pages[.]dev subdomains, however all of them fail to hook up with their backend servers.

A screenshot of a Chrome developer view of a Rockstar pages.dev phishing portal failing to connect to a backend server.
Determine 7: A failed POST request to a Rockstar2FA backend server

This implies that the operators are persevering with to wrestle to get their infrastructure again on-line. This can be due to a webhosting drawback or another technical subject plaguing the Rockstar2FA operators. The truth that the Telegram bots used to run the service additionally seem like down suggests there may be some bigger form of disruption to the operation.

The rising rock star (?): FlowerStorm

Inside a couple of week and a half of the interruption of Rockstar, we noticed a surge in exercise from FlowerStorm, although we additionally discovered many of those websites have been being disrupted as properly. The FlowerStorm PaaS platform has been energetic since at the least June of 2024.

Trying on the habits of FlowerStorm samples, we discovered that the portal used the identical URL to ship an authentication request for the goal as utilized in communication requests to the “backend portal”—on this case, to a backend server using the file “subsequent.php”.

 

A screenshot of data abouit and
Determine 8: An HTTP request from the FlowerStorm phishing web page

 

On this case, the identical IP deal with utilized for the credential harvesting was additionally used for the authentication to the consumer account, based mostly on EntraID sign-in logs.

Figure 9: the EnteraID log for a sign-in by the adversary-in-the-middle script on the phishing service’s back-end server.
Determine 9: the EnteraID log for a sign-in by the adversary-in-the-middle script on the phishing service’s back-end server.

The phishing pages’ communication to the backend servers PHP file utilized the anticipated fields and communication under:

Subject Descriptions and Anticipated Values

Subject/Occasion Description Worth/Instance
Do Specifies the motion being requested. “test” – For test operation “login” – For login occasion
CheckVerify Periodic server test for authentication technique standing. – do: “checkVerify”- token: <token>- consumer: <e mail>- service: “notif”- key: <base64_encoded_password>
e mail Consumer’s e mail deal with. <e mail>
go Consumer’s password, required when do is “login”. base64_encoded_password
token JWT containing session data. <JWT_Token>

Anticipated Responses and Interpretations

Motion Response Description
test “standing”: “success”, “banner”: null, “background”: null, “federationLogin”: “”, “sort”: “workplace” Signifies a sound e mail and points a token.
login “standing”: “confirm”, “message”: “Please confirm your account”, “technique”: “<base64 encoded technique response>”, “token”: “<JWT_Token>”, “key”: “<base64_encoded_password>”, “consumer”: “<e mail>” Prompts for MFA utilizing the identical JWT for session monitoring.
Technique “standing”: true, “knowledge”: “<base64 encoded session knowledge>”, “quantity”: 59 Posts session-specific knowledge used for MFA.
Technique (Knowledge Decoded) [ “authMethodId”: “PhoneAppNotification”, “data”: “PhoneAppNotification”, “isDefault”: true , “authMethodId”: “PhoneAppOTP”, “data”: “PhoneAppOTP”, “phoneAppOtpTypes”: [“MicrosoftAuthenticatorBasedTOTP”] ] Particulars multi-factor authentication strategies accessible to the consumer.
CheckVerify (Failure) “standing”: false, “message”: “Verification failed”, “token”: “<JWT_Token>” Server begins checking for MFA acceptance.
CheckVerify (Success) “<string_with_session_cookies>” MFA was accepted, response comprises session cookies for authentication.

 

Not all of the phishing pages make the most of the identical backend server construction. Some portals will make the most of a subsequent.php hosted on the identical area because the phishing touchdown web page. The IP deal with in EntraID authentication logs is not going to be the identical for these portals. For instance, within the case under, the phishing web page protectivewearsupplies[.]doclawfederal[.]com/wQBPg/ sends its publish request to a unique host with the identical area title:

Figure 10: the HTTP header data for a phishing page’s backend server communications on a separate host
Determine 10: the HTTP header knowledge for a phishing web page’s backend server communications on a separate host
Figure 11: A developer browser view of the phishing page protectivewearsupplies[.]doclawfederal[.]com/wQBPg/
Determine 11: A developer browser view of the phishing web page protectivewearsupplies[.]doclawfederal[.]com/wQBPg/

Rockstar2FA/ FlowerStorm similarities

FlowerStorm has a big variety of similarities to Rockstar2FA, each within the format of its phishing portal pages and the connection to its backend server .

Doc object mannequin

 

The HTML of FlowerStorm’s portal pages has modified over the previous six months however nonetheless retains an analogous Doc Object Mannequin (DOM) content material to that of Rockstar pages. The HTML pages of older and newer FlowerStorm phishing pages, like these of Rockstar2FA, have strings of random, unrelated textual content in HTML feedback, use Cloudflare “turnstile” keys to immediate a test of the incoming web page request, and produce other comparable buildings and content material, as proven under:

 

  New FlowerStorm Outdated Rockstar2FA Outdated FlowerStorm
Title OreganoLeaf Unalike Elderberry
Turnstile Sitekey 0x4AAAAAAA0_fAGSk-ZDbrja 0x4AAAAAAAhiG1SBeMjCx4fG 0x4AAAAAAAceMeRudDiJWXJJ
Type Submission Script FennelBlossom Nautili Bravery
Feedback Themes Literary/educational Automobiles, health, fruits Automobiles, life-style, fruits
Seen Safety Textual content “Initializing browser safety protocols” “Operating browser verification to guard your security” “Browser safety verification ongoing on your security”

The weather within the chart above are referred to as out within the screenshots under, displaying the HTML code of every of the phishing portals. The HTML doc title tags are highlighted with a pink field, feedback are highlighted with orange, turnstyle key with yellow, the script perform title in inexperienced, and the seen “safety” textual content in blue. All seem to comply with the identical form of template for producing HTML, although the remark and title naming schemes reference completely different textual content arrays.

Figure12: The document object model of a Rockstar2FA phishing page
Figure12: The doc object mannequin of a Rockstar2FA phishing web page
Figure 13: The DOM of an older FlowerStorm phishing page (from June 2024)
Determine 13: The DOM of an older FlowerStorm phishing web page (from June 2024)

 

Figure 14: The DOM of a newer FlowerStorm phishing page; the algorithm generating the title and function names uses a combination of two botanical-themed words
Determine 14: The DOM of a more recent FlowerStorm phishing web page; the algorithm producing the title and performance names makes use of a mix of two botanical-themed phrases

 

Whereas abuse of the Cloudflare CDN’s safety turnstyles has been current in different adversary-in-the-middle phishing kits, the construction of FlowerStorm and Rockstar phishing portals suggests at the least a standard ancestry.

Credential harvesting

The strategies utilized by FlowerStorm for communication bear shut resemblance to the earlier Rockstar2FA portals, with some minor variation within the area names and responses:

Widespread Fields

  FlowerStorm Rockstar2FA Commonality
PHP Communication Subsequent.php <numbers>.php Each talk to a backend server internet hosting a PHP file. Used for exfiltration and knowledge communication.
Electronic mail Validation “do”:

“test” for e mail validation

 “do”: “test” for e mail validation Each help e mail validation as a basic characteristic.
Login Occasion “do”: “login” for authentication “do”: “le” for authentication Each facilitate login operations.
Password “go”: comprises base64 encoded password “px”: comprises plaintext password Each talk passwords to backend server.
Session Monitoring “token” for session monitoring. “sec” for session monitoring Each present session monitoring tokens.

 

Area Registration and Discovery

The patterns of area registration and the detection of latest pages by means of URLScan submissions for each phishing kits’ infrastructure seem to comply with a definite sample, particularly when evaluating the area exercise and identification of the 2.

Figure 15: A chart plotting daily page detections for Rockstar2FA and FlowerStorm through the end of November 2024
Determine 15: A chart plotting every day web page detections for Rockstar2FA and FlowerStorm by means of the tip of November 2024

From October 1 to November 11 the peaks and valleys of FlowerStorm and Rockstar Decoy web page detections and area registrations comply with a remarkably comparable development, usually rising and falling in tandem. This habits may point out a shared infrastructure, overlapping operational targets, or coordinated timing between the 2 actions.
After November eleventh, the 2 patterns diverge:

  •  FlowerStorm begins to point out stronger unbiased peaks, particularly round November 22–26
  • Rockstar Decoy web page exercise dwindles considerably after November 11, which is in keeping with the ceasing of operations beforehand talked about.

FlowerStorm concentrating on

The general nature of FlowerStorm as a paid phishing service implies that FlowerStorm’s operators don’t select who will get focused for phishing assaults. That’s the choice of their clients. However an evaluation of what actors are doing as soon as they’ve entry to the system will be helpful for defenders.

Based mostly on our detection data for FlowerStorm, the overwhelming majority of the targets chosen by FlowerStorm customers (84%) are in the US, Canada, United Kingdom, Australia, and Italy. Organizations in the US have been essentially the most ceaselessly focused, with over 60% of circumstances related to organizations primarily situated inside the US. Canada was the following most focused nation, at solely 8.96%. General, 94% of the targets of FlowerStorm phishing makes an attempt Sophos has detected have been workers of North American and European organizations. Past these areas, Singapore, India, Israel, New Zealand, and the United Arab Emirates make up the remaining 5% of targets.

Figure 16: The ten countries most targeted by attackers using FlowerStorm, based on Sophos detections
Determine 16: The ten international locations most focused by attackers utilizing FlowerStorm, based mostly on Sophos detections
Figure 17: The ten business sectors most targeted by attackers using FlowerStorm
Determine 17: The ten enterprise sectors most focused by attackers utilizing FlowerStorm

 

Essentially the most closely focused sector is the service business, with specific deal with corporations offering engineering, development, actual property, and authorized providers and consulting.

 

Conclusions

We can not with excessive confidence hyperlink Rockstar2FA and FlowerStorm, aside from to notice that the kits replicate a standard ancestry at a minimal because of the comparable contents of the kits deployed The same patterns of area registration might be a mirrored image of FlowerStorm and Rockstar working in coordination, although it is usually  potential that these matching patterns have been pushed by market forces greater than the platforms themselves. The diverging exercise post-November 11might replicate:

  • A strategic pivot in one of many teams
  • A change in personnel impacting operations
  • A disruption in shared infrastructure
  • A deliberate decoupling of operations to keep away from detection

Moreover, the fast ramp-up of FlowerStorm has led to some errors and misconfigurations of their operations which have allowed them to additionally simply be disrupted. These errors have additionally supplied us with a chance to extra intently look at their back-end operations—which we are going to proceed to do.

A listing of indicators of compromise associated to FlowerStorm is offered on Sophos X-Ops’ Github repository.

Tags:

Related News

Toll sales space bandits proceed to rip-off by way of SMS messages

Toll sales space bandits proceed to rip-off by way of SMS messages

February 12, 2025
Teen on Musk’s DOGE Staff Graduated from ‘The Com’ – Krebs on Safety

Teen on Musk’s DOGE Staff Graduated from ‘The Com’ – Krebs on Safety

February 11, 2025

Latest Post

Toll sales space bandits proceed to rip-off by way of SMS messages

Toll sales space bandits proceed to rip-off by way of SMS messages

February 12, 2025
AWS Weekly Roundup: AWS Step Features, AWS CloudFormation, Amazon Q Developer, and extra (February 10, 2024)

AWS Weekly Roundup: AWS Step Features, AWS CloudFormation, Amazon Q Developer, and extra (February 10, 2024)

February 12, 2025
Rising Patterns in Constructing GenAI Merchandise

Rising Patterns in Constructing GenAI Merchandise

February 12, 2025
Nearshore Software program Improvement Information: Advantages, Finest Practices

Nearshore Software program Improvement Information: Advantages, Finest Practices

February 12, 2025
Sky Unveils New Sky Glass TVs – this is what you’ll want to know

Sky Unveils New Sky Glass TVs – this is what you’ll want to know

February 11, 2025
Teen on Musk’s DOGE Staff Graduated from ‘The Com’ – Krebs on Safety

Teen on Musk’s DOGE Staff Graduated from ‘The Com’ – Krebs on Safety

February 11, 2025