Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)
TLP: WHITE. Author: AlienVault. Created: 2024-12-04. Modified: 2024-12-05. 53 IOCs.
This analysis explores the Rockstar 2FA phishing-as-a-service kit, focusing on real-world email campaign examples. It highlights various techniques used by attackers, including the abuse of legitimate services for FUD (Fully Undetectable) links, such as Microsoft OneDrive, OneNote, Dynamics 365, Atlassian Confluence, and Google Docs Viewer. The use of QR codes in phishing attempts and the insertion of stolen email threads to inflate message size are also discussed. The article emphasizes the multi-stage nature of these attacks and the importance of caution when dealing with emails sent through trusted platforms.
Indicators of Compromise (53)