{ "type": "URL", "indicator": "https://www.curiosolucky.com/dos/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.curiosolucky.com/dos/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4008596334, "indicator": "https://www.curiosolucky.com/dos/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6750e1e2ad0568f66faeff19", "name": "Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)", "description": "This analysis explores the Rockstar 2FA phishing-as-a-service kit, focusing on real-world email campaign examples. It highlights various techniques used by attackers, including the abuse of legitimate services for FUD (Fully Undetectable) links, such as Microsoft OneDrive, OneNote, Dynamics 365, Atlassian Confluence, and Google Docs Viewer. The use of QR codes in phishing attempts and the insertion of stolen email threads to inflate message size are also discussed. The article emphasizes the multi-stage nature of these attacks and the importance of caution when dealing with emails sent through trusted platforms.", "modified": "2024-12-05T10:21:03.427000", "created": "2024-12-04T23:12:34.427000", "tags": [ "rockstar", "phishing", "email campaigns", "Phishing-as-a-Service" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-phishing-as-a-service-paas-noteworthy-email-campaigns/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1, "FileHash-SHA1": 1, "domain": 22, "hostname": 8 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 386667, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "674b55edc418bf75230a675c", "name": "PhaaS Toolkit Rockstar 2FA Facilitating Advanced AiTM Attacks on Microsoft 365", "description": "Cybersecurity threats continue to evolve, and phishing attacks remain a persistent challenge. The recent emergence of the Rockstar 2FA phishing-as-a-service (PhaaS) toolkit has heightened concerns, as it empowers cybercriminals to launch sophisticated attacks with minimal technical expertise.", "modified": "2024-11-30T18:14:05.007000", "created": "2024-11-30T18:14:05.007000", "tags": [ "rockstar", "strong", "trustwave", "paas", "aitm server", "august", "microsoft", "figure", "demo", "aitm", "test", "storm", "phoenix", "antibot", "june", "honeypot", "email" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/" ], "public": 1, "adversary": "Email", "targeted_countries": [ "Australia", "Singapore" ], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 48, "domain": 12, "hostname": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 73, "is_author": false, "is_subscribing": null, "subscriber_count": 214, "modified_text": "547 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-phishing-as-a-service-paas-noteworthy-email-campaigns/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 53 }, "other": { "adversary": [ "Email" ], "malware_families": [], "industries": [], "unique_indicators": 73 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/curiosolucky.com", "whois": "http://whois.domaintools.com/curiosolucky.com", "domain": "curiosolucky.com", "hostname": "www.curiosolucky.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6750e1e2ad0568f66faeff19", "name": "Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)", "description": "This analysis explores the Rockstar 2FA phishing-as-a-service kit, focusing on real-world email campaign examples. It highlights various techniques used by attackers, including the abuse of legitimate services for FUD (Fully Undetectable) links, such as Microsoft OneDrive, OneNote, Dynamics 365, Atlassian Confluence, and Google Docs Viewer. The use of QR codes in phishing attempts and the insertion of stolen email threads to inflate message size are also discussed. The article emphasizes the multi-stage nature of these attacks and the importance of caution when dealing with emails sent through trusted platforms.", "modified": "2024-12-05T10:21:03.427000", "created": "2024-12-04T23:12:34.427000", "tags": [ "rockstar", "phishing", "email campaigns", "Phishing-as-a-Service" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-phishing-as-a-service-paas-noteworthy-email-campaigns/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1, "FileHash-SHA1": 1, "domain": 22, "hostname": 8 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 386667, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "674b55edc418bf75230a675c", "name": "PhaaS Toolkit Rockstar 2FA Facilitating Advanced AiTM Attacks on Microsoft 365", "description": "Cybersecurity threats continue to evolve, and phishing attacks remain a persistent challenge. The recent emergence of the Rockstar 2FA phishing-as-a-service (PhaaS) toolkit has heightened concerns, as it empowers cybercriminals to launch sophisticated attacks with minimal technical expertise.", "modified": "2024-11-30T18:14:05.007000", "created": "2024-11-30T18:14:05.007000", "tags": [ "rockstar", "strong", "trustwave", "paas", "aitm server", "august", "microsoft", "figure", "demo", "aitm", "test", "storm", "phoenix", "antibot", "june", "honeypot", "email" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/" ], "public": 1, "adversary": "Email", "targeted_countries": [ "Australia", "Singapore" ], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 48, "domain": 12, "hostname": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 73, "is_author": false, "is_subscribing": null, "subscriber_count": 214, "modified_text": "547 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.curiosolucky.com/dos/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.curiosolucky.com/dos/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780319754.448288 }