Full Report
Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands. DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat. "The threat actor behind
Analysis Summary
# Tool/Technique: Morphing Meerkat Phishing Kit
## Overview
Morphing Meerkat is a Phishing-as-a-Service (PhaaS) platform used by threat actors to deliver highly targeted phishing campaigns. Its key feature is the dynamic serving of fake login pages that impersonate approximately 114 different brands by leveraging victims' DNS Mail Exchange (MX) records to identify their email service provider.
## Technical Details
- Type: Tool (Phishing Kit/PhaaS)
- Platform: Web-based delivery (targets end-user browsers)
- Capabilities: Brand impersonation (114+), dynamic content translation (12+ languages), anti-analysis features, DNS MX record abuse for provider profiling.
- First Seen: Activity documented from around July 2024 onward.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link (Implied by distribution methods)
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (Not directly applicable, but the goal is credential harvesting)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (Used for exfiltration via Telegram)
## Functionality
### Core Capabilities
- **Brand Spoofing:** Mimics logon pages for around 114 major brands.
- **DNS MX Record Abuse:** Queries the victim's MX records (via DNS lookups, possibly Cloudflare/Google DNS) to determine the email provider (e.g., Gmail, Outlook, Yahoo).
- **Dynamic Page Rendering:** Serves a login page tailored to the detected service provider, enhancing the phishing realism.
- **Fallback:** Defaults to a Roundcube login page if MX record resolution fails.
- **Multilingual Support:** Translates phishing content dynamically into over a dozen languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese.
### Advanced Features
- **Anti-Analysis Measures:** Restricts user interaction on the landing page to hinder analysis:
  - Disables the mouse right-click context menu.
  - Blocks the keyboard hotkey combinations Ctrl + S (Save Page) and Ctrl + U (View Source).
- **Obfuscation and Inflation:** Code is obfuscated and inflated to complicate security analysis and reverse engineering.
- **Distribution Infrastructure:** Leverages compromised WordPress sites and open redirect vulnerabilities on adtech infrastructure (like Google's DoubleClick) to distribute phishing links and bypass security filters.
- **Exfiltration:** Stolen credentials are often exfiltrated via Telegram APIs.
## Indicators of Compromise
- File Hashes: Not explicitly provided in the text.
- File Names: Not explicitly provided in the text.
- Registry Keys: Not applicable (web-based phishing kit).
- Network Indicators:
  - Hosting Platform Abuse: Cloudflare R2 storage utilized for hosting landing pages.
  - Exfiltration Channel: Telegram (API or bots).
- Behavioral Indicators:
  - Abuse of open redirect functionalities on adtech domains (e.g., DoubleClick).
  - Delivery of spam emails containing links to external, often compromised, infrastructure.
  - Execution of scripts that perform DNS MX lookups on the target's email domain.
## Associated Threat Actors
- The specific threat actor is tracked by Infoblox and associated with the Morphing Meerkat infrastructure.
- Related campaigns or infrastructure have also been documented by other vendors (e.g., Forcepoint).
## Detection Methods
- Signature-based detection: Match known malicious page structures or C2 flows, keeping in mind that the kit's code is obfuscated, inflated, and changes over time, which limits the lifetime of static signatures.
- Behavioral detection: Monitor network requests for suspicious DNS MX record lookups, including those triggered by pages reached via compromised distribution points, and inspect dynamic landing pages for scripts that disable right-click or keyboard shortcuts.
- YARA rules: Not explicitly provided in the text.
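A heuristic scanner for the behavioral indicators listed under Indicators of Compromise and the behavioral detection item above, added here as an example; it is not Infoblox's code nor anything from the kit itself. The regex markers and both sample inputs are constructed from this page's description (right-click and Ctrl+S/Ctrl+U suppression, MX lookups through public DNS resolvers, Telegram exfiltration), not from real Morphing Meerkat samples, and the scoring threshold is an assumption.

```python
import re
from dataclasses import dataclass, field

# Regex markers for behaviours this page attributes to the kit; each is a
# weak signal on its own, so the verdict is based on the combination.
MARKERS = {
    "contextmenu_disabled": re.compile(
        r"(oncontextmenu\s*=|addEventListener\(\s*['\"]contextmenu['\"])", re.I),
    # Ctrl modifier checked together with the S (83) or U (85) key.
    "hotkeys_blocked": re.compile(
        r"ctrlKey[^\n]{0,80}(keyCode\s*==?=?\s*(83|85)|key\s*==?=?\s*['\"][su]['\"])", re.I),
    # MX (type 15) query to a public DNS-over-HTTPS resolver from page script.
    "doh_mx_lookup": re.compile(
        r"(cloudflare-dns\.com|dns\.google)/(dns-query|resolve)\?.{0,200}?\btype=(MX|15)\b", re.I),
    "telegram_exfil": re.compile(r"api\.telegram\.org/bot", re.I),
}

@dataclass
class Verdict:
    score: int
    hits: list[str] = field(default_factory=list)

def scan_page(source: str) -> Verdict:
    """Score raw landing-page source (HTML plus inline JS) against the markers."""
    hits = [name for name, rx in MARKERS.items() if rx.search(source)]
    # An MX lookup issued from a login page is the kit's distinctive trait,
    # so it carries extra weight (assumed weighting, not from the report).
    score = len(hits) + (2 if "doh_mx_lookup" in hits else 0)
    return Verdict(score=score, hits=hits)

def is_suspicious(source: str, threshold: int = 3) -> bool:
    return scan_page(source).score >= threshold

# Constructed sample: only the marker lines, not a working phishing page.
SUSPECT = """<script>
document.addEventListener('contextmenu', e => e.preventDefault());
document.onkeydown = e => { if (e.ctrlKey && (e.keyCode == 83 || e.keyCode == 85)) return false; };
fetch('https://cloudflare-dns.com/dns-query?name=' + domain + '&type=MX');
</script>"""

# Constructed benign login page with an ordinary Enter-key handler.
BENIGN = """<form action="/login"><input name="user"><input type="password" name="pw"></form>
<script>document.onkeydown = e => { if (e.key === 'Enter') submit(); };</script>"""

if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, scan_page(page))
```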
## Mitigation Strategies
- **Email Filtering:** Enhance filters to detect links pointing to infrastructure known for hosting phishing content (e.g., URLs hosted on Cloudflare R2 for unexpected purposes).
- **DNS Security:** Monitor outbound DNS queries for abnormal behavior, especially attempts to resolve MX records for unrelated domains during email sessions.
- **User Training:** Educate users specifically about links originating from redirects, the danger of single sign-on pages served from unexpected domains, and how to recognize attempts to disable browser context menus.
- **Vulnerability Management:** Patch and secure WordPress installations being used for distribution and ensure adtech open redirects are mitigated.
## Related Tools/Techniques
- Phishing-as-a-Service (PhaaS) platforms.
- Abuse of open redirect vulnerabilities (CWE-601).
- Use of cloud storage services (like Cloudflare R2) for clandestine content hosting.