Threat analysis by The RabitaNoor (RBTN) Cyber Research Center

Morphing Meerkat Phishing Kit Exploits DNS MX Records to Mimic 114 Brands

The goal of this document is to provide technical and strategic analysis of a much larger source (a document, audio recording, etc.).

The document is a product of the RBTN - CYOI Pulpit


Main image: Photo by Yeshi Kangrang


Document Summary

The article discusses a new phishing-as-a-service platform called Morphing Meerkat, which uses DNS MX records to create fake login pages mimicking 114 brands. The threat actor exploits open redirects on adtech infrastructure and uses compromised domains for phishing distribution. Stolen credentials are distributed via Telegram. The phishing kit dynamically translates content into multiple languages and employs anti-analysis measures. Cloudflare R2 is used to host fake login pages, and the phishing messages are distributed using compromised WordPress sites and open redirect vulnerabilities on platforms like DoubleClick.
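The summary above names three infrastructure traits that a mail gateway or SOC can triage statically: open-redirect parameters on adtech hosts, landing pages on Cloudflare R2, and compromised WordPress sites. The script below is an added illustration written for this analysis, not code from the article or from RBTN. It walks redirect parameters without touching the network and tags each hop. The log lines and every hostname in them are constructed; the redirect parameter list, the WordPress path markers and the `.r2.dev` public-bucket suffix are assumptions about common conventions, not indicators taken from the article.

```python
"""Static phishing-URL triage for the traits described in the Morphing Meerkat
summary.  Added example (not RBTN or article code); sample data is constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: parameter names commonly used by redirectors (adtech and otherwise).
REDIRECT_PARAMS = {"adurl", "url", "u", "redirect", "redir", "goto", "next",
                   "dest", "destination", "target", "return", "rurl", "link"}
# Standard WordPress path components; their presence on an unrelated site is a
# hint that the host may be a compromised blog being used for distribution.
WP_PATH_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/", "/wp-login.php")
# Assumption: public Cloudflare R2 buckets are exposed on hostnames under r2.dev.
R2_PUBLIC_SUFFIX = ".r2.dev"
MAX_HOPS = 5  # bound on nested redirect parameters

# Constructed sample: "<timestamp> <recipient> <clicked url>" per line.
SAMPLE_LOG = """\
2025-03-27T08:01:12Z alice@example.com https://ads.adnetwork.test/clk?adurl=https%3A%2F%2Fpub-0123abcd.r2.dev%2Fview.html
2025-03-27T08:02:40Z bob@example.com https://www.example-news.test/story/42
2025-03-27T08:03:05Z carol@example.com https://old-blog.test/wp-content/uploads/redir.php?u=https://login.example-brand.test/
2025-03-27T08:04:19Z dave@example.com https://pub-9876fedc.r2.dev/office/index.html
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+@\S+)\s+(https?://\S+)$")


def _extract_redirect(url):
    """Return the first absolute URL carried in a known redirect parameter, else None."""
    parts = urlsplit(url)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            candidate = unquote(value)
            if candidate.lower().startswith(("http://", "https://")):
                return candidate
    return None


def classify_url(url, _depth=0):
    """Tag a URL and, if it redirects elsewhere, the chain it leads to.

    Returns (final_url, tags).  No network access: the chain is read from
    redirect parameters only, so it sees what the lure encodes, not what
    the redirector would actually serve.
    """
    tags = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith(R2_PUBLIC_SUFFIX):
        tags.add("r2_public_bucket")
    if any(marker in parts.path for marker in WP_PATH_MARKERS):
        tags.add("wordpress_path")
    target = _extract_redirect(url)
    if target and _depth < MAX_HOPS:
        target_host = (urlsplit(target).hostname or "").lower()
        if target_host and target_host != host:
            tags.add("external_redirect")
            final_url, inner_tags = classify_url(target, _depth + 1)
            return final_url, tags | inner_tags
    return url, tags


def triage_log(text):
    """Parse gateway lines and return one finding per URL that earned any tag."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip malformed records rather than failing the batch
        _timestamp, recipient, url = match.groups()
        final_url, tags = classify_url(url)
        if tags:
            findings.append({"recipient": recipient, "url": url,
                             "final_url": final_url, "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding["recipient"], ",".join(finding["tags"]), "->", finding["final_url"])
```

Tags are deliberately additive rather than a verdict: a single hit (an R2 bucket, a WordPress path) is common on benign traffic, while the combination of an adtech redirect whose final hop lands on a public bucket is the pattern worth escalating.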

Analysis

Overview

Timestamp: 2025-03-27

Title: Morphing Meerkat Phishing Kit Exploits DNS MX Records to Mimic 114 Brands

Severity: High

The Morphing Meerkat phishing kit represents a sophisticated adversary leveraging DNS MX records to mimic 114 brands. The capability includes dynamic content translation and anti-analysis measures. The infrastructure involves compromised WordPress sites and Cloudflare R2 for hosting. Victims are targeted globally, with a focus on credential theft.

Adversary

Adversary: The threat actor behind Morphing Meerkat is sophisticated, leveraging DNS MX records and open redirects for targeted phishing attacks.

Motivation: Credential theft and data exfiltration

Sophistication: High

TTPs:

Capability

Capability: The phishing kit can mimic 114 brands and dynamically translate content into multiple languages.

Tools: Phishing kit, Telegram

Evasion: Anti-analysis measures, Obfuscation

Infrastructure

Description: The infrastructure includes compromised WordPress sites, Cloudflare R2 for hosting, and Telegram for communication.

Domains: Compromised domains

Hosting Providers: Cloudflare

Communication Protocols: Telegram

Victim Profile

Targets: Victims are users of the 114 brands mimicked by the phishing kit, targeted globally.

Industry: Various

Assets: Email credentials

Data at Risk: Email credentials

Impact: High

References