Cybersecurity researchers are tracking a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that uses DNS over HTTPS (DoH) to avoid detection. Because the kit's DNS lookups travel inside encrypted HTTPS sessions to public resolvers rather than through the organization's own DNS infrastructure, DNS-based monitoring never sees them, which makes the phishing activity harder to identify and block.
The attack begins when the victim clicks a malicious link embedded in a phishing message. The link leads through a chain of open redirect vulnerabilities on ad tech platforms such as Google DoubleClick, and often passes through compromised WordPress sites, look-alike domains, and free hosting services to mask the true destination.
Upon reaching the final phishing site, the phishing kit activates and queries the mail exchange (MX) record of the victim's email domain over DoH, using Google's or Cloudflare's public resolvers. The MX record identifies the victim's email provider, so the kit can serve a spoofed login page that closely resembles the legitimate service. The email field is pre-filled with the victim's address to make the page appear even more authentic.
Once the victim enters their credentials, the stolen data is immediately exfiltrated to the attackers through AJAX requests to external servers or PHP scripts hosted on the phishing site. In some cases, credentials are forwarded in real time using Telegram bot webhooks, allowing attackers to act quickly.
To validate the captured credentials, the phishing kit displays an error message after the first login attempt, stating: “Invalid Password! Please enter the correct password.” This prompts the victim to re-enter their credentials, helping the attackers confirm that the captured password is correct.
Finally, to avoid raising suspicion, the victim is redirected to the legitimate authentication page of their email provider, making them believe they simply mistyped their password. Meanwhile, the attackers now have access to the stolen credentials, which can be used for further exploitation.
Beyond its use of DoH, two other key features of Morphing Meerkat are:
- Dynamic phishing content: The platform uses DNS MX records to identify the victim's email provider and then dynamically generates spoofed login pages that closely resemble those of over 114 brands, including Gmail, Outlook, and Yahoo.
- Multilingual capabilities: The phishing emails are crafted in multiple languages, such as English, Spanish, Russian, and Chinese, allowing the operation to target a diverse, global audience effectively.
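The two mechanics described above (MX lookup over a public DoH resolver, then a provider-to-brand mapping) are also what a defender can look for. The following is an added example written for this write-up, not code from the Morphing Meerkat kit or from the cited reporting. It assumes the kit uses the JSON `resolve`/`dns-query` endpoints of dns.google and cloudflare-dns.com (an assumption; the exact endpoints are not stated in the source), and it uses constructed sample data throughout. The first function shows how a handful of MX host suffixes map to a provider brand, which is the fingerprinting step the kit performs; the second runs simple detection logic over constructed web-proxy log lines to flag DoH requests that ask for MX records, something an end-user workstation almost never does legitimately.

```python
import json
from urllib.parse import urlparse, parse_qs

# MX host suffix -> provider brand. Illustrative subset only; the real kit is
# reported to map to more than 100 brands.
MX_PROVIDER_MAP = {
    "mail.protection.outlook.com": "Microsoft 365",
    "google.com": "Gmail / Google Workspace",
    "yahoodns.net": "Yahoo",
    "pphosted.com": "Proofpoint-fronted (provider unknown)",
}


def doh_mx_response(domain, exchanges):
    """Build a constructed DoH JSON answer for an MX query (shape of the
    dns.google /resolve endpoint) from a list of (preference, host)."""
    name = domain + "."
    return json.dumps({
        "Status": 0,
        "Question": [{"name": name, "type": 15}],
        "Answer": [
            {"name": name, "type": 15, "TTL": 300, "data": f"{pref} {host}."}
            for pref, host in exchanges
        ],
    })


# Constructed sample: a domain whose mail is hosted on Microsoft 365.
SAMPLE_DOH_MX_RESPONSE = doh_mx_response(
    "example.com", [(10, "example-com.mail.protection.outlook.com")]
)


def provider_from_doh_mx(doh_json):
    """Return the provider brand implied by the MX answer, or 'unknown'."""
    payload = json.loads(doh_json)
    exchanges = []
    for rr in payload.get("Answer", []):
        if rr.get("type") != 15:          # 15 = MX
            continue
        parts = rr.get("data", "").split()  # "<preference> <exchange>"
        if len(parts) == 2 and parts[0].isdigit():
            exchanges.append((int(parts[0]), parts[1].rstrip(".").lower()))
    # Lowest preference is the primary exchange; check it first.
    for _pref, host in sorted(exchanges):
        for suffix, brand in MX_PROVIDER_MAP.items():
            if host == suffix or host.endswith("." + suffix):
                return brand
    return "unknown"


# Constructed web-proxy log lines: "<ts> <client> <method> <url>". Such URLs
# are only visible when TLS is inspected or browser telemetry is collected.
SAMPLE_PROXY_LOG = """\
1711000000.100 10.0.0.5 GET https://dns.google/resolve?name=example.com&type=MX
1711000001.200 10.0.0.5 GET https://cloudflare-dns.com/dns-query?name=example.com&type=MX
1711000002.300 10.0.0.7 GET https://dns.google/resolve?name=update.example.net&type=A
1711000003.400 10.0.0.9 GET https://www.example.org/index.html
"""

# (host, path) pairs of the public DoH JSON APIs assumed above.
DOH_JSON_ENDPOINTS = {
    ("dns.google", "/resolve"),
    ("cloudflare-dns.com", "/dns-query"),
    ("1.1.1.1", "/dns-query"),
}


def find_doh_mx_lookups(log_text):
    """Flag proxy log entries where a client asked a public DoH JSON API for an
    MX record (type=MX or the numeric type 15)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        u = urlparse(url)
        if (u.hostname, u.path) not in DOH_JSON_ENDPOINTS:
            continue
        qs = parse_qs(u.query)
        qtype = qs.get("type", ["A"])[0].upper()
        if qtype not in ("MX", "15"):
            continue
        hits.append({"ts": ts, "client": client, "resolver": u.hostname,
                     "name": qs.get("name", [""])[0]})
    return hits


if __name__ == "__main__":
    print("provider:", provider_from_doh_mx(SAMPLE_DOH_MX_RESPONSE))
    for hit in find_doh_mx_lookups(SAMPLE_PROXY_LOG):
        print("DoH MX lookup:", hit)
```

Two caveats apply. Without TLS inspection a proxy sees only a CONNECT to dns.google:443 or cloudflare-dns.com:443, so the query type is invisible; in that case the signal is any browser-originated DoH to a public resolver from a host that is configured to use the corporate resolver, which is worth alerting on regardless of what was asked. And because the lookup runs from the victim's browser, the phishing server's own address never appears in the DNS path, so resolver logs cannot be used to find it.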
Researchers believe that Morphing Meerkat has been active since at least 2020 but has managed to fly under the radar until now, likely due to its use of DoH.
Source: Bleeping Computer
Analysis
PhaaS kits such as Morphing Meerkat allow threat actors with limited technical skill and experience to run sophisticated phishing campaigns they could not otherwise build. The kits effectively turn the average criminal into a cybercriminal, representing a significant threat to organizations and individuals worldwide.
While aspiring threat actors have multiple PhaaS kits to choose from, Morphing Meerkat appears to be the only known platform that uses DoH to avoid detection. DoH is a technique more commonly associated with cybercriminal groups and nation-state actors, who use it to enhance the stealth and efficacy of their operations, particularly when exfiltrating data from victims. For example, in May 2020 the Iranian-affiliated advanced persistent threat group OilRig (aka APT34) added an open-source tool named DNSExfiltrator to its toolkit, enabling covert data exfiltration over DoH channels. Encrypting the DNS queries in this way let the traffic evade detection by traditional security measures.
Additionally, ChamelGang, a threat actor believed to originate from China, has employed a Linux-based malware implant known as ChamelDoH that leverages DoH for encrypted communication with command-and-control (C2) servers. Doing so facilitated operations such as data exfiltration and remote command execution while minimizing the risk of detection.
The strategic use of DoH by these actors and Morphing Meerkat highlights the evolving landscape of cyber threats and the continuous adaptation of malicious entities to leverage emerging technologies for stealth and efficiency.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats related to PhaaS platforms like Morphing Meerkat. Field Effect MDR users are automatically notified when phishing-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Fortunately, phishing is a well-known attack vector and can be mitigated by combining administrative security controls, such as phishing awareness training, with technical security controls, such as automatic scanning and URL stripping. In most cases, however, the difference between being compromised or not comes down to the recipient of the phishing email and whether they have the awareness not to fall victim to it.
Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.