Friday, January 24, 2025
HomeCyber Security NewsNew Tycoon 2FA Phishing Kit Attacking Microsoft 365 & Gmail Users

New Tycoon 2FA Phishing Kit Attacking Microsoft 365 & Gmail Users

Published on

SIEM as a Service

Follow Us on Google News

Hackers use 2FA (Two-Factor Authentication) phishing kits to overcome the additional security layer provided by 2FA. 

These kits typically mimic legitimate login pages and prompt users to enter their credentials along with the one-time passcodes generated by their authenticator apps or sent via SMS.

Through proactive threat hunting, Sekoia analysts uncovered a new and widespread Adversary-in-The-Middle (AiTM) phishing kit called Tycoon 2FA in October 2023. 

This Phishing-as-a-Service (PhaaS) platform has been actively used by multiple threat actors since at least August 2023 to conduct effective phishing attacks. 

Continuous monitoring revealed Tycoon 2FA as one of the most prevalent AiTM kits, with over 1,100 associated domains identified between late October 2023 and late February 2024.

Technical Analysis

Phishing using QR codes increased in October 2023. Many AiTM phishing pages shared similarities like:- 

  • Deobfuscated scripts
  • CloudFlare Turnstile for protection
  • Specific CSS resources
  • WebSocket for data exfiltration
Email attachments redirecting users to Tycoon 2FA phishing pages (Source – Sekoia)

Using urlscan.io, researchers identified hundreds of similar phishing pages in October 2023 by searching for specific CSS filenames.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, which helps you to quantify risk accurately:

The pages retrieved resources from codecrafterspro[.]com, which appeared central.

Other associated domains like codecrafters[.]su and devcraftingsolutions[.]com hosted phishing resources with a “Powered by TycoonGroup” login panel. 

The tycoongroup[.]ws domain promoted Tycoon as the “best 2FA bypass phishing platform”, linking this infrastructure to the Tycoon 2FA phishing platform.

Login page of Tycoon 2FA administration panel (Source – Sekoia)

Researchers analyzed the victim-facing interactions without access to Tycoon’s source code.

It uses AiTM, with an attacker server hosting the phishing page, relaying inputs to the legitimate service, prompting MFA, and capturing session cookies after successful MFA. 

The stolen cookies allow bypassing MFA by replaying the session, even if credentials were changed. The key operations of Tycoon are outlined below.

Main operations specific to the Tycoon 2FA phishing kit (Source – Sekoia)

There are a total 7 stages and here below we have mentioned them:-

  • Stage 0 – Spreading phishing pages
  • Stage 1 – Cloudflare Turnstile challenge
  • Stage 2 – Email extractor
  • Stage 3 – Redirection page
  • Stage 4 – Fake Microsoft authentication login page and sockets
  • Stage 5 – 2FA relaying
  • Stage 6 – Final redirection

The Tycoon 2FA phishing kit harvests credentials via fake Microsoft pages, with a C2 server collecting data over WebSockets.

The latest version added stealth tactics like only providing malicious resources after solving a CloudFlare challenge, using randomized URLs, and filtering traffic to evade analysis. 

While previous versions used characteristic filenames for core functionality, the new changes make tracking more difficult. 

However, Sekoia found heuristics correlating legitimate resource names, C2 response data size and resource lengths to continue monitoring the evolving Tycoon 2FA infrastructure.

Tycoon 2FA became widespread, and the developer enhanced stealth capabilities in the recent version.

With its ease of use and low price, it gained popularity among threat actors. 

Sekoia identified over 1,200 associated domain names since August 2023 and believes the Tycoon Group operations are highly lucrative, expecting Tycoon 2FA to remain a prominent threat in the AiTM phishing market in 2024.

IoCs

  • 0q5e0.nemen9[.]com
  • 25rw2.canweal[.]com
  • 35fu2.ouchar[.]ru
  • 4343w.jgu0[.]com
  • 43rw98nop8.m1p8z[.]com
  • 4m2swl.7e2r[.]com
  • Cybersecurity Threats5me78.methw[.]ru
  • 6j312.rchan0[.]com
  • 77p3e.rimesh3[.]com
  • 8000n.uqin[.]ru
  • 8uecv.gnornamb[.]com
  • 98q5e.ructin[.]com
  • 9c43r.theq0[.]com
  • 9oc0y2isa27.demur3[.]com
  • beacon.diremsto[.]com
  • bloggcenter[.]com
  • buneji.fiernmar[.]com
  • e85t8.nechsha[.]com
  • ex1uo.rhknt[.]ru
  • explore.atlester[.]ru
  • fiq75d.rexj[.]ru
  • fisaca.trodeckh[.]com
  • galume.aricente[.]com
  • gz238.uatimin[.]com
  • horizon.sologerg[.]com
  • jp1y36.it2ua[.]com
  • k348d.venti71[.]com
  • kjlvo.ningeona[.]com
  • kjsdflwe.nitertym[.]ru
  • l846d.ferver8[.]com
  • libudi.oreversa[.]com
  • n29k4.ilert[.]ru
  • n9zph.lw8opi[.]com
  • o6t94g.3tdx2r[.]com
  • oo99v.coqqwx[.]ru
  • p1v12.17nor[.]com
  • pmd8ot6xhw.3qjpc[.]com
  • q908q.refec7[.]com
  • r298y.sem01[.]com
  • rlpq.tk9u[.]com
  • roriku.orankfix[.]com
  • tlger-surveillance[.]com
  • tnyr.moporins[.]com
  • wasogo.shantowd[.]com
  • x12y.restrice[.]ru
  • xrs.chenebystie[.]com
  • xva.tjlpkcia[.]com
  • zaqaxu.dthiterp[.]ru
  • zekal6.tnjxb[.]com
  • zemj4f.ymarir[.]ru

Cryptocurrency Wallet Address

  • 19NReVFKJsYYCCFLq1uNKYrUqQE2bB4Jwx used by Saad Tycoon Group

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

PayPal Fined $2 Million Fine For Violating Cybersecurity Regulations

The New York State Department of Financial Services (NYDFS) has imposed a $2 million...