Executive Summary
Researchers from Sekoia have released a report detailing an October 2023 discovery and subsequent analysis of a new Adversary-in-The-Middle (AiTM) phishing kit linked to the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform, which had been active since at least August 2023. The latest version of Tycoon 2FA features enhanced stealth capabilities, potentially lowering detection rates by security products. Sekoia’s monitoring identified over 1,200 domain names associated with Tycoon 2FA since August 2023, and has released several domains to the public for security awareness and response.
Community Threat Assessment
By tracking Bitcoin transactions allegedly linked to the Saad Tycoon Group, Sekoia analysts anticipate Tycoon 2FA PhaaS to remain a significant threat in the AiTM phishing market in 2024. Due to the available public reporting of Tycoon 2FA and its analysis, and released Indicators of Compromise (IOCs), the RH-ISAC Intelligence Team assesses with high confidence that this campaign presents a relatively medium threat for organizations in the retail and hospitality sector. RH-ISAC recommends Core Members review the intelligence included in this report and the linked Sekoia report, which contains additional details regarding the campaign.
Members are also advised to review the IOCs, provided below, and ingest them into security systems promptly where applicable.
Technical Details
According to latest reporting, Tycoon 2FA attacks involve a multi-step process where the threat actor steals session cookies by using a reverse proxy server hosting the phishing web page, which intercepts the victim’s input and relays them to the legitimate service. Once the user completes the multi-factor authentication (MFA) challenge, and the authentication is successful, the server in the middle captures session cookies, Sekoia explains. This way, the attacker can replay a user’s session and bypass MFA mechanisms.
Sekoia’s report describes the attacks in seven distinct stages, as described below:
Stage 0 – Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.
Stage 1 – A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site.
Stage 2 – Background scripts extract the victim’s email from the URL to customize the phishing attack.
Stage 3 – Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page.
Stage 4 – This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration.
Stage 5 – The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures.
Stage 6 – Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack’s success.
The latest version of the Tycoon 2FA phishing kit, released this year, has introduced significant modifications that improve the phishing and evasion capabilities. Key changes include updates to the JavaScript and HTML code, alterations in the order of resource retrieval, and more extensive filtering to block traffic from bots and analytical tools of security researchers.
Indicators of Compromise
The following IOCs, provided below by Sekoia, are provided for community awareness and ingestion:
0q5e0.nemen9[.]com
25rw2.canweal[.]com
35fu2.ouchar[.]ru
4343w.jgu0[.]com
43rw98nop8.m1p8z[.]com
4m2swl.7e2r[.]com
5me78.methw[.]ru
6j312.rchan0[.]com
77p3e.rimesh3[.]com
8000n.uqin[.]ru
8uecv.gnornamb[.]com
98q5e.ructin[.]com
9c43r.theq0[.]com
9oc0y2isa27.demur3[.]com
beacon.diremsto[.]com
bloggcenter[.]com
buneji.fiernmar[.]com
e85t8.nechsha[.]com
ex1uo.rhknt[.]ru
explore.atlester[.]ru
fiq75d.rexj[.]ru
fisaca.trodeckh[.]com
galume.aricente[.]com
gz238.uatimin[.]com
horizon.sologerg[.]com
jp1y36.it2ua[.]com
k348d.venti71[.]com
kjlvo.ningeona[.]com
kjsdflwe.nitertym[.]ru
l846d.ferver8[.]com
libudi.oreversa[.]com
n29k4.ilert[.]ru
n9zph.lw8opi[.]com
o6t94g.3tdx2r[.]com
oo99v.coqqwx[.]ru
p1v12.17nor[.]com
pmd8ot6xhw.3qjpc[.]com
q908q.refec7[.]com
r298y.sem01[.]com
rlpq.tk9u[.]com
roriku.orankfix[.]com
tlger-surveillance[.]com
tnyr.moporins[.]com
wasogo.shantowd[.]com
x12y.restrice[.]ru
xrs.chenebystie[.]com
xva.tjlpkcia[.]com
zaqaxu.dthiterp[.]ru
zekal6.tnjxb[.]com
zemj4f.ymarir[.]ru
