Threat actors employ Tycoon 2FA kits to pilfer your data

Cybercriminals leverage 2FA (Two-Factor Authentication) phishing kits to bypass the added security layer provided by 2FA.

These kits typically replicate genuine login interfaces and prompt users to input their credentials alongside the one-time passcodes generated by their authenticator apps or sent via SMS.

In October 2023, through proactive threat detection, Sekoia analysts uncovered a newly pervasive Adversary-in-The-Middle (AiTM) phishing kit named Tycoon 2FA.

Since at least August 2023, this Phishing-as-a-Service (PhaaS) platform has been actively utilized by various threat actors to execute successful phishing campaigns.

How do the Tycoon 2FA attacks work?

The utilization of QR codes for phishing surged in October 2023. Numerous AiTM phishing pages exhibited common traits, including:

Deobfuscated scripts
CloudFlare Turnstile employed for protection
Utilization of specific CSS resources
Employment of WebSocket for data exfiltration

Using urlscan.io, researchers identified hundreds of similar phishing pages in October 2023 by searching for specific CSS filenames.

The pages sourced resources from codecrafterspro[.]com, indicating its centrality.

Related domains such as codecrafters[.]su and devcraftingsolutions[.]com hosted phishing materials featuring a login panel marked “Powered by TycoonGroup.”

The tycoongroup[.]ws domain endorsed Tycoon as the “premier 2FA bypass phishing platform,” establishing a link to the Tycoon 2FA phishing platform.

Researchers analyzed victim-facing interactions without accessing Tycoon’s source code. Tycoon employs AiTM, with an attacker server hosting the phishing page, relaying inputs to the legitimate service, prompting MFA, and capturing session cookies post successful MFA.

Stolen cookies permit MFA bypass via session replay, even if credentials are altered. Key operations of Tycoon are summarized below.

There are a total 7 stages and here below we have mentioned them:-

Stage 0 – Spreading phishing pages
Stage 1 – Cloudflare Turnstile challenge
Stage 2 – Email extractor
Stage 3 – Redirection page
Stage 4 – Fake Microsoft authentication login page and sockets
Stage 5 – 2FA relaying
Stage 6 – Final redirection

The Tycoon 2FA phishing kit gathers credentials through counterfeit Microsoft pages, with a C2 server gathering data via WebSockets.

Recent updates incorporate stealth measures like requiring resolution of a CloudFlare challenge before providing malicious resources, employing randomized URLs, and filtering traffic to elude analysis. Unlike earlier versions, which utilized identifiable filenames, these alterations render tracking more challenging.

However, Sekoia discovered heuristics linking authentic resource names, C2 response data size, and resource lengths to persistently monitor the evolving Tycoon 2FA infrastructure. Despite its widespread adoption, the developer has bolstered the kit’s stealth capabilities in the latest iteration.

Due to its affordability and user-friendly interface, Tycoon 2FA has gained traction among threat actors.

Sekoia has identified over 1,200 associated domain names since August 2023, indicating the profitability of Tycoon Group operations. They anticipate Tycoon 2FA to remain a significant threat in the AiTM phishing market throughout 2024.