ANY.RUN researchers analyzed evolving Tycoon 2FA phishing campaigns that abuse compromised Amazon SES accounts and use layered redirects, fake errors, and legitimate-looking links to harvest credentials. The campaigns also leverage Freshdesk and SharePoint to host lure pages and PDFs, with encrypted C2 communications and obfuscated loaders to evade detection. #Tycoon #AmazonSES #Freshdesk #SharePoint #MicrosoftTeams #EconomictimesIndiatimes
Keypoints
- Ongoing Tycoon 2FA phishing campaign using compromised Amazon SES accounts.
- Phishing emails often carry an empty PDF attachment and pass sender authentication, because they are sent from legitimate (compromised) Amazon SES accounts; a DKIM/SPF pass is therefore not evidence that the message is benign.
- Attack chain involves multiple redirects to obscure the final phishing domain.
- New Tycoon variant uses fake error messages to trick users into entering credentials.
- Phishing campaigns target US government organizations by impersonating Microsoft Teams.
- Freshdesk is exploited to create lure pages with phishing links.
- SharePoint is used to host PDFs with phishing links, making detection challenging.
MITRE Techniques
- [T1566] Phishing – Attackers send emails with malicious links or attachments to trick users into revealing sensitive information.
- [T1056.003] Input Capture: Web Portal Capture – Attackers collect user credentials after victims enter them on the phishing site. (The original mapping to T1003, OS Credential Dumping, does not fit: no credentials are dumped from a host; they are typed into a fake login page.)
- [T1071] Application Layer Protocol – Communication with the C2 server is encrypted and uses various protocols for data exfiltration (the exfiltration itself maps to T1041, Exfiltration Over C2 Channel).
Indicators of Compromise
- [Domain] Attack chain / hosting domains – clicktime.symantec[.]com (Symantec's click-time URL protection rewriter, a legitimate service whose wrapper links are abused in the chain; unwrap the wrapped destination rather than blocking the host), donostain[.]com, and other related domains in the chain
- [Domain] CDN / script storage domains – code.jquery[.]com, cdn.socket[.]io, and additional script-hosting domains (legitimate CDNs used by the phishing kit; listed for chain context, not suitable as block indicators)
- [Domain] C2 / phishing engine domains – muc7.lmfey[.]ru, dadb737ad11[.]jandeclek-shakerjd-djhsn[.]ru, and other C2-related domains
- [URL/Domain] GOV-targeting / list-hosting – hinifiejevyrinzelywbhj[.]pages[.]dev/list.txt (Cloudflare Pages; only this subdomain is the indicator, not pages[.]dev itself), zatrdg[.]com
- [Domain] Freshdesk / hosting pages – freshdesk[.]com (legitimate helpdesk platform used to host lure pages; hunt on the specific lure page URLs rather than the platform domain)
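As an added example (not code from ANY.RUN or from the original post), the following Python script triages an email against the key points and indicators above: it checks whether the message was relayed through Amazon SES and passed DKIM, looks for empty PDF attachments, extracts URLs from the body, unwraps click-protection redirector links, and matches the final hosts against the refanged indicator list while treating legitimate lure-hosting platforms (SharePoint, Freshdesk) and the redirector itself as review signals only. The sample message, the Authentication-Results text, the 32-byte "empty PDF" threshold and the assumption that a redirector carries its destination as an absolute URL in a query parameter are all constructed assumptions for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

# Indicators from this page, kept defanged; refang() restores them for matching.
# The legitimate CDNs (code.jquery[.]com, cdn.socket[.]io) are deliberately NOT
# listed: they appear in the chain, but blocking them breaks half the web.
DEFANGED_IOCS = [
    "donostain[.]com",
    "muc7.lmfey[.]ru",
    "dadb737ad11[.]jandeclek-shakerjd-djhsn[.]ru",
    "hinifiejevyrinzelywbhj[.]pages[.]dev",
    "zatrdg[.]com",
]
# Legitimate services abused in the chain: a hit is a review signal, not a block.
LURE_PLATFORMS = ("sharepoint.com", "freshdesk.com")
REDIRECTOR_HOSTS = ("clicktime.symantec.com",)
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)
EMPTY_PDF_BYTES = 32  # assumption: anything this small cannot be a real PDF


def refang(ioc: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' back into matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_HOSTS = tuple(refang(i) for i in DEFANGED_IOCS)


def host_matches(host: str, suffixes) -> bool:
    """Exact or subdomain match of host against a list of domains."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def unwrap_redirector(url: str) -> str:
    """Assumption: redirectors pass the destination as an absolute URL in some
    query parameter; the parameter name varies by product, so any is accepted."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            if v.lower().startswith(("http://", "https://")):
                return v
    return url


def via_amazon_ses(msg) -> bool:
    """SES-relayed mail bounces to an amazonses.com Return-Path."""
    m = re.search(r"@([\w.-]+)>?\s*$", str(msg.get("Return-Path", "")))
    return bool(m) and host_matches(m.group(1), ("amazonses.com",))


def dkim_passed(msg) -> bool:
    return "dkim=pass" in str(msg.get("Authentication-Results", "")).lower()


def empty_pdf_attachments(msg) -> list:
    names = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            if len(part.get_payload(decode=True) or b"") < EMPTY_PDF_BYTES:
                names.append(part.get_filename())
    return names


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    ioc_hits, review = [], []
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = urlparse(url).hostname or ""
        wrapped = host_matches(host, REDIRECTOR_HOSTS)
        if wrapped:  # follow the click-protection wrapper to its real target
            url = unwrap_redirector(url)
            host = urlparse(url).hostname or ""
        if host_matches(host, IOC_HOSTS):
            ioc_hits.append(url)
        elif wrapped or host_matches(host, LURE_PLATFORMS):
            review.append(url)
    empty_pdfs = empty_pdf_attachments(msg)
    verdict = "block" if ioc_hits else ("review" if review or empty_pdfs else "pass")
    return {"via_ses": via_amazon_ses(msg), "dkim_pass": dkim_passed(msg),
            "empty_pdfs": empty_pdfs, "ioc_hits": ioc_hits,
            "review_urls": review, "verdict": verdict}


def sample_email() -> bytes:
    """Constructed lure in the style described above (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "notifications@sender.example"
    msg["To"] = "victim@target.example"
    msg["Subject"] = "New voicemail"
    msg["Return-Path"] = "<0101018f-bounce@eu-west-1.amazonses.com>"
    msg["Authentication-Results"] = "mx.target.example; dkim=pass header.d=amazonses.com; spf=pass"
    msg.set_content("You have a new voicemail.")
    msg.add_alternative(
        '<p>You have a new voicemail.</p>\n'
        '<a href="https://clicktime.symantec.com/a1b2?u=https%3A%2F%2Fdonostain.com%2Flogin">Listen</a>\n'
        '<a href="https://donostain.com/auth">Alternate link</a>\n'
        '<a href="https://tenant.sharepoint.com/:b:/s/docs/file.pdf">Attached PDF</a>\n',
        subtype="html")
    msg.add_attachment(b"", maintype="application", subtype="pdf", filename="voicemail.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(sample_email()))
```

The verdict logic is deliberately asymmetric: an indicator match blocks, while SharePoint, Freshdesk or redirector hosts only raise the message for review, since those platforms carry legitimate traffic and the page's own point is that the kit hides behind them. In production, replace the constructed `sample_email()` with the raw `.eml` from the mail gateway and expand `DEFANGED_IOCS` as the full indicator list is published.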
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/phishing-campaigns-august-24/