Since September 2023, Trustwave’s Threat Intelligence Team has monitored large-scale phishing campaigns run on the Dadsec and Tycoon2FA Phishing-as-a-Service (PhaaS) platforms, which share infrastructure and evasion techniques. Both platforms use Adversary-in-the-Middle (AiTM) attacks to bypass multi-factor authentication, and rely on custom payloads, decoy pages and Cloudflare Turnstile challenges to deceive victims and keep automated scanners out. #Dadsec #Tycoon2FA #Storm-1575
Keypoints
- Tycoon2FA and Dadsec are PhaaS platforms active since 2023, sharing infrastructure and phishing kit components.
- Large-scale campaigns deploying thousands of phishing pages have been identified, employing PHP payloads like “res444.php”, “cllascio.php”, and “.000.php”.
- Phishing kits use Adversary-in-the-Middle techniques: the victim’s credentials and MFA response are relayed to the legitimate service in real time, and the session cookie issued after MFA is captured, so the attacker reuses an already-authenticated session rather than defeating MFA itself.
- Anti-analysis features include detection of penetration-testing tools, keystroke monitoring and a disabled right-click context menu, which together hinder inspection in browser developer tools.
- Phishing pages integrate Cloudflare Turnstile CAPTCHA challenges and multiple decoy landing pages to look legitimate to victims and to block bots and scanners.
- Phishing URLs follow distinctive patterns and carry a pre-specified victim username (in plain text or Base64), and are often hosted on “.ru” domains running the Cyber Panel hosting platform.
- Data sent to command-and-control servers is encrypted with AES using a key derived with PBKDF2, so captured transmissions cannot be read without recovering the key material from the kit.
MITRE Techniques
- [T1566] Phishing – Phishing emails deliver malicious links and attachments that impersonate Microsoft 365 login interfaces. (‘The attack begins with an email using various lures to entice the recipient into accessing a shared file, often including an HTML attachment.’)
- [T1598] Phishing for Information – Phishing pages harvest credentials and multi-factor authentication tokens by impersonating the legitimate login flow. (‘Phishing kits provide a user-friendly interface with customizable phishing templates… to bypass multi-factor authentication (MFA).’)
- [T1557] Adversary-in-the-Middle – The kit proxies the victim’s login to the real service and captures the session cookie issued after MFA. (‘The phishing kit leverages the AiTM… Once the user completes the MFA challenge… the attacker-controlled server captures session cookies.’)
- [T1204] User Execution – Socially engineered attachments themed around HR, finance or security alerts entice the victim to open them. (‘Some phishing HTML or PDF files use themes related to human resources, finance, or security alerts to entice victims.’)
- [T1622] Debugger Evasion – Disabling the right-click context menu and monitoring keystrokes hinder use of browser developer tools against the page. (‘Enhanced anti-analysis features… such as disabling the right-click context menu on the browser for defense evasion.’)
- [T1027] Obfuscated Files or Information – Payloads are hidden in invisible Unicode characters and decoded at runtime through JavaScript Proxy objects, and the kit’s code is further wrapped in Caesar cipher obfuscation, Base64 encoding and AES decryption routines. (‘This script uses JavaScript Proxy-based objects to dynamically decode invisible Unicode characters and execute payloads.’ ‘The phishing kit conceals its malicious code using a combination of Caesar cipher obfuscation and Base64 encoding.’)
- [T1608.005] Stage Capabilities: Link Target – Phishing pages are staged on attacker-controlled domains running the open-source Cyber Panel hosting platform. (‘The domain leverages “Cyber Panel” an open-source web hosting platform.’)
- [T1592] Gather Victim Host Information – Victim IP address, geolocation, user agent and browser data are collected via Cloudflare Turnstile and injected scripts. (‘Turnstile Information Gathering… including IP addresses, referrers, and user agents.’)
Indicators of Compromise
- [Domains] Phishing campaign domains – selligenttier.naylorcampaigns.com, 704movers.com, srciek0t8a31dz4.o4dnumvbqy.ru, americanwealthllc.com
- [File Names] PHP payloads – res444.php, cllascio.php, .000.php (server-side components of the phishing kits)
- [IP Addresses] Hosting infrastructure in AS19871 (NETWORK-SOLUTIONS-HOSTING) serving phishing pages (individual addresses not listed here)
- [URL Patterns] Phishing URLs with embedded Base64 encoded emails or randomized placeholders (e.g., 0x207c, 0x0442)
- [Email Addresses] Pre-specified and Base64-encoded emails embedded within URL redirections to personalize phishing pages
- [File Hashes] Multiple malicious HTML and PDF attachment hashes used in email campaigns (examples withheld but referenced)