Tycoon 2FA Bypasses MFA via AiTM Phishing Kit

Tycoon 2FA is a Phishing-as-a-Service platform that uses an Adversary-in-the-Middle reverse proxy to capture credentials and session tokens from Microsoft 365 and Gmail logins, bypassing 2FA/MFA by relaying codes in real time. The kit uses obfuscated JavaScript, bot/debugger checks, hosted assets on services like Amazon S3, and dynamic templates to tailor attacks to organization-specific policies. #Tycoon2FA #Microsoft365 #Gmail

Keypoints

  • Tycoon 2FA is a Phishing-as-a-Service (PhaaS) launched August 2023 that focuses on bypassing 2FA/MFA for Microsoft and Gmail accounts via an Adversary-in-the-Middle reverse proxy.
  • The kit leverages multiple distribution vectors including PDFs, SVGs, PowerPoint files, emails, malicious websites, and hosting platforms like Amazon S3, Canva, and Dropbox.
  • Extensive pre-redirection checks (domain, CAPTCHA, bot/scanner, debugger) and timed bot checks are used to evade automated analysis and reduce detection.
  • Attack stages use layered obfuscated JavaScript (base64, XOR, CryptoJS/AES, LZ-string) with DOM Vanishing Act and debugger checks to load payloads and extract victim emails from URLs.
  • The attacker relays stolen credentials and MFA codes to the real Microsoft server, reads server responses, and dynamically serves matching login pages to the victim to maintain the illusion of legitimacy.
  • The kit analyzes error messages to infer organization-specific email/security policies, enabling highly targeted follow-up campaigns and credential abuse for lateral movement or data exfiltration.
  • Indicators and telemetry show high incidence (Any.run reports ~64,000 incidents), and the campaign’s infrastructure uses multiple hardcoded endpoints for data exfiltration and payload delivery.

MITRE Techniques

  • [T1192] Spearphishing Link – Tycoon uses phishing links distributed via PDFs, SVGs, PPTs and emails to lure victims (“The phishing links associated with the Tycoon 2FA campaign are distributed through … PDF documents … SVG Files … PowerPoint … Emails”).
  • [T1204.002] User Execution: Malicious File – Attackers embed or distribute malicious documents (PDF/PPT/SVG) that redirect to the phishing pages (“Attackers share these links using: PDF documents, SVG Files … PowerPoint (PPT) Presentations”).
  • [T1189] Drive-by Compromise – The kit hosts fake login pages on platforms like Amazon S3 and redirects victims to these pages (“The Tycoon threat actors are using Amazon S3 buckets to host the malicious fake login page”).
  • [T1608.002] Obfuscated Files or Information – The campaign uses base64, XOR, LZ-string compression and CryptoJS/AES encryption to obfuscate scripts and payloads (“The initial HTML page includes a JavaScript file with a base64-encoded payload … compressed using the LZ-string algorithm” and “encrypted using the AES algorithm and the CryptoJS library”).
  • [T1621] Multi-Factor Authentication Interception – Uses an Adversary-in-the-Middle reverse proxy to relay MFA codes and session tokens to bypass 2FA/MFA (“it employs a reverse proxy server … capturing user credentials and session cookies in real-time” and “prompts users to input their multi-factor authentication (MFA) code, which is then relayed to Microsoft’s servers in real-time”).
  • [T1566.001] Phishing: Spearphishing Attachment – Use of malicious attachments that redirect to phishing pages (PDF/PPT/SVG) to deliver the attack (“Attackers share these links using: PDF documents … PowerPoint (PPT) Presentations”).
  • [T1222] File and Directory Permissions Modification (web evasion) – DOM Vanishing Act removes scripts from the visible DOM to evade analysis (“the malicious JavaScript code removes itself from the Document Object Model (DOM) but the JavaScript is executed in the memory after leaving no visible trace”).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Uses Microsoft O365 graphics and boilerplate templates to mimic real login pages (“The first payload is the Microsoft O365 login graphics code. This is responsible for creating a realistic-looking Microsoft login page”).
  • [T1041] Exfiltration Over C2 Channel – Encrypted user data, credentials and session tokens are sent to attacker-controlled endpoints via POST requests (“This collected data … is then encrypted … and sent to an attacker’s endpoint via an AJAX POST request” and stolen credentials sent to attacker-controlled endpoints).
  • [T1203] Exploitation for Client Execution (script-based) – Malicious JavaScript executes in-browser to perform checks, decrypt payloads, and load follow-on components (“The script then uses the LZ-string library to decompress and execute the hidden payload” and multiple stages decrypt and execute payloads via global objects).

Indicators of Compromise

  • [Domain/URL] phishing/exfiltration endpoints and hosting – examples: qaok5hty3.vraudo.es (sample URL with embedded email), egk1w.onkttyhqjycn.es (hardcoded bot-check URI), and 3eJBE8eo5f13oigGmQkDKhEkKNK9c2TlnVZPVRc16Hnhi0G4kxTsXEf2gH[.]jgcrrouu[.]es (credential exfiltration endpoint).
  • [Cloud Storage] hosting locations – Amazon S3 bucket URL (s3.ap-northeast-3.amazonaws.com/…/index.html), plus references to Canva and Dropbox used to host content.
  • [File/Artifact Names] JavaScript/C2 paths and parameters – examples: /zcYbH5gqRHbzSQXiK8YtTbhpNSGtkZc6xbMyRBGazbWU8fjfq (C2 POST path), ../eypkDtn5lPJjyOMUrofhYfQwPk9fbGCAjUgZztc9dMlLdgv (form POST endpoint).
  • [Techniques/Signatures] obfuscation and crypto use – presence of base64-encoded payloads, LZ-string compression, XOR-obfuscated payloads, CryptoJS/AES encryption with hardcoded key/IV (key/IV example: 1234567890123456) mentioned in script behavior.
Read more: https://www.cybereason.com/blog/tycoon-phishing-kit-analysis