Tycoon 2FA is an evolving Phishing-as-a-Service (PhaaS) platform that uses advanced anti-detection techniques to bypass two-factor authentication for Microsoft 365 and Gmail accounts. Its developers frequently update evasion methods such as obfuscation, browser fingerprinting, CAPTCHAs, and environment checks, complicating detection and investigation efforts. #Tycoon2FA #Microsoft365 #Gmail
Key points
- Tycoon 2FA leverages an Adversary-in-the-Middle approach, capturing session cookies to bypass 2FA for Microsoft 365 and Gmail.
- The phishing kit uses multiple layers of obfuscation and domain verification to evade automated analysis and sandbox detection.
- Recent updates include enhanced anti-debugging checks, keystroke interception, context menu blocking, and dynamic multimedia loading from legitimate CDNs.
- Newer evasion trends feature browser fingerprinting, rotating CAPTCHAs (Google reCAPTCHA, IconCaptcha), encrypted payload delivery, and extended redirect chains.
- The attack employs a “triangle” of Command-and-Control domains across several TLDs (.ru, .es, .su, .com, .net, .org) to control payload execution and data exfiltration.
- Some evasion techniques remain simplistic, such as the use of hardcoded encryption keys and standard obfuscation tools, suggesting partial amateur implementation.
- Effective defense relies on behavioral analysis focusing on patterns of domain communication, resource loading, and session redirects rather than static signature detection.
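The last point calls for behavioral rather than signature-based detection. The script below is an added example written for this summary, not code from ANY.RUN or from the Tycoon 2FA analysis; it scores constructed proxy log lines per session for the three behaviors named above: a multi-hop redirect chain that crosses several TLDs, Okta-branded CSS served from a host that is not Okta's, and a JSON POST to a host outside the landing page's TLD. The log format, the session identifiers, the `example.*` hosts and the `OKTA_HOSTS` allow-list are all assumptions made for the example; the one phishing domain in the sample comes from the IoC list further down.

```python
"""Behavioral triage of proxy logs for AitM-phishing style sessions.

Added example; the log format ("<session> <method> <url> <status> <content-type>")
and all hosts except the IoC domain are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: s1 is a benign webmail session, s2 follows the
# redirect-chain -> phishing page -> cross-TLD POST pattern described above.
SAMPLE_LOG = """\
s1 GET https://mail.example-corp.test/inbox 200 text/html
s1 GET https://mail.example-corp.test/static/app.css 200 text/css
s2 GET https://link-check.example.ru/go 302 text/html
s2 GET https://verify.example.es/?next=abc 302 text/html
s2 GET https://stellarnetwork.sucileton.com/EQn1RAKa/ 200 text/html
s2 GET https://stellarnetwork.sucileton.com/assets/okta-sign-in.min.css 200 text/css
s2 POST https://api.example.su/collect 200 application/json
"""

LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")

# Hosts that legitimately serve Okta sign-in assets (assumed allow-list).
OKTA_HOSTS = ("okta.com", "oktacdn.com")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_log(text):
    """Group log lines by session id; malformed lines are skipped."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        sess, method, url, status, ctype = m.groups()
        sessions[sess].append({
            "method": method,
            "url": url,
            "host": urlsplit(url).hostname or "",
            "path": urlsplit(url).path.lower(),
            "status": int(status),
            "ctype": ctype,
        })
    return sessions


def tld(host):
    """Naive TLD: last DNS label (no public-suffix handling, by design)."""
    return host.rsplit(".", 1)[-1].lower()


def is_okta_host(host):
    return any(host == h or host.endswith("." + h) for h in OKTA_HOSTS)


def analyze_session(events):
    """Return a list of human-readable reasons a session looks suspicious."""
    reasons = []

    # 1. Extended redirect chain spanning several TLDs.
    hops = [e for e in events if e["status"] in REDIRECT_STATUSES]
    tlds = {tld(e["host"]) for e in events if e["host"]}
    if len(hops) >= 2 and len(tlds) >= 3:
        reasons.append(f"{len(hops)}-hop redirect chain across TLDs {sorted(tlds)}")

    # 2. Okta-branded stylesheet loaded from a non-Okta origin.
    for e in events:
        if e["ctype"] == "text/css" and "okta" in e["path"] and not is_okta_host(e["host"]):
            reasons.append(f"Okta-branded CSS served from {e['host']}")

    # 3. JSON POST to a host whose TLD differs from the rendered landing page.
    landing = next((e for e in events
                    if e["method"] == "GET" and e["status"] == 200
                    and e["ctype"].startswith("text/html")), None)
    if landing:
        for e in events:
            if (e["method"] == "POST" and e["ctype"] == "application/json"
                    and tld(e["host"]) != tld(landing["host"])):
                reasons.append(f"JSON POST to {e['host']} outside landing TLD .{tld(landing['host'])}")
    return reasons


def analyze(text):
    """Map session id -> reasons, keeping only sessions with at least one hit."""
    return {s: r for s, r in ((s, analyze_session(ev)) for s, ev in parse_log(text).items()) if r}


if __name__ == "__main__":
    for sess, reasons in analyze(SAMPLE_LOG).items():
        print(sess, "->", "; ".join(reasons))
```

Each rule alone is noisy (corporate SSO setups also redirect, CDNs also host vendor CSS); the value is in a session accumulating several of them, which is why `analyze` returns the full list of reasons rather than a single verdict, leaving the scoring threshold to the analyst.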
MITRE Techniques
- [T1556] Credentials from Web Browsers – Tycoon 2FA captures session cookies after 2FA authentication to reuse sessions (‘…the server captures session cookies, allowing attackers to reuse the session and bypass security measures.’).
- [T1204] User Execution – The phishing pages trick victims into entering credentials on fake Microsoft Outlook login pages (‘…frontend mimics a Microsoft Outlook login page, designed to trick victims into entering their credentials.’).
- [T1040] Network Sniffing – Tycoon 2FA intercepts communication by acting as an Adversary-in-the-Middle via reverse proxy servers (‘…attackers set up a phishing page through a reverse proxy server…’).
- [T1059] Command and Scripting Interpreter – Use of JavaScript obfuscation and dynamic code execution via eval() (‘…invisible obfuscation … uses proxy object calls and getter methods to retrieve and execute code via eval().’).
- [T1562] Impair Defenses – Anti-debugging and anti-analysis methods including debugger timing checks, keystroke interception, and context menu blocking (‘…script intercepts keyboard shortcuts… disables right-click context menu… measures debugger launch time…’).
- [T1071] Application Layer Protocol – Use of HTTP/S POST and GET requests to communicate with C2 servers and exchange encrypted payloads (‘…sends POST requests to C2 server with encrypted data… receives JSON responses with ciphertext…’).
- [T1176] Browser Extensions – Browser fingerprinting techniques to detect sandbox and bot environments (‘…collecting browser environment details… sent to attacker’s server for validation checks…’).
Indicators of Compromise
- [URLs] Phishing and C2 domains – hxxps://stellarnetwork.sucileton.com/EQn1RAKa/, hxxps:///?<2nddomain>=<base64payload> (used in multi-stage redirects and payload delivery).
- [File Names] Captcha and obfuscation scripts – JavaScript files implementing Cloudflare Turnstile, Google reCAPTCHA, custom CAPTCHA scripts, and Base64 + XOR obfuscation routines observed throughout stages.
- [IP Addresses] Not specified explicitly; however, multiple TLDs including .ru, .es, .su, .com, .net, and .org are used for phishing and command domains.
- [Encryption Keys] Hardcoded AES keys and IVs such as ‘1234567890123456’ – used for payload encryption and data exfiltration.
- [Behavioral Patterns] Repeated communication with a specific ‘triangle’ of C2 domains, loading of Okta CSS, and distinctive JavaScript/CSS web content.
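The IoC list mentions Base64 + XOR obfuscation routines in the kit's scripts, and the key points note that hardcoded keys (the ‘1234567890123456’ AES key/IV above) are part of why the kit's encryption is easy to analyze. The helper below is an added example for analysts, not code from the post or from the kit; it assumes the simplest form of that layering, a repeating-key XOR wrapped in Base64 (the post does not specify the XOR scheme), and shows both decoding with a known key and recovering the key from a known-plaintext prefix, which is the practical route when a sample's key is not yet isolated. The sample payload and the key `k3y-example!` are constructed.

```python
"""Decode and key-recover Base64(XOR(plaintext, repeating key)) blobs.

Added example for analysts; the XOR scheme, sample payload and key are
assumptions made for illustration, not values taken from the kit.
"""
import base64

# Constructed sample: a fake exfiltration record and a fake repeating key.
SAMPLE_KEY = b"k3y-example!"
SAMPLE_PLAINTEXT = '{"session_id":"constructed-001","cookie":"ESTSAUTH=placeholder"}'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(plaintext: str, key: bytes) -> str:
    """Produce a Base64(XOR(...)) blob; used only to create test input here."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()


def deobfuscate(blob: str, key: bytes) -> str:
    """Reverse the layering: Base64-decode, then XOR with the known key."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8", errors="replace")


def _is_printable(data: bytes) -> bool:
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def recover_key(blob: str, known_prefix: bytes, max_key_len: int = 32):
    """Recover a repeating XOR key from a known plaintext prefix.

    For each candidate key length, derive the key from the prefix, decode the
    whole blob and accept the first length whose output reproduces the prefix
    and is entirely printable. The prefix must be at least as long as the key.
    Returns None when no length up to max_key_len fits.
    """
    raw = base64.b64decode(blob)
    for klen in range(1, max_key_len + 1):
        if klen > len(known_prefix) or klen > len(raw):
            break
        candidate = bytes(raw[i] ^ known_prefix[i] for i in range(klen))
        decoded = xor_bytes(raw, candidate)
        if decoded.startswith(known_prefix) and _is_printable(decoded):
            return candidate
    return None


SAMPLE_BLOB = build_sample(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("known key   :", deobfuscate(SAMPLE_BLOB, SAMPLE_KEY))
    # An analyst usually knows how the payload starts (JSON object, script tag).
    key = recover_key(SAMPLE_BLOB, b'{"session_id":"')
    print("recovered   :", key)
    print("decoded     :", deobfuscate(SAMPLE_BLOB, key))
```

`recover_key` deliberately requires the recovered text to reproduce the whole prefix, not just the first `klen` bytes: a too-short candidate only matches beyond `klen` if the real key happens to be periodic, so the check rejects shorter guesses before the printable heuristic has to.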
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/tycoon2fa-evasion-analysis/