Tycoon 2FA: A Technical Analysis of its Adversary-in-the-Middle Phishing Operation – CYFIRMA

Tycoon 2FA is a rapidly evolving Phishing-as-a-Service (PhaaS) platform that uses real-time Adversary-in-the-Middle (AitM) relaying to capture credentials and post-MFA session tokens, bypassing many legacy MFA methods through high-fidelity phishing pages for Microsoft 365, Gmail, and Outlook. CYFIRMA observed rapid infrastructure expansion, extensive domain rotation, layered obfuscation (Base64, AES/RC4, dynamic JavaScript), and Telegram-based distribution that puts the kit within reach of a wide range of threat actors.

Key points

  • Tycoon 2FA operates as a subscription-based PhaaS sold via Telegram, enabling low-skill actors to deploy sophisticated AitM phishing campaigns.
  • The platform relays victim logins to the legitimate service in real time, capturing the credentials, the MFA response, and the session token the service issues once MFA succeeds; replaying that token is what effectively bypasses SMS, TOTP, and push MFA, none of which bind the authentication to the legitimate origin.
  • Observed phishing flow includes CAPTCHA gating, email validation, password capture with immediate exfiltration, and a fake “Sign-In Blocked” decoy to delay victim response.
  • Infrastructure uses rapid domain rotation, multi-layered randomized endpoints, Base64-encoded/encrypted payloads, and cross-origin collection domains to evade static blocklists.
  • Technical evasions include dynamic JavaScript obfuscation, Unicode code hiding, browser fingerprint checks, CAPTCHA frontends, and shifts between AES and RC4 encryption.
  • Examples of malicious infrastructure: ifelse[.]rlcozx[.]es (cross-origin collector) and disposable subdomains such as dragonfly[.]kooverou[.]sa[.]com, candy[.]dreajeacrio[.]sa[.]com, and blanket[.]dreajeacrio[.]sa[.]com.
  • Recommended mitigations emphasize phishing-resistant authentication (FIDO2/WebAuthn passkeys or certificate-based sign-in, which bind the credential to the legitimate origin so a relayed login fails), stronger session controls such as shorter token lifetimes and token binding, domain monitoring, detection of AitM indicators, and rapid incident response including session and token invalidation.
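The "detection of AitM indicators" and "session/token invalidation" points above can be made concrete. The following is an added example, not code from CYFIRMA or from the Tycoon 2FA analysis: it runs two checks over sign-in and token-use events, one for a token issued to a network outside the user's known networks (in an AitM flow the identity provider sees the phishing proxy, not the victim) and one for a token presented from a different network or user agent than the one it was issued to. The event shape, the /24 and /48 collapsing, the per-user baseline dictionary and the sample events (RFC 5737 test addresses) are all constructed assumptions for the example.

```python
"""Flag session-token theft indicators consistent with AitM phishing (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    user: str
    session_id: str   # opaque identifier of the session cookie/token, never the raw secret
    src_ip: str
    user_agent: str
    kind: str         # "issued" = token minted at sign-in, "used" = token presented later


def network_of(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so NAT churn within one
    office does not trip the rule; an AitM proxy sits on an entirely different network."""
    addr = ip_address(ip)
    return str(ip_network(f"{ip}/{24 if addr.version == 4 else 48}", strict=False))


def aitm_indicators(events, baseline, window=timedelta(minutes=30)):
    """Return (session_id, user, indicator, detail) tuples in time order.

    indicator is one of:
      anomalous_signin - token issued to a network outside the user's known networks
      token_replay     - token presented from a different network or user agent than
                         the one it was issued to, within `window` of issuance
    Every finding is a candidate for immediate session revocation and password reset.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    issued = {e.session_id: e for e in ordered if e.kind == "issued"}
    findings = []
    for e in ordered:
        if e.kind == "issued":
            if network_of(e.src_ip) not in baseline.get(e.user, set()):
                findings.append((e.session_id, e.user, "anomalous_signin", e.src_ip))
        elif e.kind == "used" and e.session_id in issued:
            origin = issued[e.session_id]
            if not (timedelta(0) <= e.ts - origin.ts <= window):
                continue
            moved = network_of(e.src_ip) != network_of(origin.src_ip)
            if moved or e.user_agent != origin.user_agent:
                findings.append((e.session_id, e.user, "token_replay",
                                 f"{origin.src_ip} -> {e.src_ip}"))
    return findings


# Constructed sample data (not from the report). 203.0.113.0/24 is the victim's office;
# 198.51.100.77 plays the AitM proxy and 192.0.2.44 the attacker's own host.
def _t(h, m):
    return datetime(2025, 1, 15, h, m)

SAMPLE_BASELINE = {"alice": {network_of("203.0.113.10")}}
SAMPLE_EVENTS = [
    SessionEvent(_t(9, 0), "alice", "sess-A", "203.0.113.10", "Edge/Windows", "issued"),
    SessionEvent(_t(9, 5), "alice", "sess-A", "203.0.113.11", "Edge/Windows", "used"),
    SessionEvent(_t(10, 0), "alice", "sess-B", "198.51.100.77", "Chrome/Linux", "issued"),
    SessionEvent(_t(10, 3), "alice", "sess-B", "192.0.2.44", "Chrome/Linux", "used"),
    SessionEvent(_t(10, 4), "alice", "sess-Z", "192.0.2.44", "Chrome/Linux", "used"),  # unknown token, ignored
]

if __name__ == "__main__":
    for finding in aitm_indicators(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(*finding)
```

Only sess-B fires, once at issuance and once at replay; the legitimate sess-A stays silent because both of its events come from the baseline /24 with the same user agent. In production the baseline would be learned from weeks of sign-in history, and a finding would feed a revocation of the user's refresh tokens and sessions rather than just a print.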

MITRE Techniques

  • [T1598] Phishing for Information – High-fidelity phishing pages and an email-validation step harvest credentials before the relay begins: ‘The platform delivers high-fidelity phishing pages for Microsoft 365, Gmail, and Outlook.’
  • [T1583.001] Acquire Infrastructure: Domains – Rapid registration and rotation of disposable domains and subdomains hosting the phishing pages: ‘thousands of disposable domains and multiple language-targeted phishing templates.’
  • [T1588.002] Obtain Capabilities: Tool – Subscription access to the Tycoon 2FA kit via Telegram puts AitM phishing within reach of low-skill actors: ‘Customers purchase temporary access to Tycoon infrastructure through Telegram channels.’
  • [T1566.002] Phishing: Spearphishing Link – Emailed links lead victims into the AitM flow, which is fronted by a CAPTCHA gate: ‘The page first displays a CAPTCHA challenge before revealing any phishing content.’
  • [T1189] Drive-by Compromise – Browser-facing phishing pages capture input and relay authentication requests; note that the pages depend on the victim typing credentials rather than on a browser exploit, so this is a loose fit: ‘Tycoon dynamically generates these templates and can switch between Microsoft, Gmail, and Outlook.’
  • [T1027] Obfuscated Files or Information – Dynamic JavaScript obfuscation, Unicode-based code hiding, and encoded payloads frustrate static analysis: ‘dynamic JavaScript obfuscation, anti-analysis features…Unicode-based code hiding.’
  • [T1027.010] Command Obfuscation – Encoded and encrypted URL paths and payloads (Base64, AES, RC4) conceal the collector endpoints and the exfiltrated data: ‘Base64-encoded and encrypted payloads’ and ‘shifts between AES and RC4 encryption.’
  • [T1036] Masquerading – Phishing pages mimic legitimate Microsoft login flows and error screens, including the fake ‘Sign-In Blocked’ decoy: ‘redirected to a highly accurate Microsoft login clone.’
  • [T1036.002] Masquerading: Right-to-Left Override – Inferred from the Unicode-based code hiding; the quoted evidence does not show an RLO character in use: ‘Unicode-based code hiding.’
  • [T1110] Brute Force – Automated real-time login with the captured credentials; the quoted behaviour is credential replay through the relay rather than password guessing, so this mapping is loose: ‘which typically attempts real-time login to Microsoft services to retrieve session tokens for MFA bypass.’
  • [T1539] Steal Web Session Cookie – The relay captures the session cookie or token issued after the MFA challenge succeeds, which is what makes the MFA bypass work: ‘intercept not only usernames and passwords but also session tokens and MFA responses.’
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – The quoted evidence describes capture of credentials typed into the phishing form; extraction of the browser's stored credentials is not shown: ‘The platform relays the victim’s login requests to legitimate authentication services in real time.’
  • [T1649] Steal or Forge Authentication Certificates – Mapped under ‘session token manipulation’; the evidence describes theft and reuse of session tokens rather than of authentication certificates.
  • [T1056.002] Input Capture: GUI Input Capture – Credentials and MFA responses typed into the phishing web interface are captured and exfiltrated: ‘After an email is accepted, the victim is prompted for their password. Submitted credentials are immediately exfiltrated.’
  • [T1113] Screen Capture – Listed as a potential collection capability; no screen-capture behaviour is described in the analysis.
  • [T1071.001] Application Layer Protocol: Web Protocols – HTTP(S) carries both the phishing flow and the exfiltration to the backend: ‘Command-and-control backend’ and web-based phishing flow.
  • [T1090] Proxy – The AitM relay sits between the victim and the legitimate authentication service, mediating the login and capturing the resulting tokens: ‘relaying the victim’s login requests to legitimate authentication services in real time.’
  • [T1568.002] Dynamic Resolution: Domain Generation Algorithms – Rapid domain and subdomain rotation to avoid detection and maintain availability; the quoted evidence shows rotation across many TLDs but does not document a generation algorithm in the kit: ‘deliberately agile, maintaining persistent uptime through rapid domain rotation across diverse TLDs.’

Indicators of Compromise

  • [Domain] Malicious phishing collection and relay domains – ifelse[.]rlcozx[.]es (cross-origin collector); dreajeacrio[.]sa[.]com subdomains (candy[.]dreajeacrio[.]sa[.]com, blanket[.]dreajeacrio[.]sa[.]com)
  • [Domain] Malicious randomized subdomains – dragonfly[.]kooverou[.]sa[.]com (example of a disposable subdomain)
  • [URL] Malicious URL path used in the campaign – https://ifelse[.]rlcozx[.]es/N@g38UiKmbi/ (collector endpoint)
  • [YARA Signature] Detection rule strings – the YARA rule matches on ‘ifelse.rlcozx.es/N@g38UiKmbi’, ‘candy.dreajeacrio.sa.com’, ‘dragonfly.kooverou.sa.com’ and ‘blanket.dreajeacrio.sa.com’ (the rule needs the raw, undefanged strings)
  • [Technique Artifacts] Obfuscation/encryption indicators – Base64-encoded and encrypted payloads, switching between AES and RC4, and randomized endpoint paths of 70+ characters (evidence of encoded URL paths and payloads)
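The indicators above are only useful once they are run against telemetry, and the disposable subdomains will have rotated by the time a blocklist ships, so the structural artifact (70+ character randomized path segments) matters as much as the exact hosts. The following is an added example, not code from CYFIRMA or from the report: it refangs the published indicators, matches proxy-log URLs against the exact hosts and the collector path, and adds a length-plus-entropy heuristic for randomized endpoint segments. The parent-domain list (treating any subdomain of dreajeacrio.sa.com or kooverou.sa.com as suspect), the entropy threshold, the squid-style log layout and the sample log lines are constructed assumptions for the example.

```python
"""Scan proxy/web logs for the Tycoon 2FA indicators published in the report (added example)."""
import math
from urllib.parse import urlsplit

# Indicators as published (defanged). The parent-domain set is an editorial assumption:
# the report names these apexes only through their disposable subdomains.
TYCOON_HOSTS = {
    "ifelse[.]rlcozx[.]es",
    "candy[.]dreajeacrio[.]sa[.]com",
    "blanket[.]dreajeacrio[.]sa[.]com",
    "dragonfly[.]kooverou[.]sa[.]com",
}
TYCOON_PARENTS = {"dreajeacrio[.]sa[.]com", "kooverou[.]sa[.]com"}
TYCOON_PATHS = {"/N@g38UiKmbi/"}
LONG_SEGMENT = 70    # report: "70+ character randomized endpoints"
MIN_ENTROPY = 4.0    # bits per char; English words sit near 3, random alphanumerics above 5


def refang(s: str) -> str:
    """Turn a defanged indicator or URL back into a matchable string."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def classify_url(url: str):
    """Return the reasons a URL looks like Tycoon 2FA infrastructure (empty list = no match)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reasons = []
    hosts = {refang(h).lower() for h in TYCOON_HOSTS}
    parents = {refang(p).lower() for p in TYCOON_PARENTS}
    if host in hosts or any(host.endswith("." + p) for p in parents):
        reasons.append(f"known collector/phishing host {host}")
    if parts.path.lower() in {p.lower() for p in TYCOON_PATHS}:
        reasons.append("known collector path")
    # Structural check: one very long, high-entropy path segment, independent of the host.
    for seg in parts.path.split("/"):
        if len(seg) >= LONG_SEGMENT and shannon_entropy(seg) >= MIN_ENTROPY:
            reasons.append(f"randomized endpoint segment ({len(seg)} chars)")
            break
    return reasons


def scan_proxy_log(lines):
    """Return (url, reasons) for every log line whose URL field matches; one URL per line."""
    hits = []
    for line in lines:
        url = next((tok for tok in line.split() if "://" in tok), None)
        if url:
            reasons = classify_url(url)
            if reasons:
                hits.append((url, reasons))
    return hits


# Constructed sample data (not from the report): squid-style "time client method url status"
# lines, with a deterministic 72-character pseudo-random segment standing in for a
# randomized endpoint.
RANDOM_SEGMENT = "".join(chr(97 + (i * 7) % 26) + str(i % 10) for i in range(36))
SAMPLE_PROXY_LOG = [
    "1736935200.101 10.0.0.12 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 200",
    "1736935210.455 10.0.0.12 POST https://ifelse.rlcozx.es/N@g38UiKmbi/ 200",
    f"1736935215.002 10.0.0.12 GET https://candy.dreajeacrio.sa.com/{RANDOM_SEGMENT} 200",
    "1736935220.318 10.0.0.12 GET https://www.example.com/docs/getting-started 200",
]

if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(url, "->", "; ".join(reasons))
```

The legitimate Microsoft and example.com requests produce no reasons; the two phishing requests each produce two. Tune MIN_ENTROPY and LONG_SEGMENT against your own traffic before alerting on the structural check alone, since long opaque tokens in legitimate URLs (CDN asset hashes, signed blob URLs) will also clear the entropy bar and should be allowlisted by host.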


Read more: https://www.cyfirma.com/research/tycoon-2fa-a-technical-analysis-of-its-adversary-in-the-middle-phishing-operation/