Full Report
Tales from the phishing factory with over 1.9K domains
Analysis Summary
# Tool/Technique: Tycoon Phishing Kit
## Overview
The Tycoon Phishing Kit is a sophisticated tool used for credential harvesting, identified as the number one malware family based on AnyRun's trend reporting at the time of the report. The analysis pivots from a single phishing attempt to uncover extensive infrastructure associated with this kit, spanning over 1.9K unique domains. The kit utilizes generic, theme-based landing pages for large-scale, high-volume campaigns, often employing automation and potentially DGA (Domain Generation Algorithm) principles, sacrificing uniqueness for volume.
## Technical Details
- Type: Tool (Phishing Kit)
- Platform: Web-based (Used to host credential harvesting sites)
- Capabilities: Credential harvesting; infrastructure discovery by pivoting on unique HTML titles and network fingerprints (Banner Hash, Header Hash); abuse of a legitimate URL-rewriting service (Cisco Secure Email) for the initial redirect; an AI chatbot embedded on the landing page that served as a pivot fingerprint.
- First Seen: Not specified in the text; the kit is described only as the "number one malware family atm" (at the time of the report).
## MITRE ATT&CK Mapping
The Tycoon activity described here maps to resource development, initial access and credential theft.
- **TA0042 - Resource Development**
- **T1583.001 - Acquire Infrastructure: Domains** (the 1.9K+ bulk-registered domains, concentrated in the `.sa` and `.ru` TLDs)
- **TA0001 - Initial Access**
- **T1566 - Phishing**
- **T1566.002 - Spearphishing Link** (directly observed: a Cisco Secure Email rewritten URL leading to the harvesting page; no attachment-based delivery is described)
- **TA0006 - Credential Access**
- **T1056.003 - Input Capture: Web Portal Capture** (credentials typed into the impersonated landing page are captured server-side)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Primary function is to capture user credentials via impersonated landing pages.
- **Infrastructure Fingerprinting:** Relies on reproducible technical indicators such as specific HTML titles, Banner Hashes, and Header Hashes to discover related infrastructure.
- **Campaign Theming:** Employs several distinct, reusable landing page themes (Finquick, Desio Copilot, VoltGrid, Flowguide, TimberCraft) to group related phishing campaigns.
- **Volume over Uniqueness:** Automated deployment suggests a strategy focused on a high volume of domains rather than highly customized targets; the sheer count and naming of the domains point to algorithmic, DGA-style generation.
### Advanced Features
- **Redirection and Evasion:** The lure used a Cisco Secure Email rewritten link (`secure-web.cisco.com/<token>/<percent-encoded destination>`) wrapping `https://kdc[.]lk/office/`, so the first hop was a trusted vendor domain and the credential harvesting site was only reached after the redirect.
- **AI Chatbot Integration:** The primary credential harvesting URL initially featured an AI chatbot; its presence served as a unique fingerprint for pivoting when direct access was blocked or needed verification.
- **Generic Fallback Templates:** When a specific campaign is inactive or paused, the original harvest URL redirects visitors to one of the generic theme pages, which is why the theme titles remain useful pivots even for domains that no longer serve a login page.
## Indicators of Compromise
The primary IOCs identified are infrastructure-based, derived from fingerprinting:
- File Hashes: Not detailed in the summary.
- File Names: Not detailed in the summary.
- Registry Keys: Not applicable/detailed.
- Network Indicators:
- Initial Redirect URL: `hxxps://secure-web[.]cisco[.]com/1pXh...G0R_BE/https%3A%2F%2Fkdc[.]lk%2Foffice%2F` (defanged; the token segment is truncated in the report)
- Initial Harvest Domain: `scss[.]noriocha[.]biz[.]id` (Defanged)
- Pivoted Domains: Over 1,900 unique domains identified, with high concentration on `.sa` and `.ru` TLDs.
- Specific HTML page titles used as pivoting indicators (the per-theme counts sum to well above the 1.9K unique total, so a single domain can appear under more than one title):
- Finquick - Finance & Payments SaaS Landing (548 Domains)
- Desio Copilot – AI Workspace (895 Domains)
- VoltGrid | Clean Energy Solutions (585 Domains)
- Flowguide – Product Guide & Docs (880 Domains)
- TimberCraft | Premium Wood Construction (657 Domains)
- Behavioral Indicators: Reuse of generic text and images across themes (the Finquick, Desio and VoltGrid pages overlap).
## Associated Threat Actors
- Threat actors utilizing the "Tycoon Phishing Kit." (No specific named APT/Group provided in the excerpt, only the tool family).
## Detection Methods
Detection methods suggested by the analysis include:
- **Signature-based detection:** Matching known Banner Hashes and Header Hashes against scan data (Shodan/Censys-style fingerprints) to enumerate hosts on the same kit deployment.
- **Behavioral detection:** Monitoring for the redirect chain (URL-rewriting wrapper domain to `kdc[.]lk` to the harvest domain) and for the AI chatbot widget that fronted the harvest page.
- **YARA/content rules:** Rules built from the known text, image and `<title>` fingerprints of the five template themes, applied to fetched landing pages.
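The title and header-hash pivot described above, as an added example (not code from the original report). It fingerprints a raw HTTP response by its `<title>` against the five theme titles and by two hashes; the report does not define how its Banner Hash and Header Hash are computed, so the hashing scheme here (SHA-256 over the sorted header names, and over the status line plus Server header) is an assumption, and the sample responses are constructed rather than captured from real infrastructure:

```python
"""Added example: title and header/banner hash fingerprinting for pivoting.
The hash schemes are assumptions; the report does not specify them."""
import hashlib
import html
import re

# HTML <title> strings the report lists as pivot indicators for the five themes.
TYCOON_TITLES = {
    "Finquick - Finance & Payments SaaS Landing",
    "Desio Copilot \u2013 AI Workspace",
    "VoltGrid | Clean Energy Solutions",
    "Flowguide \u2013 Product Guide & Docs",
    "TimberCraft | Premium Wood Construction",
}

_TITLE_RE = re.compile(rb"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lowercased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_title(body: bytes):
    """Return the whitespace-normalised, HTML-unescaped <title>, or None if absent."""
    m = _TITLE_RE.search(body)
    if not m:
        return None
    text = html.unescape(m.group(1).decode("utf-8", "replace"))
    return " ".join(text.split())


def header_hash(headers):
    """Assumed scheme: SHA-256 over the sorted header *names* only.  Values such
    as Date change per response, so only the set of headers the server stack
    emits is hashed; hosts on the same deployment match even if titles differ."""
    canon = "\n".join(sorted(headers))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def banner_hash(status_line, headers):
    """Assumed scheme: SHA-256 over the status line plus the Server header value."""
    canon = status_line + "\n" + headers.get("server", "")
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def classify(raw: bytes):
    """Fingerprint one response: theme-title match plus both hashes."""
    status, headers, body = parse_response(raw)
    title = extract_title(body)
    return {
        "title": title,
        "theme": title if title in TYCOON_TITLES else None,
        "header_hash": header_hash(headers),
        "banner_hash": banner_hash(status, headers),
    }


def pivot(responses, seed_hash):
    """Hosts whose header hash equals the seed's: pivot candidates regardless of
    which template (or a generic fallback page) they currently serve."""
    return sorted(host for host, raw in responses.items()
                  if header_hash(parse_response(raw)[1]) == seed_hash)


# Constructed sample responses (not captured from real infrastructure).
_HEAD = (b"HTTP/1.1 200 OK\r\n"
         b"Server: nginx\r\n"
         b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
         b"Content-Type: text/html; charset=utf-8\r\n"
         b"X-Powered-By: PHP/8.2\r\n"
         b"\r\n")
SAMPLE_THEME = _HEAD + b"<html><head><title>Desio Copilot &ndash; AI Workspace</title></head><body></body></html>"
SAMPLE_GENERIC = _HEAD + b"<html><head><title>Welcome</title></head><body></body></html>"
SAMPLE_OTHER = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
                b"<html><head><title>Welcome</title></head></html>")
SAMPLES = {"theme.example": SAMPLE_THEME,
           "generic.example": SAMPLE_GENERIC,
           "other.example": SAMPLE_OTHER}

if __name__ == "__main__":
    seed = classify(SAMPLE_THEME)
    print(seed)
    print(pivot(SAMPLES, seed["header_hash"]))
```

The generic sample shares the theme sample's header hash but not its title, which is the situation the report describes for paused campaigns: the title pivot misses it, the header-hash pivot still links it. The third sample, on a different server stack, is excluded.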
## Mitigation Strategies
- **Security Control Review:** A rewritten link such as `secure-web.cisco.com/...` is the email gateway's own click-time protection, not evidence that the destination was vetted. Do not allow-list URL-rewriting wrapper domains in downstream web proxies or SIEM rules; evaluate the wrapped destination instead.
- **Infrastructure Monitoring:** Monitor newly registered domains sharing common characteristics such as the observed TLD concentration (`.sa`, `.ru`) or known header/banner hashes, and block or sinkhole matches before they are used in lures.
- **DGA/Automation Defense:** Apply controls that flag bursts of look-alike, algorithmically generated domains rather than relying on per-domain reputation, since the kit trades uniqueness for volume.
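Unwrapping the rewritten link and checking the real destination against the report's IOCs, as an added example (not code from the original report). It implements the Security Control Review point above for the redirect described under Advanced Features; the host `secure-web.cisco.com` and the `/<token>/<percent-encoded destination>` layout are taken from the quoted redirect URL, while the token value, the sample links and the `www.` prefix on the harvest domain are constructed placeholders:

```python
"""Added example: resolve a URL-rewriting wrapper to its real destination and
match that destination against defanged IOC domains."""
from urllib.parse import urlsplit, unquote

# URL-rewriting services whose links carry the real destination in the path.
# Only the Cisco host is taken from the report; the '/<token>/<encoded URL>'
# layout is inferred from the redirect URL quoted there.
REWRITE_HOSTS = {"secure-web.cisco.com"}

# Defanged IOC domains from the report.
IOC_DOMAINS = ["kdc[.]lk", "scss[.]noriocha[.]biz[.]id"]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def defang(indicator: str) -> str:
    return indicator.replace(".", "[.]").replace("http", "hxxp")


def unwrap(url: str) -> str:
    """Return the destination wrapped by a known rewriting proxy, or the URL unchanged.
    Loops so a wrapper nested inside another wrapper is still resolved; the wrapper's
    own query string is ignored because its meaning is not documented here."""
    seen = set()
    while True:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in REWRITE_HOSTS or url in seen:
            return url
        seen.add(url)
        segments = parts.path.split("/", 2)  # ['', '<token>', '<percent-encoded destination>']
        if len(segments) < 3 or not segments[2]:
            return url
        url = unquote(segments[2])


def matched_ioc(url: str):
    """Return the IOC domain the URL's host equals or sits under, else None."""
    host = (urlsplit(url).hostname or "").lower()
    for ioc in IOC_DOMAINS:
        dom = refang(ioc).lower()
        if host == dom or host.endswith("." + dom):
            return ioc
    return None


def check_link(url: str):
    """Unwrap, then report whether the real destination hits an IOC."""
    dest = unwrap(url)
    return {"wrapped": dest != url, "destination": defang(dest), "ioc": matched_ioc(dest)}


# Constructed samples: TOKEN_PLACEHOLDER stands in for the report's truncated token.
SAMPLE_WRAPPED = "https://secure-web.cisco.com/TOKEN_PLACEHOLDER/https%3A%2F%2Fkdc.lk%2Foffice%2F"
SAMPLE_PLAIN = "https://www.scss.noriocha.biz.id/login"
SAMPLE_BENIGN = "https://secure-web.cisco.com/TOKEN_PLACEHOLDER/https%3A%2F%2Fexample.org%2F"

if __name__ == "__main__":
    for link in (SAMPLE_WRAPPED, SAMPLE_PLAIN, SAMPLE_BENIGN):
        print(defang(link), "->", check_link(link))
```

The point of `unwrap` is that a proxy or SIEM rule keyed on the first-hop host sees only the vendor domain; only after decoding the path segment does the `kdc[.]lk` indicator match. Subdomains of an IOC are matched by suffix so a `www.` or `scss.` label does not evade the check.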
## Related Tools/Techniques
- **DGA (Domain Generation Algorithm):** The volume and naming of the domains suggest DGA-style bulk generation to feed the infrastructure, though the report does not recover the algorithm itself.
- **Phishing Kits:** Other commercial or open-source phishing kits that employ similar automated deployment and theme reuse strategies.