This post is the first in a new series for the Barracuda Blog. Each of our Malware Brief posts will highlight a few different trending malware threats.
Analysis Summary
# Tool/Technique: Tycoon 2FA
## Overview
Tycoon 2FA is a Phishing-as-a-Service (PhaaS) platform built to steal credentials, primarily for Microsoft 365 and Gmail accounts. Its defining feature is an Adversary-in-the-Middle (AiTM) reverse proxy: the phishing page relays the victim's login to the real identity provider in real time, so the victim completes the Two-Factor Authentication (2FA) challenge themselves, and the kit captures the resulting authenticated session cookie. The operator then replays that cookie to access the account without needing the password or a second factor again.
## Technical Details
- Type: Phishing Kit (Phishing-as-a-Service)
- Platform: Web (hosted phishing pages that proxy the login flows of the targeted services)
- Capabilities: Phishing page hosting, credential harvesting, AiTM session cookie capture and reuse, potential for subsequent malware delivery and reconnaissance.
- First Seen: August 2023
## MITRE ATT&CK Mapping
The primary focus of Tycoon 2FA is credential theft and session hijacking.
- **TA0001 - Initial Access**
- **T1566 - Phishing**
- T1566.002 - Spearphishing Link (victims reach the proxy page through URLs or QR codes delivered by email)
- **TA0006 - Credential Access**
- **T1557 - Adversary-in-the-Middle** (the reverse proxy sits between the victim and the legitimate login page and sees the credentials in transit)
- **T1539 - Steal Web Session Cookie** (the authenticated session cookie is captured once the victim has satisfied 2FA)
- **TA0005 - Defense Evasion**
- **T1550.004 - Use Alternate Authentication Material: Web Session Cookie** (the stolen cookie is replayed to access the account without a new credential or MFA prompt)
## Functionality
### Core Capabilities
- Creation and execution of targeted phishing attacks using fake web pages.
- Harvesting of user credentials.
- Evasion of MFA by placing an AiTM reverse proxy between the victim and the legitimate login service, so the victim's own 2FA approval is captured and reused rather than broken.
### Advanced Features
- **AiTM Bypass:** Captures and replays the authenticated session cookie. Because the cookie stays valid until the session itself is revoked, access can persist even after the user changes their password unless existing sessions and refresh tokens are revoked as well.
- **Ease of Use:** Accessible to individuals with limited technical skill, sold via Telegram channels.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context]
- Registry Keys: [Not specified in context]
- Network Indicators: [Associated with C2/distribution infrastructure, sold via Telegram channels (e.g., @Tycoon\_Group, @SaaadFridi, @Mr\_XaaD)]
- Behavioral Indicators: Directing targets to fake login portals via URLs or QR codes; interception and reuse of authentication tokens/session cookies.
## Associated Threat Actors
- Tycoon Group
- SaaadFridi
- Mr\_XaaD (Known operators/vendors)
## Detection Methods
- Signature-based detection: [Not specified in context]
- Behavioral detection: Correlate identity-provider sign-in logs with subsequent activity. With an AiTM proxy in the path, the provider records the victim's sign-in, with MFA satisfied, from the proxy's IP address rather than the user's, and the stolen cookie is then typically used from yet another address. Alert on sign-ins whose IP, ASN or geography does not match the user's history, and on session activity from a different network or user agent shortly after a successful MFA sign-in.
- YARA rules: [Not specified in context]
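The correlation described above, written out as an added example (not code from the original post or from the Tycoon 2FA kit). The record layout loosely follows Microsoft 365 sign-in and activity logs, but the field names, the 30-minute window, the ASNs and the sample events are assumptions; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Flag possible AiTM session-cookie replay in sign-in/activity logs (added example)."""
from datetime import datetime, timedelta

# Constructed sample records. Field names and values are illustrative only.
SAMPLE_EVENTS = [
    # alice: MFA-satisfied sign-in recorded from a hosting-provider address (the proxy),
    # then mailbox activity four minutes later from another address in another country.
    {"ts": "2025-05-01T09:00:00Z", "user": "alice", "event": "SignIn", "mfa": True,
     "ip": "198.51.100.7", "asn": 64500, "country": "DE", "ua": "Chrome/124 Windows"},
    {"ts": "2025-05-01T09:04:00Z", "user": "alice", "event": "MailboxAccess", "mfa": None,
     "ip": "192.0.2.44", "asn": 64501, "country": "NL", "ua": "Chrome/124 Linux"},
    # bob: normal sign-in and activity from the same address.
    {"ts": "2025-05-01T09:10:00Z", "user": "bob", "event": "SignIn", "mfa": True,
     "ip": "203.0.113.10", "asn": 64496, "country": "US", "ua": "Edge/124 Windows"},
    {"ts": "2025-05-01T09:12:00Z", "user": "bob", "event": "MailboxAccess", "mfa": None,
     "ip": "203.0.113.10", "asn": 64496, "country": "US", "ua": "Edge/124 Windows"},
    # carol: address changed (carrier NAT) but same ASN and country, so not flagged.
    {"ts": "2025-05-01T09:20:00Z", "user": "carol", "event": "SignIn", "mfa": True,
     "ip": "203.0.113.50", "asn": 64497, "country": "US", "ua": "Safari/17 iOS"},
    {"ts": "2025-05-01T09:25:00Z", "user": "carol", "event": "MailboxAccess", "mfa": None,
     "ip": "203.0.113.51", "asn": 64497, "country": "US", "ua": "Safari/17 iOS"},
]

WINDOW = timedelta(minutes=30)  # assumed: how soon after sign-in replayed activity is suspicious


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events, window=WINDOW):
    """Return alerts for activity that follows an MFA-satisfied sign-in for the same
    user within `window` but comes from a different ASN or country."""
    alerts = []
    last_signin = {}  # user -> most recent MFA-satisfied sign-in record
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        if ev["event"] == "SignIn":
            if ev["mfa"]:
                last_signin[ev["user"]] = ev
            continue
        ref = last_signin.get(ev["user"])
        if ref is None:
            continue
        delta = _parse_ts(ev["ts"]) - _parse_ts(ref["ts"])
        if delta > window or ev["ip"] == ref["ip"]:
            continue
        reasons = []
        if ev["asn"] != ref["asn"]:
            reasons.append("asn_changed")
        if ev["country"] != ref["country"]:
            reasons.append("country_changed")
        if ev["ua"] != ref["ua"]:
            reasons.append("user_agent_changed")
        # A bare IP change inside the same ASN and country is routine (NAT, mobile
        # carriers), so require a network-level change before alerting.
        if "asn_changed" in reasons or "country_changed" in reasons:
            alerts.append({"user": ev["user"], "signin_ip": ref["ip"], "activity_ip": ev["ip"],
                           "minutes_after_signin": delta.seconds // 60, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
```

The user-agent change is recorded but does not trigger on its own, since many clients present different strings to the identity provider and to mail endpoints; it is kept as corroborating detail for the analyst. In production the ASN and country fields would come from enrichment of the raw IP, and the sign-in ASN itself is worth scoring, because a successful MFA login from a hosting provider rather than a residential or corporate network is the proxy's footprint.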
## Mitigation Strategies
- Implement phishing-resistant MFA (FIDO2/WebAuthn security keys or platform authenticators, or certificate-based authentication). These bind the authentication to the legitimate site's origin, so the ceremony cannot be completed through a proxy on a look-alike domain; push approvals, SMS codes and TOTP give no such protection against AiTM.
- User training emphasizing awareness of URL authenticity and QR code scanning risks.
- Monitoring identity logs for session-cookie reuse after an otherwise legitimate authentication (a new IP, ASN or device on an existing session), and revoking active sessions and refresh tokens, not only resetting the password, when compromise is suspected.
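To show why origin-bound MFA holds up where a one-time code does not, here is the relying-party side of a WebAuthn assertion check as an added example (not code from the original post, from any identity provider or from an authenticator). The RP ID, the two origins and the challenge are assumed values; the signature verification that follows these checks is named but not performed here.

```python
"""Relying-party checks on a WebAuthn assertion that defeat an AiTM proxy (added example)."""
import base64
import hashlib
import json
import os

RP_ID = "login.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # the only origin this RP accepts
PROXY_ORIGIN = "https://login.example-com.net"  # assumed look-alike AiTM domain


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser serialises as clientDataJSON for navigator.credentials.get().
    The browser fills in `origin` itself; page script on the phishing site cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (1) || signCount (4), as an authenticator emits for an assertion."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID):
    """The checks a relying party performs before verifying the assertion signature.
    Returns (ok, reason). The signature covers auth_data || SHA-256(client_data_json),
    so a proxy cannot rewrite the origin without invalidating it."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if unb64url(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch or replay"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    return True, f"client data ok; verify the signature over {len(signed_bytes)} bytes next"


def demo():
    """Compare a legitimate assertion with one produced on a proxy's origin for the same challenge."""
    challenge = os.urandom(32)
    auth_data = make_authenticator_data(RP_ID)
    # Legitimate: the user's browser is on the real origin.
    legit = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge)
    # AiTM: the proxy relays the RP's challenge, but the browser stamps the proxy's origin.
    phished = verify_assertion(make_client_data(PROXY_ORIGIN, challenge), auth_data, challenge)
    return legit, phished


if __name__ == "__main__":
    for label, result in zip(("legitimate", "through AiTM proxy"), demo()):
        print(f"{label}: {result}")
```

In a real browser the proxied attempt fails even earlier: a page on the look-alike origin can only request credentials whose RP ID is a registrable-domain suffix of its own origin, so it cannot ask for a credential scoped to `login.example.com` at all. The origin check above is the relying party's backstop if that client-side rule were ever bypassed, and a replayed session cookie is unaffected by any of this, which is why session monitoring and revocation remain necessary alongside phishing-resistant MFA.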
## Related Tools/Techniques
- Other PhaaS platforms.
- Adversary-in-the-Middle (AiTM) frameworks.
***
# Tool/Technique: Lumma (aka LummaC, LummaC2)
## Overview
Lumma is an infostealer distributed as Malware-as-a-Service (MaaS). It targets Windows systems (7 through 11) to find, gather, and exfiltrate sensitive data, including cryptocurrency wallet credentials and login information. It can also function as a malware loader.
## Technical Details
- Type: Infostealer (Malware-as-a-Service)
- Platform: Windows 7 – 11
- Capabilities: Data exfiltration (credentials, crypto wallet data), log collection, malware loading (secondary payload delivery).
- First Seen: August 2022
## MITRE ATT&CK Mapping
Lumma's primary goals center on stealing information from compromised systems.
- **TA0002 - Execution**
- **T1204 - User Execution** (victims run the stealer themselves after phishing, fake-software or cracked-software lures)
- **TA0006 - Credential Access**
- **T1555 - Credentials from Password Stores**
- T1555.003 - Credentials from Web Browsers (saved browser logins)
- **TA0009 - Collection**
- **T1005 - Data from Local System** (cryptocurrency wallet files and stored configuration data)
- **TA0010 - Exfiltration**
- **T1041 - Exfiltration Over C2 Channel**
- **TA0011 - Command and Control**
- **T1105 - Ingress Tool Transfer** (downloads and runs additional payloads when used as a loader)
## Functionality
### Core Capabilities
- Collecting data logs from compromised endpoints.
- Stealing login credentials and cryptocurrency wallet information.
- Exfiltrating sensitive data.
### Advanced Features
- Functionality as a loader to install additional types of malware onto the victim system.
- Wide availability and flexible pricing as an MaaS offering.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context]
- Registry Keys: [Not specified in context]
- Network Indicators: More than 1,300 domains tied to the central command infrastructure were recently seized. Specific current C2 addresses are not provided here.
- Behavioral Indicators: Attempts to locate and read files related to browsers, wallets, and stored configuration files; establishing outbound connections for data exfiltration.
## Associated Threat Actors
- Various actors purchasing the Malware-as-a-Service.
## Detection Methods
- Signature-based detection: Known hashes or file names associated with Lumma executables.
- Behavioral detection: A single non-browser process reading browser credential stores (such as the Chromium `Login Data` and `Cookies` databases or Firefox `logins.json`) and cryptocurrency wallet directories in quick succession, followed by an outbound connection from that same process.
- YARA rules: [Not specified in context]
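The file-access-then-network correlation above, as an added example (not code from the original post or from Lumma). The browser profile paths are the real Chromium and Firefox locations; the wallet patterns, the process allowlist, the event format and the sample events are assumptions. A real feed would come from EDR file-read telemetry plus Sysmon Event ID 3 for the network connections.

```python
"""Correlate sensitive-file reads by one process with its next outbound connection (added example)."""
import fnmatch
from datetime import datetime, timedelta

# Stores infostealers commonly read. Browser entries are real profile paths; the
# wallet entries are illustrative (Exodus, Electrum and the MetaMask extension store).
SENSITIVE_PATTERNS = {
    "browser_logins": [r"*\User Data\*\Login Data", r"*\Profiles\*\logins.json"],
    "browser_cookies": [r"*\User Data\*\Cookies", r"*\User Data\*\Network\Cookies",
                        r"*\Profiles\*\cookies.sqlite"],
    "wallet": [r"*\Exodus\*", r"*\Electrum\wallets\*",
               r"*\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\*"],
}
# Processes that legitimately read their own stores (assumed allowlist by image name).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
WINDOW = timedelta(minutes=5)  # assumed: reads followed by a connection within this window

# Constructed sample events: {ts, pid, image, type, path | dst}.
SAMPLE_EVENTS = [
    # pid 4120: a "cracked installer" reads logins, cookies and a wallet, then calls out.
    {"ts": "2025-05-01T10:00:01Z", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "type": "FileRead", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-05-01T10:00:02Z", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "type": "FileRead", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2025-05-01T10:00:03Z", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "type": "FileRead", "path": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ts": "2025-05-01T10:00:09Z", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "type": "NetConnect", "dst": "203.0.113.77:443"},
    # pid 3000: Chrome reading its own stores and connecting is normal.
    {"ts": "2025-05-01T10:01:00Z", "pid": 3000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "FileRead", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-05-01T10:01:01Z", "pid": 3000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "FileRead", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"ts": "2025-05-01T10:01:02Z", "pid": 3000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "NetConnect", "dst": "203.0.113.5:443"},
    # pid 5000: a backup tool touching one category only stays below the threshold.
    {"ts": "2025-05-01T10:02:00Z", "pid": 5000, "image": r"C:\Program Files\Backup\backup.exe",
     "type": "FileRead", "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json"},
    {"ts": "2025-05-01T10:02:30Z", "pid": 5000, "image": r"C:\Program Files\Backup\backup.exe",
     "type": "NetConnect", "dst": "203.0.113.9:443"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify(path):
    """Return the sensitive-store category a path falls into, or None."""
    p = path.lower()
    for category, patterns in SENSITIVE_PATTERNS.items():
        if any(fnmatch.fnmatchcase(p, pat.lower()) for pat in patterns):
            return category
    return None


def detect_stealer_activity(events, window=WINDOW, min_categories=2):
    """Alert when a non-browser process reads >= min_categories kinds of sensitive
    store and then opens an outbound connection within `window` of the first read."""
    touched = {}  # pid -> {"image", "first", "categories"}
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "FileRead":
            category = classify(ev["path"])
            if category is None:
                continue
            rec = touched.setdefault(ev["pid"], {"image": ev["image"], "first": _ts(ev["ts"]), "categories": set()})
            rec["categories"].add(category)
        elif ev["type"] == "NetConnect":
            rec = touched.get(ev["pid"])
            if rec is None or image_name in BROWSERS:
                continue
            if len(rec["categories"]) < min_categories or _ts(ev["ts"]) - rec["first"] > window:
                continue
            alerts.append({"pid": ev["pid"], "image": rec["image"], "dst": ev["dst"],
                           "categories": sorted(rec["categories"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_stealer_activity(SAMPLE_EVENTS):
        print(alert)
```

The threshold of two categories is what keeps backup agents and sync tools quiet; the stealer's distinguishing trait is breadth (browser logins, cookies and wallets from one process inside seconds), not any single read. Stealer operators also commonly rename or repack the binary, so keying the rule on behaviour rather than on the image path is deliberate.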
## Mitigation Strategies
- Regular patching and system hardening (especially for older Windows versions).
- Strict endpoint protection with behavior monitoring capabilities.
- Disrupting associated distribution vectors (e.g., monitoring Discord for malware distribution).
## Related Tools/Techniques
- Other infostealer malware families.
- Malware-as-a-Service distribution models.
***
# Tool/Technique: Quasar RAT
## Overview
Quasar RAT is a widely available, open-source Remote Access Trojan (RAT) written in C# that gives an operator full remote control of infected Windows systems. It is often distributed through email spam campaigns in attachments disguised as benign documents.
## Technical Details
- Type: Remote Access Trojan (RAT)
- Platform: Windows (a .NET Framework application; runs on any Windows version with a supported .NET Framework runtime)
- Capabilities: Remote file management, registry editing, remote shell, keystroke/activity recording, remote desktop viewing and control, reverse proxy (SOCKS5) through the victim, silent execution.
- First Seen: Publicly available on GitHub since 2014 (originally named xRAT); the US-CERT analysis report AR18-352A (December 2018) documents its use in intrusion campaigns.
## MITRE ATT&CK Mapping
Quasar RAT enables comprehensive remote control and persistence on victim machines.
- **TA0002 - Execution**
- **T1204 - User Execution** (Via spam email attachment/loader in documents)
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (Customizable client/server can aid evasion)
- **TA0011 - Command and Control**
- **T1573 - Encrypted Channel** (a custom binary protocol over TCP, encrypted with TLS using a certificate generated by the server)
- **TA0007 - Discovery**
- **T1083 - File and Directory Discovery**
- **TA0003 - Persistence / TA0004 - Privilege Escalation**
- **T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder** (the client's install option writes a Run-key entry so it starts at logon)
## Functionality
### Core Capabilities
- Remote file system management on the infected machine.
- Establishing remote desktop connections.
- Recording user actions (keylogging/activity monitoring).
- Altering system registry keys.
### Advanced Features
- **Silent Operation:** Runs with no visible window or prompt, so it can remain under remote control for extended periods without alerting the user.
- **Customizability:** Users can customize the client-side malware via the server-side GUI component to suit specific operational needs.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context, likely dropper/loader names depending on campaign]
- Registry Keys: An autostart value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (or the HKLM equivalent when installed with administrative rights); the value name and the installed file path are chosen in the builder, so the exact entry depends on the campaign.
- Network Indicators: C2 communications over TLS on an operator-chosen port using its own protocol (specific IPs/domains not provided).
- Behavioral Indicators: A persistent outbound TCP connection from the client to a single host; remote desktop and screen capture performed by the client itself over that channel (not Windows RDP); Windows Registry modifications that make the binary load at startup.
## Associated Threat Actors
- Unknown (Highly popular due to open-source availability, used by various financially or politically motivated groups).
## Detection Methods
- Signature-based detection: Signatures for known compiled builds of the open-source project. Because the builder customizes each client, hash-based signatures miss rebuilt samples; rules keyed on code structure fare better.
- Behavioral detection: Screen capture, keylogging or extensive remote file-system enumeration by a process with no user interaction; a long-lived outbound TCP connection to a single host on an unusual port; registry Run-key modifications that point at executables in user-writable directories.
- YARA rules: Rules targeting known strings or class/method structures within the Quasar RAT binary.
## Mitigation Strategies
- Email filtering and comprehensive sandboxing to neutralize attachments distributed via spam campaigns.
- Host-based intrusion detection systems (HIDS) to monitor for unauthorized registry modifications or unexpected outbound connections on non-standard ports or protocols.
- Application whitelisting to prevent execution of unauthorized binaries.
## Related Tools/Techniques
- Other widely available RATs (e.g., DarkComet, njRAT) and AsyncRAT, which derives from Quasar's code base.
- General remote access techniques (T1133 - External Remote Services, T1219 - Remote Access Software).