# Full Report
The Tycoon 2FA phishing kit is a sophisticated Phishing-as-a-Service (PhaaS) platform that emerged in August 2023, designed to bypass two-factor authentication (2FA) and multi-factor authentication (MFA) protections, primarily targeting Microsoft 365 and Gmail accounts. Utilizing an Adversary-in-the-Middle (AiTM) approach, it employs a reverse proxy server to host deceptive phishing pages that mimic legitimate login interfaces, capturing user credentials and session cookies in real-time. According to the Any.run malware trends tracker, Tycoon 2FA leads with over 64,000 reported incidents this year.
# Analysis Summary
# Tool/Technique: Tycoon 2FA Phishing Kit
## Overview
The Tycoon 2FA Phishing Kit is a sophisticated Phishing-as-a-Service (PhaaS) platform that emerged in August 2023. Its primary purpose is to execute Adversary-in-the-Middle (AiTM) style phishing attacks to steal credentials and session cookies, specifically designed to bypass Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) protections on targeted accounts.
## Technical Details
- Type: Attack Tool / Phishing Framework (PhaaS)
- Platform: Web-based (hosted on reverse proxy servers, with stages hosted on services such as Amazon S3)
- Capabilities: Real-time session cookie and credential theft via AiTM, MFA code interception, organizational policy analysis, and advanced anti-analysis checks.
- First Seen: August 2023
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (via PDF, SVG, PPT delivery)
    - T1566.002 - Spearphishing Link (via email distribution)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (used for relaying stolen data and traffic)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
    - T1027.002 - Software Packing (use of LZ-string compression)
  - T1055 - Process Injection (implied by in-memory execution after payload unpacking)
## Functionality
### Core Capabilities
- **Adversary-in-the-Middle (AiTM):** Employs a reverse proxy server to host deceptive login pages, allowing the attacker to intercept traffic between the user and the legitimate service.
- **MFA Bypassing:** Captures valid MFA codes entered by the user in real-time and relays them, achieving session access.
- **Targeting:** Primarily focuses on Microsoft 365 and Gmail (including organizational business accounts).
- **Data Harvesting:** Captures user credentials and session cookies in real-time.
### Advanced Features
- **Pre-Redirection/Anti-Detection Checks:** Implements multiple layers to filter out automated analysis:
  - Domain Check: Verifies the source of the incoming request.
  - CAPTCHA Check: Filters out bots.
  - Bot/Scanning Tools Check.
  - Debugger Check: Monitors for the presence of developer tools (e.g., active for > 0.1 seconds).
  - User Agent Check: Blocks automated tools like PhantomJS or Burp Suite by redirecting to a blank page.
- **Dynamic Page Generation:** Uses boilerplate templates to dynamically generate fake login pages based on responses from Microsoft servers.
- **Organizational Policy Analysis:** Analyzes login error messages to tailor the attack and increase targeting precision.
- **Payload Obfuscation:** Utilizes JavaScript with base64 encoding and LZ-string compression for the first stage payload, followed by XOR cipher obfuscation for subsequent stages.
- **DOM Vanishing Act:** Malicious JavaScript removes itself from the Document Object Model (DOM) after execution, hiding traces from tools inspecting the page source code.
## Indicators of Compromise
* **File Hashes:** Not provided in the context.
* **File Names:** Not explicitly detailed, but associated delivery files include PDF documents, SVG files, and PowerPoint (PPT) presentations.
* **Registry Keys:** Not provided in the context.
* **Network Indicators:**
  - Distribution vectors include links hosted on compromised Amazon S3 buckets (e.g., s3.ap-northeast-3[.]amazonaws[.]com).
  - Delivery platforms include Mailchimp tracking links.
  - Dropbox and Canva are mentioned as platforms used in the spreading mechanism.
* **Behavioral Indicators:**
  - Installation of a CAPTCHA challenge.
  - Execution of obfuscated JavaScript that uses LZ-string decompression.
  - Attempts to detect active debuggers based on keyboard events.
  - Successful session cookie capture via reverse proxy interaction.
## Associated Threat Actors
The article refers to "Tycoon threat actors" generally, indicating it is a Phishing-as-a-Service platform potentially used by various unaffiliated groups.
## Detection Methods
* **Signature-based detection:** Signatures targeting the specific compressed/obfuscated JavaScript payloads.
* **Behavioral detection:** Monitoring for unusual JavaScript behavior such as DOM element removal immediately after loading, execution of base64/XOR-decoded code blocks, and checks designed to detect developer tools activity.
* **YARA rules:** Potential YARA rules could target characteristic strings within the obfuscated payloads referencing LZ-string or XOR decoding routines.
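The behavioral and string-based detections above can be combined into a simple page-content scorer. The following Python is an added example written for this report, not code from the Tycoon 2FA kit or from any vendor product; the regexes, weights, threshold and both sample scripts are the editor's own constructions and stand in for the real signatures a team would derive from captured pages. It scans a fetched HTML/JS body for the indicators listed in this section (LZ-string decompression, base64 decoding, an XOR decode loop, dynamic code execution, a script removing itself from the DOM, and a developer-tools check keyed on F12) and reports a weighted score.

```python
import re
from dataclasses import dataclass, field

# Heuristic patterns for the page-level behaviours listed under "Detection
# Methods". They are illustrative choices by the editor, not signatures
# extracted from the Tycoon 2FA kit; tune the weights and threshold to your
# own false-positive tolerance.
INDICATORS = {
    # name: (compiled pattern, weight)
    "lzstring_decompress": (re.compile(r"LZString\s*\.\s*decompressFrom\w*\s*\("), 2),
    "base64_decode": (re.compile(r"\batob\s*\("), 1),
    "xor_decode_loop": (re.compile(r"charCodeAt\s*\([^)]*\)\s*\^"), 2),
    "dynamic_eval": (re.compile(r"\b(?:eval|new\s+Function)\s*\("), 1),
    "script_self_removal": (
        re.compile(r"currentScript\s*\.\s*(?:remove\s*\(|parentNode\s*\.\s*removeChild)"), 2),
    "devtools_check": (
        re.compile(r"\bdebugger\b|keyCode\s*===?\s*123|key\s*===?\s*[\"']F12[\"']"), 1),
}
THRESHOLD = 4  # assumed cut-off: two strong indicators, or one strong plus two weak


@dataclass
class ScanResult:
    score: int = 0
    matched: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_page(content: str) -> ScanResult:
    """Score a fetched HTML/JS body against the heuristic indicators."""
    result = ScanResult()
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(content):
            result.matched.append(name)
            result.score += weight
    return result


# Constructed samples written for this example; not captured kit code.
SUSPICIOUS_SAMPLE = r"""
<script>
var p = LZString.decompressFromBase64(atob(blob));
var k = 0x5a, o = "";
for (var i = 0; i < p.length; i++) o += String.fromCharCode(p.charCodeAt(i) ^ k);
window.addEventListener("keydown", function (e) { if (e.keyCode === 123) location.href = "about:blank"; });
new Function(o)();
document.currentScript.parentNode.removeChild(document.currentScript);
</script>
"""

BENIGN_SAMPLE = r"""
<script>
document.getElementById("login").addEventListener("submit", function (e) {
  e.preventDefault();
  fetch("/api/login", { method: "POST", body: new FormData(e.target) });
});
</script>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan_page(sample)
        print(f"{label}: score={r.score} suspicious={r.suspicious} matched={r.matched}")
```

Feed `scan_page` the response body from a URL sandbox or proxy capture; the constructed suspicious sample trips all six indicators, the benign login form trips none. Because these kits run their checks in the browser, a scanner that only fetches the raw response sees the first-stage loader rather than the decoded login page, so the loader-level strings (decompression, XOR loop, self-removal) are the ones worth scoring.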
## Mitigation Strategies
* **User Education on Phishing Awareness:** Train users to identify suspicious URLs, grammatical errors, and the risks associated with opening malicious attachments (PDF, SVG, PPT).
* **Strengthen Authentication:** Deploy robust MFA methods that are phishing-resistant (e.g., FIDO2/WebAuthn, certificate-based methods) rather than one-time passwords (OTP), which are susceptible to AiTM relay.
* **Implement Anti-Phishing Solutions:** Utilize advanced tools capable of modern AiTM detection and blocking.
* **URL Filtering:** Implement strong controls to block access to known malicious domains or URLs hosted on public cloud storage utilizing suspicious subpaths.
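Why a one-time password relays through an AiTM proxy while a FIDO2/WebAuthn assertion does not comes down to what the verifier can see. The following Python is an added illustration for this report, not code from the kit, from Microsoft, or from any WebAuthn library. It implements RFC 6238 TOTP with the standard library, then a deliberately reduced WebAuthn-style assertion in which `clientDataJSON` carries the browser's origin and is covered by the signature; an HMAC under a constructed credential key stands in for the credential's public-key signature, `login.example.test` and `login.example-phish.test` are constructed names, and the challenge is fixed rather than random, all of which are simplifications.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "login.example.test"               # constructed relying-party id
RP_ORIGIN = "https://login.example.test"   # the only origin the RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# --- One-time password: the value is the same wherever it is typed -----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a code that is valid no matter which page collected it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def otp_login_via_proxy(secret: bytes, unix_time: int) -> bool:
    """The victim types the code into the proxied page; the proxy forwards it
    unchanged, and the real service has no way to tell where it was typed."""
    typed_on_phishing_page = totp(secret, unix_time)
    forwarded_by_proxy = typed_on_phishing_page
    return hmac.compare_digest(totp(secret, unix_time), forwarded_by_proxy)


# --- WebAuthn-style assertion: the browser's origin is inside the signed data ---

def authenticator_assert(cred_key: bytes, browser_origin: str, challenge: bytes) -> dict:
    """Mimics what browser + authenticator produce for navigator.credentials.get().
    The browser, not the page, fills in `origin`. HMAC stands in for ECDSA (simplification)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": browser_origin},
        separators=(",", ":")).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def rp_verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: bytes):
    """Relying-party checks, in the order a real verifier applies them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "type mismatch"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def webauthn_login(cred_key: bytes, browser_origin: str, rewrite_origin: bool = False):
    """Run an assertion through to the RP. With rewrite_origin=True the relay
    patches clientDataJSON to claim the real origin, which breaks the signature."""
    challenge = hashlib.sha256(b"constructed-challenge").digest()  # real RPs use random bytes
    assertion = authenticator_assert(cred_key, browser_origin, challenge)
    if rewrite_origin:
        assertion["clientDataJSON"] = assertion["clientDataJSON"].replace(
            browser_origin.encode(), RP_ORIGIN.encode())
    return rp_verify_assertion(cred_key, assertion, challenge)


if __name__ == "__main__":
    key = b"constructed-credential-key"
    print("OTP relayed through proxy accepted:", otp_login_via_proxy(b"12345678901234567890", 59))
    print("WebAuthn from real origin:", webauthn_login(key, RP_ORIGIN))
    print("WebAuthn from proxy origin:", webauthn_login(key, "https://login.example-phish.test"))
    print("WebAuthn, origin rewritten in transit:", webauthn_login(key, "https://login.example-phish.test", True))
```

The OTP path accepts the relayed code because the code carries no information about the page it was typed into. The WebAuthn path is rejected twice over: the origin the browser recorded is not the relying party's, and any attempt to alter that field in transit invalidates the signature. In a real deployment the browser also refuses to exercise a credential scoped to `login.example.test` from a different effective domain, so the assertion is never produced at all; the origin check shown here is the relying party's backstop.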
## Related Tools/Techniques
* **AiTM Phishing Kits:** Similar technologies used to bypass MFA, such as EvilProxy, Cluster, and various other reverse proxy-based phishing frameworks.
* **MFA Phishing:** General techniques focused on capturing temporary session cookies across platforms.