New Tycoon 2FA Phishing Kit Raises Cybersecurity Concerns

Written by

A new phishing kit dubbed Tycoon 2FA has raised significant concerns in the cybersecurity community. 

Discovered by the Sekoia Threat Detection & Research (TDR) team in October 2023 and discussed in an advisory published today, the kit is associated with the Adversary-in-The-Middle (AiTM) technique and allegedly utilized by multiple threat actors to orchestrate widespread and effective attacks. 

According to Sekoia's investigation, the Tycoon 2FA (two-factor authentication) platform has been active since at least August 2023. Since its discovery, the firm has been actively monitoring the infrastructure associated with Tycoon 2FA.

The analysis revealed the kit has emerged as one of the most prevalent AiTM phishing kits, with over 1,100 domain names detected between October 2023 and February 2024.

The Tycoon 2FA phishing kit operates through several stages to execute its malicious activities effectively. 

Initially, victims are directed via email attachments or QR codes to a page featuring a Cloudflare Turnstile challenge designed to thwart unwanted traffic. Upon successful completion, users encounter a fake Microsoft authentication page, where their credentials are harvested.

Subsequently, the phishing kit relays this information to the legitimate Microsoft authentication API, intercepting session cookies to bypass Multi-Factor Authentication (MFA).

Read more on similar attacks: MFA Bypass Kits Account For One Million Monthly Messages

In today's advisory, Sekoia said it identified a new version of Tycoon 2FA in February 2024 that features significant changes to its JavaScript and HTML codes, enhancing its phishing capabilities. Notably, it reorganizes resource retrieval and expands traffic filtering to thwart bot activity and analysis attempts.

Compared with the previous version, notable alterations include:

  • The initial HTML page, akin to stage 1, retains its function but excludes the Cloudflare Turnstile challenge.

  • The subsequent payload, named in a recognizable pattern, incorporates elements of both stage 4 (fake login page) and the new version's stage 1 (Cloudflare Turnstile challenge). Unnecessary mathematical operations in deobfuscation are omitted.

  • Formerly separate JavaScript downloads are consolidated into stages 4 and 5. These stages now handle 2FA implementation and data transmission.

  • Stealth tactics are refined, delaying malicious resource provision until after the Cloudflare challenge resolution. URLs are now randomly named.

  • Additionally, the kit adapts to evade analysis by identifying and bypassing various traffic patterns, including those from datacenters, Tor, and specific bot User-Agents.

Sekoia also warned about potential connections between Tycoon 2FA and other known phishing platforms, suggesting shared infrastructure and possibly shared code bases.

"Through studying the Bitcoin transactions allegedly attributed to Saad Tycoon Group, Sekoia analysts believe that the Tycoon Group operations are highly lucrative," added the advisory. "We expect the Tycoon 2FA PhaaS to remain a prominent threat within the AiTM phishing market in 2024."

What’s hot on Infosecurity Magazine?