Tycoon 2FA Phish-kit attacks via compromised Amazon Simple Email Service accounts
Attack Chain:
Amazon-SES EML → CIS Social Network → India Times → Custom Redirector → Main Phish Engine → Email/Password Sent to C2
See the example below.
Initial Phishing Email
The phishing email originates from an Amazon-SES client and often carries a valid DKIM signature. Its main characteristic is two empty PDF files attached to the message. In some cases the emails fail SPF and DKIM checks, but relying on these checks alone is not recommended: the sending account itself may be compromised, so a message from the attackers can pass both.
The email has a header from Docusign and the text: "You have received a document to review and sign."
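The traits above (SES origin, two empty PDF attachments, the DocuSign-themed "review and sign" text) can be turned into a mail-gateway triage rule. The script below is an added example, not code from the original post or from ANY.RUN; the sample messages, addresses, header values and the scoring thresholds are constructed for the demo, and a passing SPF/DKIM result is recorded but never used to clear a message, for the reason given in the text.

```python
"""Heuristic triage for the Tycoon 2FA lure described above.

Added example (not from the original post).  Checks the traits the post
names: Amazon SES origin, two empty PDF attachments, the DocuSign-themed
'review and sign' text.  Sample messages and header values are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

LURE_TEXT = "you have received a document to review and sign"
SES_MARKER = "amazonses.com"


def build_sample_eml() -> bytes:
    """Constructed message mimicking the described lure (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Docusign <notify@sender.example>"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Completed: please review and sign"
    # Constructed headers: a compromised SES account yields spf=pass/dkim=pass.
    msg["Received"] = ("from a8-1.smtp-out.amazonses.com "
                       "(a8-1.smtp-out.amazonses.com [203.0.113.10]) by mx.corp.example")
    msg["Authentication-Results"] = "mx.corp.example; spf=pass; dkim=pass header.d=amazonses.com"
    msg.set_content(
        "You have received a document to review and sign.\n"
        "Review Document: https://clicktime.symantec.com/PLACEHOLDER\n"
    )
    for name in ("Document_1.pdf", "Document_2.pdf"):
        # The post's key trait: PDF attachments with no content at all.
        msg.add_attachment(b"", maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed ordinary SES-delivered message for comparison."""
    msg = EmailMessage()
    msg["From"] = "Newsletter <news@shop.example>"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Weekly update"
    msg["Received"] = "from a8-1.smtp-out.amazonses.com by mx.corp.example"
    msg.set_content("Here is this week's update.\n")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="update.pdf")
    return msg.as_bytes()


def count_empty_pdfs(msg) -> int:
    """Number of PDF attachments whose decoded payload is zero bytes."""
    n = 0
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            if not (part.get_payload(decode=True) or b""):
                n += 1
    return n


def analyze_message(raw: bytes) -> dict:
    """Return the individual indicators plus a simple score and verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    received = " ".join(msg.get_all("Received", [])).lower()
    findings = {
        "via_ses": SES_MARKER in received,
        "empty_pdfs": count_empty_pdfs(msg),
        "lure_text": LURE_TEXT in text,
        # Recorded for the analyst only; never used to clear the message.
        "auth_pass": "spf=pass" in str(msg.get("Authentication-Results", "")).lower(),
    }
    # Two empty PDFs plus the lure text is the strong signal; SES origin adds
    # confidence.  Thresholds are constructed for this demo.
    score = ((2 if findings["empty_pdfs"] >= 2 else 0)
             + (2 if findings["lure_text"] else 0)
             + (1 if findings["via_ses"] else 0))
    findings["score"] = score
    findings["suspicious"] = score >= 4
    return findings


if __name__ == "__main__":
    print(analyze_message(build_sample_eml()))
    print(analyze_message(build_benign_eml()))
```

Run it as-is to see both verdicts, or feed `analyze_message()` the raw bytes of a quarantined `.eml`. The attachment check reads the decoded payload rather than the declared size, so a zero-byte file disguised behind a base64 body is still counted.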
The final link rewritten by Symantec Click-time URL Protection service:
Clicking the "Review Document" link sends the victim through a long chain of redirects that keeps the final phishing domain hidden and avoids raising suspicion. Let's trace the entire path, from the click in the email to the submission of the stolen user data, as it happens in the victim's browser.
Grouped lists of domains in the attack chain
Redirecting/Rejecting:
clicktime .symantec .com – Rewritten Email link
away .vk .com – Social media redirect abuse
brandequity .economictimes .indiatimes .com – News outlet redirect abuse
jyrepresentacao .com – Custom unconditional target-domain-masking redirect
t4yzv .vereares .ru – Custom conditional redirect
challenges .cloudflare .com – Turnstile Cloudflare Challenge

Content Delivery Networks / Service:
code .jquery .com – jQuery script storage
cdn .socket .io – Socket script storage
github .com – Randexp script storage
dnjs .cloudflare .com – Crypto-js script storage
httpbin .org – External IP lookup service
ipapi .co – IP information service
ok4static .oktacdn .com – Static CDN Storage
aadcdn .msauthimages .net – Brand logo storage

Phishing Engine and C2:
v4l3n .delayawri .ru – Attackers’ C2 server
keqil .ticemi .com – Tycoon 2FA phish-kit's core engine
The main engine code is split into two parts and obfuscated in two ways: the first part with XOR, the second with the obfuscator[.]io service.
C2 Communication protocol
Request to C2 after entering victim's email: /<email>/<item>/<app>/<ipapi response data>
Response (JSON): "message":<status>, <interface elements>, "uid":<uid>, "token":<token>
Request to C2 after entering victim's password: /<token>/<password>
Response (JSON): "message":<status>, <interface elements>, "description":<description>, "token":<token>
All communication with C2 is encrypted using AES in CBC mode:
The list of compromised third-level domains of Indiatimes .com with the redirector script /etl.php installed:
auto .economictimes .indiatimes .com
b2bimg .economictimes .indiatimes .com
cfo .economictimes .indiatimes .com
cio .economictimes .indiatimes .com
energy .economictimes .indiatimes .com
realty .economictimes .indiatimes .com
static .economictimes .indiatimes .com
telecom .economictimes .indiatimes .com
ciso .economictimes .indiatimes .com
brandequity .economictimes .indiatimes .com
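The grouped domain lists above and this list of compromised Indiatimes hosts can be used directly for retro-hunting in web-proxy logs. The script below is an added example, not code from the original post or from ANY.RUN: it keeps the post's domains defanged exactly as written and refangs them at load time, treats any `*.economictimes.indiatimes.com` host serving `/etl.php` as a redirector hit, and orders each client's matched hops so the full chain is visible. The log format, client addresses and log lines are constructed for the demo; the severity levels are an assumption, not something the post defines.

```python
"""Retro-hunt web-proxy logs for the Tycoon 2FA redirect chain and C2 hosts.

Added example (not from the original post).  Domains are the post's own,
kept defanged as written there; the log format and lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Redirect-chain hosts from the post (defanged as written there).
REDIRECTORS = [
    "clicktime .symantec .com",
    "away .vk .com",
    "brandequity .economictimes .indiatimes .com",
    "jyrepresentacao .com",
    "t4yzv .vereares .ru",
]
# Kit engine and C2 from the post.
PHISH_INFRA = [
    "keqil .ticemi .com",    # Tycoon 2FA core engine
    "v4l3n .delayawri .ru",  # attackers' C2
]
# Compromised third-level Indiatimes hosts carry the redirector at /etl.php.
INDIATIMES_SUFFIX = ".economictimes.indiatimes.com"
REDIRECT_SCRIPT = "/etl.php"

# Constructed proxy log, one request per line: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """
2024-05-01T10:00:01Z 10.0.0.5 GET https://clicktime.symantec.com/PLACEHOLDER
2024-05-01T10:00:02Z 10.0.0.5 GET https://away.vk.com/away.php?to=https://cio.economictimes.indiatimes.com/etl.php
2024-05-01T10:00:03Z 10.0.0.5 GET https://cio.economictimes.indiatimes.com/etl.php?u=PLACEHOLDER
2024-05-01T10:00:04Z 10.0.0.5 GET https://jyrepresentacao.com/PLACEHOLDER
2024-05-01T10:00:05Z 10.0.0.5 GET https://t4yzv.vereares.ru/PLACEHOLDER
2024-05-01T10:00:06Z 10.0.0.5 GET https://keqil.ticemi.com/PLACEHOLDER
2024-05-01T10:00:09Z 10.0.0.5 POST https://v4l3n.delayawri.ru/PLACEHOLDER
2024-05-01T10:01:00Z 10.0.0.7 GET https://code.jquery.com/jquery-3.6.0.min.js
2024-05-01T10:02:00Z 10.0.0.9 GET https://away.vk.com/away.php?to=https://example.invalid/
"""


def refang(domain: str) -> str:
    """Turn 'a .b .c' or 'a[.]b[.]c' back into a real lowercase hostname."""
    return re.sub(r"\s*\[?\.\]?\s*", ".", domain.strip()).lower()


REDIRECTOR_HOSTS = {refang(d) for d in REDIRECTORS}
PHISH_HOSTS = {refang(d) for d in PHISH_INFRA}


def classify_host(host: str, path: str):
    """'phish_infra', 'redirector' or None for a request host/path."""
    if host in PHISH_HOSTS:
        return "phish_infra"
    if host in REDIRECTOR_HOSTS:
        return "redirector"
    if host.endswith(INDIATIMES_SUFFIX) and path == REDIRECT_SCRIPT:
        return "redirector"  # any compromised Indiatimes host running etl.php
    return None


def parse_line(line: str):
    ts, client, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return ts, client, method, (parts.hostname or "").lower(), parts.path


def analyze_proxy_log(text: str) -> dict:
    """Per client: ordered matched hops, a severity and whether a POST hit the kit/C2."""
    hops = defaultdict(list)
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = parse_line(line)
        kind = classify_host(host, path)
        if kind:
            hops[client].append((ts, kind, host, method))
    report = {}
    for client, seq in hops.items():
        kinds = [k for _, k, _, _ in seq]
        if "phish_infra" in kinds:
            severity = "high"  # reached the kit engine or C2 (assumed level)
        else:
            severity = "low"   # redirect abuse alone is noisy: vk/indiatimes are legitimate sites
        report[client] = {
            "severity": severity,
            "chain": [h for _, _, h, _ in seq],
            "credential_post": any(k == "phish_infra" and m == "POST" for _, k, _, m in seq),
        }
    return report


if __name__ == "__main__":
    for client, info in analyze_proxy_log(SAMPLE_LOG).items():
        print(client, info["severity"], " -> ".join(info["chain"]))
```

A client that only touched `away.vk.com` or an Indiatimes host stays at low severity on its own; what makes the `10.0.0.5` sequence actionable is the same ordering the post describes, ending in a POST to the C2 host, which is the point at which submitted credentials should be assumed compromised.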
Domains identified using Threat Intelligence Lookup
Search ANYRUN sandbox’s public database of samples using these tags:
IMPORTANT: Do not enter your actual credentials into phishing forms inside the sandbox
Create your free sandbox account to analyze the latest threats with no limit