A sophisticated phishing campaign using the Tycoon 2FA phish-kit has been identified. It abuses Amazon Simple Email Service (SES) and a chain of redirects through high-profile domains to steal user credentials. The attack chain is designed to evade detection: it involves multiple stages and relies on a number of compromised domains and third-party services.

The email typically carries two empty PDF files as attachments and a message purporting to come from Docusign: "You have received a document to review and sign." Even when these emails fail SPF or DKIM checks, they can still appear credible because the sending source itself has been compromised.

Redirects and Obfuscation

The link in the email passes through the following redirects and services before the phishing page is reached:
- clicktime.symantec.com – rewritten email link
- away.vk.com – social media redirect abuse
- brandequity.economictimes.indiatimes.com – news outlet redirect abuse
- jyrepresentacao.com – custom unconditional target-domain-masking redirect
- t4yzv.vereares.ru – custom conditional redirect
- challenges.cloudflare.com – Cloudflare Turnstile challenge
The phishing engine uses several content delivery networks and services to store and serve its scripts and other resources:
- code.jquery.com – jQuery script storage
- cdn.socket.io – Socket script storage
- github.com – Randexp script storage
- dnjs.cloudflare.com – Crypto-js script storage
- httpbin.org – external IP lookup service
- ipapi.co – IP information service
- ok4static.oktacdn.com – static CDN storage
- aadcdn.msauthimages.net – brand logo storage
Phishing Engine and Command and Control (C2)

A sophisticated engine and C2 server manage the core of the phishing operation. The engine code is split and obfuscated using XOR and the obfuscator.io service, and communication with the C2 server is encrypted using AES in CBC mode, which keeps the stolen data hidden from network inspection.
- v4l3n.delayawri.ru – attackers' C2 server
- keqil.ticemi.com – Tycoon 2FA phish-kit's core engine
According to the ANY.RUN analysis, the attackers use a custom communication protocol to send stolen user data to their C2 server at v4l3n.delayawri.ru. The exchange takes place in two stages:

Stage 1. After the victim enters their email, the phishing engine sends a request to the C2 server in the format /<email>/<item>/<app>/<ipapi response data>. The server responds with a JSON object containing a status message, interface elements, a unique ID (UID), and a token.
- Request: /<email>/<item>/<app>/<ipapi response data>
- Response (JSON): "message":<status>, <interface elements>, "uid":<uid>, "token":<token>

Stage 2. After the victim enters their password, the phishing engine sends a request in the format /<token>/<password>, reusing the token from the previous response. The server responds with a JSON object containing a status message, interface elements, a description, and a token.
- Request: /<token>/<password>
- Response (JSON): "message":<status>, <interface elements>, "description":<description>, "token":<token>
All communication with the C2 server is encrypted using AES in CBC mode.
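As an added example (not part of the original analysis), the following Python classifier recognises the two request shapes documented above in a request/response trace, such as one exported from a sandbox where the traffic is observed after decryption. It assumes the path layout exactly as described here, that the ipapi.co data arrives as a JSON object in the last path segment, and that the stage-2 token is the one issued in the stage-1 response; the sample trace and every session value in it are constructed.

```python
import json
import re
from urllib.parse import unquote, urlsplit

KNOWN_C2_HOSTS = {"v4l3n.delayawri.ru"}  # C2 host named in the report
EMAIL_RE = re.compile(r"^[^@/\s]+@[^@/\s]+\.[^@/\s]+$")

def _json_obj(text):
    try:
        obj = json.loads(text)
    except ValueError:
        obj = None
    return obj if isinstance(obj, dict) else None  # only JSON objects count

def classify_request(url, known_tokens=frozenset()):
    """Match url against the C2 shapes /<email>/<item>/<app>/<ipapi data> (stage 1)
    and /<token>/<password> (stage 2); 'stage' is 1, 2 or None; password never kept."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    segments = [unquote(s) for s in parts.path.split("/") if s]
    result = {"host": host, "known_c2": host in KNOWN_C2_HOSTS, "stage": None}
    # Stage 1 is recognisable by structure: an email first, a JSON object last.
    if len(segments) >= 4 and EMAIL_RE.match(segments[0]):
        ipinfo = _json_obj(segments[-1])
        if ipinfo is not None:
            result.update(stage=1, email=segments[0], app=segments[2],
                          victim_ip=ipinfo.get("ip"))
            return result
    # Stage 2 is two opaque segments: trust it only with a seen token or known C2.
    if len(segments) == 2 and (segments[0] in known_tokens or result["known_c2"]):
        result.update(stage=2, token=segments[0])
    return result

def scan_trace(events):
    """Tag (request_url, response_body) pairs in order, linking stage 2 to stage 1 tokens."""
    tokens, hits = set(), []
    for url, body in events:
        hit = classify_request(url, tokens)
        if hit["stage"] == 1 and (resp := _json_obj(body)) and resp.get("token"):
            tokens.add(resp["token"])
        if hit["stage"]:
            hits.append(hit)
    return hits

SAMPLE_TRACE = [  # constructed in the documented format; not real traffic
    ("https://v4l3n.delayawri.ru/victim%40example.com/1/office/"
     "%7B%22ip%22%3A%22203.0.113.5%22%7D", '{"message":"ok","uid":"u-1","token":"abc123"}'),
    ("https://v4l3n.delayawri.ru/abc123/hunter2", '{"message":"ok","token":"abc123"}'),
]
```

The password segment is deliberately dropped from the result so that detection output never stores the victim's credentials.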
Compromised Domains
Several third-level domains of Indiatimes.com have been compromised and host a redirector script (/etl.php).
Security experts recommend not relying solely on SPF and DKIM checks to validate emails, since the sending source itself may be compromised. Users are advised to be wary of emails containing unexpected attachments and to verify the legitimacy of links before clicking.
This sophisticated phishing attack chain highlights the importance of staying vigilant when receiving emails with suspicious links or attachments. Users should be cautious when clicking links from unknown sources and should never enter sensitive information into phishing forms.
To stay safe online, users can look up any suspicious domains or IP addresses in ANY.RUN's public database of samples, tagged with #phishing, #amazon-ses, and #tycoon.
