New Salty 2FA PhaaS Platform Targets Microsoft 365 Users to Steal Login Credentials

Phishing remains the most common initial vector for cyberattacks and accounts for the majority of security incidents worldwide, even as the threat landscape keeps changing.

The proliferation of affordable Phishing-as-a-Service (PhaaS) platforms such as Tycoon2FA, EvilProxy, and Sneaky2FA has exacerbated this issue, enabling even novice attackers to deploy sophisticated campaigns.

These services are continuously updated with new evasion techniques and expanded infrastructure, making detection increasingly challenging.

Novel Phishing Framework

Recently, researchers at ANY.RUN uncovered a previously undocumented PhaaS framework dubbed Salty 2FA, which exhibits unique characteristics distinguishing it from established kits.

Primarily distributed via phishing emails, Salty 2FA focuses on stealing Microsoft 365 credentials through a multi-stage execution chain designed to bypass detection and analysis.

While it shares some domain overlaps with threat clusters like Storm-1575 (associated with the Dadsec platform) and Storm-1747 (linked to Tycoon 2FA), its distinct infrastructure, featuring compound .com subdomains paired with .ru domains, and its client-side behaviors set it apart as a standalone entity.

This framework’s name derives from its “salted” payloads, which incorporate noise like inspirational quotes to obscure static analysis, combined with advanced obfuscation methods such as Base64 encoding and XOR encryption using session-derived keys.

Figure: obfuscated code

Salty 2FA’s execution begins with an initial “trampoline” script that initializes Cloudflare Turnstile for bot protection, followed by the delivery of an obfuscated entry script laden with filler content to complicate scrutiny.

Subsequent stages involve encrypted payload retrieval from .ru domains, rendering a fake Microsoft login page with dynamically generated element IDs accessed via jQuery, and anti-analysis mechanisms including keyboard shortcut blocking and debugger timing checks to detect sandbox environments.

Figure: suspicious domain combination

Data exfiltration occurs through POST requests to endpoints like /<5-6_digits>.php, where stolen credentials are encoded with Base64+XOR and keyed to the victim’s session ID.

The framework excels at handling multiple two-factor authentication (2FA) methods, such as push notifications, SMS, voice calls, and OTPs, allowing adversaries to intercept and relay verification codes in real time and granting persistent access beyond mere credential theft.

Server responses in JSON format dictate page state transitions, from email prompts to 2FA processing, enhancing the phishing page’s realism and adaptability.

Evasion Strategies

Victims of Salty 2FA span diverse industries including finance, telecom, energy, consulting, logistics, and education, with targeted organizations in the USA, Europe, and beyond.

Common email lures mimic legitimate communications like voice messages, document access requests, or payroll amendments, often pre-filling victim emails via URL anchors.

Activity surged in June 2025, with potential precursors dating back to March-April, and continues to generate dozens of sandbox sessions daily.

Detection proves difficult due to mutable indicators; static IOCs like domains are unreliable amid constant code mutations.

Instead, behavioral patterns such as the .??.com + .ru domain chains, specific Cloudflare resource requests, and consistent resource loading from legitimate CDNs offer more reliable signatures.
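As an added example (not code from the ANY.RUN research or from this article), the following Python heuristic applies the behavioral pattern above to constructed proxy-log lines: it flags a client that fetches a compound .??.com or .com.?? host and then a .ru host within a short window, and scores the finding higher when the .ru request is a POST to a /<5-6 digits>.php endpoint. The log format, the time window, and every hostname in the sample are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed proxy-log format for this example: "<ISO timestamp> <client> <METHOD> <host> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")

# The two halves of the domain chain: a compound ".??.com"/".com.??" host (e.g. "*.it.com",
# "*.com.de") followed by a ".ru" host. Legitimate two-letter second-level labels exist,
# so this is a review trigger, not a block rule.
COMPOUND_COM_RE = re.compile(r"\.([a-z]{2}\.com|com\.[a-z]{2})$")
RU_RE = re.compile(r"\.ru$")
EXFIL_PATH_RE = re.compile(r"^/\d{5,6}\.php$")  # the /<5-6_digits>.php exfil endpoint


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host.lower(), "path": path}


def find_salty_chains(lines, window_s=120):
    """Return one finding per compound-.com host that a client fetched shortly before a .ru host.
    Score 2 for the domain chain alone, 3 when the .ru request is a POST to /<5-6 digits>.php."""
    by_client = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_client[ev["client"]].append(ev)
    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if not COMPOUND_COM_RE.search(first["host"]):
                continue
            for later in evs[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_s:
                    break  # events are sorted, so nothing later can be inside the window
                if RU_RE.search(later["host"]):
                    exfil = later["method"] == "POST" and EXFIL_PATH_RE.match(later["path"])
                    findings.append({"client": client, "score": 3 if exfil else 2,
                                     "chain": (first["host"], later["host"])})
                    break
    return findings


# Constructed sample log; the hosts are placeholders, not indicators from any report.
SAMPLE_LOG = [
    "2025-06-10T09:00:01 10.0.0.5 GET lure-example.it.com /abcXYZ/",
    "2025-06-10T09:00:03 10.0.0.5 GET challenges.cloudflare.com /turnstile/v0/api.js",
    "2025-06-10T09:00:40 10.0.0.5 POST stage-example.ru /123456.php",
    "2025-06-10T09:01:00 10.0.0.7 GET www.example.com /",
    "2025-06-10T09:05:00 10.0.0.9 GET news-example.ru /",
]

if __name__ == "__main__":
    for finding in find_salty_chains(SAMPLE_LOG):
        print(finding)  # prints the single chain for client 10.0.0.5 with score 3
```

Clients that only touch a .ru host (10.0.0.9 above) or only a compound .com host produce no finding; the combination within the window is the signal.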

Tools like ANY.RUN’s interactive sandbox facilitate real-time analysis, enabling MITM proxy captures to decrypt traffic and map execution flows, thus enriching IOCs and linking them to broader campaigns.

While Salty 2FA’s evasion techniques, including rotating CAPTCHAs and fingerprinting, position it as a formidable player akin to major PhaaS kits, its hardcoded elements and lack of advanced JavaScript exploitation reveal exploitable weaknesses.

Security teams are advised to prioritize behavioral heuristics over signatures for proactive defense, leveraging threat intelligence to monitor emerging variants.

Indicators of Compromise (IoCs)



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.