The Tycoon 2FA platform is a Phishing-as-a-Service (PhaaS) tool that enables cybercriminals to easily launch sophisticated phishing attacks targeting two-factor authentication (2FA).
It provides a service that simplifies the process for attackers. and offers an intuitive interface, allowing for the creation of customized phishing templates that mimic legitimate 2FA requests.
Tycoon 2FA also integrates automated features, streamlining the delivery and management of phishing campaigns, which significantly lowers the barrier to entry for launching large-scale and effective 2FA phishing attacks that pose a serious threat to organizations and individuals.
Dynamic analysis reveals that the HTML lure displays a fake voicemail page before redirecting the victim to an Outlook phishing site, while static analysis shows the HTML file contains a variable to store the victim’s email and a base64-encoded blob.
Decoding the blob reveals two parts: a base64-encoded HTML code for the fake voicemail page and JavaScript code, which is fetched from a remote server (disruptgive[.]com/res444.php) after a four-second delay, likely to execute malicious actions on the victim’s system.
An obfuscated JavaScript that contains a Base64-encoded string is returned by the PHP endpoint, which contains the values that are used for AES decryption, which are the key (B + D) and IV (C).
The Python script decrypts the JavaScript, revealing its purpose. The decrypted script checks for the presence of the character ‘#’ in the string “VBsazFxAoBQotTgF.”
Failing to find it, the script constructs a link to [https://mvz.nvkhytoypg](https://mvz.nvkhytoypg)[.]ru/9SIt8c/ concatenated with “VBsazFxAoBQotTgF,” and then replaces the page’s body with this link and simulates a click, effectively redirecting the user to the generated URL.
This phishing campaign leverages a multi-stage attack flow, where the initial stage involves enticing victims to click on malicious links, which redirect them to phishing pages designed to steal credentials that are hosted on various domains.
Through the process of analyzing the attack flow, security researchers were able to determine that the malicious scripts were delivered by the attackers through the use of a PHP file with the name “res444.php.”
Validin investigation revealed that this PHP file is used across multiple domains, indicating a shared infrastructure, and the attackers also employed a generic template for the phishing pages, providing another valuable clue for identifying related domains.
By combining these findings and searching for specific parameters within the PHP file, security researchers can effectively hunt for and disrupt the broader Tycoon 2FA infrastructure.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free