Tycoon 2FA Phish-kit Exploits Amazon SES to Steal User Credentials


A sophisticated phishing campaign with Tycoon 2FA Phish-kit has been identified, leveraging Amazon Simple Email Service (SES) and a series of high-profile redirects to steal user credentials. The attack chain, meticulously designed to evade detection, involves multiple stages and utilizes various compromised domains and services.

According to the phishing sample analysis, the attack begins with an email sent through an Amazon SES client. These emails often carry a valid signature, which adds a layer of legitimacy.



The email typically carries two empty PDF files as attachments and a message styled as a Docusign notification: “You have received a document to review and sign.” Even when these emails fail SPF or DKIM checks, they can still look credible to the recipient because they are sent from a legitimate, compromised SES sender.


Redirects and Obfuscation

According to the ANY.RUN report, clicking the “Review Document” link sends the victim through a chain of URLs that obscures the final phishing domain. The initial link is rewritten by Symantec’s Click-time URL Protection service, which leads into the following series of redirects:

  1. clicktime.symantec.com – Rewritten Email link
  2. away.vk.com – Social media redirect abuse
  3. brandequity.economictimes.indiatimes.com – News outlet redirect abuse
  4. jyrepresentacao.com – Custom unconditional target-domain-masking redirect
  5. t4yzv.vereares.ru – Custom conditional redirect
  6. challenges.cloudflare.com – Turnstile Cloudflare Challenge

You can see the domains and associated sandbox sessions by searching commandLine:"/etl.php?url=" AND domainName:".economictimes.indiatimes.com" in ANY.RUN’s Threat Intelligence Lookup (a free account is required).
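The redirect chain above can be unwrapped statically, because each open redirect carries its next target inside its own query string. The following Node.js snippet is an added example, not code from the ANY.RUN report or from the Tycoon 2FA kit: it peels the nested targets out of a rewritten link without fetching anything, labels each hop, and runs the Threat Intelligence Lookup query above locally over proxy log lines. The parameter names "u" (clicktime.symantec.com) and "to" (away.vk.com) are assumptions; "url" for /etl.php is the parameter the hunting query itself uses. Every URL and log line in the block is constructed sample data.

```javascript
// Added example (not from the ANY.RUN report or the Tycoon 2FA kit).
// Statically unwraps a nested redirect chain and applies the page's
// hunting query to constructed proxy log lines. Nothing is fetched.

// Which query parameter carries the next target on each abused host.
// "u" and "to" are assumed parameter names; "url" comes from the page.
const REDIRECT_RULES = [
  { host: /(^|\.)clicktime\.symantec\.com$/, param: 'u', label: 'rewritten email link' },
  { host: /^away\.vk\.com$/, param: 'to', label: 'social media open redirect' },
  { host: /\.economictimes\.indiatimes\.com$/, path: /\/etl\.php$/, param: 'url',
    label: 'news outlet /etl.php open redirect' },
];

// Walk the targets embedded in the URL itself. Each hop records the host,
// why it is in the chain, and the next target (null on the last hop).
function unwrapRedirectChain(startUrl, maxHops = 10) {
  const hops = [];
  let current = startUrl;
  for (let i = 0; i < maxHops && current; i++) {
    let u;
    try {
      u = new URL(current);
    } catch {
      hops.push({ host: null, label: 'unparseable target', next: null });
      break;
    }
    const rule = REDIRECT_RULES.find(
      (r) => r.host.test(u.hostname) && (!r.path || r.path.test(u.pathname)),
    );
    // searchParams.get() percent-decodes once, which peels one layer of nesting.
    const next = rule ? u.searchParams.get(rule.param) : null;
    hops.push({ host: u.hostname, label: rule ? rule.label : 'terminal hop', next });
    current = next;
  }
  return hops;
}

// Constructed sample link, built from the inside out so every layer is
// percent-encoded exactly as a real nested redirect would be.
const SAMPLE_LINK = (() => {
  const masking = 'https://jyrepresentacao.com/';
  const etl = 'https://brandequity.economictimes.indiatimes.com/etl.php?url=' + encodeURIComponent(masking);
  const vk = 'https://away.vk.com/away.php?to=' + encodeURIComponent(etl);
  return 'https://clicktime.symantec.com/example/?u=' + encodeURIComponent(vk);
})();

// Local equivalent of the Threat Intelligence Lookup query
//   commandLine:"/etl.php?url=" AND domainName:".economictimes.indiatimes.com"
// applied to proxy log lines: both conditions must hold on the same line.
function huntEtlRedirects(lines) {
  return lines.filter(
    (line) => line.includes('/etl.php?url=')
      && /[A-Za-z0-9-]+\.economictimes\.indiatimes\.com\//.test(line),
  );
}

// Constructed proxy log lines (not real telemetry).
const SAMPLE_LOG = [
  'GET https://cio.economictimes.indiatimes.com/etl.php?url=https%3A%2F%2Fjyrepresentacao.com%2F 302',
  'GET https://static.economictimes.indiatimes.com/images/logo.png 200',
  'GET https://example.com/etl.php?url=https%3A%2F%2Fexample.org%2F 200',
];

for (const hop of unwrapRedirectChain(SAMPLE_LINK)) {
  console.log(hop.host, '-', hop.label);
}
console.log(huntEtlRedirects(SAMPLE_LOG));
```

The unwrapper stops at the first host it has no rule for (here jyrepresentacao.com), which is exactly where the page's chain switches from open redirects visible in the URL to server-side conditional redirects that can only be observed by actually following the link in a sandbox.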

The phishing engine utilizes several content delivery networks and services to store and serve scripts and other resources:

  • code.jquery.com – jQuery script storage
  • cdn.socket.io – Socket script storage
  • github.com – Randexp script storage
  • cdnjs.cloudflare.com – Crypto-js script storage
  • httpbin.org – External IP lookup service
  • ipapi.co – IP information service
  • ok4static.oktacdn.com – Static CDN Storage
  • aadcdn.msauthimages.net – Brand logo storage

Phishing Engine and Command and Control (C2)

A sophisticated engine and C2 server manage the core of the phishing operation:

The engine code is split and obfuscated using XOR and the obfuscator.io service. Communication with the C2 server is encrypted using AES in CBC mode, which hides the stolen data and the kit’s protocol from casual network inspection.

  • v4l3n.delayawri.ru – Attackers’ C2 server
  • keqil.ticemi.com – Tycoon 2FA phish-kit’s core engine

According to the ANY.RUN analysis, the engine uses a custom communication protocol to send stolen user data to the C2 server at v4l3n.delayawri.ru. The protocol consists of two requests, one per stage:

Once the victim enters their email address, the engine sends a request to the C2 server in the format: ////. The server responds with a JSON object containing a status message, interface elements, a unique ID (UID) and a token.

  • Request: ////
  • Response (JSON): "message":, , "uid":, "token":

Once the victim enters their password, the engine sends a second request to the C2 server in the format: //. The server responds with a JSON object containing a status message, interface elements, a description and a token.

  • Request: //
  • Response (JSON): "message":, , "description":, "token":

All communication with the C2 server is encrypted using AES in CBC mode. Because the encryption runs in the victim’s browser (the engine pulls crypto-js from a public CDN), the key material must be present in the delivered script or negotiated over the same channel, so an analyst who deobfuscates the engine can decrypt captured traffic.


Compromised Domains

Several subdomains of economictimes.indiatimes.com have been compromised and host the redirector script (/etl.php):

  • auto.economictimes.indiatimes.com
  • b2bimg.economictimes.indiatimes.com
  • cfo.economictimes.indiatimes.com
  • cio.economictimes.indiatimes.com
  • energy.economictimes.indiatimes.com
  • realty.economictimes.indiatimes.com
  • static.economictimes.indiatimes.com
  • telecom.economictimes.indiatimes.com
  • ciso.economictimes.indiatimes.com
  • brandequity.economictimes.indiatimes.com

Security experts recommend not treating a passing SPF or DKIM check as proof that an email is legitimate: when the sending account itself is compromised, the message is authenticated for the legitimate sender. Users are advised to be cautious of emails containing unexpected attachments and to verify the legitimacy of links before clicking them.

This sophisticated phishing attack chain highlights the importance of being vigilant when receiving emails with suspicious links or attachments. Users are advised to be cautious when clicking on links from unknown sources and to never enter sensitive information into phishing forms.

To stay safe online, users can search for suspicious domains or IP addresses in ANY.RUN’s public database of samples, tagged #phishing, #amazon-ses and #tycoon.

