What You Need to Pay Attention to Right Now 


Cyber attackers constantly refine their evasion methods. That’s what makes threats, including phishing, increasingly hard to detect and investigate.

Kits like Tycoon 2FA evolve regularly, with new tricks added to their arsenal. They slip past defenses and compromise companies, demonstrating how adaptable modern cyber threats are.

Let’s review three key evasion techniques of Tycoon 2FA using ANY.RUN Interactive Sandbox.


Technique #1: Use of Different CAPTCHAs (reCAPTCHA, IconCaptcha, etc.)  

Instead of using a single CAPTCHA system per threat, Tycoon 2FA cycles through different providers, such as reCAPTCHA, IconCaptcha, and custom CAPTCHAs.

This rotation challenges signature-based detection systems and bot-driven analysis tools, which cannot consistently get past a CAPTCHA that keeps changing.

For example, in the following analysis session of Tycoon 2FA, the custom CAPTCHA used previously was replaced with reCAPTCHA:


reCAPTCHA used in Tycoon 2FA, as shown in ANY.RUN sandbox 

Other providers, like IconCaptcha, have been detected earlier, too (e.g. in a submission dated April 7, 2025). 


Technique #2: Browser Fingerprinting 

Using this technique, the Tycoon 2FA phishing kit can distinguish real users from analysis environments.

Fingerprinting means collecting detailed information about the user’s system, such as screen parameters, time zone, browser details, etc.

Based on this data, the threat decides whether to proceed with the phishing content or to redirect the user to a legitimate page. This significantly reduces the risk of detection by disarming sandbox-based defenses.

In the case below, opening the phishing link leads to a page that loads an image element and, when the image fails to load, executes a Base64-encoded script from its onerror handler:


Suspicious onerror handler in image element 

Decoding the script with CyberChef reveals that it is meant to collect:

  • Browser data, such as screen parameters, browser/platform name, URL, host, protocol, console properties, and document body.   
  • Info on time zone, JavaScript runtime internals, iframe checks, and graphical interface properties. 
  • Other technical information.  

Code used to collect browser properties 

Gathered data in JSON is then inserted into an invisible form and sent to the attacker’s server via a POST request.   

The server analyzes the fingerprint data and returns a response with a Location header. There are two possible outcomes, depending on the received data:

  • Redirection to a Legitimate Page: If the gathered info indicates that something’s off, e.g., there are signs of a sandbox, the user is redirected to a legitimate site, such as the Emirates, Tesla, or SpaceX website.
  • Redirect to Phishing Page: Otherwise, if the environment seems genuine, the user is directed to the Tycoon 2FA Stage 1 phishing page.
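As an added example (not code from the original post or from ANY.RUN), the following Node.js script shows how an analyst can statically triage a saved page for the loader pattern just described: an image element whose onerror handler decodes a Base64 string and evaluates it, with the decoded script then checked for the kinds of property reads and the hidden-form POST listed above. The indicator table, the constructed collector script and both HTML samples are this example's own assumptions, not material taken from the kit.

```javascript
// Added example (not code from the original post or from ANY.RUN): static triage for the
// "<img onerror> -> Base64 -> eval" fingerprinting loader pattern described in the post.
// Run with: node onerror_triage.js

// Browser properties that fingerprinting scripts typically read, grouped by the
// category they reveal. The groups and regexes are this example's own assumption.
const FINGERPRINT_INDICATORS = {
  screen:   /\bscreen\.(width|height|colorDepth|availWidth|availHeight)\b/,
  browser:  /\bnavigator\.(userAgent|platform|language|hardwareConcurrency|webdriver|plugins)\b/,
  page:     /\b(location\.(href|host|protocol)|document\.body)\b/,
  timezone: /Intl\.DateTimeFormat\(\)\.resolvedOptions\(\)\.timeZone|getTimezoneOffset\(\)/,
  iframe:   /\bwindow\.(top|self|parent)\b|\bframeElement\b/,
  graphics: /getContext\(\s*['"](webgl|experimental-webgl|2d)['"]\s*\)/,
  exfil:    /createElement\(\s*['"]form['"]\s*\)|\.submit\(\)|\bfetch\(|XMLHttpRequest|sendBeacon/,
};

// Return the onerror handler text of every <img> element in the page.
function extractImgOnerrorHandlers(html) {
  const re = /<img\b[^>]*\bonerror\s*=\s*(["'])([\s\S]*?)\1/gi;
  return [...html.matchAll(re)].map((m) => m[2]);
}

// Decode every Base64 literal passed to atob() inside a handler.
function decodeAtobLiterals(handler) {
  const re = /atob\(\s*(["'])([A-Za-z0-9+\/=]+)\1\s*\)/g;
  return [...handler.matchAll(re)].map((m) => Buffer.from(m[2], 'base64').toString('utf8'));
}

// Match a decoded script against the indicator table; return the categories that hit.
function classifyScript(script) {
  return Object.keys(FINGERPRINT_INDICATORS).filter((k) => FINGERPRINT_INDICATORS[k].test(script));
}

// Full pipeline: handlers -> decoded payloads -> indicator hits per payload.
function triageHtml(html) {
  const findings = [];
  for (const handler of extractImgOnerrorHandlers(html)) {
    for (const script of decodeAtobLiterals(handler)) {
      findings.push({ handler, script, indicators: classifyScript(script) });
    }
  }
  return findings;
}

// Heuristic verdict: reads from several property categories plus a way to send them out.
function isLikelyFingerprinting(findings) {
  return findings.some((f) => f.indicators.includes('exfil') && f.indicators.length >= 4);
}

// Constructed sample: a collector modelled on the behaviour the post describes
// (collect properties, JSON-encode, hidden form, POST). Not the kit's real code.
const CONSTRUCTED_COLLECTOR = `
var d = {
  sw: screen.width, sh: screen.height, cd: screen.colorDepth,
  ua: navigator.userAgent, pl: navigator.platform, wd: navigator.webdriver,
  href: location.href, host: location.host, proto: location.protocol,
  tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
  framed: window.top !== window.self,
  gl: !!document.createElement('canvas').getContext('webgl')
};
var f = document.createElement('form');
f.method = 'POST'; f.action = '/collect'; f.style.display = 'none';
var i = document.createElement('input'); i.name = 'fp'; i.value = JSON.stringify(d);
f.appendChild(i); document.body.appendChild(f); f.submit();`;

// Constructed page: the collector wrapped exactly like the loader described above.
const CONSTRUCTED_PHISH_HTML =
  `<html><body><img src="x" onerror="eval(atob('${Buffer.from(CONSTRUCTED_COLLECTOR, 'utf8').toString('base64')}'))"></body></html>`;

// Benign control: an onerror handler that only swaps in a fallback image.
const CONSTRUCTED_BENIGN_HTML =
  `<html><body><img src="logo.png" onerror="this.src='fallback.png'"></body></html>`;

const phishFindings = triageHtml(CONSTRUCTED_PHISH_HTML);
console.log('indicator hits:', phishFindings.map((f) => f.indicators));
console.log('likely fingerprinting:', isLikelyFingerprinting(phishFindings));
console.log('benign page findings:', triageHtml(CONSTRUCTED_BENIGN_HTML).length);
```

The decode step is what makes the check useful: a signature on the raw HTML sees only an opaque Base64 blob, while the decoded script exposes the screen, navigator, time zone, iframe and WebGL reads together with the form submission, which is the combination worth alerting on.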

Technique #3: Obfuscation via Encryption 

While earlier versions of Tycoon2FA relied on simpler obfuscation like Base64 or XOR, more recent samples employ AES encryption for payload obfuscation. This complicates detection significantly.

Static analysis becomes much more difficult, especially when hard-coded keys and initialization vectors (IVs) are embedded in the code. 

In this sample, we can observe that Tycoon2FA uses AES encryption to obfuscate the payload itself, not just to protect the upload and download of stolen and service data in the final stages of execution:


Obfuscation via encryption in code 

Even though the execution chain is otherwise similar to previously known ones, AES-level obfuscation requires much more effort to reverse engineer and detect.

Live Webinar on New Malware Tactics 

Learn more about the latest, most relevant TTPs and find out how to detect them efficiently at the webinar by ANY.RUN. 

Join us on Wednesday, September 17 at 3:00 PM GMT. 

New Malware Tactics: Cases & Detection Tips for SOCs : Register for webinar 

Conclusion: Breaking Down Evasion Tactics With ANY.RUN 

These evasion techniques are just a small portion of the constantly evolving TTPs used by threat actors. Traditional solutions that rely too heavily on automation and signature-based analysis have proven ineffective against them.

You can see better results with in-depth, interactive behavioral analysis rather than purely automated analysis. That’s what ANY.RUN delivers with its sandbox:

  • Interactivity in Real Time: Analyze malware from its very core by observing and investigating its behavior in action. 
  • Fast Results: See verdicts and identify malware families within 40 seconds of launch, cutting your analysis time to mere minutes.
  • Detailed Behavior Analysis: Gain clear visibility into modern threat tactics, techniques, and procedures for thorough investigation. 
  • Efficient Automation: Detonate threats hands-free with Automated Interactivity and cut your workload by automating time-consuming routine tasks. 

In-depth Research and Proactive defense for SOC teams : Try ANY.RUN 


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.