CTI Roundup: Tycoon Phishing-as-a-Service and TheMoon Malware Update

This week, CTI looks at a new adversary in the middle (AiTM) phishing kit associated with the Tycoon 2FA phishing-as-a-service (PhaaS platform). Next, CTI investigates a recent phishing email that delivered Agent Tesla malware. Finally, CTI explores a new variant of TheMoon malware botnet that has infected thousands of routers and IoT devices across 88 countries.

1. Researchers discover a new version of the Tycoon 2FA AiTM phishing kit

Researchers have discovered a new adversary in the middle (AiTM) phishing kit associated with the Tycoon 2FA phishing-as-a-service (PhaaS platform).

Tycoon 2FA has emerged as one of the most widespread AiTM phishing kits over the last few months. The latest Tycoon 2FA version, discovered in February 2024, has enhanced obfuscation and anti-analysis capabilities and new traffic patterns.

How Tycoon 2FA works

The latest Tycoon 2FA phishing kit relies on the AiTM technique. The attacking server hosts the phishing site, intercepts the input of victims, and sends this input to the legitimate service that will prompt the MFA request.

When the user completes the appropriate MFA challenge and authenticates, the server in the middle will capture the session cookies. These cookies enable the threat actor to replay a session, thus bypassing MFA.

• Stage 0: The attack begins with the distribution of phishing pages, often via redirections from URLs and QR codes. The Tycoon 2FA phishing kit gives its users templates of phishing pages along with decoy documents to be used in the emails themselves.
• Stage 1: After the user clicks on the phishing URL, they are redirected to a page that embeds a Cloudflare Turnstile challenge to prevent traffic from bots and analysts. Human interaction is necessary to complete the security challenge.
• Stage 2: JavaScript executes in the background before redirecting the user to another page. The HTML of this new page contains JavaScript that will extract the email address from the URL, if there is one, to customize the attack.
• Stage 3: This stage is also not visible to the user and redirects them to another page of the phishing domain.
• Stage 4: This stage presents a fake Microsoft authentication page and will fingerprint the user’s web browser, initiate a WebSocket with the C2 server, implement socket communications, capture and exfiltrate user inputs, and retrieve the final redirection URL.
• Stage 5: Stage 5 builds and displays the Microsoft 2FA page to the victim and will intercept the token to bypass security measures.
• Stage 6: The victim is finally redirected to a legitimate-looking page.

The biggest updates in this attack are the changes made to the JavaScript and HTML codes that are used for phishing. The pages in this version changed slightly and now retrieve the necessary resources in a different order, filtering unwanted traffic from bots and security analysts in the process.

Sekoia notes that there were similar deobfuscation functionalities between the old version and the new version, but that the overall structure changed. The biggest difference is in the enhancements made to various stealth tactics in which the malicious resources are not provided until the victim resolves the CloudFlare Turnstile challenge.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The changes in the latest version of Tycoon 2FA are primarily around improving stealth and evasion techniques. This effort suggests that the threat actor behind the phishing kit is looking to expand the kit’s capabilities, likely to gain popularity.

Sekoia reports that its scale of operations is substantial, with evidence of a range of cybercriminals currently leveraging Tycoon 2FA.

2. Phishing attack disguises keylogger as bank payment notice

In March, researchers discovered a phishing email delivering the Agent Tesla malware.

The emails themselves include a Windows executable that masquerades as a fraudulent bank payment notification, urging the victim to open it. The loader is capable of bypassing antivirus software and obtains its payload with the help of proxies to obfuscate its traffic.

The infection chain

This attack begins with a phishing email that pretends to be a notification from the victim’s bank. The attached archive file is a loader that employs various anti-analysis and detection evasion techniques before ultimately delivering the Agent Tesla infostealer, executing it entirely in memory.

The email delivery/loader

The phishing email pretends to be a fake bank payment notification with an attachment that looks like a payment receipt from a bank.

The attached tar.gz archive contains a malicious loader, which is compiled via .NET and hides its functionality with obfuscation and packing. When it initializes it will decrypt the configuration data it needs to operate. Trustwave has observed two different versions of the polymorphic loader.

Antivirus evasion/payload retrieval

The loader will patch the AmsiScanBuffer function to bypass the antimalware scan interface (AMSI) to evade malware scanning of in-memory content.

After this it will target a payload hosted at a specific URL and require a specific user-agent string to do so. One of the variants leverages an HTTP proxy server from an open-source list on GitHub to download the payload.

Once the payload is stored in memory the loader will use .NET’s reflection and assembly loading capabilities to invoke the main entry point of the payload and trigger the Agent Tesla malware.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Agent Tesla is a notorious malware that is commonly used by different threat actors and therefore delivered in a multitude of different ways.

This specific delivery of the malware is notable as its loader employs a range of obfuscation and anti-analysis techniques and ‘exhibits polymorphic behavior with distinct decryption routines.’

Trustwave believes that because of this, the loader could be used in the future to deploy different types of malware.

3. TheMoon malware targets ASUS routers

A new variant of TheMoon malware botnet has infected thousands of routers and IoT devices across 88 countries.

The malware is linked to the “Faceless” proxy service which uses the infected devices as proxies and routes traffic for threat actors looking to mask their activities. The latest TheMoon campaign, which in March, compromised over 6,000 ASUS routers in less than 72 hours.

What is TheMoon malware?

TheMoon first emerged in 2014 and has grown to over 40,000 bots — many of which are used in the notorious Faceless proxy service. Researchers believe TheMoon is growing Faceless by roughly 7,000 new users per week.

Black Lotus Labs identified a campaign beginning the first week of March 2024 that targeted 6,000 ASUS routers. Based on their analysis, it appears as though the threat actor targeted end-of-life devices.

Malware analysis

The attack began with a loader file that checks for the presence of certain shells. If none of the shells are identified, the file will stop. If one of the shells is identified, it will decrypt, drop, and execute the next stage payload. The binary will set up multiple iptables rules before setting up a thread to contact an NTP server, likely to confirm that the device has internet connectivity and is not a sandbox.

It will then cycle through a hardcoded list of IP addresses, establish a connection on port 15194, and send a hardcoded packet.

Researchers have identified two modules including a worm module and a file named .sox. The worm module attempts to spread itself by scanning an IP block looking for vulnerable targets. The .sox file, once executed, will embed functionality to modify iptables, allowing it to open additional ports and download other modules.

TheMoon/Faceless overlap

Black Lotus Labs identified an overlap between TheMoon and Faceless activity clusters. Looking at a period of 10 days, they found that roughly 80% of bots talking to Faceless C2s were also talking to TheMoon C2.

When a bot communicates with a Faceless server it will enroll in the Faceless proxy network. Researchers found that 30% of infections lasted for over 50 days while only 15% of devices were part of the network for less than 48 hours.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Cybercriminals are constantly looking for ways to stealthily carry out attacks and remain anonymous. In addition to things like VPNs, threat actors are now also looking towards proxy servers to hide their activities.

Black Lotus Labs believes this shift to proxy services could also be due to the increase in disruptions from law enforcement, heightening the need for threat actors to anonymize their traffic. It’s worth noting that many of the targeted device models are end-of-life, reemphasizing the risks associated with end-of-life technologies.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.