#phishkit

πŸͺ Since 2023, #Tycoon2FA has become the leading #phishing-as-a-service platform.

As a low-cost #AiTM #phishkit, it lets threat actors steal user credentials from numerous companies.

πŸ‘¨β€πŸ’» Learn more and see attack analysis: any.run/malware-trends/tycoon/
#cybersecurity #infosec

⚠️ #Tycoon2FA is a rapidly evolving #phishkit bypassing 2FA on M365 & Gmail
🔹 Multi-stage execution chain
🔹 Dynamic code generation & #obfuscation for stealth
🔹 Browser fingerprinting for targeted execution

Analysis of 27 observed evasion techniques 👇
any.run/cybersecurity-blog/tyc

#cybersecurity #infosec

πŸͺ #Tycoon2FA is a #phishkit widely used to steal employee credentials across dozens of industries.

We've documented the evolution of its evasion mechanisms over the past 6 months.

Discover analysis of 27 techniques found in the latest attacks 👇
any.run/cybersecurity-blog/tyc

#infosec #cybersecurity

🚨 Fake Booking.com phishing pages used to deliver malware and steal data
⚠️ Attackers use #cybersquatting, mimicking the Booking website to create legitimate-looking phishing pages that trick users into executing malicious actions.
Leveraging #ANYRUN's interactivity, security professionals can follow the entire infection chain and gather #IOCs.

👨‍💻 Case 1: The user is instructed to open the Run tool by pressing Win + R, then Ctrl + V to paste the script, and hit Enter. This sequence of actions executes a #malicious script that downloads and runs malware, in this case, #XWorm.
Take a look at the analysis: app.any.run/tasks/61fd06c8-233

πŸ” TI Lookup request to find domains, IPs, and analysis sessions related to this campaign:
intelligence.any.run/analysis/

🎯 Use this search query to find more examples of this fake #CAPTCHA technique and enhance your organization's security response:
intelligence.any.run/analysis/

πŸ‘¨β€πŸ’» Case 2: In this scenario, threat actors aim to steal victims’ banking information. It’s a typical phishing site that mimics Booking website and, after a few steps, prompts users to enter their card details to β€˜verify’ their stay.
See example: app.any.run/tasks/87c49110-90f

📌 A key domain in this campaign, Iili[.]io, was also used by #Tycoon2FA #phishkit.
🔍 Use this TI Lookup query to find more examples:
intelligence.any.run/analysis/

Investigate the latest #malware and #phishing attacks with #ANYRUN 🚀

#cybersecurity #infosec

🚨 #SMiShing phishkit targets victims in the US with fake parking payments (1/2 🧵)
⚠️ Media reports have highlighted widespread cases of parking payment fraud across the US, Canada, the UK, and other countries. #Phishing threats targeting smartphones are among the most dangerous scams in today's threat landscape.

By leveraging checks for distinctive features of mobile browsers, this type of phishing may not even work in desktop environments.

We’ve analyzed how this #phishkit, which we named BlockKnock, operates using the ANYRUN Interactive Sandbox.

📌 Setting the external IP to the United States and adjusting the browser to match the screen resolution of an iPhone 14 Pro Max successfully bypassed the checks, revealing the phishing page content. Use ANYRUN’s interactive environment for targeted investigations: enable residential proxies and use browser dev tools for in-depth analysis.

Take a look at the analysis: app.any.run/tasks/951d75e9-4d9

The phishing page engine communicates with the #C2 server via the WebSocket protocol using the following fields:
⤴️ Client request
action: Client message type
uuid: Current session identifier
data: Client-side JSON request encrypted using AES-CBC and encoded in #Base64
siteCode: Phishing page type

⤵️ Server response
type: Server message type
data: Server-side JSON response encrypted using AES-CBC and encoded in Base64

AES key: bda1ba0338a0de9203b8f80fe81d9fd4

#cybersecurity #infosec

🚨 ALERT: Fake #YouTube links redirect to #phishing pages
Using the Uniform Resource Identifier authority (URI), phishers obfuscate links and place a legitimate resource address, like http://youtube, at the beginning of URLs to deceive users and make the link appear authentic and safe.

📌 The attackers are also abusing other services. We’ll keep monitoring and sharing the details with you, so your company can make effective decisions to address the threat.

Take a look at the example and gather #IOCs:
app.any.run/tasks/ace1b2b4-1c1

πŸ‘¨β€πŸ’» Use this search request to find more sandbox sessions and improve the precision and efficiency of your organization's security response:
intelligence.any.run/analysis/

Technically, the URI Scheme replaces the userinfo field (user:pass) with a domain name: foo:// <user:pass> @ domain . zone

πŸ“ Attributes
#Storm1747 domain infrastructure β€” checkers, redirectors and main pages β€” has a standard template for #Tycoon 2FA #phishkit installed.
The technique of replacing userinfo is also employed by various other phishing kits, such as #Mamba 2FA and #EvilProxy.

🚀 Analyze and investigate the latest #malware and phishing threats with ANYRUN
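Added example, not from the post: a small Node.js checker that strips the userinfo decoy described above (foo://<user:pass>@domain.zone) and reports the host the browser will actually connect to, so analysts and link-scanning tooling do not misjudge a link by its visible prefix. The host names in the samples are constructed placeholders; the brand list is illustrative.

```javascript
// Added example (not from the post): expose the real destination of a URL whose
// userinfo field carries a legitimate-looking address. Sample hosts are constructed.
const safeDecode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

function realDestination(raw) {
  let u;
  try { u = new URL(raw); } catch { return { parsable: false, raw }; }
  // Everything before '@' in the authority is userinfo; the browser ignores it
  // when choosing the host, so the decoy never influences where the request goes.
  const userinfo = safeDecode(u.username) +
    (u.password ? ":" + safeDecode(u.password) : "");
  // Heuristic: credentials embedded in a web link are almost never legitimate,
  // and userinfo shaped like a host or brand name is the decoy pattern.
  const decoyLikeHost = /^[\w-]+(\.[\w-]+)+$/.test(u.username) ||
    /^(youtube|google|microsoft)$/i.test(u.username); // illustrative brand list
  return {
    parsable: true,
    scheme: u.protocol.replace(":", ""),
    userinfo,
    realHost: u.hostname,
    suspicious: /^https?:$/.test(u.protocol) && u.username !== "",
    decoyLikeHost,
  };
}

// Constructed samples: two decoys built the way the post describes, one plain link.
const SAMPLES = [
  "http://youtube@redirector.example/watch?v=abc",
  "https://www.youtube.com:video@login-check.example/",
  "https://www.youtube.com/watch?v=abc",
];

// Return only the flagged entries, as a log- or mail-scanning hook would.
function scan(urls) {
  return urls.map(realDestination).filter((r) => r.parsable && r.suspicious);
}

console.log(scan(SAMPLES));
```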

🎯 Analysis of the latest LogoKit #phishkit
⚠️ LogoKit is a comprehensive set of #phishing kits, known for using services that provide company logos and screenshots of target websites

➡️ The background is retrieved via request to a website screenshot service, using the following template:
hxxps://thum[.]io/get/width/<DPI>/https://<Domain>

➡️ The company's logo is fetched from a legitimate logo storage service:
hxxps://logo.clearbit[.]com/<Domain>

Example: app.any.run/tasks/1362e3bd-72a

📌 The domain chain is led by a decoder-redirector:
hxxps:// asiangrocers [.]store/fri/?haooauvpco=bWlubmllQGRpc25leS5jb20

It is a fake Asian food store website built on a WordPress template, with a domain age of around four years. The template contains email addresses filled with typos

🔄 The decoder-redirector shields the page from analysis and redirects the victim to the actual phishing page

In this case, the real content of the #phish page and the associated scripts are hosted on the #Cloudflare Pages platform. They are stored in the assets/ folder, which contains styles, images, and scripts

🚨 Three scripts with random 10-character names are designed to protect the page from analysis and send stolen data to the threat actors:
assets/js/e0nt7h8uiw[.]js
assets/js/vddq2ozyod[.]js
assets/js/j3046eqymn[.]js

The stolen authentication data is sent to a remote Command and Control (#C2) server controlled by the attackers via an HTTP POST request containing the following parameters:
fox=<E-mail>&con=<Password>

πŸ‘¨β€πŸ’» Take a look at another sandbox session:
app.any.run/tasks/8a95135f-133

🚀 Hurry up to get ANYRUN's #blackfriday deals: get a license bundle, double your TI Lookup search requests, or get a custom offer
🔗 app.any.run/plans/?utm_source=

2020-10-16

Phishers Capitalize on Headlines with Breakneck Speed - Marking a pivot from COVID-19 scams, researchers track a single threat actor through the evolution... threatpost.com/phishers-capita #infrastructureanalysis #mostrecentthreatlists #voterregistration #amazonprimeday #phishinglures #websecurity #proofpoint #rebranding #branding #phishing #phishkit #telegram #whatsapp #paypal #covid #fraud
