65 root domain indicators of compromise identified in growing campaign
DNSFilter researchers have discovered that the Tycoon 2FA phishing-as-a-service (PhaaS) platform has significantly expanded its operations, including surging use of Spanish (.es) domains. This expansion marks a strategic evolution in Tycoon 2FA’s infrastructure design, demonstrating enhanced obfuscation techniques and highly targeted subdomain usage patterns. Understanding this shift is critical for defenders aiming to disrupt these operations, as traditional detection methods may fail against such ephemeral and compartmentalized infrastructure.
Tycoon 2FA is a sophisticated PhaaS platform that has been active since August 2023, specializing in adversary-in-the-middle attacks to bypass multi-factor authentication. Tycoon 2FA’s infrastructure strategy relies on short-lived, burnable Fully Qualified Domain Names (FQDNs) hosted on longer-lived root domains, creating a two-tier system.
DNSFilter’s researchers analyzed 11,343 unique FQDNs and found:
Coordinated surge in Spanish domain infrastructure – 13 .es domains were activated simultaneously on April 7, and researchers have seen sustained activity using .es domains through June.
Enhanced obfuscation techniques – Tycoon 2FA continues to refine its evasion methods, using tactics such as nested encoding schemes buried within encrypted blobs and the use of Base91 encoding alongside traditional Base64.
Evidence of target-specific subdomain operations – Tycoon 2FA is likely creating or selecting subdomains within a larger domain name that are tailored to a particular purpose, audience or target. Consistent with this, 99.6% of subdomains received fewer than 10 total DNS queries.
DNSFilter researchers also identified 65 root domain indicators of compromise (IOCs), which will help network defenders implement more effective blocking strategies.
Will Strafach, Head of Security Intelligence & Solutions, DNSFilter, said: “Our research underscores the fact that bad actors continue to evolve their methods and become more sophisticated. Our research into Tycoon 2FA gives enterprise security teams actionable intelligence to enhance threat detection and reduce dwell time by focusing on persistent root domains. To stay safer amid this surge, organizations need to implement wildcard domain blocking for all 65 root domains that DNSFilter found and monitor for subdomain pattern matching.”
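The two controls recommended above (wildcard blocking of the listed root domains, and watching for the burnable-subdomain pattern on a persistent root) as an added example; this is not DNSFilter's code, the root IOCs and log lines are constructed placeholders, and the "last two labels" root rule is a simplifying assumption.

```python
from collections import Counter, defaultdict

# Constructed placeholder roots standing in for the 65 root-domain IOCs in the
# DNSFilter report; they are not the real indicators.
ROOT_IOCS = {"burnable-root-a.es", "burnable-root-b.es"}

# Constructed DNS resolver log, one "<client ip> <queried fqdn>" per line.
SAMPLE_LOG = """\
10.0.0.5 x7k2p.burnable-root-a.es
10.0.0.9 q9m1z.burnable-root-a.es
10.0.0.5 mail.corp-internal.example
10.0.0.7 v3n8c.unlisted-root.es
10.0.0.8 r2d4f.unlisted-root.es
10.0.0.8 t6y1w.unlisted-root.es
10.0.0.5 mail.corp-internal.example
10.0.0.5 www.corp-internal.example
""".splitlines()

def registrable_root(fqdn):
    """Assumption: root = last two labels (multi-part suffixes such as
    .co.uk are not handled; use a public-suffix list in production)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def wildcard_blocked(fqdn, roots=ROOT_IOCS):
    """Wildcard block: deny if the FQDN or any parent of it is a listed
    root, so every freshly minted subdomain under that root is caught."""
    labels = fqdn.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in roots for i in range(len(labels)))

def ephemeral_roots(log_lines, low_query=10, min_subdomains=3, roots=ROOT_IOCS):
    """Flag unlisted roots whose subdomains are numerous and each rarely
    queried: the two-tier 'burnable FQDN on a persistent root' pattern.
    Returns {root: (distinct subdomains, how many fell below low_query)}."""
    counts = Counter(line.split()[1] for line in log_lines)
    per_root = defaultdict(list)
    for fqdn, n in counts.items():
        root = registrable_root(fqdn)
        if root not in roots and fqdn != root:
            per_root[root].append(n)
    flagged = {}
    for root, qcounts in per_root.items():
        low = sum(1 for n in qcounts if n < low_query)
        if len(qcounts) >= min_subdomains and low / len(qcounts) >= 0.9:
            flagged[root] = (len(qcounts), low)
    return flagged

if __name__ == "__main__":
    print([f for f in (l.split()[1] for l in SAMPLE_LOG) if wildcard_blocked(f)])
    print(ephemeral_roots(SAMPLE_LOG))
```

Roots flagged by ephemeral_roots are candidates for analyst review and, once confirmed, for adding to the wildcard block list.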
Source: prnewswire