Beware! Tycoon 2FA Phish-kit Exploits Amazon SES to Steal User Credentials - News Summed Up


A sophisticated phishing campaign using the Tycoon 2FA phish-kit has been identified, leveraging Amazon Simple Email Service (SES) and a series of high-profile redirects to steal user credentials. According to the phishing sample analysis, the attack begins with an email sent from an Amazon SES client. Communication with the C2 server is encrypted using AES in CBC mode, ensuring data security for the attackers.

v4l3n.delayawri.ru – Attackers’ C2 server
keqil.ticemi.com – Tycoon 2FA phish-kit’s core engine

The attackers use a custom communication protocol to send stolen user data to their C2 server, located at v4l3n.delayawri.ru.

Request: //Response (JSON): "message":, , "description":, "token":

All communication with the C2 server is encrypted using AES in CBC mode.


Source: Economic Times July 31, 2024 14:18 UTC


