[Storm-1747] Tycoon Phishing Service Email Analysis

Malware Sample Analysis

Extracted Phishing IOCs

  • Email Attachment (HTML file): 190374 pdf.Dhudnall....html

    • EML Hash (SHA-256): 558f05937b1afcdce82b106599db2707428541abd040a009293b614293ac6d68
    • Attachment Hash (SHA-256): b3fe13c613f5c22e5211af8c576694800f8831d7f60d6e9863b40c4b54276320

  • Malicious URLs:

    • https://bumblebeeclub.net/res444.php?2-68747470733a2f2f717a372e6763637678676d6f752e636f6d2f394d684370472f-leech
      • This URL is obfuscated by the script source, likely to track or uniquely identify the victim and evade detection.
    • https://activationmail-setupmailvalidationonlineaosaiaosuaos.es/#[email protected]
  • Observed Domains:

    • bumblebeeclub.net
    • gccvxgmou.com
    • ijmzazonz.com
    • ntowardr.ru
    • activationmail-setupmailvalidationonlineaosaiaosuaos.es

Behavioral Analysis and Observations

  • Phishing Server Response:
    Attempts to revisit the malicious URL led to a connection refusal, likely due to prior access from the Any.Run sandbox environment. The analysis indicated a phishing landing page that was part of the Tycoon phishing service (identified by Any.Run as Storm-1747).

  • Script Behavior:
    The embedded script's leech parameter contained the target's email address ([email protected]), suggesting personalized phishing attacks.

  • Suspicious DNS Requests (Captured on Any.Run):

    • bumblebeeclub.net
      • IPs:
        • 103.83.194.55 (Host4Geeks LLC)
        • 69.49.245.172, 69.49.235.200 (Newfold Digital Inc.)
    • qz7.gccvxgmou.com
    • mtnimqtjydyz7nkctxouk6uyee5ybsgemlbi9gt4vje9qeagvq.ijmzazonz.com
    • 7gtfyocih2xkvijotdo5jgcrb2jvcuwbtkdi7fi49wy6ocgit1no.ntowardr.ru

Most observed domains were routed through Cloudflare, suggesting the use of a proxy to mask the phishing infrastructure.
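As an added example (not part of the original analysis), the following Python decodes the hex-encoded segment of the bumblebeeclub.net URL listed above into its next-hop URL and pulls the victim identifier out of the landing URL's fragment, so the host hidden inside the encoding can be checked against the DNS names the sandbox captured. The `<n>-<hex>-<tag>` query pattern, the function names and the pivot helper are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed from the two URLs reported in the IOC list of this analysis.
REDIRECT_URL = ("https://bumblebeeclub.net/res444.php?2-"
                "68747470733a2f2f717a372e6763637678676d6f752e636f6d2f394d684370472f-leech")
# The victim address is shown redacted in the report; the fragment is kept verbatim.
LANDING_URL = "https://activationmail-setupmailvalidationonlineaosaiaosuaos.es/#[email protected]"

# Assumed query layout: <number>-<hex-encoded next hop>-<tag>
_ENCODED_QUERY = re.compile(r"^(?P<prefix>\d+)-(?P<hex>[0-9a-fA-F]+)-(?P<tag>\w+)$")


def decode_redirect(url: str) -> dict:
    """Hex-decode the middle query segment and return the next-hop URL and host.

    Raises ValueError when the query does not match the pattern, so a caller
    never silently treats an unrelated URL as a decoded redirect.
    """
    parts = urlsplit(url)
    m = _ENCODED_QUERY.match(parts.query)
    if not m:
        raise ValueError(f"query is not <n>-<hex>-<tag>: {parts.query!r}")
    hex_part = m.group("hex")
    if len(hex_part) % 2:
        raise ValueError("odd-length hex segment")
    next_hop = bytes.fromhex(hex_part).decode("utf-8", errors="replace")
    return {
        "stage_host": parts.hostname,
        "tag": m.group("tag"),
        "next_hop": next_hop,
        "next_hop_host": urlsplit(next_hop).hostname,
    }


def extract_fragment_target(url: str) -> str:
    """Return the URL fragment carrying the per-victim identifier.

    Fragments are never sent in the HTTP request, so proxy logs will not show
    them; the value has to be taken from the captured URL itself.
    """
    return unquote(urlsplit(url).fragment)


def pivot_indicators(urls) -> list:
    """Collect every host in the captured URLs, including hosts hidden in encoded segments."""
    hosts = set()
    for u in urls:
        hosts.add(urlsplit(u).hostname)
        try:
            hosts.add(decode_redirect(u)["next_hop_host"])
        except ValueError:
            pass  # plain URL with no encoded next hop
    return sorted(h for h in hosts if h)
```

The decoded next hop resolves to the qz7.gccvxgmou.com name seen in the sandbox DNS capture, which is how the two indicators tie together.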

Email Header Analysis

  • Email Body: Appeared to be empty, likely to evade basic email filters.
  • DMARC Authentication: Failed

  • Mail Server: Email sent from an uncommon server, suggesting potential abuse or compromise.

  • Mail Flow Rule Exploitation:
    • The organization appears to have a mail flow rule setting emails from mbanc.com to a -1 spam confidence level, effectively bypassing Microsoft Defender’s checks. Recommendation: Never use -1 spam confidence levels; use a higher value to avoid security gaps.

Conclusion

This phishing campaign exhibits characteristics of a targeted attack, leveraging obfuscated scripts and encoded URLs to track victims and personalize attacks. The use of Cloudflare and non-standard hosting services indicates an attempt to obscure the phishing infrastructure. Immediate steps should be taken to block identified IOCs and review mail flow rules for potential vulnerabilities.
