
A DNS Investigation of the Typhoon 2FA Phishing Kit

Bleeping Computer recently reported that a phishing-as-a-service (PhaaS) kit sold on cybercriminal forums, dubbed “Typhoon 2FA,” can compromise Microsoft 365 and Google accounts even when the targeted users have two-factor authentication (2FA) enabled.

Sekoia security analysts uncovered the phishing kit in October 2023, though they believe it has been active since at least August of that year. They have since kept updating their list of Typhoon 2FA indicators of compromise (IoCs), which to date comprises 55 domains and 48 subdomains.

To learn more about Typhoon 2FA, the WhoisXML API research team expanded the current list of IoCs and found:

  • 288 registrant email address-connected domains
  • 110 registrant organization-connected domains
  • 262 email-connected domains
  • 21 IP addresses, all of which were flagged as malicious by threat intelligence sources
  • 137 string-connected domains
  • 3,223 string-connected subdomains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the Typhoon 2FA IoCs

As our usual first step, we subjected the 55 domains identified as IoCs (48 of which were extracted from the subdomain IoCs) to a bulk WHOIS lookup, which revealed that:

  • Their top three registrars were NameSilo LLC, which administered 22 of the domains tagged as IoCs; R01-RU, which furnished 12; and Internet Domain Service BS Corp., which provided eight. Gransy SRO accounted for four domains, and Danesco Trading Ltd. for two. Namecheap, Inc., PSI-USA, Inc., and REGTIME-SU accounted for one domain IoC each. Finally, one domain did not have registrar data in its current WHOIS record.
  • The domains classified as IoCs were created in 2023 (18 domains) and 2024 (36 domains), indicating that the Typhoon 2FA operators favored newly registered domains (NRDs) in their campaigns. One domain named as an IoC did not have a creation date in its current WHOIS record.
  • A majority of the domains categorized as IoCs, 29 to be exact, were registered in the U.S. Seven domains identified as IoCs were registered in Pakistan and one each in Nigeria and the U.K. The registrant countries of two domains tagged as IoCs were redacted. Finally, 15 domains classified as IoCs did not have current registrant country data.

  • Four domains named as IoCs had registrant email addresses and names in their current WHOIS records, namely:
    • 3tdx2r[.]com
    • it2ua[.]com
    • lw8opi[.]com
    • tlger-surveillance[.]com
  • Eight domains categorized as IoCs had registrant organization names in their current WHOIS records, namely:
    • 3qjpc[.]com
    • 3tdx2r[.]com
    • canweal[.]com
    • it2ua[.]com
    • lw8opi[.]com
    • m1p8z[.]com
    • tlger-surveillance[.]com
    • tnjxb[.]com

A DNS Deep Dive to Find Typhoon 2FA Connected Artifacts

To further investigate possible ties other digital properties may have to Typhoon 2FA, we expanded the current list of IoCs.

First, we looked for domains that shared some of the domain IoCs’ registrant information using Reverse WHOIS Search and uncovered:

  • 288 registrant email address-connected domains based on their historical WHOIS records
  • 110 registrant organization-connected domains based on their historical WHOIS records

We then queried the 55 domains classified as IoCs on WHOIS History API and found 42 email addresses in their historical WHOIS records, 14 of which were public (i.e., not redacted or privacy-proxy) email addresses.

Next, we used the 14 public email addresses as Reverse WHOIS API search terms, which led to the discovery of 262 email-connected domains after filtering out duplicates, the IoCs, and the registrant-connected (by email address, name, and organization) domains. Like the IoCs, a large share of them consist of short, random-looking strings of letters and digits, suggesting they were generated algorithmically rather than chosen by hand.
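The registrant and email pivots described above can be modeled offline. The block below is an added example, not WhoisXML API's code or API: the six IoC domains are taken from the article, while every email address, organization name and non-IoC domain in WHOIS_HISTORY is constructed for the example. It chains the two pivots so that each later set excludes the IoCs and everything already found, drops privacy-proxy mailboxes (which would connect every customer of that proxy rather than the actor), and applies a crude test for the random-looking labels the article describes.

```python
# Added example (not WhoisXML API's code): an offline model of the
# registrant and e-mail pivots. IOCS domains come from the article; every
# address, organisation and non-IoC domain below is constructed.
import re
from collections import defaultdict

WHOIS_HISTORY = [
    # (domain, registrant e-mail, registrant organisation); None = field absent
    ("3tdx2r.com",             "ops@registrant-a.invalid",    "Org A"),
    ("it2ua.com",              "ops@registrant-a.invalid",    "Org A"),
    ("lw8opi.com",             "abuse@privacy-proxy.invalid", "Org A"),
    ("tlger-surveillance.com", "owner@registrant-b.invalid",  "Org B"),
    ("m1p8z.com",              "abuse@privacy-proxy.invalid", "Org A"),
    ("canweal.com",            None,                          "Org B"),
    ("k9q2vv.com",             "ops@registrant-a.invalid",    "Org A"),   # constructed
    ("r7x1p.net",              "owner@registrant-b.invalid",  None),      # constructed
    ("xz4p9.org",              None,                          "Org A"),   # constructed
    ("shop-legit.com",         None,                          "Org B"),   # constructed
    ("proxied-other.com",      "abuse@privacy-proxy.invalid", "Org C"),   # constructed
]
IOCS = {"3tdx2r.com", "it2ua.com", "lw8opi.com",
        "tlger-surveillance.com", "m1p8z.com", "canweal.com"}

# A privacy/proxy mailbox is shared by every customer of that service, so
# pivoting on it would drag in unrelated registrants. Only "public"
# addresses are usable as search terms.
PRIVACY_MAILBOX = re.compile(r"privacy|proxy|redacted|whoisguard", re.I)

def is_public_email(addr):
    return bool(addr) and not PRIVACY_MAILBOX.search(addr)

def index_by(field):
    """Map each distinct value of `field` (1 = e-mail, 2 = org) to its domains."""
    idx = defaultdict(set)
    for rec in WHOIS_HISTORY:
        if rec[field]:
            idx[rec[field]].add(rec[0])
    return idx

def pivot(seeds, field, exclude):
    """Domains sharing a `field` value with any seed, minus `exclude`."""
    values = {rec[field] for rec in WHOIS_HISTORY if rec[0] in seeds and rec[field]}
    if field == 1:
        values = {v for v in values if is_public_email(v)}
    idx = index_by(field)
    found = set()
    for value in values:
        found |= idx[value]
    return found - exclude

def expand(iocs):
    """Two chained pivots; each later set excludes everything found before."""
    email_connected = pivot(iocs, 1, iocs)
    org_connected = pivot(iocs, 2, iocs | email_connected)
    return email_connected, org_connected

def looks_generated(domain):
    """Crude test for the random-looking labels seen among the IoCs:
    a short second-level label containing a digit or no vowels at all."""
    label = domain.split(".")[0].replace("-", "")
    has_digit = any(c.isdigit() for c in label)
    has_vowel = any(c in "aeiou" for c in label)
    return len(label) <= 6 and (has_digit or not has_vowel)

if __name__ == "__main__":
    emails, orgs = expand(IOCS)
    for name, found in (("registrant e-mail", emails), ("registrant org", orgs)):
        for d in sorted(found):
            print(f"{name:18} {d:20} generated-looking={looks_generated(d)}")
```

Note that proxied-other.com never surfaces even though it shares a mailbox with two IoCs: the shared address is a privacy proxy, so it is not a usable pivot. The looks_generated heuristic is deliberately simple and will misclassify short legitimate names; treat it as a triage hint, not a verdict.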

After that, we resolved the 55 domains categorized as IoCs via DNS lookups, which yielded 21 unique IP addresses.

A bulk IP geolocation lookup for the 21 IP addresses showed they were all geolocated in the U.S. Twenty of them were administered by Cloudflare, Inc., and one by Amazon.com, Inc.

Our Threat Intelligence API queries for the 21 IP addresses found that all were associated with various threats. In particular:

  • 15 were associated with phishing and generic threats
  • Four were connected to malware and command and control (C&C)
  • One was related to attacks, phishing, and generic threats
  • One was associated with phishing, malware, C&C, and generic threats

Reverse IP/DNS lookups for the 21 IP addresses revealed they were all shared hosts, as is expected of Cloudflare's reverse-proxy addresses, which front many unrelated customer domains. We therefore could not use any of them to find IP-connected domains without pulling in unrelated tenants, and for the same reason these addresses make poor blocklist entries: their threat reputation reflects every domain behind them, not Typhoon 2FA alone.
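The IP stage of the workflow (resolve, deduplicate, and decide which addresses are safe to pivot on or block) is shown below as an added example; it is not WhoisXML API's code or any of its APIs. The domain names come from the article's IoC list, but the A records are invented, chosen only so that three fall inside Cloudflare's published IPv4 ranges and one does not. The Cloudflare range list is a snapshot of the published one and should be refreshed from https://www.cloudflare.com/ips-v4 before use.

```python
# Added example (not WhoisXML API's code): triage of the IP addresses the
# IoC domains resolve to. Domain names are from the article; the A records
# are invented for the example.
import ipaddress
from collections import defaultdict

RESOLUTIONS = {
    "3tdx2r.com": ["104.21.0.10", "172.67.0.10"],
    "it2ua.com":  ["104.21.0.10", "172.67.0.10"],   # same proxy IPs as above
    "m1p8z.com":  ["188.114.96.5"],
    "tnjxb.com":  ["3.5.140.22"],                    # constructed non-CDN address
}

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Refresh from that URL before relying on it; the list changes occasionally.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def triage(resolutions):
    """Dedupe resolved IPs and split them into shared reverse-proxy addresses
    (useless for reverse-IP pivots and risky as blocklist entries) and
    addresses that are worth pivoting on."""
    ip_to_domains = defaultdict(set)
    for domain, ips in resolutions.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    unique = sorted(ip_to_domains, key=ipaddress.ip_address)
    shared_cdn = [ip for ip in unique if is_cloudflare(ip)]
    pivotable = [ip for ip in unique if ip not in shared_cdn]
    return {"unique": unique, "shared_cdn": shared_cdn, "pivotable": pivotable,
            "ip_to_domains": {ip: sorted(d) for ip, d in ip_to_domains.items()}}

def blocking_indicators(resolutions):
    """What to feed a blocklist: every IoC domain, plus only the non-shared IPs."""
    return {"domains": sorted(resolutions), "ips": triage(resolutions)["pivotable"]}

if __name__ == "__main__":
    result = triage(RESOLUTIONS)
    print("unique IPs:   ", result["unique"])
    print("shared CDN:   ", result["shared_cdn"])
    print("pivotable:    ", result["pivotable"])
    print("block:        ", blocking_indicators(RESOLUTIONS))
```

Blocking on the domains rather than the shared addresses is the safe choice here; a single Cloudflare proxy IP in a blocklist will also cut off every legitimate site that happens to sit behind it.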

So, we then turned to Domains & Subdomains Discovery to uncover string-connected domains and subdomains resembling the IoCs.

  • Eleven text strings found in the domains named as IoCs appeared in 137 string-connected domains after duplicates, the IoCs, and the registrant- and email-connected domains were filtered out. The strings were:
    • 7e2r.
    • codecrafters.
    • codecrafterspro.
    • fourth.
    • ilert.
    • m1p8z.
    • rexj.
    • sem01.
    • tk9u.
    • tycoongroup.
    • uqin.
  • Eight text strings present in the subdomains categorized as IoCs were also seen in 3,223 other subdomains. They were:
    • explore.
    • horizon.
    • libudi.
    • rlpq.
    • tnyr.
    • x12y.
    • xrs.
    • xrs.

Interestingly, some of the subdomains contained misspelled or lookalike variants of popular brands, such as amazon (explore[.]amazonpi[.]betamazon[.]instructure[.]com), netflix (explore[.]amcway[.]ciostage[.]netfliz[.]ca), apple (explore[.]apjle[.]beta[.]instructure[.]com), gmail (horizon[.]mpk[.]grail[.]com), and salesforce (rlpq[.]j[.]scaleforce[.]net). Hostnames like these could be weaponized for credential phishing should threat actors discover they have been left dangling or insufficiently secured.
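The string-connected discovery and the brand-lookalike spotting described above are reproduced below as an added example (not WhoisXML API's code or its Domains & Subdomains Discovery tool). The strings and the five hostnames quoted in the article are reproduced as given there, refanged; the remaining candidate hostnames and the BRANDS list are invented. The trailing dot on the article's strings is read as a label boundary, so a string matches only when it is a whole DNS label, and lookalikes are scored by either embedding a brand name or sitting within a small edit distance of one.

```python
# Added example (not WhoisXML API's code): label-based string matching plus
# brand-lookalike scoring. Strings and the five quoted hostnames are from
# the article; the other candidates and BRANDS are constructed.
STRINGS = ["7e2r", "codecrafters", "codecrafterspro", "fourth", "ilert", "m1p8z",
           "rexj", "sem01", "tk9u", "tycoongroup", "uqin",
           "explore", "horizon", "libudi", "rlpq", "tnyr", "x12y", "xrs"]
IOCS = {"m1p8z.com"}            # known names are filtered out of the results
CANDIDATES = [
    "m1p8z.com",
    "login.m1p8z.net",                              # constructed
    "explore.amazonpi.betamazon.instructure.com",
    "explore.amcway.ciostage.netfliz.ca",
    "explore.apjle.beta.instructure.com",
    "horizon.mpk.grail.com",
    "rlpq.j.scaleforce.net",
    "tk9u.docs.example.org",                        # constructed
    "rexj.example",                                 # constructed: string hit, no brand
    "unrelated-site.example",                       # constructed: no hit at all
]
BRANDS = ["amazon", "netflix", "apple", "gmail", "salesforce", "microsoft", "google"]

def labels(hostname):
    return hostname.lower().split(".")

def string_connected(candidates, strings, exclude):
    """Hostnames (not in `exclude`) carrying one of `strings` as a whole label."""
    hits = {}
    for s in strings:
        matched = {h for h in candidates if h not in exclude and s in labels(h)}
        if matched:
            hits[s] = matched
    return hits

def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_lookalikes(candidates, brands):
    """(hostname, label, brand) for labels that embed a brand or sit within a
    small edit distance of one. A label that *is* the brand is left alone."""
    flags = []
    for host in candidates:
        for label in labels(host):
            if len(label) < 5:              # too short to score meaningfully
                continue
            for brand in brands:
                if label == brand:
                    continue
                max_dist = 2 if len(brand) >= 8 else 1
                if brand in label or levenshtein(label, brand) <= max_dist:
                    flags.append((host, label, brand))
                    break
    return flags

if __name__ == "__main__":
    for s, hosts in string_connected(CANDIDATES, STRINGS, IOCS).items():
        print(f"{s:10} -> {sorted(hosts)}")
    for host, label, brand in brand_lookalikes(CANDIDATES, BRANDS):
        print(f"lookalike: {host}  ({label} ~ {brand})")
```

Exact-label matching keeps short strings such as xrs from matching every hostname that merely contains those letters; the lookalike pass, on the other hand, will flag real words that happen to be one edit from a brand (grail versus gmail is an example from the article itself), so its output is a review queue rather than a verdict.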


Our in-depth investigation of the Typhoon 2FA DNS infrastructure through an IoC list expansion analysis enabled us to uncover 4,041 potentially connected artifacts comprising 288 registrant email address-connected domains, 110 registrant organization-connected domains, 262 email-connected domains, 21 IP addresses, 137 string-connected domains, and 3,223 string-connected subdomains. It is also worth noting that all 21 IP addresses the threat actors used were associated with various threats, specifically C&C, malware, phishing, attacks, and generic threats, although 20 of them are shared Cloudflare proxy addresses whose reputation reflects every domain fronted by them, not Typhoon 2FA alone.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
