Bleeping Computer recently reported that a phishing-as-a-service (PhaaS) available in cybercriminal forums dubbed “Typhoon 2FA” has the ability to compromise Microsoft 365 and Google accounts even if users have two-factor authentication (2FA) enabled.

Sekoia security analysts uncovered the phishing kit back in October 2023 though they believe it has been active since at least August of that same year. Over time, they have been updating their Typhoon 2FA list of indicators of compromise (IoCs), which to date comprises 55 domains and 48 subdomains.

In a bid to know more about Typhoon 2FA, the WhoisXML API research team expanded the current list of IoCs and found:

• 288 registrant email address-connected domains
• 110 registrant organization-connected domains
• 262 email-connected domains
• 21 IP addresses, all of which turned out to be malicious
• 137 string-connected domains
• 3,223 string-connected subdomains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the Typhoon 2FA IoCs

As our usual first step, we subjected the 55 domains identified as IoCs (48 of which were extracted from the subdomain IoCs) to a bulk WHOIS lookup, which revealed that:

• Their top 3 registrars were NameSilo LLC, which administered 22 of the domains tagged as IoCs; R01-RU, which furnished 12; and Internet Domain Service BS Corp., which provided eight. Gransy SRO, accounted for four domains, while Danesco Trading Ltd. accounted for two. Namecheap, Inc, PSI-USA, Inc., and REGTIME-SU accounted for one domain IoC each. Finally, one domain did not have registrar data in its current WHOIS record.

  

• The domains classified as IoCs were created between 2023 (18 domains) and 2024 (36 domains), hinting that the Typhoon 2FA operators had a penchant for using newly registered domains (NRDs) in their campaigns. One domain named as an IoC did not have a creation date in its current WHOIS record.

• A majority of the domains categorized as IoCs, 29 to be exact, were registered in the U.S. Seven domains identified as IoCs were registered in Pakistan and one each in Nigeria and the U.K. The registrant countries of two domains tagged as IoCs were redacted. Finally, 15 domains classified as IoCs did not have current registrant country data.

  

• Four domains named as IoCs had registrant email addresses and names in their current WHOIS records, namely:
  • 3tdx2r[.]com
  • it2ua[.]com
  • lw8opi[.]com
  • tlger-surveillance[.]com
• Eight domains categorized as IoCs had registrant organization names in their current WHOIS records, namely:
  • 3qjpc[.]com
  • 3tdx2r[.]com
  • canweal[.]com
  • it2ua[.]com
  • lw8opi[.]com
  • m1p8z[.]com
  • tlger-surveillance[.]com
  • tnjxb[.]com

A DNS Deep Dive to Find Typhoon 2FA Connected Artifacts

To further investigate possible ties other digital properties may have to Typhoon 2FA, we expanded the current list of IoCs.

First, we looked for domains that shared some of the domain IoCs’ registrant information using Reverse WHOIS Search and uncovered:

• 288 registrant email address-connected domains based on their historical WHOIS records
• 110 registrant organization-connected domains based on their historical WHOIS records

We then queried the 55 domains classified as IoCs on WHOIS History API and found 42 email addresses in their historical WHOIS records, 14 of which were public email addresses.

Next, we used the 14 public email addresses as Reverse WHOIS API search terms that led to the discovery of 262 email-connected domains after filtering out duplicates, the IoCs, and the registrant-connected (by email address, name, and organization) domains. A huge chunk of them seem to have been created using domain generation algorithms (DGAs) similar to the IoCs.

After that, we performed DNS lookups on the 55 domains categorized as IoCs that revealed they resolved to 21 unique IP addresses after removing duplicates.

A bulk IP geolocation lookup for the 21 IP addresses showed they were all geolocated in the U.S. A majority of them, 20 to be exact, were administered by Cloudflare, Inc., while one was furnished by Amazon.com, Inc.

Our Threat Intelligence API queries for the 21 IP addresses found that all were associated with various threats. In particular:

• 15 were associated with phishing and generic threats
• Four were connected to malware and command and control (C&C)
• One was related to attacks, phishing, and generic threats
• One was associated with phishing, malware, C&C, and generic threats

Reverse IP/DNS lookups for the 21 IP addresses revealed they were all shared hosts so we could not use any of them to find IP-connected domains.

So, we then trooped to Domains & Subdomains Discovery to uncover string-connected domains and subdomains resembling the IoCs.

• Eleven of the text strings found among the domains named as IoCs appeared in 137 string-connected domains after duplicates, the IoCs, and the registrant- and email-connected domains were filtered out. They were:
  • 7e2r.
  • codecrafters.
  • codecrafterspro.
  • fourth.
  • ilert.
  • m1p8z.
  • rexj.
  • sem01.
  • tk9u.
  • tycoongroup.
  • uqin.
• Eight of the text strings present in the subdomains categorized as IoCs were also seen in 3,223 subdomains. They were:
  • explore.
  • horizon.
  • libudi.
  • rlpq.
  • tnyr.
  • x12y.
  • xrs.
  • xrs.

Interestingly, some of the subdomains contained misspelled variants of popular brands like amazon (explore[.]amazonpi[.]betamazon[.]instructure[.]com), netflix (explore[.]amcway[.]ciostage[.]netfliz[.]ca), apple (explore[.]apjle[.]beta[.]instructure[.]com), gmail (horizon[.]mpk[.]grail[.]com), and salesforce (rlpq[.]j[.]scaleforce[.]net), which could be weaponized should threat actors discover they have been left dangling and insufficiently secured.

Our in-depth investigation of the Typhoon 2FA DNS infrastructure through an IoC list expansion analysis enabled us to uncover 4,041 potentially connected artifacts comprising 288 registrant email address-connected domains, 110 registrant organization-connected domains, 262 email-connected domains, 21 IP addresses, 137 string-connected domains, and 3,223 string-connected subdomains. It is also worth noting that all the 21 IP addresses the threat actors used were associated with various threats, specifically, C&C, malware, phishing, attacks, and generic threats.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.