Barracuda Identifies Three Concerning Trends in Email-Based Cyber Attacks
Posted: Friday, Nov 14

 Over the last month, Barracuda threat analysts have seen the following notable developments in email-based threats targeting organisations:

  • New tools and tactics for the Tycoon 2FA phishing kit
  • Invisible characters that help Cephas kit evade scanners and rules
  • A sophisticated attack involving steganography (image-concealed malware)

 What’s New In Tycoon’s Toolkit

Tycoon 2FA is a prominent and successful phishing kit that continues to be a serious threat to businesses despite being around since August 2023. Tycoon’s main goal is to steal login details for Microsoft 365 and, more recently, Google Workspace accounts. It tricks employees into handing over passwords and two-factor authentication codes.

What makes Tycoon dangerous is how often it changes. Each new version includes small but clever updates that help it to avoid detection by traditional security tools.

Here are some of the latest changes seen in recent versions:

  • CAPTCHA challenges: To appear more legitimate and to slow down automated security tools, Tycoon now includes different types of CAPTCHA tests, including image-based puzzles and “press and hold” challenges.
  • More realistic URLs: The latest web addresses mimic real login sequences, including OAuth2-style links and unique codes, making them harder to spot as fake.
  • Compressed code: The latest phishing pages use a method called LZString compression to shrink and hide large parts of the code. This code is then unpacked and run directly in the victim’s browser, making it harder for security tools to catch.
  • Dynamic execution: This means that the hidden code is only fully revealed and run once the page is loaded, helping it to stay under the radar.

To protect against such attacks: Implement security solutions that offer layered security controls. Look for ones that offer anti-phishing tools, adaptive authentication and continuous monitoring to help detect the kind of intercepting adversary-in-the-middle (AiTM) tactics used by threats like Tycoon 2FA.

Cephas Kit Uses Invisible Characters to Block Scanners and Rules

Cephas is an emerging phishing kit first seen in August 2024. The code features a significant number of astronomy- and Bible-related comments.

What makes Cephas noteworthy is that it implements a distinctive and uncommon obfuscation technique. The kit obscures its code by inserting random invisible characters into the source code, which helps it to evade anti-phishing scanners and prevents signature-based YARA rules from matching the exact phishing methods.

To protect against such attacks: Enforce MFA for all users, especially for cloud services like Microsoft 365. Consider using phishing-resistant methods such as hardware security keys rather than SMS or app-based codes.
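The invisible-character trick described above defeats signatures only until the scanner normalises its input. The following Python is an added illustration, not code from Barracuda or the Cephas kit: it takes a constructed PHP-like fragment seeded with zero-width and other Unicode "format" (category Cf) characters, shows that a signature (a regex standing in for a YARA string) misses the raw text, strips the invisible code points, and matches again. The sample text and the signature are both constructed for this example.

```python
import re
import unicodedata

# Constructed sample imitating the technique: zero-width space (U+200B), zero-width
# non-joiner/joiner (U+200C/U+200D), word joiner (U+2060) and a BOM (U+FEFF) are
# sprinkled inside identifiers. This is not taken from the Cephas kit.
OBFUSCATED_SOURCE = (
    "$cr\u200beden\u200ctials = $_PO\u200dST['pass\u2060word'];\n"
    "file_put_\ufeffcontents('log.txt', $cr\u200bedentials, FILE_APPEND);\n"
)

# A signature written against the clean source, as a YARA string would be.
SIGNATURE = re.compile(r"\$credentials\s*=\s*\$_POST\['password'\]")


def strip_format_chars(text: str) -> str:
    """Drop every code point in Unicode category Cf (zero-width characters,
    joiners, BOM, bidi controls); visible text and whitespace are untouched."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def count_format_chars(text: str) -> int:
    return sum(1 for ch in text if unicodedata.category(ch) == "Cf")


def scan(source: str) -> dict:
    """Match the signature before and after normalisation and report how many
    invisible characters the sample carries; a high density inside identifiers
    is itself a useful indicator even when no signature matches."""
    normalised = strip_format_chars(source)
    invisible = count_format_chars(source)
    return {
        "raw_match": bool(SIGNATURE.search(source)),
        "normalised_match": bool(SIGNATURE.search(normalised)),
        "invisible_chars": invisible,
        "invisible_ratio": invisible / max(len(source), 1),
    }


if __name__ == "__main__":
    print(scan(OBFUSCATED_SOURCE))
```

Normalising before matching is cheap and catches the whole family of Cf-based tricks, not just the specific code points this sample uses.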

Stealthy Malware Hides In Images to Avoid Detection

Steganography is a sophisticated attack technique that involves hiding data inside something that looks harmless, such as an image. Unlike encryption, which hides data content, steganography hides the existence of data. This makes it much harder to detect.

Barracuda’s threat analysts recently spotted a phishing campaign leveraging steganography.

The attack starts with a phishing email that looks like a genuine business message, such as an order or pricing inquiry. In the samples analysed, the emails included links to files hosted on a popular and legitimate file sharing service.

However, the files are actually malicious JavaScript files that have been heavily disguised to make it hard for security systems to recognise them as dangerous.

When a user clicks on the link, the JavaScript file is downloaded. The file contains hidden code that’s been scrambled using special characters and encoding. Once unscrambled, it reveals a command that launches PowerShell, a built-in Windows tool often used by attackers to run code without leaving obvious traces.

This PowerShell command fetches a PNG image from another legitimate site. Hidden inside the image is the real malware, encoded in a way that makes it invisible to security software.

By hiding malware inside images and using trusted platforms, the attackers bypass many typical checks. The malware used in this phishing campaign also leverages several other sophisticated tricks to stay hidden:

  • It disguises its code with confusing names and scrambled text.
  • It runs commands in the background without showing any windows.
  • It avoids writing anything to disk and instead hides in the device’s memory, making it harder to trace.

This attack shows how everyday email threats are now using advanced and subtle techniques previously associated mainly with apex attackers such as advanced persistent threats (APTs).

Protect Against Such Attacks

  • Look for warning signs such as the appearance of unusually large media files or files containing duplicate content, as well as unexpected outbound traffic or traffic to unknown domains.
  • Strengthen your security with multi-modal AI-based email protection that includes heuristic and behavioural analysis and can correlate and analyse a wide range of text and visual data types — including URLs, documents, images, QR codes and more.
  • It is also worth blocking macros in documents by default and restricting the range of file types allowed through email and web uploads.
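The report does not say how the payload was encoded into the PNG, so the following Python is an added example from the defender's side rather than a reconstruction of the campaign: it parses a PNG's chunk structure and reports the indicators the first bullet above points at (bytes appended after the IEND chunk, non-standard chunk types, CRC mismatches, and an IDAT payload far larger than the pixel data could need). It builds its own constructed carrier images, and the "payload" it appends is a placeholder string, not malware.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "gAMA", "cHRM", "sRGB",
                   "iCCP", "tEXt", "zTXt", "iTXt", "bKGD", "pHYs", "sBIT", "sPLT",
                   "hIST", "tIME"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, extra: bytes = b"") -> bytes:
    """Constructed 8-bit greyscale PNG; `extra` is appended after IEND to imitate
    a carrier with hidden data (placeholder bytes, not a real payload)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"\x80" * width) * height  # filter byte + one pixel row
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b"") + extra)


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and return the indicators a gateway could act on."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks, idat_bytes, pixels, seen_iend = len(PNG_SIGNATURE), [], 0, 0, False
    while pos + 12 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # truncated chunk; stop rather than read past the end
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("ascii", "replace")
        chunks.append((name, length, stored_crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)))
        if ctype == b"IHDR":
            w, h = struct.unpack(">II", body[:8])
            pixels = w * h
        elif ctype == b"IDAT":
            idat_bytes += length
        seen_iend = ctype == b"IEND"
        pos += 12 + length
    trailing = len(data) - pos if seen_iend else 0  # anything after IEND is not image
    unknown = [n for n, _, _ in chunks if n not in STANDARD_CHUNKS]
    bad_crc = [n for n, _, ok in chunks if not ok]
    oversized = pixels > 0 and idat_bytes > 4 * pixels + 1024  # 4 bytes/pixel covers RGBA
    return {"trailing_bytes": trailing, "unknown_chunks": unknown, "bad_crc": bad_crc,
            "idat_bytes": idat_bytes, "pixels": pixels,
            "suspicious": bool(trailing or unknown or bad_crc or oversized)}
```

These structural checks will not catch a payload hidden in pixel values themselves, which is why the report pairs file inspection with monitoring for unexpected outbound fetches of media from unfamiliar domains.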

Further information is available here.
