The Life Cycle of Phish
In March, I reported on a major disruption headed by Europol and assisted by numerous security and law enforcement agencies. 300 domains associated with Tycoon2FA were seized, and at the time I stated that disruptions like this make it more difficult for malware platforms to reorganize themselves and start over. Difficult, but not impossible, and becoming less so every day.
On Thursday, Barracuda published an article on how Tycoon2FA has re-emerged – or at least its ecosystem has – under a number of new names. While the disruption did successfully curtail activity from the phishing-as-a-service provider, ultimately the infrastructure of the malware remained in place. In essence, the disruption took down the ‘brand’, not the product. What’s been observed by Barracuda’s researchers is behavior and toolkits known to be used by Tycoon2FA in other variants of adversary-in-the-middle attacks. They use the same keywords in coding commands, as well as the unique anti-analysis, anti-debugging and redirection capabilities. Several of them even keep the ‘2FA’ in their name.
There are reasons why disruptions can be incomplete. Phishing toolkits have evolved to resemble open source development. They share much of the same underlying code, allowing them to be cloned, modified and/or redistributed into the larger environment of darkweb marketplaces. Threat actors also often maintain backups, meaning that a seizure doesn’t capture or dismantle the source code. Or what continues in the interim after a major disruption is so ‘quiet’ and low level that it doesn’t trip any alerts until it’s well established again. Seizure doesn’t automatically revoke the access gained through stolen data like session cookies and authentication tokens either. Domain seizure does not mean the end of compromise when PhaaS threat actors are selling that data to their peers.
This isn’t the first time I’ve reported on a resurgence of a malware family. One of my very first reports was on the return of LummaStealer after disruption. In October, I talked about the sibling variant of Latrodectus, YiBackdoor. And in January I reported on GoBruteForcer’s return after it integrated AI logic trees to expand its spray and pray tactics against legacy web server software. What’s old always finds a way to be new again.
Just this past Friday, in my report on vibeware, I paraphrased Jason Soroko of Sectigo, who said that defending against malware campaigns should be less about the construction (or in this case, the ‘brand’), and more about the behavior. It doesn’t matter what it’s called, what matters is what it does and how to stop it. And a single variant is just that. A variant. In order to truly eradicate a threat, one must take down every tendril of it, or it will just ‘grow’ back. It’s akin to combating stubborn weeds or, perhaps more aptly, a medication resistant infection. Barracuda’s article points out that security defenses need to look more broadly than individual players, because focusing detection on individual kits isn’t enough. They migrate too quickly, with proven techniques being inherited and refined by the next actor.
The solution to keeping phishing campaigns under control is mostly one of awareness. I don’t expect coordinated defense operations to account for every single copy, as that is a nearly impossible task considering backups are often not accessible remotely. Very rarely are these operations storming a physical location and taking servers apart by hand. But the entire point of threat detection is being vigilant, and keeping in mind that variants will pop up shortly thereafter should be part of the plan of action. The other side of this coin is the victim, whether already compromised or still an intended target. Compromised credentials need to be changed, so that stolen data from successful incursions is rendered moot.
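The two points above (a seizure does not revoke stolen session cookies, and compromised credentials have to be dealt with) fit together in a way that is easy to get wrong on the defender side: resetting a password does not, by itself, kill the session a phishing proxy already captured. The following is an added example, not code from the original post or from Barracuda; it models a toy session store with a per-user "not before" timestamp so a revocation invalidates every session issued before it. The store, the user names and the timestamps are all constructed for the example.

```python
"""
Added example (not from the original post): a minimal session store that
shows why a credential reset alone leaves a stolen session cookie usable,
and how a per-user revocation watermark closes that gap.

Model: the app issues opaque session tokens. An adversary-in-the-middle
phishing proxy captures a victim's token. change_password() deliberately
does not touch the session store, which is the gap described in the post;
revoke_all_sessions() is what actually ends the compromise.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    issued_at: float  # seconds; constructed clock values in the demo


@dataclass
class SessionStore:
    # Pepper so tokens are stored hashed; a leaked table does not yield cookies.
    pepper: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sessions: dict = field(default_factory=dict)    # token hash -> Session
    not_before: dict = field(default_factory=dict)  # user -> revocation watermark
    passwords: dict = field(default_factory=dict)   # user -> toy password hash

    def _hash(self, token: str) -> str:
        return hmac.new(self.pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, now: float) -> str:
        """Create a session and return the bearer token the cookie would carry."""
        token = secrets.token_urlsafe(32)
        self.sessions[self._hash(token)] = Session(user, now)
        return token

    def validate(self, token: str, now: float):
        """Return the user for a live token, or None if unknown or revoked."""
        session = self.sessions.get(self._hash(token))
        if session is None:
            return None
        # Anything issued at or before the user's last revocation is dead,
        # regardless of whether the attacker still holds the cookie bytes.
        if session.issued_at <= self.not_before.get(session.user, -1.0):
            return None
        return session.user

    def change_password(self, user: str, new_password: str) -> None:
        """Toy credential reset. Intentionally leaves existing sessions alone."""
        self.passwords[user] = hashlib.sha256(new_password.encode()).hexdigest()

    def revoke_all_sessions(self, user: str, now: float) -> None:
        """Invalidate every session this user holds, stolen ones included."""
        self.not_before[user] = now


def demo() -> dict:
    """Walk through the reset-then-revoke sequence and report each outcome."""
    store = SessionStore()
    t0 = 1_000.0
    # Constructed scenario: alice's cookie is captured by a phishing proxy;
    # bob is an unrelated user whose session must survive alice's revocation.
    stolen = store.issue("alice", t0)
    bob_token = store.issue("bob", t0)

    store.change_password("alice", "new-password-after-phish")
    after_reset = store.validate(stolen, t0 + 60)        # still "alice"

    store.revoke_all_sessions("alice", t0 + 120)
    after_revoke = store.validate(stolen, t0 + 180)      # None
    bob_still_ok = store.validate(bob_token, t0 + 180)   # "bob"

    fresh = store.issue("alice", t0 + 200)
    fresh_ok = store.validate(fresh, t0 + 300)           # "alice"

    return {
        "after_reset": after_reset,
        "after_revoke": after_revoke,
        "bob_still_ok": bob_still_ok,
        "fresh_ok": fresh_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The watermark approach is what lets a "sign out everywhere" control work without scanning every session row: the check is one comparison at validation time. In a real deployment the same watermark should also gate refresh tokens and any long-lived API keys the account holds, since the post's point is that the stolen data outlives the seized domain.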
Reports like mine, and all those who publish them like Barracuda, are an important part of awareness too. But they only work if people are reading them, and thereby being proactive in their own security. I’ve said it before, and no doubt I’ll say it again: campaigns don’t end just because a vector has been closed. Threat actors will just find a new one.
Posted, 4/20/26