A new Phishing-as-a-Service (PhaaS) framework dubbed Salty 2FA has been discovered by ANY.RUN researchers, according to a blog post published Tuesday.

The previously unidentified phishing framework uses an evasive, multi-stage method to steal credentials and make unauthorized logins by intercepting several two-factor authentication methods including SMS text-based, voice call-based and companion app/push notification-based 2FA.

Salty 2FA was first identified through its unique pattern of domain use, consisting of compound “.com” subdomains for its phishing pages chained with “.ru” domains for data exfiltration.

The attack chain begins with a Cloudflare Turnstile prompt, after which a JavaScript snippet hidden among HTML “filler noise” retrieves and decodes the next stage phishing page. ANY.RUN noted that the “filler” used specifically consisted of random inspirational quotes inserted as comments, designed to throw off static analysis tools.

JavaScript code elements, and even the body text of phishing pages, are obfuscated at each stage by the attacker using methods such as Base64 encoding and XOR encryption. Additionally, the logic for changing page states and collecting user inputs involves jQuery calls to page elements with identifiers that are dynamically generated rather than hardcoded.

Further evasion methods include blocking debugging/DevTools keyboard shortcuts and detecting execution delays after a debugger is triggered, which could mean code is running in a controlled environment, according to ANY.RUN.

The phishing payload communicates with the attacker’s server via HTTP POST requests that carry the current page state along with any information the victim has submitted. That data is Base64- and XOR-encoded using key parameters derived from the victim’s session identifier, ANY.RUN explained.

An analysis of possible page states found the framework was able to accommodate multiple 2FA methods including one-time passwords (OTPs) and push notifications from apps, OTPs delivered via SMS text, and mobile and office voice phone call verifications, as well as respond when the victim submits an incorrect password.

Salty 2FA targets Microsoft 365 credentials and has been seen in email campaigns against companies in sectors including finance, energy, healthcare, IT, environmental services and government, in the United States, Europe, LATAM, and India. The PhaaS tool appears to have potential ties to the threat group Storm-1575, which previously peddled a PhaaS platform known as Dadsec.

ANY.RUN says Salty 2FA sets itself apart through its obfuscation and anti-analysis methods, emphasizing a need for behavior-based detection rather than reliance on static indicators of compromise (IOCs).
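As an added illustration of the behavior-based detection ANY.RUN recommends (example code written for this article, not ANY.RUN's tooling), the following Python flags the chain the report describes: an HTTP POST carrying a Base64-looking body, sent from a compound “.com” subdomain to a “.ru” host. The log line format, the constructed sample entries and the “at least four labels” definition of a compound subdomain are assumptions, not details from the report.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample web-proxy log lines (not real traffic): method, URL, referer, POST body.
SAMPLE_LOG = [
    "POST https://api-check.example.ru/collect REF=https://login.secure-mail.example.com/ BODY=U2FsdHkyRkE=",
    "GET https://cdn.example.com/app.js REF=https://app.example.com/ BODY=",
    "POST https://portal.example.com/login REF=https://portal.example.com/ BODY=user=alice",
    "POST https://api-check.example.ru/collect REF=https://example.com/ BODY=hello world",
]

# Assumed log layout: "<METHOD> <url> REF=<referer> BODY=<raw body>".
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) REF=(?P<ref>\S*) BODY=(?P<body>.*)$")


def looks_base64(body):
    """True when the body is a non-trivial, syntactically valid Base64 string."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def is_compound_com(host, min_labels=4):
    """Assumed heuristic: a .com host with at least two subdomain labels
    under the registered domain, e.g. login.secure-mail.example.com."""
    labels = host.split(".")
    return labels[-1] == "com" and len(labels) >= min_labels


def flag_exfil_posts(lines):
    """Return URLs of POSTs to a .ru host, referred from a compound .com
    subdomain, whose body looks Base64-encoded: the chain the report describes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dest = urlparse(m["url"]).hostname or ""
        ref = urlparse(m["ref"]).hostname or ""
        if (m["method"] == "POST" and dest.endswith(".ru")
                and is_compound_com(ref) and looks_base64(m["body"])):
            hits.append(m["url"])
    return hits


if __name__ == "__main__":
    for url in flag_exfil_posts(SAMPLE_LOG):
        print("suspicious exfil POST:", url)
```

Only the first sample line is flagged: the others are either not POSTs, not destined for a .ru host, lack a compound .com referer, or carry a body that is not Base64.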