Exploring DNS Insights on Mamba: The Newest Player in AitM Phishing

Summary:

Phishing remains a significant online threat, with cybercriminals continuously evolving their tactics. The Mamba 2FA phishing kit adds adversary-in-the-middle capabilities that let its operators circumvent multifactor authentication. Recent analysis revealed numerous indicators of compromise, including domain names and IP addresses linked to this kit.

Keypoints:

  • Phishing continues to be a major threat in the cybersecurity landscape.
  • Mamba 2FA is a phishing kit that bypasses multifactor authentication using adversary-in-the-middle techniques.
  • The Sekoia TDR Team identified 58 indicators of compromise related to Mamba 2FA.
  • Additional threat artifacts were uncovered, including registrant-connected domains and IP addresses.
  • Research findings and artifacts are available for download on the Sekoia website.
MITRE Techniques:

  • Phishing (T1566): Uses deceptive emails or messages to trick users into revealing sensitive information.
  • Adversary-in-the-Middle (T1557): Intercepts and manipulates communications between two parties. In AitM phishing, a reverse proxy relays the victim's login to the legitimate site and captures both the credentials and the resulting session token.
  • OS Credential Dumping (T1003): Extracts account login credentials from operating systems and software. Nothing in the analysis below evidences this technique.
  • Domain Generation Algorithms (T1483, a retired ID now covered by Dynamic Resolution: Domain Generation Algorithms, T1568.002): Generates domain names to evade detection and maintain communication with compromised systems. Nothing in the analysis below evidences DGA use either; the domains were examined through WHOIS and DNS, not for algorithmic generation.

Phishing has been around for years, yet it remains a major online threat. To keep profiting, cybercriminals must continuously adapt their techniques.

The Mamba 2FA phishing kit, for instance, comes with adversary-in-the-middle (AitM) capabilities. Instead of merely imitating a login page, an AitM kit relays the victim's session to the legitimate service, so the one-time password (OTP) or app notification is completed by the victim and the attacker ends up holding the authenticated session. That is what lets it bypass multifactor authentication (MFA).
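Because an AitM kit completes MFA on the victim's behalf, detection shifts from the login itself to what happens with the resulting session. The block below is an added example, not code from the original post or from Sekoia: it runs two common heuristics over constructed sign-in events. The field names, the per-user ASN baseline and the one-hour window are assumptions, not any identity provider's schema.

```python
"""Two heuristics for spotting AitM-style MFA bypass in sign-in telemetry.

Added example on constructed events; the field names, the per-user ASN
baseline and the time window are assumptions, not any identity provider's schema.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sign-in events. With an AitM proxy the identity provider sees the
# proxy's address during MFA, and the stolen session is then reused from elsewhere.
EVENTS = [
    {"time": "2024-10-03T09:00:05Z", "user": "alice", "session": "s1",
     "ip": "203.0.113.77", "asn": 64501, "mfa": True, "result": "success"},
    {"time": "2024-10-03T09:04:40Z", "user": "alice", "session": "s1",
     "ip": "198.51.100.40", "asn": 64503, "mfa": False, "result": "success"},
    {"time": "2024-10-03T10:15:00Z", "user": "bob", "session": "s2",
     "ip": "192.0.2.9", "asn": 64502, "mfa": True, "result": "success"},
    {"time": "2024-10-03T10:20:00Z", "user": "bob", "session": "s2",
     "ip": "192.0.2.9", "asn": 64502, "mfa": False, "result": "success"},
]

# Constructed per-user baseline of ASNs seen in prior, uncontested sign-ins.
BASELINE: Dict[str, Set[int]] = {"alice": {64500}, "bob": {64502}}


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_aitm(events: List[dict], baseline: Dict[str, Set[int]],
                window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Return one alert per session that shows either signal.

    Signal 1: the MFA-completing sign-in came from an ASN the user has never used
              (the proxy, not the victim's network, talked to the IdP).
    Signal 2: the same session is used from a different ASN within `window`
              (the captured session token is being replayed).
    """
    by_session: Dict[str, List[dict]] = {}
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        by_session.setdefault(e["session"], []).append(e)

    alerts = []
    for sid, evs in by_session.items():
        mfa = next((e for e in evs if e["mfa"] and e["result"] == "success"), None)
        if mfa is None:
            continue  # no MFA step in this session: out of scope for the heuristic
        signals = []
        if mfa["asn"] not in baseline.get(mfa["user"], set()):
            signals.append("mfa_from_unfamiliar_asn")
        t0 = parse_time(mfa["time"])
        for e in evs:
            t = parse_time(e["time"])
            if t > t0 and t - t0 <= window and e["asn"] != mfa["asn"]:
                signals.append("session_reused_from_other_asn")
                break
        if signals:
            alerts.append({"user": mfa["user"], "session": sid, "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm(EVENTS, BASELINE):
        print(alert)
```

Signal 2 on its own is noisy (a phone switching from Wi-Fi to cellular changes ASN too), which is why the two signals are reported together and the baseline and window are meant to be tuned per tenant rather than taken as given.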

The Sekoia Threat Detection and Research (TDR) Team analyzed Mamba 2FA and identified 58 indicators of compromise (IoCs) comprising 45 domain names and 13 IP addresses. Our research team expanded the IoC list and uncovered additional threat artifacts, including:

• 346 registrant-connected domains, two of which turned out to be malicious
• 65 additional IP addresses, 51 of which turned out to be associated with various threats
• One IP-connected domain
• Six string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Under the Mamba 2FA Hood

As usual, we began with the IoCs themselves, starting with a bulk WHOIS lookup for the 45 domain names. That revealed the following:

• The domains were distributed among four registrars, led by Hosting Concepts B.V. and WEBCC, which tied for first place with 19 domain IoCs each. NameSilo LLC came in second, accounting for six domain IoCs. Hello Internet Corp., with one domain IoC, rounded out the list.
• A majority of the domain IoCs, 40 to be exact, were created in 2024, while the remaining five were created in 2023.
• They were spread across three countries, led by the U.S. with 35 domain IoCs. Six domain IoCs were registered in Malaysia and three in the Netherlands. One domain IoC had no registrant country in its current WHOIS record.
• Twenty-seven domain IoCs had public registrant information in their current WHOIS records. Specifically, 13 each had registrant email addresses and names, and all 27 had registrant organizations.

A bulk IP geolocation lookup for the 13 IP address IoCs, meanwhile, showed that all were geolocated in the U.S. but had no ISP information in their geolocation records.

Mamba 2FA IoC List Expansion Results

We jump-started our search for additional Mamba 2FA artifacts with Reverse WHOIS Search queries for the registrant email address, name, and organization we obtained from our bulk WHOIS lookup earlier. Using the parameters Advanced, Historic, and Exact match, we uncovered 346 registrant-connected domains after filtering out duplicates and the IoCs.

Threat Intelligence API queries for the 346 registrant-connected domains revealed that two of them were associated with threats. The domain egensession[.]com, for instance, was tagged as an IoC for phishing and generic threats.

After that, we ran the 45 domain IoCs on WHOIS History API and obtained 23 email addresses from their historical WHOIS records. Only two, however, were public.

Of the public email addresses, only one had connected domains based on the results of our Reverse WHOIS API queries: the same email address that showed up in some of the domain IoCs' WHOIS records earlier. As such, none of the email-connected domains remained when we removed duplicates, the IoCs, and the registrant-connected domains from our list.

Next, we performed DNS lookups for the 45 domain IoCs and found 65 IP addresses after filtering out duplicates and the IoCs. Based on Threat Intelligence API queries for these additional IP addresses, 51 have already figured in various malicious campaigns.
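The expansion steps above (bulk WHOIS profiling by registrar, creation year and country; reverse WHOIS on public registrant fields; DNS resolution of the domain IoCs; and threat-intelligence enrichment of whatever remains after removing duplicates and the IoCs) can be scripted as one pipeline. The block below is an added example, not the post's own code: the WHOIS records, the reverse-WHOIS index, the A-record table and the threat tags are constructed placeholders standing in for API responses, and every domain and IP in it is a documentation value, not a real indicator.

```python
"""IoC expansion by WHOIS and DNS pivoting over constructed sample data.

Added example; the tables below stand in for bulk WHOIS, reverse WHOIS,
DNS and threat-intelligence API responses and contain no real indicators.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: str
    created: str                      # ISO date from the current WHOIS record
    country: Optional[str]            # None when the record lacks a registrant country
    registrant_email: Optional[str]   # None when redacted
    registrant_org: Optional[str]


# Constructed domain IoCs (documentation names, not real indicators).
DOMAIN_IOCS = [
    WhoisRecord("ioc-one.example", "Hosting Concepts B.V.", "2024-03-02", "US", "ops@mail.example", "Acme Ops"),
    WhoisRecord("ioc-two.example", "WEBCC", "2024-05-11", "MY", None, "Acme Ops"),
    WhoisRecord("ioc-three.example", "NameSilo LLC", "2023-12-20", "US", None, None),
    WhoisRecord("ioc-four.example", "Hello Internet Corp.", "2024-07-08", None, "ops@mail.example", None),
]
IP_IOCS = {"198.51.100.7"}

# Constructed stand-in for a Reverse WHOIS index: registrant value -> domains.
REVERSE_WHOIS: Dict[str, Set[str]] = {
    "ops@mail.example": {"ioc-one.example", "ioc-four.example", "pivot-a.example", "pivot-b.example"},
    "Acme Ops": {"ioc-two.example", "pivot-a.example", "pivot-c.example"},
}

# Constructed stand-in for DNS A-record resolution.
DNS_A: Dict[str, List[str]] = {
    "ioc-one.example": ["203.0.113.10", "203.0.113.11"],
    "ioc-two.example": ["203.0.113.10"],      # duplicate IP, collapses in the set
    "ioc-three.example": ["198.51.100.7"],    # resolves to an IP that is already an IoC
    "ioc-four.example": [],                   # no A record
}

# Constructed stand-in for threat-intelligence lookups.
THREAT_TAGS: Dict[str, List[str]] = {
    "pivot-b.example": ["phishing", "generic"],
    "203.0.113.11": ["malware"],
}


def profile(records: Iterable[WhoisRecord]) -> dict:
    """Bulk-WHOIS profiling: registrar, creation-year and country breakdown."""
    records = list(records)
    return {
        "registrar": Counter(r.registrar for r in records),
        "year": Counter(r.created[:4] for r in records),
        "country": Counter(r.country or "unknown" for r in records),
        "public_email": sum(1 for r in records if r.registrant_email),
    }


def registrant_connected(records: Iterable[WhoisRecord], index: Dict[str, Set[str]]) -> List[str]:
    """Reverse-WHOIS pivot on every public registrant email/org, minus the IoCs themselves."""
    records = list(records)
    seeds = {r.registrant_email for r in records if r.registrant_email}
    seeds |= {r.registrant_org for r in records if r.registrant_org}
    known = {r.domain for r in records}
    found: Set[str] = set()
    for seed in seeds:
        found |= index.get(seed, set())
    return sorted(found - known)


def ip_connected(records: Iterable[WhoisRecord], resolver: Dict[str, List[str]], ip_iocs: Set[str]) -> List[str]:
    """Resolve each domain IoC and keep the IPs that are not already IoCs."""
    ips: Set[str] = set()
    for r in records:
        ips.update(resolver.get(r.domain, []))
    return sorted(ips - ip_iocs)


def enrich(artifacts: Iterable[str], tags: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only the artifacts a threat-intelligence source has already tagged."""
    return {a: tags[a] for a in artifacts if a in tags}


def expand(records=DOMAIN_IOCS, ip_iocs=IP_IOCS) -> dict:
    """Run the whole pivot chain and return every intermediate result."""
    domains = registrant_connected(records, REVERSE_WHOIS)
    ips = ip_connected(records, DNS_A, ip_iocs)
    return {
        "profile": profile(records),
        "registrant_connected": domains,
        "ip_connected": ips,
        "malicious_domains": enrich(domains, THREAT_TAGS),
        "malicious_ips": enrich(ips, THREAT_TAGS),
    }


if __name__ == "__main__":
    for key, value in expand().items():
        print(f"{key}: {value}")
```

Swapping the constructed tables for live WHOIS, reverse WHOIS, DNS and reputation lookups is the only change needed to run this against real IoCs; the subtraction of known IoCs at each pivot is what keeps the expanded list from silently re-counting the seed set.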

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as "threats" or "malicious" may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

Source: Original Post