Malware Delivery OLE Packages Carve Out Market Share in 2017 Threat Landscape

In the first quarter of 2017, PhishMe Intelligence has noted an increase in malware distributors using OLE packages to deliver malware content to victims. This trend was first noted in December 2016, closely associated with the delivery of the Ursnif botnet malware. The technique abuses Microsoft Office documents by prompting the victim to double-click an embedded icon to access some content. These objects are used to write a script application to disk that downloads and executes a malware payload. The method is yet another iteration of the techniques threat actors use to evade anti-analysis and sandbox environments and to successfully infect the intended recipient.
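A defender-side check for the lure described above, written as an added example rather than anything from the original post: it opens an Office Open XML document (a zip), finds every embedded OLE object, and reports those with the Packager ProgID "Package" drawn as an icon, the shape a double-click lure takes. The sample document is constructed inline and the o:OLEObject attribute layout is assumed to match what Word writes for such embeddings.

```python
import io
import re
import zipfile

# Constructed minimal document.xml carrying one embedded OLE "Package" object
# shown as an icon. Assumed structure: mirrors the o:OLEObject element Word
# writes for a Packager embedding; this is a hand-made sample, not a real lure.
SAMPLE_DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
 xmlns:o="urn:schemas-microsoft-com:office:office"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<w:body><w:p><w:r><w:object>
<o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1025"
 DrawAspect="Icon" ObjectID="_1234567890" r:id="rId4"/>
</w:object></w:r></w:p></w:body></w:document>"""

OLEOBJECT_RE = re.compile(r"<o:OLEObject\b([^>]*)/?>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def build_sample_docx(document_xml: bytes = SAMPLE_DOCUMENT_XML) -> bytes:
    """Assemble an in-memory .docx (zip) with the given document.xml and one embedding blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)  # stand-in blob
    return buf.getvalue()


def find_ole_packages(docx_bytes: bytes) -> list[dict]:
    """Return every embedded OLE object whose ProgID is Package (Packager shell
    objects), with whether it is drawn as an icon and the embedding blobs present."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        blobs = [n for n in zf.namelist() if "/embeddings/" in n]
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for m in OLEOBJECT_RE.finditer(xml):
                attrs = dict(ATTR_RE.findall(m.group(1)))
                if attrs.get("ProgID", "").lower() == "package":
                    hits.append({"part": name, "prog_id": attrs["ProgID"],
                                 "as_icon": attrs.get("DrawAspect") == "Icon",
                                 "rel_id": attrs.get("id", ""), "blobs": blobs})
    return hits
```

The same scan applies to .xlsx and .pptx archives, since it walks every XML part rather than only word/document.xml.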

Dridex Threat Actors Reinvigorate Attacks with Sizable, Concurrent Campaigns

One of the most historically effective techniques for gaining new infections for the powerful Dridex botnet malware has been sizable sets of widely-distributed phishing emails. While these large campaigns have been intermittent for several months, the past week’s Dridex distributions have shown renewed vigor, with several larger campaigns launched both concurrently and repeatedly. Many of these campaigns return to well-used and previously-successful email templates and malware delivery tools that had seen earlier use in conjunction with both Dridex deliveries and the delivery of other malware tools.

On March 30, 2017, three distinct sets of phishing emails were identified as delivering the Dridex malware. Each was a rehashing of a previously-used phishing narrative. The emails analyzed for Threat ID 8692 pretended to represent communication from a travel agency based in the United Kingdom confirming that the recipient’s vacation travel had been booked. Other emails, delivered concurrently, purported to deliver a vaguely-described “confirmation”, as analyzed in Threat ID 8693. Furthermore, Threat ID 8700 documents a set of messages purporting to deliver a notice that an image attachment was ready for sending, yet another vague phishing narrative. Examples of these messages can be seen in Figure 1.

Figure 1 – Examples of Dridex phishing emails from March 30, 2017

The message narratives used in these campaigns should be familiar to information security professionals following Dridex, as they represent similar themes to earlier Dridex campaigns. The impersonation of small- and medium-sized firms based in the United Kingdom was previously a common theme among Dridex delivery emails. This choice of content may indicate a target population for which these emails are meant to have disproportionate appeal; however, it appears that these emails were still delivered globally. The other narrative repeated today is a vague informational message about the status of an image attachment that has been readied for sending. Similar narratives have been used a half-dozen times in the delivery of Dridex since July 2015.

While the Dridex botnet malware’s users are launching phishing campaigns with renewed vigor, their stories and tools have stayed the same. This provides a distinct advantage to threat intelligence users who have access to repositories of information on the tactics, techniques, and procedures related to earlier attacks. It also provides an advantage to organizations whose email users are prepared and empowered to identify and report suspicious emails. Empowered recipients of messages like these are able to recognize the lure and instead of becoming victims, can make a difference for their organization by reporting the email.

Emails based on the threats shown in this blog post are also available as templates in PhishMe Simulator.

For further information on the Threat ID’s mentioned in this post, PhishMe Intelligence customers can log into https://www.threathq.com.

For more information on PhishMe’s human-vetted, phishing-specific threat intelligence, request a demo today.

PhishMe End-to-End Phishing Mitigation Solution Delivers ROI, Operational Efficiency and Reduced Susceptibility

Before investing in any type of security solution, you need to know your money will be well spent.

That’s especially true for security professionals shopping for anti-phishing solutions, which is why PhishMe commissioned Forrester Research, Inc. to research the effectiveness of PhishMe’s complete phishing defense solution among key customers.

W-2 Fraud – Tax Season and All Year Long

It’s the time of year when taxes are on everyone’s mind – especially phishers!

The stress of filing. The stress of gathering all the documents. The stress of reporting. The stress of the deadline. All of that on top of everything else you have to do this time of year makes tax-time phishing a favorite and highly successful annual event for phishing scams. However, once the filing is completed, it doesn’t mean the campaigns will stop. W-2 and CEO fraud are timeless phishing campaigns that run all year long.

PhishMe Appoints Mel Wesley as Chief Financial Officer

Industry Veteran to Position PhishMe for Continued Global Expansion and Explosive Growth

Leesburg, VA – March 30, 2017 – PhishMe® (cofense.staging.wpengine.com), the leading provider of human-phishing defense solutions, appointed technology industry veteran Mel Wesley to head up its finance department as the company’s new Chief Financial Officer (CFO). As PhishMe’s CFO, Wesley will shepherd the company as it continues to grow aggressively, capitalizing on the burgeoning demand for its solutions that thwart cyber attackers in their tracks.

Tales from the Trenches:  Loki Bot Malware

On March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. And, as an added bonus unknown to the receiver, the emails also contained a malicious attachment designed to siphon data from its targets.

Included is an example of one of these emails along with basic Triage header information.

Each email analyzed contained instructions to open an attached .ace archive file that, when decompressed, revealed a Windows executable containing the Loki Bot malware.

Loki Bot is a commodity malware sold on underground sites. It is designed to steal private data from infected machines and then submit that data to a command and control host via HTTP POST. This private data includes stored passwords, login credentials from web browsers, and a variety of cryptocurrency wallets.

The following Loki Bot executable was identified during our analysis.

Filename       MD5                               Size (bytes)
shellOil.ace   5d70858b154c8b0eb205e84ca7f27a04  118,473
Shell Oil.exe  6a95ae2c90a4a3c5a2c1ce3eaf399966  245,760

Upon infecting a machine, this malware performs a callback to the following command and control host, reporting the new infection and submitting any private data stolen during the infection process.

Command and Control URL          IP Address        Location
hxxp://elmansy.net/pdf/fre.php   118.193.173.208   China

The command and control domain ‘elmansy.net’ was created almost exactly a year ago, on 2016-03-18, with the email address [email protected]. The IP address reveals that the domain is being hosted out of Jiangsu, China.

Take Away

As always, PhishMe cautions our customers to be wary of emails requesting information or promising a reward. Specific to this sample, we recommend that customers be observant for emails containing the subject line “Request for quotation” or emails promising business with new or unknown businesses. PhishMe Simulator customers who feel this type of offer might be successful against their employees should consider launching simulations that follow this style of attack to further train their users.

Additionally, incident responders should consider blocking the domain and IP address mentioned above, as well as searching endpoint systems for the MD5s if internal systems support it.
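The blocking and hunting steps recommended above, worked through as an added example that is not part of the original post: the indicators are the ones the post publishes (two MD5s, the defanged C2 URL and the C2 IP), the proxy log lines are constructed, and the log format (client, method, URL, status, bytes sent) is an assumption chosen to show that a POST to the C2 host is the data-theft beacon.

```python
import hashlib
import re

# Indicators quoted in the post: sample hashes, defanged C2 URL and C2 IP.
LOKI_MD5S = {
    "5d70858b154c8b0eb205e84ca7f27a04",  # shellOil.ace
    "6a95ae2c90a4a3c5a2c1ce3eaf399966",  # Shell Oil.exe
}
LOKI_C2_URL = "hxxp://elmansy.net/pdf/fre.php"
LOKI_C2_IP = "118.193.173.208"

# Constructed proxy log lines (not from the post): client, method, URL, status, bytes sent.
SAMPLE_PROXY_LOG = """\
10.0.8.21 GET http://www.example.com/index.html 200 0
10.0.8.44 POST http://elmansy.net/pdf/fre.php 200 3921
10.0.8.44 GET http://118.193.173.208/pdf/fre.php 404 0
10.0.8.9 GET http://elmansy.net.example.org/ 200 0
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def refang(url: str) -> str:
    """Turn the post's hxxp:// defanging back into a URL that can be matched."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def host_of(url: str) -> str:
    """Extract the host from a URL so matching is on the whole host, not a substring."""
    return url.split("/")[2].split(":")[0] if "://" in url else url

def scan_proxy_log(text: str) -> list[dict]:
    """Flag requests to the Loki Bot C2 host or IP; a POST there is the exfiltration beacon."""
    c2_host = host_of(refang(LOKI_C2_URL))
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, url, _status, sent = m.groups()
        host = host_of(url)
        if host in (c2_host, LOKI_C2_IP):
            alerts.append({"client": client, "method": method, "host": host,
                           "bytes_sent": int(sent), "exfil": method == "POST"})
    return alerts

def md5_matches(samples: dict) -> list[str]:
    """Endpoint sweep helper: names of file contents whose MD5 is one of the published hashes."""
    return [name for name, data in samples.items()
            if hashlib.md5(data).hexdigest() in LOKI_MD5S]
```

The look-alike host elmansy.net.example.org is deliberately left unmatched, since substring matching on the domain would produce false positives.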

The Phishing Defense Center is the hub for our remotely managed PhishMe Triage services. The fully staffed center manages all internally reported emails for a number of organizations. All information shared has been cleansed of any identifiable data.

What is Actionable Intelligence?

Do you know what actionable intelligence is? Do you know the difference between threat intelligence and actionable intelligence? If not, read on.

The term actionable intelligence has joined the ranks of threat intelligence, big data and more words that are used in well-meaning ways, but are ultimately meaningless.

Don’t get us wrong, like many other vendors, we use these phrases to describe what we do. However, because there are so many companies out there using these terms with their own meanings attached to them, we feel the need to write this blog post and hopefully do right by the technology and service offerings that are transforming the way that we approach today’s cyber threats.

In fact, there was a recent LinkedIn discussion on this very topic. A LinkedIn user posted this question:

What exactly is “actionable intelligence”? I see a lot of start-ups being created by MBA persons who have no background or credentials in IT security. The product they offer for big fees is known as “actionable intelligence”. They are trying to duplicate for businesses what the NSA, CIA, FBI, and DHS are doing for, and within, the federal government. My question is: how can these companies have the manpower and the resources to provide services like the NSA, CIA, FBI, DHS? We all have heard of the failures in intel coming from the best intel services in the world, i.e. NSA, CIA, etc. Those big boys have failures. What should we expect from these start-ups and your companies that are jumping on the bandwagon? And these companies do not know of the ordinary IT security practices like defense in depth, hardening systems. They are providing intelligence about the “bad guys”. How do they go about getting this intelligence? It is so secretive; how does a CISO know if it is worth anything?

As the following definition from businessdictionary.com shows, actionable intelligence is not confined to security; maybe that’s why ‘MBA persons with no security credentials’ feel they can use the term, or may actually know something about it from its usage in a different field:

“Any intelligence can be used to boost a company’s strategic position against industry peers. The acquired intelligence must be transferred into real actions which can be used to either launch a preemptive strike or prepare a counter strategy. Examples include the competitors’ price range, marketing budget, target demographic, advertising campaign and strengths over a company’s own product. Overly aggressive attempts to gather intelligence from competitors may be illegal and constitute corporate espionage.”

Now on to some of the other questions posed. Let’s get into the context of security. Here is one definition that’s pretty good:

“Actionable Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.”

Not perfect, but not bad.

As for the vendors’ size, not everyone in the ‘threat intelligence’ market is small – by the way, the industry analyst group The 451 estimates there will be $1.2B in spending this year, and IDC thinks spending will be $1.8B. Symantec, Cisco, Intel/McAfee, IBM and many other large traditional security vendors have acquired threat intelligence offerings.

As for the startups and whether or not they can compete, the question isn’t one of manpower, as it is with the major security agencies you refer to; instead it’s about their technology and its ability to provide value. If they can provide that value with one person, their ‘actionable intelligence’ will be purchased. And yes, just like traditional defense-in-depth systems, threat intelligence is not a panacea for the woes of security. However, the reality of failures of current defense in depth, hardening and other current security techniques has to be acknowledged. Many organizations realize that ‘defending’ and ‘responding’ is no longer as effective as it used to be, and that being intelligence-led is required. Why? The hackers, the bad guys, are winning more and more.

As for traditional security (defense in depth, hardening, etc.), I don’t think anyone would ever suggest that you not use these and other network defenses. And these threat intelligence vendors don’t either. The traditional security systems and methods play a vital role in securing your network, even if they have their individual shortcomings. Their efficacy can be raised, however, when given the right kind of intelligence that has an immediate impact on network security. Threat intelligence can make these devices smarter, and make the security professionals, who are too few and overworked, ‘smarter’ about how to stop and prevent attacks.

Cofense Intelligence 

Cofense Intelligence provides the combination of actionable threat intelligence and an understanding of the correlation between phishing attacks and their motivators, which helps your team prioritize, investigate, and respond.

Key Benefits:  

  • Timely, Accurate, and Actionable Phishing Threat Intelligence
  • Expert threat analysts to help operationalize threat intelligence and provide guidance
  • Attack analysis and context to help make rapid, informed decisions
  • Integrates with existing security solutions to speed phishing threat response

Cofense Intelligence is actionable because it is:

Consumable 

Cofense Intelligence delivers threat intelligence in multiple forms. Machine-readable threat intelligence (MRTI) follows industry standards for quick integration with your existing security devices. Analysis reports in PDF and HTML format are optimized for threat analysts and incident response teams.

Reliable 

Cofense Intelligence only notifies customers about confirmed threats that are vetted by our trained analysts, resulting in high-fidelity intelligence.

Timely 

MRTI is published throughout the day as new attacks are confirmed. Strategic analysis reports are published weekly. The investigation app is available 24x7x365.

Fresh 

The Cofense Intelligence service derives threat intelligence from a variety of sources of malicious email and spam that are used to deliver dangerous payloads to your employees every day.

Contextual 

Cofense Intelligence publishes threat intelligence that shows how individual elements of an attack are related and the relationships between seemingly disparate attacks.

User-friendly 

We will help you operationalize the service and provide ongoing support to make sure you are getting the most from the service.

With Cofense’s unique security intelligence you are armed with the weapons you need to identify, block, and investigate threats hitting your enterprise daily.

Ransomware Leads in Growth and Impact While Hackers Remain Committed to Data Theft

PhishMe’s 2016 Malware Year in Review analysis shows fast growth of ransomware while hackers continue to quietly attempt to steal data

LEESBURG, VA – March 14, 2017: PhishMe Inc., the leading provider of human phishing defense solutions, today released findings showing that while ransomware delivered the greatest impact and growth in 2016, threat actors continue to attempt data breaches and theft.