Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

By Darrel Rendell, Mollie MacDougall, and Max Gannon

Cofense IntelligenceTM has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection.

Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses the improved phishing templates are likely based upon data pilfered with a recently updated scraper module to spoof US financial institutions so effectively.

Figure 1: email template spoofing a major US financial institution

Figure 2: Proofpoint’s URL Wrapping service appearing within this campaign

After a month-long hiatus, Geodo returned on November 6th, 2018 with upgrades to its spamming module, supplementing existing capabilities – namely contact list and signature block theft – with functionality enabling the theft of up to 16KB of raw emails and threads. Although the exact reason for this module upgrade was unclear, Cofense Intelligence assessed it would either be used to bolster the actors’ social engineering efforts, using the stolen data to refine Geodo phishing templates, or for direct revenue generation – selling the raw message content to the highest bidder.  Today, it appears the initial prediction was correct.

The campaign observed on November 13th was, in many ways, a standard Geodo campaign: messages distributed en masse to targets across the globe, spoofing a known and trusted organization, containing URLs (Table 1) pointing to Word documents containing hostile macros (Table 2). When executed, these macros retrieve a fresh sample of Geodo from one of five compromised web servers and execute it on the machine. As has become increasingly common with Geodo campaigns, the malware functioned as a downloader for other payloads, in this case retrieving a sample of IcedID.

IcedID shares some basic behavior with TrickBot—another prolific banking trojan turned multipurpose botnet. However, IcedID targets both investment and financial institutions as well as several bank holding companies many of which even TrickBot does not target, as TrickBot is much less focused on investment banks or smaller US commercial banks. An example of an IcedID spoofed login page for a regional US bank can be seen in Figure 3.

Figure 3: a spoofed login page for a regional bank that led to a Geodo and subsequent IcedID payload

Geodo has always been a formidable botnet and continues to grow. During tracking, we have seen at least 20,000 credentials added to the list of credentials used by the botnet clients each week along with millions upon millions of recipients. The introduction of this new module has had clear and dramatic effects on the sophistication and efficacy of this social engineering effort. In July, Geodo began including more sophisticated phishing lures, imitating US banks and including graphics that made the emails look less generic and more convincing.

This most recent campaign demonstrated a shocking improvement from that initial upgrade, demonstrating the value of the email scraping module. Considering that where Geodo goes, TrickBot often follows, we are concerned that this type of module will show up in other malware campaigns. The new inclusion of ProofPoint URLs wrapped with URL Defense adds an additional false sense of security to a user and may indicate the malware scraped the wrapped URLs from a compromised user.

Several members of the Cofense Intelligence team discussed Geodo in a recent open customer call. Any customers who were unable to attend are welcome to email mark.adams@cofense.com for a recording.

Cofense is also offering a complimentary Domain Impact Assessment, powered by the Cofense Research and Intelligence teams, for any organization that may be affected by this Geodo update. Learn more here.

Table 1: Payload URLs observed during this campaign

Table 2: Files associated with this campaign

Table 3: Command and Control infrastructure identified during this campaign

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Named a Leader in the 2018 Gartner Magic Quadrant for Security Awareness Computer-Based Training

Company recognized as a Leader for third consecutive year*

LEESBURG, VA. – November 16, 2018 – Today Cofense, the leading provider of human-driven phishing defense solutions world-wide, announced it was named a leader in Gartner’s November 2018 Magic Quadrant for Security Awareness Computer-Based Training. Cofense has been recognized as a leader for three consecutive years.

Phishing Emails with .COM Extensions Are Hitting Finance Departments

Cofense IntelligenceTM has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in all nine months preceding. Four different malware families were utilized.

The .com file extension is used for text files with executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards compatibility reasons. The .com style byte code is the same across all PE32 binaries (.exe, .dll, .scr, etc.) within the DOS stub. The subject lines and email contents of the phishing emails (Figure 1) suggest that the threat actor is targeting financial service departments. The .iso file attachment mentioned in the email contents is an archive containing a .com1 executable.

Figure 1: Email Content Suggests Targeting of Financial Services Department

If you’re a Cofense PhishMe™ customer, you can use this same lure in your phishing simulations. Look for the template we’ve created, “Overdue Invoice – LokiBot.” It conditions employees to report phishes trying to deliver the Loki Bot information stealer malware. (More on Loki Bot and other malware below).

The two most popular subject line themes we’re seeing use the lures “payment” and “purchase order.” Threat actors are likely carrying out these campaigns to target employees with financial information stored on their local machines, which explains the use of information-stealing malware as the campaigns’ payloads.

Figure 2: Subject Line Categories used in .COM Campaigns

Our analyses showed that the email subject lines were specific to the malware payloads they delivered. For example, the “payment” subject-emails delivered more AZORult information stealer, while the “purchase order” subject-emails most often delivered the Loki Bot information stealer and the Hawkeye keylogger. It is possible that different actors are distributing the unique malware families via .com files. Or, perhaps the same group is responsible and assesses which lures are most appropriate for different malware and the information they target.

Most commonly, .com payloads are directly attached to a phishing email without any intermediary delivery mechanism. However, some campaigns did include an attachment that contained such an intermediary dropper: often the attachment was weaponized to exploit a CVE or a malicious macro, which would deploy a .com payload onto the endpoint. As network defenders become increasingly aware of this direct-attachment delivery, Cofense Intelligence expects to see an increase in intermediary delivery of malicious .com files, wherein a “dropper” attachment will arrive with the phish and subsequently load the weaponized .com file onto the end point.

Figure 3: Malware Families Delivered using .com Extensions.

Loki Bot, AZORult and Hawkeye made up the far majority of malware delivered in the campaigns we analyzed, whereas Pony accounted for a very small percentage. The combination section refers to the attachment utilizing a vulnerability within a document to deploy a .com payload on the endpoint as mentioned above.

The malware families delivered with the .com extension also revealed a trend with their Command and Control (C2) communication. The samples of .com binaries that delivered AZORult communicated exclusively with domains hosted by Cloudflare. Cloudflare was also the predominant host for Loki Bot with over 75% of its C2 domains hosted with that service. It is likely that Cloudflare is not hosting the actual C2, but in fact being used as a domain front. “Domain fronting” is a technique that allows for the connection to appear to go to one domain when it is actually going to another. This is achieved by connecting securely to one domain and then passing in the target domain via the HTTP host header value. By using Cloudflare, which is typically trusted by most organizations, the attackers are able to circumvent blocks that might be put in place. Cloudflare recently changed its policies to disallow its use for malicious hosting, yet the service has continued to be used by attackers for malicious redirection.

Figure 4 below shows the C2’s for Loki Bot, AZORult, and Pony that were hosted on Cloudflare compared to every other domain hosting service provider. Hawkeye keylogger stood apart in communicating with unique email domains.

Cofense Intelligence estimates that we’ll see an increased adoption of malware using the .com extension. Similar campaigns will likely expand to other industries that have monetizable data, like the healthcare and telecommunication sectors. An increased use of the .com extensions can be harmful to enterprise networks if organizations are not prepared for it, and once they are, another file extension will surge in popularity in a constant effort to stay ahead of the defense.

To stay ahead of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.

  1. Filename: overdue payment.com MD5 hash: 8e6f9c6a1bde78b5053ccab208fae8fd

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Named a 2018 DC Inno ‘50 on Fire’ Innovation Leader

DC Inno Cites ‘Powerful Year’ of Growth and Product Expansion for Global Leader in Phishing Defense, Orchestration and Automation Solutions

When do you know your company’s on fire? One sign is the company you keep. DC Inno, an organization that promotes innovation and the entrepreneurial spirit in the DC, Maryland, and Virginia region, whose combined economy is one of the nation’s strongest and most diverse, named Cofense™ to its 2018 50 on Fire list of red-hot businesses.

October may be over – but phishing attacks never stop. Here’s how to make security awareness successful all year round.

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here.

As October comes to a close, so too does National Cybersecurity Awareness month. But not so fast – Security Awareness isn’t just about October. It’s all year long and it never stops, it’s ever evolving.

I developed this four-part blog series during National Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2. Last week with focused on the alignment of the security awareness function with the organization. This week we’ll wrap up the series with some key findings published in the ISC2 Workforce Study. According to the report, lack of focus on security awareness is the top challenge for ensuring long-term security awareness program success.1

Figure 1, left and 2, right – Image source: https://www.isc2.org/Research/Workforce-Study

5 Ways to Bring Focus to Security Awareness Programs

As noted in the charts above, there are several reasons, all with fairly equal representation, as to why security awareness programs lack focus. I’m going to break down each of these reasons and explain how you can overcome that hurdle to bring more focus to your awareness programs.

  • Low security awareness among end users. This is a no-brainer. It’s important that security awareness programs are rolled out to everyone in the organization, not just select groups. While some programs start with training a few key groups to benchmark results, it’s important to get buy in to enroll the entirety of the organization to build resilience to attacks across all teams with on-going training.
  • Not enough skilled cybersecurity professionals available. This report cited end users – people – can lead to more security vulnerabilities*, so it’s no surprise to see that the security awareness function sits at the top of the chart as a much-needed area of expertise. Many organizations still assign this as a part time job function along with other security hats to wear, preventing focus. Instead, have a dedicated security awareness lead running the programs while working alongside other internal security professionals to ensure the programs remain well-rounded and effective.
  • Inadequate funding. Security awareness is a necessary and essential component to larger threat defense strategy and needs to be a budget priority in order to begin reducing your organization’s cybersecurity risk and building resiliency to today’s top threats. At some point, perimeter technologies will fail to stop a phishing attempt and it’s up to resilient, trained humans to recognize and report suspicious emails – thinking of this as a last line of defense is an area worth investing in.
  • Too much data to analyze. As more and more humans are enrolled and participating in security awareness program, that also means more data points to digest and analyze on the state of threat susceptibility, resilience, program participation and success. Identify and prioritize the key data sets needed to demonstrate the security posture of the organization and collaborate with security teams to report and analyze program trends to reflect changes in that security posture. This may include your organization’s phishing resilience and reporting rates, for example, compared with inflated metrics such as click rates or susceptibility rates.
  • Lack of management support/awareness. This is often one of the biggest hurdles in preventing a security awareness program from reaching its full potential and scope. Having management understand the necessity of security awareness as a foundational component of a strong threat defense strategy is key. An idea is to run a phishing simulation trial with key management members to understand how susceptible the organization is from the top down. Once management realizes how easy it is for a phishing email to replicate a real one, there might be more awareness and inclination to engage in security awareness practices than before.

You’ve Launched a Successful Security Awareness Program – How Do You Keep it Successful?

Every day is a new beginning when it comes to cybersecurity. Threats and vulnerabilities are always changing – so your security awareness program needs to be able to nimble and fluid to mitigate those evolving threat vectors. Behavior improvements are ongoing and so should your security awareness programs. Organizations are constantly under attack as the threat actors continue to find ways to get past technical defenses of an organization, such as perimeter technologies and email gateways.

How do you keep your program aligned with the current threats? Reach out to your cyber threat intelligence or incident response teams. These teams are constantly researching the current threat landscape and identifying if and what impact it has on the organization. Download the latest white paper on cybersecurity or threat landscape. Read technical blogs from trusted cybersecurity solution providers to stay abreast of current news and threat trends. Another great resource is setting up Google Alerts for key words: phish email, data breach, malware, cyberattack, cybersecurity, Cofense™, awareness training, threat intelligence.

Jumpstart Your Efforts Today with Free Security Awareness Resources

Remember that building a program takes time to evolve and mature. Recognize small wins for the organization and continue to move forward to mature the program. Just as the threats are never ending, so too is the security awareness function.

As you set your priorities for the program, don’t forget that Cofense provides a wealth of training modules for free, which includes specific topics and compliance modules to meet your regulation requirements. If you’re just getting started on building your security awareness program, there are plenty of free security awareness resources available to you when you’re on a shoestring budget, including a turn-key security awareness program kit, posters, presentations and other resources to get you started.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

References:

1Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018

*Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018

 

Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon

Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message.

This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish.

Not Your Average Phish
The Cofense™ Phishing Defense Center (PDC) has recently been defending against an extensive Zombie Phishing campaign against multiple clients. Fraudsters hijack a compromised email account, and using that account’s inbox, reply to long dead conversations with a phishing link or malicious attachment. Due to the subject of the email being directly relevant to the victim, a curious click is highly likely to occur.

These Zombie Phish appear to use automatically generated infection URLs to evade detection. No two links are the same. These links are hidden behind unassuming “error” messages in the body of the email, providing an appealing scheme for users to fall victim to. Thus far, the PDC has observed two common Zombie Phishing templates that lead to malicious links. These email campaigns can be seen in Figures 1 and 2.

Figure 1

Figure 2

Another common hallmark of this campaign is the use of the .icu top-level domain (TLD), however this could change in the future. Example domains identified during this campaign, which abuse the .icu TLD, can be seen in Figure 3.

Figure 3 shows .icu domains associated with these campaigns.

Already, many of these domains have been shut down by their domain registrar after receiving reports of domain abuse. Figure 4 shows a domain associated with this campaign and the data that is collected and displayed by the registrar.

Figure 4, Courtesy of http://whois.domaintools.com

Additionally, the PDC has observed these phish using official organizational logos to add legitimacy to fake login pages – an example of such can be seen in figure 5. The pages are designed to impersonate an online portal of the target, including the company’s logo, and even its favicon. The end goal is credential theft of the victim.

Figure 5

Finally, any victim that visits the malicious website is “fingerprinted” using the host’s IP address as an identifier and upon entering credentials is immediately redirected to the same spam website seen by other victims. This is often via links obfuscated using URL shorteners (such as hxxps://href[.]li/). If the same host attempts to visit the phishing link again the spoofed login page is skipped and instead you are forwarded directly to the spam page. This finger-printing and the URL shortener obfuscation helps the attackers keep a low profile and continue their campaign unabated.

Conversation Hijacking
The tactic of “conversation hijacking” itself is by no means new, fraudsters have been hijacking compromised email accounts to dish out malware and phish as replies to prior conversations for years now. This technique is still popular because it makes victims much more likely to click on links and download or open files because their guard is down when these are within conversations already in their inbox. An ongoing and currently in the wild example of this is the Geodo botnet which has a history of inserting itself into existing email threads to deliver malicious documents that in turn download a sample of Geodo or other malware like Ursnif. However, the effectiveness of this tactic can depend greatly on the content of the conversations, a response to an automated advertising email is less likely to result in an infection than a response to a help desk support thread such as the one seen in Figure 6. Cofense IntelligenceTM has seen several Geodo campaigns consisting of responses to automated advertising emails indicating that, in some cases, the campaigns consist of indiscriminate responses to all emails in an inbox. Given that the volume of these “conversation hijacking” campaigns is still comparatively low, the smaller scope of these emails is likely limited by the number of ongoing conversations. Certain types of accounts therefore are more likely to draw threat actors direct attention and to induce them to invest additional effort and time into developing unique phishing campaigns for those accounts.

Preventing Your Personal Zombie Apocalypse
The PDC has compiled these quick tips to avoid losing your credentials (or your brains) to a Zombie Phish:

  • Be alert for email subjects that may appear relevant but are from old conversations.
  • Watch out for the hallmark green “error” button (pictured above in figure 1).
  • Don’t trust attached documents simply because they are replying to a conversation.
  • Mouse over buttons or links in suspicious messages to check them for the “.icu” top-level domain.

Cofense’s Phishing Defense CenterTM has observed that these campaigns have become increasingly clever, to combat this, training employees to be able to spot these types of emails is key. You can put down your nail-bats and pitchforks – a properly trained workforce is what is needed to defend your organization against the Zombie Phish hordes.

Cofense offers comprehensive phishing training to arm your employees with the weapons they need to protect your organization. And if you need reinforcements to help against the hordes, the Cofense Phishing Defense Center is happy to do battle with you.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Indicators of Compromise:

Observed Domains
message-akbq[.]cdnmsgload[.]icu

id-Wdtd[.]cdnmsgload[.]icu

message-XPsO[.]cdnmsgload[.]icu

www-jaus[.]check256ssl[.]icu

www-gcgc[.]emailmobile[.]icu

www-wNZq[.]emailmobile[.]icu

message-ncvm[.]emailmobile[.]icu

message-fbfa[.]extmailread[.]icu

www-gwXs[.]fetchemailgo[.]icu

message-jkgj[.]fetchemailgo[.]icu

www-udzi[.]fetchemailgo[.]icu

www-DQcE[.]inboxloaderror[.]icu

message-rpaK[.]inboxloaderror[.]icu

id-jPXC[.]iosemail[.]icu

id-oexq[.]iosemail[.]icu

www-BEOb[.]iosemail[.]icu

id-hKHR[.]iosemail[.]icu

message-EQdH[.]loadcdnmsg[.]icu

www-IqMJ[.]loadcdnmsg[.]icu

message-kqif[.]loading8[.]icu

message-pzvv[.]loading8[.]icu

www-qtnt[.]loading8[.]icu

id-pjgx[.]loading8[.]icu

www-ZMZs[.]loading8[.]icu

www-YIjn[.]loading8[.]icu

message-spuj[.]mail-load[.]icu

www-stxs[.]msgmailweb[.]icu

message-cmmh[.]portalmail[.]icu

message-pcsf[.]secure2[.]icu

id-amjs[.]securemail1[.]icu

www-tesj[.]userclientmsg[.]icu

 

Observed IPs

198[.]46[.]131[.]54

192[.]3[.]202[.]53

“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan

Threat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense Phishing Defense Center and known to target South American users.

Threat Actors Seek Your Credentials Before You Even Reach the URL

Cofense Intelligence™ has observed a phishing technique that takes a unique approach to illicitly obtain a target’s sensitive information. In a recent campaign, threat actors harvested victims’ credentials through a PDF window prompt rather than via a webpage—the more traditional credential phishing technique.

Cofense Intelligence obtained a phishing email that allegedly informs the recipient of an Amazon.de bill of sale. The German language email lure claims to deliver a tax invoice and requests the recipient to view the attached PDF. The PDF, also presented in German, specifies that the document cannot be opened in a browser and must be opened in Adobe Reader or Adobe Acrobat. When the PDF is opened in either Adobe Reader or Acrobat, the victim will be prompted through the PDF to enter their Amazon.de email address and password (Figure 1).

Figure 1:  The German-language PDF prompts the victim to enter their Amazon credentials (Note: The credentials entered in the screenshot are false and are used as an example.)

Once the credentials are accepted, the victim receives another pop-up window warning the victim that the PDF is attempting to open a webpage to panelessolaresparaguay[.]com (Figure 2).

Figure 2: The victim is required to click “Allow” in order to proceed to the next step

After clicking “Allow,” the PDF opens a browser window and directs the victim to a German Amazon phishing page, whose URL contains the email address entered in the PDF prompt in the path of the URL:

hxxp://sellercentral.amazon.de[.]347ty49h89ehg8ui7yt348[.]panelessolaresparaguay[.]com/step1[.]php?account=example@example(.)com

Figure 3 displays the first step in the German Amazon phishing page which has a loading image and a countdown informing the victim that a verification code has been sent to the recipient, yet Figure 3 does not specify the method by which the recipient will receive the code.

Figure 3: The PDF directs the victim to a German Amazon phishing page

When the page finishes loading, the victim is required to enter a code that was supposedly sent to the victim’s phone number, possibly in an attempt overcome Two Factor Authentication (2FA) (Figure 4). However, the phish never once prompts the victim to enter a phone number in this scam. The victim also has the option of clicking on what appears to be a link that would supposedly provide information on retrieving the code labeled “Haben Sie den Code nicht erhalten?” (English translation: “Did not you receive the code?”). Instead, the link does not direct the victim to another page and the victim is forced to enter any string of characters to proceed to the next step. Thus, it is more likely this is done not to overcome 2FA but to distract intended victims and leave them none-the-wiser that they exposed their credentials.

The following URL directs the victim to step 2:

hxxp://sellercentral.amazon.de[.]347ty49h89ehg8ui7yt348[.]panelessolaresparaguay[.]com/step2[.]php

Figure 4: The field will accept any information entered to proceed to the next page

After the victim enters a “code” and clicks the button to proceed to the next step, the page redirects the victim to the genuine Amazon Seller Central’s European website on Amazon.de, indicating the phishing scam is completed.

This credential phishing scam underscores a unique method of stealing login credentials before the victim is required to interact with a browser window. This is unusual given that most scams harvest credentials via a phishing webpage. In analyzing this campaign, Cofense Intelligence found that opening the PDF in non-Adobe applications will not display the login prompt and, because the PDF states the document cannot be opened in a browser, victims cannot interact with the PDF in Adobe PDF Online, an application used to edit PDFs in a browser.

The tactics, techniques, and procedures observed in this credential phishing scam highlight a unique method in which threat actors now steal their victims’ credentials. Credential phishing scams like the one above pose a serious risk to individuals and organizations and emphasize the importance of phishing awareness and education. Learn how Cofense PhishMeTM empowers users to recognize and report suspicious messages and avoid falling victim to costly phishing scams.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Where Do Security Awareness Programs Belong on the Org Chart?

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here.

For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?