Potential Misuse of Legitimate Websites to Avoid Malware Detection

Sometimes, common malware will attempt to gather information about its environment, such as public IP address, language, and location. System queries and identifier websites like whatismyipaddress.com are often used for these purposes, but are easily identified by modern network monitors and antivirus. It’s important to know, however, that everyday interactions with legitimate websites provide much of the same information and are not monitored because the interactions are legitimate. In other words, threat actors can bypass automated defenses by abusing legitimate websites that often cannot be blocked for business purposes.

First, cookies—easily accessible records of a user’s interactions with a webpage—are often stored on the local machine and can be accessed by malware. Second, some servers include additional information about the local machine in the response header. Though this is not as easily accessible to the average computer user, it could be leveraged by malicious actors to gain information about the local machine’s settings, location, operating system, public IP address, language, region, and unique identifiers.

This information about the local environment could be used to avoid directly querying the local machine, sidestepping the techniques that trigger automated defenses. For example, a malicious document could determine the region of an infected computer from wikipedia.org, bypassing network monitoring systems that look for web traffic to identifier websites like whatismyipaddress.com, and then download region-specific malware tailored to combat the antivirus software used in that region.

What Information Can Be Derived

Wikipedia’s response headers highlight the wealth of valuable information available to a malicious actor (Figure 1). Here, the “set-cookie” field contains the cookie value, which includes the GeoIP of the browser, consisting of the country, city, and GPS coordinates. The “x-client-ip” in the header records the public IP address of the local machine (redacted).

Figure 1: A response header from Wikipedia

Google has a useful cookie to track if a user has accepted their terms of service. As seen in Figure 2, this small cookie contains the state of agreement, the country where the computer is located, and the language of the browser used.

Figure 2: Matching contents of Google’s CONSENT cookie

How This Information Is Used

Some of this information, such as the IP address, can be leveraged by threat actors to determine if the infected computer is within a certain IP range of particular interest, such as Amazon Web Services or Microsoft Azure. Other malware families will not run unless the infected machine is located in a specific country. Malware that downloads additional files uses many different sources to obtain a variety of information about the local environment including:

  • Using the location and language to determine what to deliver (as discussed in a prior blog)
  • Noting the operating system to determine what kind of malware to deliver
  • Determining the use of a VPN based on the IP address to decide whether to run

What Actions Look Suspicious

Automated systems and malware sandboxes often monitor a list of events that are rarely generated by legitimate software. These events include system queries for information such as the system language, generating a cryptographic key, or the operating system version, as well as network traffic. Certain language checks or domains appearing in network traffic will trigger alerts, as seen in Figure 3.

Figure 3: A moderate event alert from a Cuckoo sandbox execution

Avoiding Alerts When Seeking Valuable Information

By making web requests to legitimate websites, malware can obtain additional information about its environment while avoiding detection. Suspicious system calls or network traffic that might alert automated systems can be avoided by deriving the same information from these web requests. There is nothing inherently malicious about contacting legitimate websites, and no suspicions would be raised simply based on such contact. Because many of these checks can be done unobtrusively, researchers are more likely to assume the malware is simply not functional than to recognize that it is detecting an analysis environment. For example, the same cookie shown in Figure 2 can also be used to detect a mismatch between the browser language and endpoint country (shown in Figure 4).

Figure 4: The endpoint is recorded as Germany (DE), but the browser language is French (fr)
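
One way a defender could hunt for this technique in proxy or EDR logs, as an added example that is not code from the Cofense post: it flags lookups to identifier sites such as whatismyipaddress.com and, more to the point of this post, requests to wikipedia.org or google.com that originate from a non-browser process such as an Office application. The log format, the browser allowlist and the sample lines are constructed assumptions.

```python
"""Hunt for environment reconnaissance performed through legitimate websites.

Added example, not code from the original post. Assumes a constructed
proxy/EDR log format with one record per line:
  <timestamp> <endpoint> <process> <method> <dest_host> <path>
"""
import re
from collections import defaultdict

# Domains whose only purpose is to tell a client about itself (the post
# names whatismyipaddress.com); extend with your own list.
IDENTIFIER_SITES = {"whatismyipaddress.com"}

# Legitimate sites the post shows leaking GeoIP / country / language data.
LEAKY_LEGIT_SITES = {"wikipedia.org", "google.com"}

# Processes expected to talk to those sites (assumed allowlist).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<endpoint>\S+) (?P<process>\S+) (?P<method>[A-Z]+) "
    r"(?P<dest>\S+) (?P<path>\S*)$"
)


def base_domain(host):
    """Reduce en.wikipedia.org -> wikipedia.org (simple two-label heuristic)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(record):
    """Return the reasons this record is suspicious (empty list if none)."""
    reasons = []
    dest = base_domain(record["dest"])
    if dest in IDENTIFIER_SITES:
        reasons.append("identifier-site lookup")
    if dest in LEAKY_LEGIT_SITES and record["process"].lower() not in BROWSERS:
        reasons.append(f"non-browser process {record['process']} contacted {dest}")
    return reasons


def hunt(log_text):
    """Parse log lines; return {endpoint: [(ts, process, dest, reason), ...]}."""
    findings = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        rec = m.groupdict()
        for reason in classify(rec):
            findings[rec["endpoint"]].append((rec["ts"], rec["process"], rec["dest"], reason))
    return dict(findings)


# Constructed sample: a normal browser visit, then an Office document fetching
# wikipedia.org and google.com (the scenario in the post), then a classic
# identifier-site lookup from a script host.
SAMPLE_LOG = """
2018-09-18T09:01:02Z WS-042 chrome.exe GET en.wikipedia.org /wiki/Main_Page
2018-09-18T09:03:10Z WS-042 winword.exe HEAD en.wikipedia.org /
2018-09-18T09:03:11Z WS-042 winword.exe GET www.google.com /
2018-09-18T09:05:00Z WS-017 powershell.exe GET whatismyipaddress.com /
"""

if __name__ == "__main__":
    for endpoint, hits in hunt(SAMPLE_LOG).items():
        for ts, proc, dest, reason in hits:
            print(f"{endpoint} {ts} {proc} -> {dest}: {reason}")
```

The browser visit produces no finding; the two Office-originated requests and the identifier lookup do.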

Potential Impact

This technique is not currently widely used, but offers several benefits to attackers and would be difficult for organizations to defend against. Websites such as Wikipedia and Google cannot simply be blocked, and current local and network defenses may not be able to distinguish traffic that is not inherently malicious. Although this does not disguise the connections that malware makes to its command and control hosts or payload servers, it does hinder analysis and allows an infection to progress further before it is detected.

Given the ease with which threat actors are able to bypass automated defenses by abusing legitimate websites and tools that often cannot be blocked for business purposes, it is imperative that individuals be trained to recognize the initial threat and to report it. Combining this training with human verified intelligence helps to ensure a successful defense strategy.

Learn how Cofense PhishMe™ helps thousands of organizations train users to spot and report phishing emails.

For more information on the abuse of legitimate websites for data exfiltration and malware delivery, as well as the abuse of Microsoft Utilities to avoid detection, see these previous Cofense™ blogs:  “Threat Actors Abusing Google Docs” and “Abusing Microsoft Windows Utilities.”


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Beware of payroll-themed phishing. Here’s one example.

Last week, the Internet Crime Complaint Center (IC3) published a public service announcement on cybercriminals disseminating payroll-themed phishing emails. These phishing emails, often imitating financial organizations, contain alluring content such as an enticing subject line or use social engineering techniques to convince targets that the email is from a legitimate source.

Cofense Intelligence™ has observed payroll-themed phishing lures requesting targets to view an embedded link or download an attached file. The emails typically deliver credential phishing links or malware that is tasked with stealing the target’s financial and personal credentials.

Recently, Cofense Intelligence analyzed a payroll-themed phish distributing the TrickBot malware (Figure 1). While the phishing lure is simple, it does entice the recipient to view the attached document by using an eye-catching subject line and a “confidentiality notice” to convince targets of its legitimacy.

Figure 1: A payroll-themed phishing email received by Cofense Intelligence

The email has an attached Microsoft Office Excel spreadsheet containing a hostile macro script used to download and run the TrickBot malware on the target’s machine. TrickBot targets multiple financial institutions and intercepts relevant internet traffic and exfiltrates it to the threat actors via the command and control locations. TrickBot can also make use of a large suite of plugins which enable it to inject into web browsers, steal email credentials, and operate as a worm, spreading laterally within a LAN via SMB exploitation.

See anything odd in this email?

While the sender’s address (redacted) was spoofed to look internal, there are still a few things that raise red flags. First, there’s no greeting or introduction. It just launches into the message. Second, given the subject’s importance the message is very bare-bones—a single incomplete sentence not even graced by a verb. Third, if you’re not in Payroll or some other part of Finance, why would you receive this? For most recipients, the context wouldn’t make sense.

It’s important to educate and empower users to recognize and report suspicious emails. The following tips will help your users avoid falling victim:

  • Attackers have the ability to make phishing emails look incredibly enticing. Verify that the email comes from a trusted source.
  • Pay attention to the language of the email and note any grammar mistakes.
  • Stay alert! Social engineering is a common technique used by attackers. Use caution if a suspicious email seems convincing.
  • Avoid re-using passwords.
  • Avoid sharing personally identifiable information (PII) over email.
  • Always make sure to verify if a website is legitimate.
  • If an email does seem suspicious, avoid interacting with the sender and instead report it!

To keep up with the latest phishing and malware developments, sign up for free Cofense Threat Alerts.


Ouch! Our Report Shows Why the Healthcare Industry Needs Better Phishing Defense

Cofense™ released new research last week on phishing in the healthcare industry. It’s one of those industries that routinely gets hammered by phishing and data breaches. In fact, according to Verizon’s most recent Data Breach Investigations Report, over a third of all breaches target healthcare companies [1]. One recently reported example: the phishing attack on the Augusta University healthcare system, which triggered a breach that may have compromised the confidential records of nearly half a million people.

None of this is surprising, considering that healthcare lives and breathes data. But our research also found this:

Healthcare lags behind other industries in resiliency to phishing.

This is a cross-industry comparison of healthcare and 20 other major verticals like financial services, energy, technology, and manufacturing. Healthcare’s ratio of email reporting vs. phishing susceptibility shows a meager resiliency rate of 1.34. By contrast, the energy industry’s rate is 4.01 and financial services’ is 2.52.

The Cofense report reveals lots more:

  • Further details on healthcare resiliency to phishing
  • The phishing simulations that fool healthcare employees the most
  • A breakdown of real phishing emails received by healthcare companies
  • A look at crimeware rates among select healthcare organizations

Cofense solutions are helping healthcare companies stop phishing attacks.

Our new report also examines how one healthcare company stopped a phishing attack in 19 minutes. The company uses Cofense solutions for phishing awareness and reporting, plus incident response and threat intelligence. Their complete, collaborative phishing defense prevented a costly breach.

Make sure you’re ready, too. View the report now!

To learn even more about healthcare and phishing, check out our Healthcare Resources Center where you’ll find videos, case studies, white papers, expert blogs, and more.



  [1] Verizon, 2018.

Staying King Krab: GandCrab Malware Keeps a Step Ahead of Network Defenses

GandCrab ransomware is being rapidly developed to evade the cyber security community’s defense efforts, aid proliferation, and secure revenue for those driving the malware. Cofense Intelligence™ has identified a new campaign that is delivering GandCrab version 4.4, the newest iteration of this prolific ransomware. The developers of GandCrab are aware of the research analysis done on its past versions, and release new versions rapidly to negate the solutions. These malicious developers also release versions in direct correlation to specific security companies’ findings. In the last two months, the authors of GandCrab have released version 4, and subsequent 4.x releases to improve the ransomware’s capabilities.

The email-borne campaign bearing GandCrab v4.4 (analyzed by Cofense Intelligence) did not follow the usual trends of being delivered via Microsoft Office Macro attachment. The lures employed during these previous campaigns were typically enticing recipients to download an infected resume or subpoena. The emails were written in German and had an attached .zip archive that contained an executable sample of GandCrab v4.4. The email body follows previous campaign narratives and is depicted in Figures 1 & 2.

Figure 1: The email body written in German.

Figure 2: The email body translated to English.

Once executed, the GandCrab sample will then collect information about the machine and determine if it is a viable candidate for encryption. If the machine has been deemed acceptable, files that meet specific criteria are then encrypted. After encryption, GandCrab then drops the ransom note in each directory via a .txt file. Figure 3 is a ransom note example.

Figure 3: A GandCrab ransom note example.

The fourth version of GandCrab was released in July, only six months after the first sighting of GandCrab in the wild. This latest version is a drastic change from its predecessors. Focusing on speed of encryption, this version switches from using RSA-2048 to the Salsa20 encryption algorithm. Prior to the fourth version of GandCrab, the sample would need to successfully check in with its Command and Control (C2) structure before beginning the encryption process. Figure 4 documents strings found in GandCrab referencing the developer of the Salsa20 algorithm.

Figure 4: The creator of the Salsa20 algorithm is shown in the memory strings.

Versions 4 and 4.1 saw the introduction of a mechanism designed to prevent GandCrab running on undesirable machines. These specific versions would create a .lock file with a hex-string name, derived from specific information present on the machine, and place it in the C:\ProgramData directory. The binary would check for this .lock file and, if it was present, terminate itself without encrypting the endpoint. Another GandCrab kill-switch is triggered when the sample looks at the language packs installed on the machine. If GandCrab finds a Russian language pack or former Soviet Union language packs, it will terminate itself without encrypting the endpoint.

Another upgrade that came with versions 4 and 4.1 was the ability to encrypt file shares and attached devices. This is done through interaction with the System Volume Manager to detect these resources. This is a big update in weaponry because it gives this ransomware the ability to engulf a network with encrypted files. This version’s ability to encrypt file shares puts a greater emphasis on the mitigation and response techniques needed within a network. Encrypted files also receive a new extension, .KRAB, appended to their names, and the ransom notes are renamed to KRAB-DECRYPT.txt. Figure 5 shows the encrypted file system, as well as the ransom note placed on the Desktop.

Figure 5: The GandCrab ransom note placement and the .KRAB extensions.

GandCrab v4.1 also showed new network traffic not previously seen with the older versions. This version uses a custom Domain Generation Algorithm (DGA) to create URLs and POSTs the information collected from the machine to the DGA-created URL. These POSTs do not go to GandCrab C2 infrastructure; rather, they go to legitimate domains. Some researchers have theorized that these POSTs might be the Proof-of-Concept (PoC) for a future feature yet to be fully utilized. Other researchers believe that these POSTs are meant to fill the network with false-positive C2s. Figure 6 shows the multiple POSTs to DGA-created URLs.

Figure 6: The network POSTs to the DGA-created URLs.

Version 4.1.2 was created out of necessity because of the work done by AhnLab, Inc. and their vaccine software. AhnLab found that the .lock file could be impersonated and placed on the machine beforehand. By doing this, the GandCrab sample would find the .lock file and terminate itself, thus preventing it from successfully encrypting the machine. The vaccine provided by AhnLab was negated within four days by the ransomware developers by utilizing the Salsa20 encryption algorithm to create the .lock file. Less than one day later, AhnLab provided v2.0 of the vaccine. Two days later, a new variant of GandCrab was spotted which checked for a mutex instead. GandCrab v4.1.2 also added anti-sandbox techniques, such as checking the allocated memory and registry for indicators of a virtual environment.

The updated version 4.1.2 became the basis for v4.2+ and brought about a PoC weapon aimed at AhnLab. This PoC is source code that claims it can cause a Denial of Service (DoS) attack on the AhnLab anti-virus solution used on endpoints. The PoC claims that this can cause a Blue Screen of Death (BSOD) on the targeted system. GandCrab’s anti-sandbox techniques, as discussed above, were also removed in v4.2.1. Figure 7 shows the link to the PoC within the running memory.

Figure 7: The BSOD PoC link in the memory strings.

Version 4.3 was simply a re-compile and re-organization of the code as well as adding anti-disassembly techniques. Version 4.4, the latest version, was built upon previous versions with a few new features of its own. The latest version comes with a stealth mode which, when enabled, queries the information gathered. It then determines if any processes on the endpoint need to be terminated before GandCrab starts its infection. Most of the processes targeted for termination are anti-virus products and those which may hold handles to important files (such as database files) which GandCrab intends to encrypt. This allows for the sample to have a non-disruptive and stealth-like file encryption process. The latest version also comes with a self-kill switch. This version can create the .lock file and place it in the %ProgramData% directory before infection as a nod to AhnLab’s vaccine. If the .lock file is found, the sample then sleeps in the background indefinitely. Figure 8 shows the stealth mode strings in memory.

Figure 8: Stealth mode in the memory strings.
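
A file-system triage that an incident responder could run for the v4.x artifacts named above, as an added example that is neither Cofense’s nor the malware’s code: it counts .KRAB-extension files, locates KRAB-DECRYPT.txt ransom notes, and lists hex-named .lock files in a ProgramData-style directory. The page does not give the .lock name derivation, so treating any all-hex name of eight or more characters as a candidate is an assumption, as is the constructed sample tree.

```python
"""Triage a file system for the GandCrab v4.x artifacts named in the write-up.

Added example, not Cofense's or the malware's code. Looks for:
  * files whose name ends in .KRAB (the encrypted-file extension),
  * KRAB-DECRYPT.txt ransom notes dropped per directory,
  * hex-named .lock files in a ProgramData-style directory (the kill switch).
The exact .lock name derivation is not on the page, so any all-hex name of
8+ characters is treated as a candidate (assumption).
"""
import os
import re
import tempfile

KRAB_EXT = ".krab"
RANSOM_NOTE = "krab-decrypt.txt"
HEX_LOCK_RE = re.compile(r"^[0-9a-f]{8,}\.lock$", re.IGNORECASE)


def triage(root, programdata):
    """Walk root for .KRAB files and ransom notes; check programdata for .lock files."""
    result = {"krab_files": [], "ransom_notes": [], "lock_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower.endswith(KRAB_EXT):
                result["krab_files"].append(full)
            elif lower == RANSOM_NOTE:
                result["ransom_notes"].append(full)
    if os.path.isdir(programdata):
        for name in os.listdir(programdata):
            if HEX_LOCK_RE.match(name):
                result["lock_files"].append(os.path.join(programdata, name))
    return result


def verdict(result):
    """Encrypted files or notes mean an infection ran; a lock file alone may be a
    vaccine or a v4.4 self-kill artifact and deserves a closer look."""
    if result["krab_files"] or result["ransom_notes"]:
        return "encryption-artifacts"
    if result["lock_files"]:
        return "lock-file-only"
    return "clean"


def build_sample_tree():
    """Constructed sample: a user profile with two encrypted documents and a
    ransom note, plus a ProgramData directory holding a hex-named .lock file."""
    base = tempfile.mkdtemp(prefix="gandcrab-triage-")
    docs = os.path.join(base, "Users", "alice", "Documents")
    programdata = os.path.join(base, "ProgramData")
    os.makedirs(docs)
    os.makedirs(programdata)
    for name in ("budget.xlsx.KRAB", "notes.docx.KRAB", "KRAB-DECRYPT.txt", "readme.txt"):
        open(os.path.join(docs, name), "w").close()
    for name in ("0123456789abcdef.lock", "settings.lock", "app.log"):
        open(os.path.join(programdata, name), "w").close()
    return base, programdata


if __name__ == "__main__":
    base, pd = build_sample_tree()
    res = triage(base, pd)
    print(verdict(res), res)
```

On a real host, point triage at the user profiles and at C:\ProgramData; the sample tree exists only so the script runs offline.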

What You Can Do

As with any ransomware, and especially GandCrab v4.4, you need to have the proper mitigation in place in case an endpoint on the network becomes encrypted. Proper mitigation involves having up-to-date software from the manufacturer; network segmentation from resources that are considered critical; recurring and tested backups of all business-critical data; an email security stack that can sanitize emails as they arrive to the end user; and a response plan that has been practiced and refined. Having these things in place can help you withstand a ransomware incident.

GandCrab blasted onto the scene in early 2018, and since then has made great strides in staying relevant in the shifting landscape. The latest rendition employs tactics, like offline encryption, that had not yet been seen by prior iterations. GandCrab v4 has been able to change and adapt to the mitigation tactics of the cyber security community within the span of two months. The developers of GandCrab have been able to quickly evolve their malware based on anti-virus research analysis, which allows for more effective and lasting infections for the ransomware operators. This rapid development cycle of ransomware is a new trend that could likely lead to more malware developers taking research analysis as constructive criticism, then making their samples more robust in the future.

To stay abreast of developments in malware and phishing attacks, sign up for free Cofense Threat Alerts.


Here’s a Free Turnkey Phishing Awareness Program for National Cybersecurity Awareness Month

So… it’s September and October is only a few weeks away. Have you started putting together your campaign for National Cybersecurity Awareness Month (NCSAM) yet? If not, you’re in luck – we’ve created a complimentary turnkey phishing awareness program for you to quickly launch and look like a superhero to your leader AND your organization! And best yet, these resources can be used all year round – BECAUSE security awareness goes beyond October.

Cofense Advances as Best Tech Work Culture Finalist in Washington DC’s 2018 Timmy Awards

Tech in Motion announces top 10 local tech companies and opens public voting to determine winners

LEESBURG, VA – September 17, 2018 – Tech in Motion Washington DC has chosen Cofense™ as a finalist for this year’s Best Tech Work Culture category as it prepares for the fourth Annual Timmy Awards, which recognizes the top workplaces for tech professionals in the Washington DC area. Cofense joins an elite list of this year’s finalists, including: Hustle, Mapbox, Ostendio and Securiport.

How to Protect Against Phishing Attacks that Follow Natural Disasters

By Aaron Riley and Darrel Rendell

With Hurricane Florence battering parts of the East Coast, here’s a reminder that phishing campaigns sometimes pretend to promote natural-disaster relief efforts in hopes of successfully compromising their target. Cofense Intelligence™ has analyzed plenty of these campaigns, which are designed to entice the end user into credential theft or endpoint infection.