Bah HumBUG: 5 Recent Holiday Phishing Samples You Need to Watch Out For

Along with more online shopping, correspondence, and travel, the holiday season sees an increase in phishing operators eager to capitalize on a more-active attack surface. With Thanksgiving tomorrow, Cofense Intelligence and the Cofense Phishing Defense Center have seen a bombardment of Thanksgiving-themed phishing lures this week. Threat actors use this inundation of emails to their advantage—hoping to trick anyone looking for a good deal or eager to partake in the season’s merriment.

Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

By Darrel Rendell, Mollie MacDougall, and Max Gannon

Cofense IntelligenceTM has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection.

Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses the improved phishing templates are likely based upon data pilfered with a recently updated scraper module to spoof US financial institutions so effectively.

Figure 1: email template spoofing a major US financial institution

Figure 2: Proofpoint’s URL Wrapping service appearing within this campaign

After a month-long hiatus, Geodo returned on November 6th, 2018 with upgrades to its spamming module, supplementing existing capabilities – namely contact list and signature block theft – with functionality enabling the theft of up to 16KB of raw emails and threads. Although the exact reason for this module upgrade was unclear, Cofense Intelligence assessed it would either be used to bolster the actors’ social engineering efforts, using the stolen data to refine Geodo phishing templates, or for direct revenue generation – selling the raw message content to the highest bidder.  Today, it appears the initial prediction was correct.

The campaign observed on November 13th was, in many ways, a standard Geodo campaign: messages distributed en masse to targets across the globe, spoofing a known and trusted organization, containing URLs (Table 1) pointing to Word documents containing hostile macros (Table 2). When executed, these macros retrieve a fresh sample of Geodo from one of five compromised web servers and execute it on the machine. As has become increasingly common with Geodo campaigns, the malware functioned as a downloader for other payloads, in this case retrieving a sample of IcedID.

IcedID shares some basic behavior with TrickBot—another prolific banking trojan turned multipurpose botnet. However, IcedID targets both investment and financial institutions as well as several bank holding companies many of which even TrickBot does not target, as TrickBot is much less focused on investment banks or smaller US commercial banks. An example of an IcedID spoofed login page for a regional US bank can be seen in Figure 3.

Figure 3: a spoofed login page for a regional bank that led to a Geodo and subsequent IcedID payload

Geodo has always been a formidable botnet and continues to grow. During tracking, we have seen at least 20,000 credentials added to the list of credentials used by the botnet clients each week along with millions upon millions of recipients. The introduction of this new module has had clear and dramatic effects on the sophistication and efficacy of this social engineering effort. In July, Geodo began including more sophisticated phishing lures, imitating US banks and including graphics that made the emails look less generic and more convincing.

This most recent campaign demonstrated a shocking improvement from that initial upgrade, demonstrating the value of the email scraping module. Considering that where Geodo goes, TrickBot often follows, we are concerned that this type of module will show up in other malware campaigns. The new inclusion of ProofPoint URLs wrapped with URL Defense adds an additional false sense of security to a user and may indicate the malware scraped the wrapped URLs from a compromised user.

Several members of the Cofense Intelligence team discussed Geodo in a recent open customer call. Any customers who were unable to attend are welcome to email [email protected] for a recording.

Cofense is also offering a complimentary Domain Impact Assessment, powered by the Cofense Research and Intelligence teams, for any organization that may be affected by this Geodo update. Learn more here.

Table 1: Payload URLs observed during this campaign

Table 2: Files associated with this campaign

Table 3: Command and Control infrastructure identified during this campaign

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Named a Leader in the 2018 Gartner Magic Quadrant for Security Awareness Computer-Based Training

Company recognized as a Leader for third consecutive year*

LEESBURG, VA. – November 16, 2018 – Today Cofense, the leading provider of human-driven phishing defense solutions world-wide, announced it was named a leader in Gartner’s November 2018 Magic Quadrant for Security Awareness Computer-Based Training. Cofense has been recognized as a leader for three consecutive years.

Phishing Emails with .COM Extensions Are Hitting Finance Departments

Cofense IntelligenceTM has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in all nine months preceding. Four different malware families were utilized.

The .com file extension is used for text files with executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards compatibility reasons. The .com style byte code is the same across all PE32 binaries (.exe, .dll, .scr, etc.) within the DOS stub. The subject lines and email contents of the phishing emails (Figure 1) suggest that the threat actor is targeting financial service departments. The .iso file attachment mentioned in the email contents is an archive containing a .com1 executable.

Figure 1: Email Content Suggests Targeting of Financial Services Department

If you’re a Cofense PhishMe™ customer, you can use this same lure in your phishing simulations. Look for the template we’ve created, “Overdue Invoice – LokiBot.” It conditions employees to report phishes trying to deliver the Loki Bot information stealer malware. (More on Loki Bot and other malware below).

The two most popular subject line themes we’re seeing use the lures “payment” and “purchase order.” Threat actors are likely carrying out these campaigns to target employees with financial information stored on their local machines, which explains the use of information-stealing malware as the campaigns’ payloads.

Figure 2: Subject Line Categories used in .COM Campaigns

Our analyses showed that the email subject lines were specific to the malware payloads they delivered. For example, the “payment” subject-emails delivered more AZORult information stealer, while the “purchase order” subject-emails most often delivered the Loki Bot information stealer and the Hawkeye keylogger. It is possible that different actors are distributing the unique malware families via .com files. Or, perhaps the same group is responsible and assesses which lures are most appropriate for different malware and the information they target.

Most commonly, .com payloads are directly attached to a phishing email without any intermediary delivery mechanism. However, some campaigns did include an attachment that contained such an intermediary dropper: often the attachment was weaponized to exploit a CVE or a malicious macro, which would deploy a .com payload onto the endpoint. As network defenders become increasingly aware of this direct-attachment delivery, Cofense Intelligence expects to see an increase in intermediary delivery of malicious .com files, wherein a “dropper” attachment will arrive with the phish and subsequently load the weaponized .com file onto the end point.

Figure 3: Malware Families Delivered using .com Extensions.

Loki Bot, AZORult and Hawkeye made up the far majority of malware delivered in the campaigns we analyzed, whereas Pony accounted for a very small percentage. The combination section refers to the attachment utilizing a vulnerability within a document to deploy a .com payload on the endpoint as mentioned above.

The malware families delivered with the .com extension also revealed a trend with their Command and Control (C2) communication. The samples of .com binaries that delivered AZORult communicated exclusively with domains hosted by Cloudflare. Cloudflare was also the predominant host for Loki Bot with over 75% of its C2 domains hosted with that service. It is likely that Cloudflare is not hosting the actual C2, but in fact being used as a domain front. “Domain fronting” is a technique that allows for the connection to appear to go to one domain when it is actually going to another. This is achieved by connecting securely to one domain and then passing in the target domain via the HTTP host header value. By using Cloudflare, which is typically trusted by most organizations, the attackers are able to circumvent blocks that might be put in place. Cloudflare recently changed its policies to disallow its use for malicious hosting, yet the service has continued to be used by attackers for malicious redirection.

Figure 4 below shows the C2’s for Loki Bot, AZORult, and Pony that were hosted on Cloudflare compared to every other domain hosting service provider. Hawkeye keylogger stood apart in communicating with unique email domains.

Cofense Intelligence estimates that we’ll see an increased adoption of malware using the .com extension. Similar campaigns will likely expand to other industries that have monetizable data, like the healthcare and telecommunication sectors. An increased use of the .com extensions can be harmful to enterprise networks if organizations are not prepared for it, and once they are, another file extension will surge in popularity in a constant effort to stay ahead of the defense.

To stay ahead of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.

  1. Filename: overdue payment.com MD5 hash: 8e6f9c6a1bde78b5053ccab208fae8fd

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Named a 2018 DC Inno ‘50 on Fire’ Innovation Leader

DC Inno Cites ‘Powerful Year’ of Growth and Product Expansion for Global Leader in Phishing Defense, Orchestration and Automation Solutions

When do you know your company’s on fire? One sign is the company you keep. DC Inno, an organization that promotes innovation and the entrepreneurial spirit in the DC, Maryland, and Virginia region, whose combined economy is one of the nation’s strongest and most diverse, named Cofense™ to its 2018 50 on Fire list of red-hot businesses.