H-Worm and jRAT Malware: Two RATs are Better than One

When threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself via removable devices like USB drives.

The email below uses a generic invoice-themed phishing lure and carries two attached .zip archives: one containing a VBScript file and the other a .jar Java application.

Figure 1: Phishing lure delivering jRAT and H-Worm

While the .jar file is a sample of jRAT, it also drops a copy of H-Worm on the infected machine. The VBScript file is tasked with downloading a Java Runtime Environment (JRE), if one is not already on the machine, so that the .jar file can run. This VBScript file is a sample of H-Worm. The delivery is unusual compared to older analyses of H-Worm with jRAT, which typically consist of a single payload used to facilitate the infection of both H-Worm and jRAT (and sometimes H-Worm with other malware families).
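The campaign above arrives as two .zip attachments whose members are a VBScript file and a .jar file. A mail-filtering check that looks inside archive attachments, without extracting anything to disk, and flags members with script or Java extensions is one of the simplest places to stop this delivery. The following Python is an added example written for this post, not Cofense code or the campaign's files; the attachment names, the member names and the placeholder member contents are constructed, and the extension block list is an assumption you would tune to your own policy.

```python
import io
import zipfile
from typing import Dict, List

# Member extensions that have no business in an "invoice" archive. .vbs and .jar
# are the two members the campaign above uses; the rest are common script/binary
# droppers. This list is an assumption, adjust it to your environment.
EXECUTABLE_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".jar",
    ".exe", ".scr", ".bat", ".cmd", ".ps1",
}


def risky_members(zip_bytes: bytes) -> List[str]:
    """Return member names whose final extension is on the block list.

    Only the central directory is read; nothing is extracted. Checking the
    *last* extension means double-extension tricks such as "Invoice.pdf.vbs"
    are still caught.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                hits.append(name)
    return hits


def triage_attachments(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each attachment name to its risky members (empty list = clean).

    Attachments that are not valid zip archives are reported with a marker so
    they can be routed to a different check rather than silently passed.
    """
    verdicts: Dict[str, List[str]] = {}
    for name, data in attachments.items():
        if not zipfile.is_zipfile(io.BytesIO(data)):
            verdicts[name] = ["<not a zip archive>"]
            continue
        verdicts[name] = risky_members(data)
    return verdicts


def _make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the example runs offline (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mirroring the lure's shape: two archives, one with a
# VBScript member and one with a .jar member, plus a benign archive. The member
# contents are placeholders, not the real malware.
SAMPLE_ATTACHMENTS = {
    "invoice_1.zip": _make_zip({"Invoice.pdf.vbs": b"' placeholder, not the real script\r\n"}),
    "invoice_2.zip": _make_zip({"Invoice.jar": b"placeholder bytes"}),
    "readme.zip": _make_zip({"docs/readme.txt": b"plain text"}),
}

if __name__ == "__main__":
    for att, hits in triage_attachments(SAMPLE_ATTACHMENTS).items():
        verdict = "BLOCK " + ", ".join(hits) if hits else "no executable members"
        print(f"{att}: {verdict}")
```

The check deliberately stops at the member names: the JRE download and the jRAT drop described above happen only after a user runs the member, so an archive that names a .vbs or .jar inside an "invoice" can be quarantined before any of that.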

Two RATs, One Infection

Disseminating two similarly functioning malware families in a single infection is not a new tactic. Threat actors do this to exfiltrate more valuable information and to carry out additional tasks that support further infection or monetization. Some of the functions and capabilities of H-Worm and jRAT are shown below.

Figure 2: Distinct functions and similarities of H-Worm and jRAT

Each remote access trojan serves a specific purpose, such as keylogging, monitoring audio or video, or modifying the registry. At the end of the day, the specific malware or number of malware families used in a single infection cycle does not matter to the threat actor as long as there is a better chance for a successful infection. In the end, all that matters to the threat actors is if they were able to exfiltrate the information they seek.

However, for many attackers, the outcome of a successful infection also relies upon the successful delivery of a phishing email. Threat actors will continue to develop new tactics, techniques, and procedures (TTPs) to lure their intended targets. The first step to avoid an infection like the one above is to recognize and report suspicious messages. Educating computer users to identify suspicious emails can help your organization stop an attack on your infrastructure.

Learn how Cofense PhishMe™ conditions users to recognize active phishing threats.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

America’s First: US Leads in Global Malware C2 Distribution

By Mollie MacDougall and Darrel Rendell

Cofense Intelligence™ has found that 27% of network Indicators of Compromise (IoC) from phishing-borne malware analysed during 2018 used C2 infrastructure located in, or proxied through, the United States—making the US the leader in global malware C2 distribution.

Map 1 details these observations. This does not indicate that US-based users are being hit disproportionately: threat actors have an incentive to host C2 infrastructure outside their own country, and outside countries that have extradition agreements with their home nation, in order to avoid arrest and/or extradition. However, C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence of host compromises within the United States.

Map 1: All IPs, both resolved from domain names and direct connects, observed during 2018

Chart 1 reflects the top 5 data points observed in Map 1, calculated relative to one another.

Chart 1: Top 5 C2 location points across the globe, year-to-date 2018.

Maps 2 and 3 detail the juxtaposition in C2 locations between TrickBot and Geodo Tier 1 proxy nodes.

Map 2: TrickBot C2 distribution year-to-date 2018

Map 3: Geodo C2 distribution year-to-date 2018

At first glance, the contrast between Geodo and TrickBot may seem odd; Geodo overwhelmingly favors US hosts whereas TrickBot has a propensity toward Russian devices. However, Geodo uses networks of compromised web servers running Nginx as its Tier 1 proxy nodes. More specifically, Geodo uses legitimate web servers as reverse proxies, tunnelling traffic through them to the hosts of the true, hidden C2 infrastructure. TrickBot, on the other hand, almost exclusively uses for-purpose Virtual Private Servers (VPSs) to host its nefarious infrastructure.

TrickBot’s C2 distribution trends significantly more eastward—with a greater number of C2 locations in Eastern Europe and Russia. TrickBot campaigns almost always target Western victims. In June, Cofense Intelligence released a report detailing sustained, pernicious attacks against UK targets. TrickBot’s targeting of Western victims from Eastern-hosted C2 could be due to the lack of extradition agreements between those countries (Figure 1). Still, TrickBot does rely on some C2 locations in North America and Western Europe. This could alternatively be a strategic move wherein TrickBot uses regionally diverse C2 locations to make its infrastructure harder to profile, introducing uncertainty and helping to keep the hosts viable for as long as possible. Chart 2 is a companion to Map 2, detailing TrickBot’s favored hosting locations.

Figure 1: Countries with which the US has extradition agreements.1

Chart 2: A breakdown of TrickBot’s C2 locations. Note: In the ‘Other’ category, 64% are Eastern (including Eastern European).

Looking Ahead

The scattering of C2 locations for Geodo and TrickBot demonstrates the vast infrastructure of two of the most pernicious malware currently distributed via phishing. This suggests that these malware families will almost certainly remain on the scene in the months to come. An avid network defender should take note that using geolocation to help differentiate legitimate traffic from potentially malicious traffic may not be as effective as it seems. In light of the case study above, it would be prudent to actively monitor the threat landscape from a reliable source and stay vigilant.

To learn more about 2018 Geodo and TrickBot activity, view the Cofense™ analysis.

1. https://en.wikipedia.org/wiki/Extradition_law_in_the_United_States

Email Security Gateway (to Your Next Breach)

BY THE COFENSE PHISHING DEFENSE CENTER

Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface.

Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks

That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous to claim these technologies prevent all threats. At Cofense™, we deal with hundreds of phish that bypass email gateways and lead to compromised user accounts.

Security solutions like Proofpoint and Mimecast routinely fail to stop phishing attacks while leaving customers with a false sense of security. We see this all the time, including attacks where Proofpoint and Mimecast failed to defang URLs as advertised. These services also routinely fail to stop basic phishing schemes, including some that use hosted services like Google Drive and SharePoint; campaigns that use attachments to deliver malware or malicious links; and Business Email Compromise (BEC) attacks.

Below are a few of the many cases where we have seen Proofpoint and Mimecast let simple phishing attacks proceed without a fight.

Phishing Using Trusted Services

Cofense has often found that hyperlinks to traditionally trusted web services can easily make their way through firewalls and email gateways. Unfortunately, because of their low cost and free business models, services such as Google Drive, SharePoint, WeTransfer, and Dropbox are used by malicious actors to host files that contain embedded links to credential phishing sites. Email gateways cannot follow the link into the hosted file and thus cannot check or block the embedded link. See Figure 1 below for an example of a PDF file with an embedded phishing link that was hosted on Google Drive:

Figure 1 – A common PDF containing a phishing URL

The text “Document.pdf (150.45 kb)” is a hyperlink to a shortened URL, which then redirects the victim to the “Smartsheet” branded phish seen in figure 2 below:

Figure 2 – A “Smartsheet” branded credential phish.

This phishing email made it through Proofpoint, which failed to stop the attack because of the attacker’s evasion techniques. Luckily, the employee was well trained and reported the phish immediately.

Social Engineering, Business Email Compromise, & Vish

Some basic social engineering tactics can elicit a victim’s credentials without ever having to send malicious links or attachments to the user, making email gateways useless because there are no URLs to block.

Business Email Compromise is a common type of social engineering that tries to strike up a conversation with an employee in hopes of committing fraud, such as a fraudulent wire transfer or harvesting of company PII, as shown in Figure 3 below.

Figure 3 – A Business Email Compromise attack initiation

Additionally, Cofense frequently observes vishing attacks. In one attack (Figure 4), the vish impersonates a trusted company and requests a phone call to fix a non-existent issue with the victim’s account. These attacks allow threat actors to obtain a victim’s account information over the phone or over email without ever using malicious content that an email gateway could block.

Figure 4 – A social engineering Vishing attack

Malicious Attachments

Fabricated invoices and receipts, password protected PDFs, and other malicious attachment schemes are all common phishing tactics. Because most automated solutions only screen links in the body of the message, these attached phish regularly waltz their way past email gateways.

Recently, a password protected PDF phishing campaign targeted Cofense customers and completely circumvented Proofpoint protection. This phish included the password to the attached document within the body of the email, urging users to open it upon receipt, seen in Figures 5 and 6 below.

Figure 5 – Content snippet of a phishing email including a document’s password.

After opening the password protected PDF, the user is confronted with a link to a credential phishing site.

Like the previous example, basic Word documents with hyperlinks consistently bypass automated security solutions like Proofpoint and Mimecast, as seen in Figure 6.

Figure 6 – A .docx file with an embedded phishing link

Companies that rely purely on automated gateway solutions consistently fail to stop phish embedded within attachments.
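The attachment cases above (the PDF hosted on Google Drive, the password-protected PDF, and the .docx in Figure 6) share one property: the phishing URL lives inside the attachment, where a gateway that only screens the message body never looks. The following Python is an added example for this post, not Cofense code: it pulls link targets out of the two attachment types named above so they can be fed to the same URL checks the gateway applies to the body. The sample PDF and .docx are constructed in memory, and the URLs in them are placeholders. The PDF scan is a raw-byte regex, which is deliberate: it needs no PDF library, but it sees only uncompressed, unencrypted link annotations, so a password-protected PDF like the one in Figure 5 would have to be opened with its password first.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

# Matches the URI action of a PDF link annotation: /A << /S /URI /URI (http://...) >>
# Handles backslash escapes inside the literal string; hex strings <...> and
# URIs inside compressed object streams are NOT covered by this regex.
_PDF_URI = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def pdf_links(data: bytes) -> List[str]:
    """Return URI targets found in an unencrypted, uncompressed PDF."""
    return [m.group(1).decode("latin-1") for m in _PDF_URI.finditer(data)]


def docx_links(data: bytes) -> List[str]:
    """Return external hyperlink targets from a .docx.

    Word stores hyperlink URLs not in document.xml but in the relationship
    files under word/_rels/, as Relationship elements with TargetMode="External".
    """
    urls = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter():
                    if rel.tag.endswith("Relationship") and rel.get("TargetMode") == "External":
                        urls.append(rel.get("Target"))
    return urls


def extract_links(data: bytes) -> List[str]:
    """Dispatch on file magic rather than on the attachment's claimed name."""
    if data.startswith(b"%PDF"):
        return pdf_links(data)
    if zipfile.is_zipfile(io.BytesIO(data)):
        return docx_links(data)
    return []


# Constructed minimal PDF with a single link annotation (placeholder URL).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://short.example.invalid/r/abc123) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _make_docx(urls: List[str]) -> bytes:
    """Build a skeletal .docx containing only the relationship file (fixture)."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    for i, u in enumerate(urls, 1):
        rels.append(f'<Relationship Id="rId{i}" '
                    f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
                    f'Target="{u}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


# Constructed .docx with one external hyperlink (placeholder URL).
SAMPLE_DOCX = _make_docx(["http://login.example.invalid/office"])

if __name__ == "__main__":
    for label, blob in (("invoice.pdf", SAMPLE_PDF), ("invoice.docx", SAMPLE_DOCX)):
        print(label, "->", extract_links(blob))
```

Dispatching on the leading bytes rather than the file name matters here: a `.pdf` that is really a zip, or vice versa, is exactly the kind of mismatch a lure relies on, and it should be routed by what the bytes are.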

Weakness in their Strength

These email security gateways perform better when a malicious link is in the body of an email. However, we have observed cases where many of those emails bypass such gateways and reach the targeted victim. Following are some examples where either Mimecast or Proofpoint failed to rewrite the URL completely. Additionally, we will look at a very interesting example where Proofpoint did rewrite the URL completely but failed to block it, allowing the user to engage with the malicious website.

Proofpoint Examples

Figure 7 below shows the first example where the email gateway failed to correctly rewrite the URL:

Figure 7 – Banco do Brasil Email

The email above includes a link “INICIAR REGULARIZAÇÃO” that will redirect the user to a malicious website. A closer look at the HTML code of the email body (Figure 8) reveals that the href of the link brings the user to hxxp://50[.]63[.]162[.]13/dkng[.]html, which redirects again to hxxps://atualizacaocliente[./]info/loginseguro/Operador/.

Figure 8 – HTML Code of Banco do Brasil Email

The email gateway failed to rewrite the initial URL hxxp://50[.]63[.]162[.]13/dkng[.]html.

Figure 9 shows another example where the email gateway did not rewrite the URLs in the email:

Figure 9 – Example 2 Email

Investigating the HTML body of the email again reveals that the link in the email directs the user to hxxp://s1[.]sleove[.]com/id (Figure 10).

Figure 10 – Example 2 HTML Body

In both examples above, the email gateway failed to rewrite the URLs and replace them with a safe landing page for potential victims.
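Both Proofpoint cases above come down to the same observable fact: the href in the delivered HTML still points at the original host (a bare IP in Figure 8, s1[.]sleove[.]com in Figure 10) instead of at the gateway's rewrite domain. That is something a mail-security team can audit on every delivered message rather than discover after a click. The following Python is an added example for this post, not Cofense or Proofpoint code: it extracts every anchor href from an HTML body, notes whether the host is a known rewrite domain and whether it is a raw IP address, and reports the rest defanged. The sample body is constructed from the two defanged URLs on this page plus one illustrative rewritten link; urldefense.proofpoint.com appears on the page, while the second rewrite host in REWRITE_HOSTS is a placeholder to replace with your own gateway's domain.

```python
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Hosts a gateway rewrites links through. The Proofpoint one is from the page;
# the second is a placeholder (assumption) for whatever your gateway uses.
REWRITE_HOSTS = {"urldefense.proofpoint.com", "gateway.example.invalid"}


def refang(url: str) -> str:
    """Undo the hxxp / [.] defanging so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked in a report."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


class _HrefCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value.strip())


def audit_links(html: str) -> List[Dict[str, object]]:
    """Classify each http(s) anchor in an email body.

    rewritten: the host is one of REWRITE_HOSTS, i.e. the gateway saw and
               wrapped the link (it may still fail to block it, see Figure 14).
    raw_ip:    the host is a literal IP address, which legitimate mail almost
               never links to and which Figure 8 shows going unrewritten.
    """
    parser = _HrefCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        parsed = urlparse(refang(href))
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel:, javascript: are a different check
        host = parsed.hostname or ""
        try:
            ipaddress.ip_address(host)
            raw_ip = True
        except ValueError:
            raw_ip = False
        findings.append({
            "url": defang(parsed.geturl()),
            "rewritten": host in REWRITE_HOSTS,
            "raw_ip": raw_ip,
        })
    return findings


def unrewritten(html: str) -> List[str]:
    """Defanged URLs the gateway let through untouched (the Figure 8/10 case)."""
    return [f["url"] for f in audit_links(html) if not f["rewritten"]]


# Constructed sample body: the two unrewritten links from the page, one
# illustrative rewritten link (its path is made up), and a mailto: to skip.
SAMPLE_HTML = """
<html><body>
<p><a href="hxxp://50[.]63[.]162[.]13/dkng[.]html">INICIAR REGULARIZA\u00c7\u00c3O</a></p>
<p><a href="hxxp://s1[.]sleove[.]com/id">View document</a></p>
<p><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__example.invalid_x">Rewritten</a></p>
<p><a href="mailto:helpdesk@example.invalid">Contact us</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print(f)
    print("Unrewritten:", unrewritten(SAMPLE_HTML))
```

A non-empty `unrewritten()` result on a message that passed through the gateway is the finding both Proofpoint examples describe; the `raw_ip` flag on its own is a reasonable reason to hold a message regardless of what the gateway did.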

Mimecast

The following examples focus on Mimecast and demonstrate that Mimecast failed to rewrite the URL within the body of the emails (Figure 11, Figure 12, Figure 13).

Figure 11 – Mimecast Example 1

Figure 12 – Mimecast Example 2

Figure 13 – Mimecast Example 3

The Phishing Defense Center has analyzed all three emails mentioned above and identified them as part of a Geodo campaign. Geodo, also known as Emotet, is a banking trojan that steals financial information and often enables other malware to be installed on the victim’s computer. Many of the URLs that Mimecast failed to rewrite are related to Geodo campaigns.

Proofpoint Rewrites but Does Not Block

While spot-checking the 1,095 cases where the gateway did rewrite the URLs, we identified another issue: the gateway rewrote the URL but did not block it, thereby allowing the user to browse to and interact with a malicious page. As clearly shown in Figure 14, the URL has been rewritten to pass through https://urldefense.proofpoint.com, which indicates that this customer uses Proofpoint as its email security solution.

Figure 14 – Proofpoint Email where URL was not blocked

However, a click on the rewritten Proofpoint URL directs the user to hxxps://olook[.]ml, a phishing page that is attempting to steal user credentials, as shown in Figure 15.

Figure 15 – Phishing page after clicking on the rewritten Proofpoint URL

The submit button calls a JavaScript file which validates the input and if the input is accepted, sends the data to the attacker.

Conclusion

These examples show that email gateways often fail to stop phishing threats. While both Proofpoint and Mimecast were successful in rewriting and blocking URLs, there were still many cases where those products did not or would not have prevented a compromise. Simply relying on email gateways to stop malicious emails can leave you with a false sense of security and can result in breaches.

Understanding the weaknesses in Proofpoint, Mimecast, and other automated gateway solutions can be the first step in learning how to better defend yourself. Only a holistic strategy will work against the full spectrum of phishing attacks your company sees.

To learn more about active phishing threats, view the Cofense State of Phishing Defense 2018 report.

  1. Verizon, Data Breach Investigations Report, 2018.
  2. Symantec, Internet Security Threat Report, 2018.

Security Awareness: Choosing Methods and Content that Work

Part 2 in our 4-part series in support of National Cybersecurity Awareness Month. You can read part 1 here. 

Last week we examined the importance of setting a strategy and goals for your security awareness program.

Now that you’ve selected the user behaviors you want to address, the next step is to think about methods and content to nudge users to the correct behaviors.

We live in a fast-paced world of information overload. You have seconds to get your message across and engage your users. You need to choose proven learning methods and focus your educational content on the behaviors that matter most. More than anything, your training must be simple and to the point.

Simulations Are the Best Way to Teach the Right Behaviors

Everyone has a different style of learning and consuming information – video, newsletters, blogs, computer-based training (CBT) modules, etc. According to the National Training Laboratories (see charts below), people retain more information from simulations than from any other method.

After years of enabling companies to run simulated phishing campaigns, we have a vast amount of data to support this method of learning. The experience of clicking and having that “Oh no, what just happened?” moment is really how the recipient learns.

Running a simulated phishing attack IS the learning moment. It’s not the education presented during the campaign on the website or attachment. This is also supported by the data we see over the years of capturing how long the user stays on the page to read the education. They don’t – the largest segment of users falls in the 0-9 seconds range for “time spent on education.” Yet the data indicates a reduction in susceptibility rate and increase in reporting rate.

The data also supports the reduction in susceptibility when we look at the number of campaigns it takes to reduce the click rate. When you’re trying to address perpetual clickers, increase the number of campaigns while shortening the time between them. When increasing the number of campaigns, focus on the active threats in order to reduce the risk faster.

Source: 2015 Cofense Enterprise Resiliency Report

Focus Your Training on Real Threats

As you start to condition users to report real phishing emails, not just simulated phishes, you’ll want to focus on malicious emails that are getting through the spam filters. In other words, base your simulations on the real attacks your company sees. This will help your users quickly spot the real thing. The goal is to build a resilient workforce that can identify and report potential malicious emails quickly. This drives down the risk to the organization, allowing the security team to mitigate the risk and avoid an incident.

You will never get to a zero click rate. Phishers are too smart. They craft their emails to look like they’re part of your normal business processes, especially financial transactions. They also constantly change techniques to avoid controls that block their messages.

So, what does this all mean when we talk about educational content? If you’re focusing on behaviors that you’re looking to improve, you don’t want to hit users with content overload. Instead, create a plan that covers one theme each quarter. Use this theme in your newsletters, videos, or learning modules. However, allow for flexibility to shift if a threat is now affecting your organization (Heartbleed, Meltdown, etc.).

Let’s take one more example of using content to nudge the user onto the right path. It’s the example used in last week’s blog on program design—how to change users’ browsing behaviors. By presenting the user with a simple banner at the moment they’re exhibiting the wrong behavior, we can direct them to take the right action. You can adjust this banner as the behavior changes. Once you curb their habit of clicking through to unknown sites, your metrics may reveal another category that needs to be addressed – such as software downloads.

Cofense recognizes that you have regulatory and compliance requirements to provide annual security awareness training to your organization. To help you focus your resources on the elements of your program that actually make an impact, we provide a series of modules for FREE to any organization (even if you’re not a customer).

http://cofense.com/awareness-resources

In summary, keep your security awareness content simple with clear direction—and even better, fun and engaging—and you’ll soon be able to experience a shift in behavior!

Recommended reading: If you’re looking to expand your knowledge on how to create content and simple messaging for your program, I suggest getting a copy of Made to Stick: Why Some Ideas Survive and Others Die, by Chip and Dan Heath.

Cofense Report Reveals 10 Percent of User-Reported Emails Across Key Industries are Malicious, Over Half Tied to Credential Phishing

The 2018 State of Phishing Defense Report highlights top phishing email subjects and industries most susceptible and resilient to phishing attacks

Leesburg, VA – October 11, 2018 – Cofense™, the leading provider of human-driven phishing defense solutions worldwide, today released the findings of their report, “The State of Phishing Defense 2018: Susceptibility, Resiliency, and Response to Phishing Attacks” which reveals today’s top phishing attacks and how companies can effectively manage those risks.

Phishing Enables Domestic Violence. Education Can Help Stop It.

According to estimates, approximately 760 people, or more than two per day, are killed by their partners. Most of the victims are women.1 Making matters worse, abusers use “stalkerware” to track their victims online, cutting off sources of income, isolating them from friends and family, and otherwise trying to control every aspect of their lives.

Building a Security Awareness Program? Start with Strategy and Goals

Part 1 of a 4-part series on building and maintaining a security awareness program, in support of National Cybersecurity Awareness Month.

In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent 5 years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director that owned the role, “Compliance focus is wrong –you have to market to the users.”

A Staggering Amount of Stolen Data is Heading to Zoho Domains

After last month’s brief domain suspension of Zoho—which resulted from an insufficient response to reported phishing abuse— Cofense Intelligence™ has uncovered Zoho’s connection to an extremely high number of keylogger phishing campaigns designed to harvest data from infected machines. Of all Keyloggers analysed by Cofense, 40% used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.

How to Orchestrate a Smarter Phishing Response

We’ve been talking a lot recently about phishing-specific SOAR (Security Orchestration, Automation and Response). It’s a capability Cofense™ has pioneered to help you mitigate phishing emails faster and more efficiently. Recently, we examined automation, the ‘A’ in the acronym. Now let’s take a deeper look at the ‘O,’ orchestration.

Involve the Right Teams Faster with Cofense Triage™

Like a symphony conductor waving a wand, your phishing response needs to engage the right teams at the right time. To make that happen, Cofense Triage™ starts by reducing noise with an advanced spam engine, removing benign emails your employees have reported and freeing security teams to focus on real threats.

We also have out-of-the-box integrations with almost two dozen leading security solutions, including:

View the complete list.

Our integrations make it possible, for example, to connect intelligence on a suspicious URL to logs generated by your firewall and end points. Or, an operator working within Cofense Triage can push details about a phishing campaign to the help desk.

For solutions Cofense Triage isn’t integrated with (yet), we have a new API. It syncs with SIEM solutions, ticketing systems, threat intelligence systems, and even sandboxing tools, so you can examine reported emails for overt threats or links to compromised servers. Email headers, which are often spoofed in phishing, can be examined too. And even the full text of the message, rendered but not actually assembled in order to protect the IT teams working within our solution, can be read and displayed.

Our fully documented REST API can pull information on individual emails, entire clusters (phishing campaigns), attachments, reporters, integrations, health stats and more. You can use it in the preprocessing stage to notify teams of malicious attachments as soon as they’re reported.

This release also extends syslog alerting with Cofense Triage. With syslog enabled, Cofense Triage can send out alerts to other systems. Syslog alerts can be used to share information like cluster velocity, operational SLA alerts, platform health, ingestion health and triage recipe monitoring. This enables Cofense Triage to share alerts across the entire incident response team.

Automation is great—it’s a must in today’s world. But orchestration makes it work all the more effectively. Put the two together and your phishing defense wins. To learn more about Cofense Triage, sign up for a live 1:1 demo.