Summer Reruns: Threat Actors Are Sticking with Malware that Works

Let’s take a look back at this summer’s malware trends as observed by Cofense IntelligenceTM. Summer 2018 has been marked by extremely inconsistent delivery of TrickBot and Geodo, though volumes of lower-impact malware families like Pony and Loki Bot remained consistently high. What’s more, improvements to the delivery and behavior of Geodo and TrickBot accompanied the resurgence of two updated malware families—Hermes ransomware and AZORult stealer—in reaffirming a preference by threat actors to update previous tools instead of developing new malware.  Because threat actors will continue to improve their software to ensure a successful infection, it’s important to understand these potentially harmful attacks.

Recent Geodo Malware Campaigns Feature Heavily Obfuscated Macros

Part 3 of 3

As we mentioned in our previous overview of Geodo, the documents used to deliver Geodo are all quite similar. Each document comes weaponised with a hostile macro. The macros are always heavily obfuscated, with junk functions and string substitutions prevalent throughout the code. The obfuscation uses three languages or dialects as part of the obfuscation process: Visual Basic, PowerShell, and Batch.

Twin Trouble: Geodo Malware URL-Based Campaigns Use Two URL Classes

Part 2 of 3

As discussed in our prior blog post, URL-based campaigns – that is, campaigns that deliver messages which contain URLs to download weaponised Office documents – are by far the most prevalent payload mechanism employed by Geodo. Indeed, analysis of ~612K messages shows just 7300 have attachments; a trifling 1.2% of the total. The structure of the URLs falls into two distinct classes. Cofense Intelligence™ analysed a corpus of 90,000 URLs and identified 165 unique URL paths. There are two distinct classes of URLs employed by Geodo. A detailed breakdown of these URL structures follows. 

Into a Dark Realm: The Shifting Ways of Geodo Malware

The Geodo malware is a banking trojan that presents significant challenges. For starters, it conducts financial theft on a vast scale and enables other financially driven trojans. Also known as Emotet, Geodo has a rich history, with five distinct variants, three of which are currently active according to Feodo Tracker. Geodo’s lineage is incredibly convoluted and intertwined with malware such as Cridex as well as the later iterations known as Dridex.

This blog is the first of a CofenseTM three-part series on Geodo. Our analysis of Geodo focuses not on code analysis, rather on observed behaviours, infrastructure choices and proliferation. We note there has been an upward trend of education and government-based mail account credentials being compromised and used to further distribute Geodo. Further, we investigate message content and its focus on financial themes and narratives.

Future blogs will dive into the technical details of the URL structures prevalent in Geodo campaigns and will feature an in-depth analysis and deobfuscation techniques for the multi-layered macro code found within these documents.

Trends

Geodo has been steadily building momentum during 2018; after a quiet first quarter, campaigns involving Geodo have increased significantly both in frequency and density. Cofense Intelligence™ is seeing more consecutive days of campaigns, as well as more campaigns per day. Chart 1 details the year-to-date trends of Geodo as tracked by Cofense Intelligence.

Chart 1: The yearly trends of campaigns involving Geodo or its derivatives.

 A very recent change in Geodo’s behavior has seen the banking Trojan move away from its stealer roots and move towards the loader space. Recent campaigns have seen Geodo conditionally deliver either TrickBot or Zeus Panda, both of which would be considered competitors to Geodo’s banking functionality. The actors behind Geodo had been testing the water of competitor delivery as far back as March 26th, 2018, where a campaign delivering Geodo via weaponised Microsoft Office documents led to a further infection of Zeus Panda (See TID 11199). The authors of banking trojans are continually pushed to combat and overcome evolving financial security measures, such as Multi-Factor Authentication (MFA) and software-based security solutions. This arms-race could well be a motivator for the actors behind Geodo’s distribution having moved to the long-term revenue strategy of leasing out their botnet as a loader platform.

Geodo overwhelmingly favours an infection chain of:

Malicious URL → Downloaded Office Document → Macro → Geodo.

Geodo heavily favours both package delivery notices and financial institution-themed campaigns. Figure 1 is a world cloud based upon all Geodo campaigns observed by Cofense IntelligenceTM since tracking began. Figure 2 details campaigns observed strictly in 2018.

Figure 1: A word cloud generated from subject lines captured since tracking began.

Figure 2: Geodo campaign subject lines identified via tracking and botnet injection

Over time, Geodo has expanded from a propensity towards delivery-themed campaigns (spoofing companies like DHL, FedEx, and UPS), to Banking and financial narratives. However, this new focus does not preclude the tendency to spoof legitimate institutions, such as Bank of America and Chase bank. Chart 2 details the breakdown of campaigns throughout 2018, by [imitated] brand.

Chart 2: A breakdown of brands being spoofed by Geodo in 2018. Note: Generic Malware Threat is assigned to campaigns that do not imitate a legitimate entity or organisation. Note: the redacted entry is a large banking entity.

Delivery

Geodo is a self-perpetuating bot. Once running on a machine, it actively begins to spam copies of itself to a victim list retrieved during one of its many check-ins to a plethora of C2 nodes, as well as addresses harvested directly from local contact lists. Typically, the messages sent by an infected host will contain either a URL from which a potential victim can download a weaponised Office document, or it will have that type of document attached directly to the message.

Message Structure

Geodo uses a subtle marker to track which bots are delivering messages on behalf of the actor(s) behind the campaigns. The Message-ID field of each message contains an identifier which can potentially be used to identify which bot sent a particular message. At this moment, the structure of the message ID is:

Identifier.hash@domain

<20 numeric characters>.<16 hex characters>@<recipient domain>

A more literal example could be:

11223344556677889900.0123456789ABCDEF@recipient-domain.com

The identifier is a unique number assigned to each message as it is generated and sent by a bot. We have observed the identifier change as a bot progresses through its assigned list of recipients, then subsequent campaigns, as the bot becomes active again. Despite not changing linearly or sequentially, the general trend of these identifiers has seen the character count increase from 15 to 19-20.

There are several key pieces of data that can guide us toward some likely reasons for this behavior:

  1. The identifier ranges are not unique to each bot – multiple bots can have overlap within the same range.
  2. Identifiers do not always increment sequentially. This is true across multiple bots.
  3. Since tracking began, the identifier size has risen consistently from 15 bytes, up to 19-20 bytes.
  4. There are never any identifier collisions, even across different infections.

These four points lend credence to the supposition that these identifiers not only serve the functional purpose of a Message-ID (to act as a globally unique identifier of a message), but also allow the actors behind Geodo to track which bot is sending which message. By seeding recipient lists with attacker-controlled email addresses, it is possible to programmatically identify which bots are not sending messages as expected, and could be compromised, offline or otherwise in an undesirable state. With this information, attackers may be able to figure out which bots are legitimate infections, and which are researcher-controlled, thus giving them the capability to selectively send bogus templates or data to these compromised nodes.

The second part of the Message-ID structure is a 16 character hex string. As with the identifier, each hex string is unique to the message, meaning it is most likely a hash of some kind.

The final part of the Message-ID is simply the recipient’s own domain.

URLs

URL-based campaigns – that is, campaigns that deliver messages which contain URLs to download weaponised Office documents – are by far the most prevalent payload mechanism employed by Geodo. Indeed, analysis of ~612K messages shows just 7300 have attachments; a trifling 1.2% of the total. The structure of the URLs falls into two distinct classes. Cofense Intelligence analysed a corpus of 90,000 URLs and identified 165 unique URL paths.

There are two distinct classes of URLs employed by Geodo. A detailed breakdown of these URL structures will be discussed in an upcoming blog.

Chart 3: A breakdown of the top 10 URL tokens extracted from the 1000 most recently observed URLs.

A typical email from a URL-based campaign can be seen in Figure 3. Heavily contrasting TrickBot’s focus on social engineering, Geodo campaigns are fairly often lacking in any genuine attempt at brand imitation, beyond merely stating a name and perhaps a disclaimer.

Figure 3: An example of a Geodo email delivering a URL.

Figure 4 details the type of network activity that might occur, should a victim click on a link in one of these messages. When clicked, the user’s default browser is opened, and the download occurs directly. In the case of Google Chrome, the user typically will receive multiple warnings that the file being downloaded is hostile and requires multiple steps to allow the download to finish. Figures 5 and 6 details this process.

Figure 4: A Wireshark capture of the HTTP conversation after a live link is clicked.

Figure 5: A warning bar at the base of the Google Chrome browser warns the user the file is dangerous.

Figure 6: The user is required to click “Keep Dangerous File” followed by “Keep anyway” before Chrome will release the quarantined file.

Despite Chrome doing an admirable job of identifying some of the malicious documents, the permutations employed by the Geodo actors allows a significant number of documents to pass by unnoticed. Further stymying the malicious actors’ efforts: the downloaded documents are tagged with a “MotW” — or “Mark of the Web” – which, as seen in Figure 7, can potentially require further engagement by the recipient to finally get the file opened. A ZoneID of 3 indicates that the file is from the Internet Zone.

Figure 7: The downloaded documents are tagged with a Mark of the Web.

Attachments

Although comparatively rare, Geodo campaigns occasionally deliver attachments instead of malicious URLs, but the narratives and themes used for these campaigns do not noticeably differ. Figure 8 shows an example of a message from an attachment-based campaign. This campaign used a generic theme with no identifiable company or entity being imitated.

Figure 8: An example message from an attachment-based, Geodo campaign.

Digging into a corpus of ~7500 filenames (examples of which are presented in Table 1) shows a very distinct set of naming conventions. These can mostly be described by a regular expression, with a few caveats.

Table 1: Example filenames used during very recent Geodo campaigns.

The naming structure bears very close resemblance to certain segments of URLs, described in detail in the next blog in this series. Although drawing any conclusions from this would be fallacious, it could potentially be used to predict the structure of a successor campaign.

Weaponised Office Documents

Regardless of which vehicle was used as the transport medium, the documents are invariably, intuitively similar. Each document comes weaponised with a hostile macro. The macros are always heavily obfuscated, with junk functions and string substitutions prevalent throughout the code. The obfuscation uses three languages or dialects as part of the obfuscation process: Visual Basic, PowerShell, and Batch.

An upcoming blog will provide an in-depth analysis of the deobfuscation techniques for the multi-layered macro code found within these documents.

Self-Propagation

The general behaviour of Geodo has been covered in extreme depth both by Cofense and the greater InfoSec community, so we will not rehash those analyses here. Rather, we will focus on Geodo’s ubiquitous spamming capabilities and the methods it uses to facilitate such behaviour.

Geodo is a modular trojan, which means most of its functionality is abstracted away from the core code and placed in external files that can be selectively imported and executed. One such example is the “spam” module. This module facilitates not only the distribution of spam, but also the validation of stolen credentials.

Geodo has two primary means of obtaining credentials. One way is retrieving a list along with the spam module. The other harvests accounts from the local machine, using a variety of external utilities. When new accounts are discovered, their credentials are validated before any attempt is made to communicate them. Figure 9 shows the credential validation phase of the spam process.

Figure 9: The credential validation phase. Each set of credentials is validated before it is used to send spam messages.

If a set of credentials is validated, spam messaging begins in earnest. Figures 10 and 11 show a Wireshark capture of a bot testing credentials before delivering messages to multiple recipients. These recipients are chosen from a large pool of email addresses containing hundreds of thousands, perhaps millions of addresses. It is unlikely that any bot ever receives a complete list of recipient addresses, meaning the sheer number available to Geodo is staggering.

Figure 10: A Wireshark capture of Geodo testing a set of credentials, before using them to authenticate and begin sending the current template.

Figure 11: Geodo iterates through its recipient list and continues to send phishing messages, using the same session.

Geodo is in constant contact with its C2 hosts. Geodo comes hardcoded with anywhere from 30-45 IP addresses, each pointing to a compromised (or, in some cases, outright malicious) web server. Most of these use Nginx as a reverse proxy to forward connections onto the actual command and control hosts. Figure 12 shows an approximate interpretation of this infrastructure.

Figure 12: An approximate representation of the Geodo infrastructure. It should be noted that there’s a high chance the proxies are tiered or layered; this representation defines a single-layer proxy configuration.

As part of its communications with the C2 infrastructure, Geodo is constantly polling for updates, commands, or instructions. Threat actors behind Geodo frequently deploy new email templates, updated C2 lists, and other module specific instructions or data. In the case of the spam module, we have actively observed Geodo launching spam campaigns against yet unseen victims in addition to new, stolen credentials. This type of information exchange is very unlikely to be unidirectional. To keep the recipient and credential lists fresh and relevant, Geodo must communicate dead recipients, bad credentials, or bad hosts.  Geodo has also been directly observed updating passwords for usernames as they become available. This type of information exchange allows the Geodo actors to automatically adjust their lists in as near real-time as is feasible, but it does open the botnet up to vulnerabilities.

It is plausible that researchers could poison the entire botnet from just a few hosts. Researchers could monitor the credentials being used by each bot, then create an account on the infected device that matches the username but contains a bad password. When the bot attempts to verify the authenticity of the new password and connects to a researcher-controlled SMTP host to accomplish this, the researcher’s host responds that authentication has been successful. Geodo will not only go ahead and begin spamming out phishing emails (as demonstrated in Figures 10 and 11), but it will also report the updated credentials to the C2 infrastructure. These bad credentials will propagate throughout the botnet and, potentially, cause large scale interruptions to its activity.

At the time of analysis, Cofense has tracked ~31,000 credential sets in a very short time. Charts 4 through 6 show multiple interpretations and permutations of this data.

Chart 4: Compromised credentials by Top-Level-Domain (TLD).

Chart 5: Compromised Credentials by Second-Level-Domain (SLD).

Chart 6: Compromised credentials by domain.

Beyond being interesting purely as data points, tracking the domains to which the compromised credentials belong allows us to actively see where outbreaks are succeeding. Spikes for certain TLDs (such as .edu) might indicate the actors are targeting students and educators. A rise in occurrences of .gov.uk SLDs (Second-Level Domains) could indicate the targeting of UK-based government agencies.

For many reasons, Geodo is a hugely problematic trojan. Its primary distribution method contributes an enormous amount of daily spam and phishing volumes. Not only does it engage in financial theft, but also enables additional finance-driven trojans. It can spread laterally across a network and steal credentials from a large array of software – further perpetuating the spam problem. Staying on top of these threats means employing timely, pertinent, and high-fidelity training to help users become familiar with this prolific threat. Security in depth means the ability to know not only “what”, but also “who.”

For a look behind and a look ahead at major malware trends, view the 2018 Cofense Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Continues to Drive Automation into Anti-Phishing Programs

New Playbooks Allows Strategic Automation of Phishing Simulations

Leesburg, VA – August 23, 2018 – On the heels of launching a phishing-specific SOAR (Security Orchestration, Automation and Response) platform, Cofense™, the global leader in phishing defense and attack disruption, has now added automation to its flagship product line for phishing simulations. With this update, Cofense PhishMe™ users can now strategically plan and automate the delivery of their phishing simulation programs using built-in playbooks.

As organizations find themselves with fewer skilled cybersecurity resources, automation of key functions is critical to the ability to maintain a robust and effective phishing defense program. The use of playbooks has become a popular way to allow organizations to customize and schedule specific tasks or processes normally performed manually by an administrator.

“At Cofense we believe in automation as a way to relieve security operators of the repetitive tasks to allow them to focus on strategic, intelligent decision-making,” said Rohyt Belani, Co-founder and CEO of Cofense. “Playbooks are meant to allow both managed services providers and our end clients the ability to choose various programs just like one does on a treadmill in a gym, so they don’t need to focus on the metaphorical tasks of having to change speed and incline but can instead focus on designing and tracking the appropriate success criteria and presenting them appropriately to senior management.”

Cofense PhishMe playbooks are built-in to the administrator view and allow for easy creation and management of phishing simulation programs. Playbooks will automatically create, schedule, and launch templates, over the course of the year, based on customer selected criteria and send automated email reminders to users based on program activity and status.

The new automated playbooks provide tremendous time and cost savings for organizations. For example, customers can leverage automated playbooks to create twelve complete phishing scenarios to run over the course of one year in only fifteen minutes, which would previously take three hours to generate manually – resulting in a 91% reduction in operational time spent on generating scenarios. The process also allows our customers and partners to leverage the knowledge the Cofense team has garnered in serving 400 of the Fortune 1000 in building their anti-phishing defenses, as each of the playbooks inherently embody these lessons learned.

Phishing simulations mimic real-life phishing email threats but provide a safe environment in which employees can fail and learn how to instinctually identify real threats in the future. Programs are designed to challenge users of various training levels and by role. Playbooks allows the program administrator to consider the various groups within an organization and to customize and schedule up to 12 months of conditioning training.

With the addition of Cofense PhishMe Playbooks and other recent enhancements including Board Reporting, accurate Microsoft attachment tracking and mobile Cofense Reporter™, Cofense continues to innovate and lead the market in phishing simulation.

To learn more about Cofense PhishMe or request a demo, please visit: https://cofense.com/product-services/simulator-2/

About Cofense

Cofense™, formerly PhishMe®, is the leading provider of human-driven phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. To learn more, visit https://cofense.com/.

Another Holiday-Themed Phish: Eid al-Adha is the Pretext for an Agent Tesla Campaign

Holidays and global events provide timely material for threat actors to use as phishing lures. This technique is a common practice, and can sometimes be convincing to targets, especially just before a major holiday. On Sunday, August 19, 2018, Cofense Intelligence™ received an Eid-themed phishing email. Eid al-Adha, the Islamic festival/holiday, began this week.

5 Steps to Targeting Newbies with Phishing Awareness Training

When it comes to phishing awareness training, new hires need special attention. While most may know what phishing is, many won’t have received formal training in recognizing and reporting a phish. This chart shows sample data from a CofenseTM customer whose newbies struggled to spot phishing emails during simulation training.

Before they develop bad inbox habits, it’s important to welcome your brand-new users to your training program, especially if your company has fairly high turnover. Following are 5 tips to make the transition smoother and, ultimately, help your security teams stop phishing attacks.

Step 1: Announce and Set the Stage

The first email you’ll send to new hires won’t be a simulated phish. During their first week of employment, new hires should get an email announcing the program and letting them know they’ll be participating. You can ask HR to include this in the orientation materials new hires receive. Or you can send your own announcement—Cofense PhishMeTM offers a template complete with announcement tracking (when a user reads the email, etc.).

The announcement is one of the most important anti-phishing emails you’ll send, just as essential as the phishing simulations to follow. When they read this email, some newbies will react by thinking, “Um, what’s phishing?” So you’ll need to define it for them before talking about your training program. You don’t have to give an encyclopedic definition, just a couple of sentences about what phishing is, why it’s dangerous, and why users need to be trained to spot it.

You’ll also want to cover:

  • What the program entails—regular simulated phishes appearing in their inboxes, along with educational tips on what they did wrong and how to improve going forward
  • Tips on spotting a phishing email—here’s an example:

Also include:

  • The importance of reporting suspicious emails and how to do it
  • What happens after users report—how security teams close the loop

Step 2: Send the First Phishing Simulation

After 2 or 3 weeks of employment, it’s time for newbies to get their first simulated phish. Select a phishing scenario you use widely in training other employees. Make it an easy scenario, not anything technically difficult, and do the same for the accompanying educational content. You simply want new hires to learn what the phishing clues were and how to report them next time.

Here are 3 scenarios good for simulation newbies:

Pro tip: to simplify tracking in your overall program (for experienced users as well as new hires), use the same theme but vary the complexity. For instance, send new hires an easy “Over the Inbox Limit” phish and other users a more nuanced version of a fake internal message.

Step 3: Send Positive Reinforcement

During a group of new hires’ fourth week on the job, send an email to reinforce the what and why of your training. Begin by thanking new users for their participation, then quickly note some of the benefits: a more aware workforce, a more secure company, and valuable knowledge users can apply throughout their careers.

Be sure to include the educational content used in the first simulation. For users who fell susceptible, it will reinforce what they learned. For users who passed with flying colors, it will give them added knowledge to apply down the road.

Step 4 (Optional): Send a Second Simulation

Here you’re simply giving newbies another chance to practice, if you feel it’s needed. Use one of the simple scenarios shown in Step 2.

Pro tip: report on new hires’ progress separately from that of your other users. Besides learning exactly what you need to know about this at-risk group, you’ll get a more accurate picture of enterprise-wide performance. Because more experienced employees will handle simulations better, your enterprise metrics will look better with newbie numbers extracted.

Step 5: Graduation! Roll New Hires into Your Regular Phishing Awareness Training

Okay, no one ever really graduates from this kind of training. We’ll all be enrolled until email becomes extinct and phishing awareness is no longer needed. Until then, after 2 or maybe 3 initial phishing simulations, your new hires should be ready to receive the same simulations as everybody else.

In no time at all, the newbies won’t be new. But by then it will be time to train another batch of fresh recruits.

Learn more about building and maintaining an anti-phishing program—view our “Left of Breach” e-book.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.