Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans

By Aaron Riley and Marcel Feller

CISO Summary

Recently, CofenseTM has seen phishing campaigns that bypass email security using a .cpl file extension attachment. .CPL is the file name extension for items or icons appearing in the Windows Control Panel. These file extensions are vital for most Control Panel tools to function, making endpoint threat mitigation extremely difficult.

After evading controls and successfully executing on the endpoint, the .cpl file downloads a second-stage payload, which is typically a banking trojan. According to Cofense IntelligenceTM, most of these phishing campaigns are aimed at South American inboxes. As part of security awareness training (see Cofense PhishMeTM), organizations should condition users to identify and report .cpl files to avoid network infection.

Full Details

The Cofense Phishing Defense Center (PDC) has captured multiple phishing campaigns using a .cpl file extension attachment to bypass email security measures and download a second stage payload, which typically is a banking trojan. Cofense Intelligence has analyzed these campaigns and found that the majority of them are targeting South American citizens. Furthermore, to successfully communicate with the Command and Control (C2) infrastructure, the endpoint needs to mirror a South American computer’s settings like IP address, time zone, language pack, and keyboard settings.

The .cpl file extension is used for Control Panel tools with executable byte code. The .cpl byte code is the same across all PE32 binaries (such as .exe, .dll, .scr) within the DOS stub and is executed by control.exe. These file extensions have been used with campaigns that deliver banking trojans, most notably Banload. Cofense IntelligenceTM customers can view an analysis of Banload by logging in here. Figure 1 shows an email campaign that is used to deliver a .cpl attachment. The email is in Spanish and claims to come from ‘Servicio de Impuestos Internos,’ the Internal Revenue Service of Chile.

Figure 1 shows the email campaign used to deliver .cpl attachments.

The .cpl file attached to this campaign acted as a first-stage downloader, facilitating the retrieval and execution of a secondary payload. Figure 2 shows the HTTP POST to the C2 infrastructure during the preliminary communication. This HTTP POST contains the machine and username of the infected endpoint and is appended with a number sequence known to the C2. Figure 3 shows the fingerprinting data within the form values posted to the C2.

Figure 2 shows the HTTP POST and GET traffic originating from the .cpl file.

Figure 3 shows the information gathered by the .cpl file to fingerprint the infected machine.

After the initial connection is successful, the binary then connects to a hardcoded payload location for the second stage. Notice in Figure 2 that there was a GET request for another payload. By effectively expanding the detection surface, this two-stage download and execution actually increases the likelihood of C2 interruption.

While analyzing the .cpl binaries’ network traffic, Cofense Intelligence identified a custom User-Agent string that can be turned into network alerts within a Security Event Information Management (SEIM) system. Figures 4 and 5 shows the two different user agents connecting to the same host. Based on packet analysis, these custom User-Agents would suggest the threat operators are limiting access to their C2 infrastructure.

Figure 4 shows the User-Agent for the HTTP POST.

Figure 5 shows that the User-Agent value is ‘LA CONCHA DE TU MADRE,’ a Spanish expletive whose cleaned-up meaning is ‘the shell of your mother.’ This User-Agent string lends further credence to the idea that the User-Agent string is used to mitigate access to the C2 infrastructure and help determine the stage of infection. However, leaving such an obvious indicator for the security infrastructure to identify gives the impression this was an amateur operator.

Figure 5 shows the User-Agent string for the GET request made by the .cpl file.

After execution, this .cpl attachment followed trends and called for the second-stage payload to execute a sample of OverByte ICS Logger. This keylogger was configured with multiple modules to target and gather banking information from the endpoint. Figure 6 shows the malware family name within the memory strings. Figure 7 shows the multiple modules configured within this binary.

Figure 6 shows the malware family name within the memory strings.

Figure 7 shows the multiple modules that were used to configure this binary.

This sample of OverByte ICS Logger went after banking information, specifically South American banks. The banking information gathered includes usernames, passwords, Personal Identification Numbers (PINs), and any element ID that was selected during the login process. Element IDs are unique identifiers that facilitate accurate targeting for JavaScript and CSS. Use of element IDs means modifications to the page can be made accurately, provided the author adheres to the standards.

After gathering the information, this sample then sends it to the C2, which in this case was the same as the second-stage download. This OverByte ICS Logger persisted on the machine and gathered banking information at predetermined times to be sent to the C2. Figure 8 shows a list of banks (redacted) in the memory strings of the running sample.

Redactions in Figure 8 show where the references to banks would be within the memory strings.

The use of .cpl file extensions are a necessary item for most Control Panel tools to function properly. The operating system’s need for this extension makes the mitigation and remediation extremely difficult within the security stack. The trend to deliver banking trojans to the endpoint is a looming threat of these extensions. Educating end users on how to properly identify and report these types of files when they are encountered is the best way to avoid this type of infection on a network.

To stay abreast of the latest phishing and malware trends, sign up for free Cofense Threat Alerts.

Indicators of Compromise

Observed URLs: hxxps://gentsilen[.]com[.]mx/cl/factura[.]php?folio=1&Importancia=Urgente&descarga=true&impuestos=servidor_alerce&site=www[.]sii[.]cl



Observed IPs:




Observed Files:
File Name:
MD5: 9ace92029ad8f1516b141de7022d3c42
SHA256: 15f107a75f166b519ce7ca8da094c9b915aa7a6b44fade360535e5112bfd2f5f
File size: 718,191 Bytes

File Name:
MD5: 7e8edf93d3565c4eacbbea19615d21d3
SHA256: 5c908e77c0e2f14f757d9b0b2d63f661bc277eb70e8caa46d85f038cb87f2c2b
File size: 717,935 Bytes

File Name: Sii_Documento_K3YLT2WJNU.cpl
MD5: 541a3aaf1f70c473f0018c9aa951fb9a
SHA256: d9e3913e5e6d151dd487d9e174c9e3e73d1883ea0c78cf97909caaf76dd4e618
File size: 761,902

File Name: mTjdyis.exe
MD5: b2218df5c3373a9a1b619e53281e9806
SHA256: 681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c
File size: 400.872 Bytes

File Name: shfolder.dll
MD5: 037bb84e2aab7ab4df2e0c752c61233a
SHA256: b8af00e8e89583a529284496949cc2c10684b035
File size: 42.466.735 Bytes


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Launches MSSP Program to Provide Essential Phishing Defense Capabilities to Small and Midsized Businesses

Program will provide global MSSPs world-class, human-driven anti-phishing offerings that increase attack resiliency and speed response times to stop phishing in its tracks

LEESBURG, VA. – January 16, 2019 – Today Cofense™, the leading provider of human-driven phishing defense solutions world-wide, launched its Managed Security Service Provider (MSSP) program to provide small and medium-sized businesses (SMBs) across the globe with essential human-driven phishing defense solutions designed to stop active phishing attacks. SMBs are highly susceptible to phishing attacks, and often lack the resources necessary to stop advanced threats. In response, Cofense has partnered with a targeted group of elite service providers to provide their customers the dedicated resources required to strengthen defenses, build attack resiliency and ultimately stop real attacks in progress.

Exploiting an Unpatched Vulnerability, the Ave_Maria Malware Is Not Full of Grace

CISO Summary

CofenseTM has seen a rise in phishing campaigns designed to deliver a type of stealer malware called Ave_Maria. It contains a capability, DLL hijacking, that uses a vulnerability with no forthcoming fix. With origins in a publicly available utility, DLL lets Ave_Maria gain greater admin privileges and avoid detection, then steal information so it can download additional plugins and potentially other payloads. This malware can bypass detection and privilege restrictions on many endpoints.

The Vjw0rm Malware Does It All. Here’s What to Watch For.

CISO Summary 

It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. CofenseTM has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure.   

In 2018, Cheap and Easy Malware Flooded Corporate Inboxes

CISO Summary

Sometimes it’s the simple things that make life hard. In 2018, over 2/3 of unique malware campaigns Cofense IntelligenceTM observed were simple, inexpensive “stealers” or remote access trojans (RATs). With exceptionally low barrier-to-entry—an email account or website can handle distribution and communication—these malware types make data theft a viable career choice for threat actors without the skills to use more advanced varieties.

Why is this a problem?

Though complex malware like Geodo and TrickBot are harder to defend against, simple still works. If it didn’t, threat actors wouldn’t go back to the well again and again. A properly configured email gateway can block most stealers and RATs, but with so many in circulation it pays to a have a Plan B—a phishing awareness and reporting program focused on active threats (see Cofense PhishMeTM and Cofense ReporterTM) and a phishing-specific incident response solution (see Cofense TriageTM).

Full Details

This year saw the overwhelming dominance of stealers, with 69% of unique campaigns observed through 2018 delivering either a stealer or a RAT. The reasons for such a huge distribution skew:  ubiquity, simplicity, and cost. Stealers are extremely cheap or, in the case of Loki Bot, cracked and distributed for free.

What may come as a surprise is the volume of campaigns. Stealers, RATs, and keyloggers are often sent in extremely low volume campaigns—often campaigns of one, many times per day. Cofense Intelligence regularly observes 30+ unique daily Loki campaigns distributing unique samples of Loki. Each is utterly unique from its peers in everything from the message content to the C2 endpoint used by the binary. Again, Loki is free. It was cracked some time ago, is easy to use, and can be used with compromised domains, all of which explain why so many different actors distribute Loki as their malware of choice. Why such low-volume campaigns? Unsophisticated actors often lack the resources for widespread distribution.

All stealer-type malware is designed to obtain and exfiltrate valuable data from the target machine. Often, this data includes passwords, contact lists, and cryptocurrency wallets. Stealers often also incorporate functionality from other malware phenotypes, such as keyloggers, to bolster their capabilities with features such as keystroke monitoring, screenshot captures, and A/V recording.

Chart 1 details Loki Bot’s wide distribution relative to any other malware family. Indeed, Loki is almost twice as prevalent as second-place Pony.

Chart 1: 2018 Top 5 malware families

Chart 2: 2018 Phenotype breakdown

Chart 2 above details the breakdown of malware by phenotype. Stealers, RATs, and keyloggers make up 85% of the overall campaigns we observed, by unique sample. These simple types of malware benefit from very low barrier-to-entry, requiring little more than an email account or web site to facilitate distribution and communication. Because of this, threat actors’ motivations vary wildly and include  financial gain, revenge, and account takeover. More complex malware, such as Geodo and TrickBot, require enormous resources to simply maintain efficacy and relevance—but are still widely distributed and more difficult to defend against.

Chart 3: Phenotypes over time

Chart 3 is a companion to Chart 2, showing phenotype distribution over time and illustrating how stealer malware dominated the entire year. It should be noted that the increase in the numbers of campaigns identified per week are not an indicator that phishing has increased. Rather, it is a product of increased reporting by Cofense Intelligence due to improved collections and enhancements to our analysis process.

To summarize, stealers and keyloggers ruled the 2018 phishing-borne threat landscape, due to their vast diversity and accessibility. Despite their domination, a properly configured email gateway would prevent most of these messages getting to a protected inbox, with policy rejecting unknown senders with binary attachments. Still, these tools still clearly work—otherwise, they wouldn’t have been the ascendant malware this year.

Learn more about how Cofense stops active phishing threats.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.