Threat Actors Subscribe To Patches

Cofense Intelligence™ has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors toward subscription-based malware that does not deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld. The patching subscription model may be a burden to some enterprise environments, but its underworld equivalent is a significant boon to law enforcement and network defenders: personnel tasked with combating nefarious software can leverage the patching and licensing mechanisms of subscription-based malware to track down distributors.

The Reasons Behind The Model 

Much like with legitimate software, threat actors decide what malware to buy based on several factors, including reviews, price, type (such as a keylogger or a Remote Access Tool (RAT)), developer, and marketing. To make money in this competitive environment, malware developers need to take different approaches, such as:

  • Sell the product for much less than similar malware.
  • Give the product away. While this strategy may appear to be a good deal, malware developers have been known to include a back door enabling them to steal their “customer’s” stolen data.
  • Base the new malware on a pre-existing and well-known malware, such as WSH RAT. As discussed in a previous Cofense™ report, the developers of this RAT billed it as a “new” RAT with advanced features and offered it at a starting subscription price of only $50 per month. In reality, WSH RAT was not new at all: it was a variant of the pre-existing and long-lived Houdini Worm with some minor feature improvements.
  • Spend heavily on marketing. While concentrating on marketing can be profitable, it is likely the reason that some malware perceived as the “next big threat” disappears shortly after making headlines, probably because the budget was spent mainly on marketing rather than development.

Possibly taking a lesson from legitimate software companies and the frequent failure of the options mentioned above, more and more malware developers have started to adopt the patching subscription model. This model lets them take the middle road: charging relatively small subscription fees (in the case of Alpha Keylogger, $13 per month) while claiming to deliver more and being able to delay feature releases.

The glut of available products, however, often leads malware developers to over-promise on features, which they then must at least stub out with a basic test or example in their code. Expedited or rushed releases lead to buggy code, in turn hurting the credibility of malware authors. For instance, Alpha Keylogger claims a suite of features including the ability to exfiltrate data over email, FTP, or the API of the messaging company Telegram. In practice, customers (threat actors) can choose FTP or email, and the keylogger will still attempt to exfiltrate information via the Telegram API even when the Telegram configuration data is blank. The attempt produces a distinct and recognizable HTTPS request from infected machines: it does not successfully exfiltrate any data, but it can be used to identify this malware in network traffic.

Why Network Defenders Like Updates 

The “bug” in Alpha Keylogger that causes extraneous network traffic lets network defenders look for the resulting malformed URLs as signs of malicious activity, even though the destination is a legitimate domain. Even intentional updates on the part of malware developers can assist network defenders. An example is when the Geodo/Emotet botnet began distributing a new module. The nature of this deployment allowed Cofense to correctly assess and prepare for the delivery of more sophisticated phishing emails. If the changes had come from a new family of malware rather than as part of an update that Cofense was already watching for, it would have been more challenging to prepare.
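The malformed Telegram request described above is the kind of thing a proxy-log check can catch. What follows is an added example, not Cofense code and not anything from Alpha Keylogger’s own source. It assumes the keylogger builds the standard Bot API URL shape (https://api.telegram.org/bot<token>/<method>?chat_id=...) and that a blank configuration leaves the token and chat_id empty; the page only says the request is malformed. The log lines are constructed. Because the request is HTTPS, the URL path is only visible with TLS inspection, endpoint URL telemetry or a sandbox; the host name alone, api.telegram.org, is far too common to be a signal by itself.

```python
"""Flag malformed Telegram Bot API requests in a web-proxy log.

Added example, not Cofense code. Assumptions: the keylogger builds the
standard Bot API URL shape https://api.telegram.org/bot<token>/<method>
and a blank configuration leaves the token and/or chat_id empty; the page
only states that the request is malformed. The log lines are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Real bot tokens look like "<numeric bot id>:<35 URL-safe characters>".
TOKEN_RE = re.compile(r"^\d+:[A-Za-z0-9_-]{30,}$")
PATH_RE = re.compile(r"^/bot([^/]*)/([A-Za-z]*)$")

# Constructed proxy log, one request per line:
#   <unix time> <client ip> <method> <full url> <status>
# Full URLs are only available with TLS inspection or endpoint URL telemetry.
SAMPLE_LOG = """\
1563200001.123 10.0.0.15 POST https://api.telegram.org/bot/sendDocument?chat_id=&caption=logs 404
1563200002.456 10.0.0.15 POST https://api.telegram.org/bot123456:AAE-valid-looking-token-xxxxxxxxxxxxxx/sendMessage?chat_id=987654 200
1563200003.789 10.0.0.22 GET https://www.microsoft.com/en-us/ 200
1563200004.000 10.0.0.31 POST https://api.telegram.org/bot123456:AAE-valid-looking-token-xxxxxxxxxxxxxx/sendMessage?chat_id= 400
"""


def check_telegram_url(url: str) -> List[str]:
    """Return the anomalies found in one URL; an empty list means it looks normal."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return []
    m = PATH_RE.match(parts.path)
    if not m:
        return ["unexpected path layout"]
    token, method = m.group(1), m.group(2)
    problems = []
    if not token:
        problems.append("empty bot token")
    elif not TOKEN_RE.match(token):
        problems.append("token does not match Bot API token format")
    if not method:
        problems.append("empty API method")
    # keep_blank_values=True so "chat_id=" survives as an empty value
    query = parse_qs(parts.query, keep_blank_values=True)
    if "chat_id" in query and not any(query["chat_id"]):
        problems.append("empty chat_id")
    return problems


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run check_telegram_url over every log line and collect the hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, status = fields[:5]
        problems = check_telegram_url(url)
        if problems:
            hits.append({"client": client, "url": url, "status": status, "problems": problems})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], ", ".join(hit["problems"]), hit["url"])
```

A hit on an empty token or chat_id is a strong signal precisely because a legitimate Telegram client never sends one; a well-formed token to api.telegram.org, on the other hand, is only interesting in combination with the originating process or a block policy on the service.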

Why Law Enforcement Likes Licensing 

The bugs and hints provided via malware updates are helpful to network defenders, but the licensing system behind these updates can be even more useful to law enforcement. Many RATs store the license key of the individual who purchased the malware builder as a registry entry on infected computers. Depending on the method used to obtain this license key, payment information may be associated with the key even if it is not directly associated with the individual who purchased it. Subsequently, a receipt of some sort may be sent to an account accessed by the threat actor who bought the license key. Under the right circumstances, a license key saved as a registry entry on a victim’s computer could be linked with a receipt in a threat actor’s inbox, attributing the attack to them. Law enforcement organizations could then build a case using this link and additional information, such as the IP address used to access the inbox.

Applicability In Enterprise Environments 

Organizations with enterprise-scale infrastructure often encounter “shadow IT” software or malware applications that can be difficult to spot and eradicate. The licensing mechanisms found in subscription-based malware, including potential receipts in email, can be used by threat hunters to identify insider threats. Organizations impacted by malware akin to Alpha Keylogger can weed out further infections by leveraging incident response tools and YARA rules (such as the ones provided by Cofense Intelligence™) that look for the relevant registry keys and values. Furthermore, the potential for attribution and legal action against a threat actor through license tracking gives large corporations an additional defensive lever.
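The registry hunt described in the two sections above (find the stored license key, then pivot to receipts and accounts) can start from an exported hive. The script below is an added example, not Cofense tooling and not a Cofense YARA rule. The page does not say where Alpha Keylogger stores its key or what it looks like, so the key shapes, the allowlisted vendor paths and the sample export (including the hypothetical svchost32 persistence entry) are assumptions and constructed data.

```python
"""Hunt a registry export for license-key-shaped string values.

Added example, not Cofense tooling. The page says many RATs store the
buyer's license key in the registry, but not where or in what format, so
the key shapes, the allowlist and the sample export here are assumptions
and constructed data. Collect real input on a host with, for example:
    reg export HKCU\\Software hkcu_software.reg
(reg.exe writes UTF-16; open the file with encoding="utf-16").
"""
import math
import re
from typing import Dict, Iterator, List, Tuple

# Shapes a licence key commonly takes (assumption, not Alpha Keylogger's format).
KEY_SHAPES = [
    re.compile(r"^(?:[A-Z0-9]{4,6}-){3,}[A-Z0-9]{4,6}$"),  # XXXX-XXXX-XXXX-XXXX
    re.compile(r"^[0-9A-Fa-f]{24,}$"),                    # long hex blob
    re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$"),            # base64-ish blob
]

# Paths where licence-like strings are expected and not worth triaging.
ALLOWLIST_PREFIXES = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\",
)

# Constructed .reg export: a Run-key persistence entry plus a vendor-less
# key holding licence-looking strings, next to a benign third-party key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"svchost32"="C:\\Users\\user\\AppData\\Roaming\\svchost32.exe"

[HKEY_CURRENT_USER\Software\svchost32]
"key"="7K2P-Q9XD-4MZ1-HB6R-E3WN"
"ver"="1.2"
"cfg"="3f9a7c1e5b2d8e4a6c0f1b3d5e7a9c2b"
"flags"=dword:00000001

[HKEY_CURRENT_USER\Software\Contoso Editor]
"InstallDate"="2019-07-01"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key path, value name, data) for REG_SZ values in a .reg export."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('"') and '"="' in line:
            name, _, data = line[1:].partition('"="')
            # .reg escapes embedded quotes and doubles backslashes in string data
            data = data.rstrip('"').replace('\\"', '"').replace("\\\\", "\\")
            yield current, name, data


def find_license_like_values(text: str, min_entropy: float = 3.0) -> List[Dict[str, object]]:
    """Return REG_SZ values outside the allowlist that look like licence keys."""
    hits = []
    for key_path, name, data in parse_reg_export(text):
        if key_path.startswith(ALLOWLIST_PREFIXES):
            continue
        if not any(shape.match(data) for shape in KEY_SHAPES):
            continue
        entropy = shannon_entropy(data)
        if entropy >= min_entropy:
            hits.append({"key": key_path, "name": name, "data": data, "entropy": round(entropy, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_license_like_values(SAMPLE_EXPORT):
        print(hit["key"], hit["name"], hit["data"], hit["entropy"])
```

Every hit still needs triage: legitimate software stores licence keys the same way, so the useful follow-ups are the key path (an unrecognised vendor name, or one that mirrors a Run-key entry as in the sample) and, for a confirmed malware key, a search of mail and payment records for the same string.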

Table 1: Malware Artifacts 

Filename  MD5 
Company Profile.doc  b46396f32742da9162300efc1820abb3 
bukak.exe  3ceb85bcd9d123fc0d75aefade801568 

Table 2: Network IOCs 

IOC 
biz[@]Bootglobal[.]com 
kamonubilel[@]gmail[.]com 
hxxp://ktkingtiger[.]com/bukak[.]exe 

HOW COFENSE CAN HELP 

Cofense Intelligence™ processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats.

The Cofense Phishing Defense Center™ identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMe™. It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker™.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

By Karen Kokiko

The holy grail of phishing defense is now within your grasp. Cofense Vision™ now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response.

Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here.

Fast and Flexible Searching

Traditional email search and quarantine tools are slow and inflexible, offering limited search scope like ‘Sender’ and ‘Subject.’ It’s difficult to find the entire attack fast enough and account for the way tactics, techniques, and procedures morph.

The Cofense Vision user interface allows SOC analysts to search by combinations of fields, grouping emails together by selected criteria. You can search for recipients, senders, MIME type, attachments, a specific time, and more, essentially creating your own cluster. Then quarantine one or hundreds of malicious emails with a simple click. If you later determine that emails are harmless, you can “un-quarantine” them just as easily.

Built for Companies of All Sizes

The new Cofense Vision UI supports smaller customers who don’t have engineering teams or power users to write scripts and code. You can simply search natively and quarantine quickly. An hour after installation, analysts are ready to defend.

For example, an end-user at a small business sends a suspicious email to IT for investigation. IT determines it is malicious and wants to find out if anyone else received it. With the new Cofense Vision UI, they can search on key criteria found in the malicious email to determine if more than one instance of the message is in their environment, then quarantine the email in seconds.

If your company is larger, the interface improves the experience of power users and operators who are writing scripts or otherwise programmatically interacting with Cofense Vision. Proactive analysts, those with some information about where and how the bad guys are likely to attack, can use the UI to identify and quarantine malicious actors before any damage is done. SOC analysts can write rules to look for signs of malicious activity, searching criteria such as To, From, Subject, Attachment Hash, and the content of the message.

All of this shortens “dwell time” and the amount of damage an attacker can cause in your email environment. According to a SANS Institute survey, 75 percent of respondents say they reduced their attack surface through more threat hunting. Fifty-nine percent believed that threat hunting enhanced the speed and accuracy of their company’s incident response.[1]

The new Cofense Vision UI makes threat-hunting faster, easier, and more effective. Learn more or sign up for a demo now!


 

[1] SANS Institute, “2018 Threat Hunting Survey”: https://www.sans.org/media/analyst-program/Multi-Sponsor-Survey-2018-Threat-Hunting-Survey.pdf


Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

By Jake Longden

The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work.

Email Body:

The email body is a genuine notification from WeTransfer informing the victim that a file has been shared with them. The attackers use what appear to be compromised email accounts to send a genuine link to a WeTransfer-hosted file. Because these are legitimate WeTransfer links, they travel straight through security checks at the gateway.

WeTransfer allows for the addition of a note to the email to clarify why the file was sent. Here, the threat actor will often write a note stating that the file is an invoice to be reviewed. This is a commonly observed phishing technique to pique the user’s interest.

Fig 1. Email body

Phishing Page:

When the user clicks the “Get your files” button in the message body, they are taken to the WeTransfer download page, where an HTM or HTML file is hosted and is downloaded by the unsuspecting victim. When the user opens the .html file, it redirects them to the main phishing page.

Fig 2. WeTransfer Hosted file

In the final stage of the attack, victims are asked to enter their Office 365 credentials to log in. More often than not we see a Microsoft service being targeted, although we have observed other targeted brands.

Fig 3. Phishing Page
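The redirect step above, as an added example that is not part of the original post: a small triage script that extracts where a downloaded .htm/.html lure sends the browser. The page does not show the lure’s code, so the redirect techniques it checks for (meta refresh, script location assignment, form action, frame source) and the sample file with the placeholder domain login.phish.example are assumptions.

```python
"""Extract redirect targets from a downloaded HTML lure.

Added example, not Cofense code. The page says the WeTransfer-hosted
.htm/.html file redirects the victim to the phishing page; the techniques
checked here and the sample lure below are assumptions/constructed, not
the actual campaign file.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.I)
LOCATION_ASSIGN_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")
LOCATION_CALL_RE = re.compile(r"location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]")


class RedirectFinder(HTMLParser):
    """Collect (technique, destination) pairs while parsing the document."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: List[Tuple[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form-action", a["action"]))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.targets.append(("frame-src", a["src"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self._in_script:
            for m in LOCATION_ASSIGN_RE.finditer(data):
                self.targets.append(("script-location", m.group(1)))
            for m in LOCATION_CALL_RE.finditer(data):
                self.targets.append(("script-location", m.group(1)))


def find_redirects(html: str) -> List[Tuple[str, str]]:
    parser = RedirectFinder()
    parser.feed(html)
    parser.close()
    return parser.targets


# Constructed lure: meta refresh with a script fallback, both pointing at a
# placeholder credential-phishing host (not a real campaign destination).
SAMPLE_LURE = """<!DOCTYPE html>
<html><head>
<meta http-equiv="refresh" content="0; url=https://login.phish.example/office365/?e=victim%40corp.example">
<title>Please wait...</title>
</head><body>
<script>
  // fallback if meta refresh is blocked
  window.location = "https://login.phish.example/office365/?e=victim%40corp.example";
</script>
<noscript><a href="https://login.phish.example/office365/">Continue</a></noscript>
</body></html>
"""


if __name__ == "__main__":
    for technique, destination in find_redirects(SAMPLE_LURE):
        print(f"{technique:16} {destination}")
```

This catches the plain cases and gives the analyst the destination to block or to pivot on. Obfuscated lures (string concatenation, atob, eval) need a JavaScript engine or manual decoding; treat a downloaded HTML file with no recoverable destination as suspicious in its own right.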

Gateway Evasion

As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically pass through gateways as benign emails unless settings are modified to restrict access to such file sharing sites. The PDC has observed this attack method bypassing multiple gateways, including Proofpoint, Office 365 Safe Links, and Symantec.

Useful Resources for Customers

Description
Triage Yara rule: PM_WeTransfer_File_Download
PhishMe Templates: “File Transfer”
Cofense Intelligence: https://www.threathq.com/p42/search/default#m=26412&type=renderThreat 



Ransomware: A Mid-Year Summary

By Alan Rainer

Recently, ransomware has taken on the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations is one visible sign of this shift. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all deter broad-spectrum targeting.

Ransomware Is Down Holistically, But Targeted Infections Are Up

Threat actors find that targeted ransomware attacks against high-value victims can be accomplished with greater efficiency, enabled by other malware families such as Emotet/Geodo. These secondary malware families provide an effective attack vector that increases the success of phishing attempts and targeted ransomware campaigns. Emotet—an email-borne Trojan which actors use to install other nefarious tools—has gone offline with no activity since June 2019. If the Trojan were to resurface, we assess that threat actors could rather easily carry out more email ransomware attacks on a broader scope. Without the efficiency provided by Emotet or even a Ransomware-as-a-Service such as GandCrab (which has supposedly shut down permanently), targeted infections continue to be the more lucrative option for ransomware operators.

Recent headlines have drawn attention to exceptionally costly targeted ransomware attacks against local US governments, healthcare services, and the transportation sector. Also spurring great debate: cyber insurance companies are recommending payment of ransom and are directly contributing to those payments as part of their insurance coverage. Taking this into account—along with the hefty recovery costs incurred by cities that have not elected to pay the ransom, such as Atlanta and Baltimore—Cofense Intelligence™ assesses this could lead to an uptick in ransom payments and further embolden an increase in targeted ransomware campaigns.

Only last week, the cyber insurer of La Porte County, Indiana, contributed $100,000 toward a Bitcoin demand worth about $130,000. The firm advised La Porte County to pay the threat actors, who had infected local networks with the Ryuk ransomware. Similar stories have emerged across the United States. What remains to be seen is how effective recovery is following payment. Often, decryption is not as immediate or successful as ransomware operators would have their victims believe.

Will Cyber Insurance Create New Targets?

It makes sense that organizations seek indemnity to protect their financial portfolios. But while everyday scams or fraud occur in a traditional insurance setting, cyber criminals may look to specifically target insured organizations for a guaranteed return in the future. Cyber insurance companies known to pay out ransom could present a surefire target for actors.

Regardless of targeting potential, all organizations should engage in appropriate planning and preparation with defense technology and user awareness. Threat intelligence will help to ensure that your organization’s defense is as proactive as possible. Educating and enabling your users to identify and report phishing messages ensures preparedness at every line of defense. As an industry leader in phishing defense solutions, Cofense™ provides security professionals with tools and skills to combat email-borne threats, so that you can defend against even those threats that bypass your perimeter technologies and reach user inboxes. Only by stepping up our collective defense will we reduce the efficacy and proliferation of ransomware campaigns for good.


This Phishing Attacker Takes American Express—and Victims’ Credentials

Recently, the Cofense™ Phishing Defense Center™ observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

UK Banking Phish Targets 2-Factor Information

Recently, the Cofense Phishing Defense Center observed a wave of phishing attacks targeting TSB banking customers in the UK. We found these consumer-oriented phishing emails in corporate environments, after the malicious messages made it past perimeter defenses.

The convincing emails aimed to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. If someone were to bite on the phish, they would be open to follow-up phone scams or the complete takeover of their bank account and credit cards.

Most UK banks implement a form of two-factor authentication (strictly, a second knowledge factor, since both pieces are something the user knows). Users set a standard password and a piece of memorable information. They log in with their user name and password and are then asked for three characters, chosen at random, from their memorable information. This improves the security of a bank account in two ways:

  1. It helps mitigate man-in-the-middle attacks, since any single intercepted login reveals only a fragment of the memorable information.
  2. If a user’s email address and password combination has been leaked online, it provides an extra barrier for attackers attempting to access their accounts.
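The two properties listed above follow from how the challenge is built server-side. The code below is an added example, not TSB’s system or Cofense code: it shows a partial-secret challenge, the constant-time check behind it, and what an eavesdropper learns from one intercepted login. The challenge size of three, case-insensitive matching and the storage model are assumptions; the page does not describe the real implementation.

```python
"""Server-side partial-secret challenge for "memorable information".

Added example, not TSB's or Cofense's code. It shows why a genuine login
only ever asks for a few characters and why a page demanding the whole
string is a red flag. The challenge size, case-insensitive matching and
storage model are assumptions; the page does not describe the real system.
"""
import hmac
import secrets
from typing import List, Sequence, Tuple

CHALLENGE_SIZE = 3


def issue_challenge(secret_len: int, rng=None) -> List[int]:
    """Pick CHALLENGE_SIZE distinct 1-based positions, sorted for display."""
    if secret_len < CHALLENGE_SIZE:
        raise ValueError("memorable information is too short")
    rng = rng or secrets.SystemRandom()   # CSPRNG so positions are unpredictable
    return sorted(rng.sample(range(1, secret_len + 1), CHALLENGE_SIZE))


def verify_challenge(stored_secret: str, positions: Sequence[int], answer: Sequence[str]) -> bool:
    """Check the submitted characters against the stored secret in constant time.

    Partial-character checks require the secret to be recoverable server-side
    (encrypted, ideally inside an HSM) rather than one-way hashed: that is the
    design cost of this scheme.
    """
    if len(answer) != len(positions):
        return False
    if any(p < 1 or p > len(stored_secret) for p in positions):
        return False
    expected = "".join(stored_secret[p - 1] for p in positions).lower()
    given = "".join(answer).lower()
    return hmac.compare_digest(expected.encode(), given.encode())


def reconstruct_from_intercepts(secret_len: int,
                                intercepts: Sequence[Tuple[Sequence[int], str]]) -> str:
    """What an eavesdropper knows after seeing some challenge/response pairs.

    Unseen positions stay "?": one intercepted login reveals only a fragment,
    which is exactly the property the phishing page defeats by asking for the
    whole string.
    """
    known = ["?"] * secret_len
    for positions, answer in intercepts:
        for p, ch in zip(positions, answer):
            known[p - 1] = ch
    return "".join(known)


if __name__ == "__main__":
    secret = "tiddles1"            # constructed example secret
    positions = issue_challenge(len(secret))
    answer = [secret[p - 1] for p in positions]
    print("challenge", positions, "->", verify_challenge(secret, positions, answer))
    print("eavesdropper sees:", reconstruct_from_intercepts(len(secret), [(positions, "".join(answer))]))
```

A real deployment would also rate-limit attempts and avoid re-issuing the same positions to the same account in quick succession, otherwise repeated challenges let an attacker who controls the session collect the full string over time.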

Again, if successful this phish could help the attacker evade these extra controls. Here’s how it works:

Email Body:

The attack begins with an email purporting to be from the TSB customer care team, informing the customer that a new “SSL server” has been implemented to prevent access to customer accounts by third parties. It then asks the user to update their account information by clicking on the conveniently placed hyperlink.

Fig 1. Phishing Email

Headers:

To add authenticity to the attack, the threat actors spoofed the sender information to make the email appear to come from customercare[@]tsb[.]co[.]uk. Correlating this with the Message-ID shows that it actually originated from ttrvidros[.]com[.]br, a Brazilian-registered domain. A Message-ID can be forged too, but it is set by the originating system rather than taken from the displayed sender, so a mismatch between the two is a useful tell.

From: TSB Bank <customercare[@]tsb[.]co[.]uk>
To: "MR, Example" <[email protected]>
Subject: EXTERNAL: Account Update Notice
Thread-Topic: EXTERNAL: Account Update Notice
Thread-Index: AQHVJzUy0rKRdi+45UWU8FPBrgSqiQ==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Thu, 20 Jun 2019 06:55:28 +0000
Message-ID: <5630c1ff905b65891e435ec91b8a1390[@]www[.]ttrvidros[.]com[.]br>
Content-Language: en-GB

Fig 2. Header Information
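The check described above (displayed From domain versus Message-ID domain), as an added example that is not Cofense tooling. The header block is constructed from the headers shown, refanged, with the obfuscated To address replaced by a placeholder. The registrable-domain logic is a deliberate simplification that knows a few common second-level labels such as co.uk and com.br; a real deployment should use the Public Suffix List.

```python
"""Compare the displayed From domain with the Message-ID domain.

Added example, not Cofense tooling. The sample header block is constructed
from the headers shown in the post (refanged; To replaced by a placeholder).
The registrable-domain logic is a simplification; use the Public Suffix
List in production.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional

# Second-level labels under two-letter country TLDs, e.g. tsb.co.uk, x.com.br
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov", "edu"}


def registrable_domain(host: str) -> str:
    """Reduce a host name to the part a registrant actually controls."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def domain_of_address(addr: str) -> Optional[str]:
    """Domain part of an RFC 5322 address (works for Message-ID too)."""
    _, email_addr = parseaddr(addr)
    if "@" not in email_addr:
        return None
    return email_addr.rsplit("@", 1)[1].strip("<>").lower()


def check_origin(raw_headers: str) -> Dict[str, object]:
    """Flag a message whose Message-ID host belongs to a different organisation
    than the displayed From address. None means one of the headers is missing."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of_address(msg.get("From", ""))
    mid_dom = domain_of_address(msg.get("Message-ID", ""))
    result: Dict[str, object] = {"from_domain": from_dom, "message_id_domain": mid_dom}
    if from_dom and mid_dom:
        result["mismatch"] = registrable_domain(from_dom) != registrable_domain(mid_dom)
    else:
        result["mismatch"] = None
    return result


# Constructed from the headers shown in the post; To is a placeholder.
SAMPLE_HEADERS = """\
From: TSB Bank <customercare@tsb.co.uk>
To: "MR, Example" <example@corp.example>
Subject: EXTERNAL: Account Update Notice
Date: Thu, 20 Jun 2019 06:55:28 +0000
Message-ID: <5630c1ff905b65891e435ec91b8a1390@www.ttrvidros.com.br>
Content-Language: en-GB

"""


if __name__ == "__main__":
    print(check_origin(SAMPLE_HEADERS))
```

Treat a mismatch as a triage signal rather than a verdict: bulk senders and ticketing systems legitimately emit Message-IDs in their own domains, so combine it with the Authentication-Results header (SPF, DKIM, DMARC) and the Received chain before acting.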

Phishing Page:

The malicious page shown below in Fig. 3 is almost identical to the TSB online banking portal. The first page asks for a User ID and password.

Fig 3. Phishing Page 1

The victim is then asked to supply characters from their memorable information. This is typically a word that is memorable to the user and six characters or longer, usually a pet’s name, mother’s maiden name, or a favorite city or sports team. It is standard practice to only provide three characters of your memorable information. However, this is just a clever ruse to gain the confidence of the victim.

Fig 4. Phishing Page 2

The user is then redirected to a fake error page that states, “There is a problem with some of the information you have submitted. Please amend the fields below and resubmit this form.” The form then asks the victim for the full memorable information and their mobile phone number. Armed with the victim’s user ID, password, memorable information, and phone number, an attacker can easily gain access to the victim’s bank account and credit cards through the online portal—or, perhaps more worryingly, use this information to launch a social engineering campaign over the phone, commonly referred to as vishing (voice phishing).

Fig 5. Phishing page 3

Gateway Evasion:

This threat was found in an environment running Microsoft Exchange Online Protection (EOP), which provides built-in malware and spam filtering and is intended to screen inbound and outbound messages for malicious software and spam transferred through email.


Double Duty: Dridex Banking Malware Delivered with RMS RAT

Cofense Intelligence™ analyzes millions of emails and malware samples each day to alert organizations to emerging phishing threats. Thanks to our expansive view of the threat landscape, we recently were able to discover and investigate a campaign impersonating eFax that appeared to carry an attached Microsoft Word document. The attachment was in fact a .zip archive containing a .xls Microsoft Excel spreadsheet. This spreadsheet included an Office macro which, when enabled, downloaded and executed two malicious executables: samples of Dridex and the Remote Manipulator System remote access tool (RMS RAT).

What’s notable: By delivering a banking trojan and a RAT, the threat actors are able to use the banking trojan purely for credential stealing via browsers and use the RAT for more complex management of the infected computer. Dridex may be able to handle some of the machine management tasks, but by using RMS RAT and Dridex for separate purposes threat actors can more efficiently accomplish their tasks. And having both available provides a backup communication channel in case one of the malware families is detected and removed.
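The attachment chain described above (a “Word document” that is really a .zip holding a macro-laden .xls) is the kind of mismatch mail triage can catch by comparing the declared filename with the bytes. The script below is an added example, not Cofense tooling and not the campaign’s files: the message and its dummy attachment are constructed, and it stops at type mismatches and nested Office files; macro extraction (for instance with olevba) is the next step, not covered here.

```python
"""Flag e-mail attachments whose declared name does not match their real type.

Added example, not Cofense tooling. The message is constructed to mimic the
described lure (a "Word document" that is really a .zip holding an .xls)
with dummy bytes; it is not the actual campaign sample.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from typing import List

MAGIC = [
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt
    (b"%PDF", "pdf"),
    (b"MZ", "exe"),
]
EXPECTED_KIND = {"doc": "ole2", "xls": "ole2", "ppt": "ole2", "docx": "zip",
                 "xlsx": "zip", "xlsm": "zip", "zip": "zip", "pdf": "pdf"}
OFFICE_EXT = {"doc", "xls", "ppt", "docx", "xlsx", "xlsm", "docm", "pptm"}


def sniff(head: bytes) -> str:
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return human-readable findings for one attachment (empty = nothing odd)."""
    findings = []
    ext, kind = extension(filename), sniff(data[:8])
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        findings.append(f"{filename}: declared .{ext} but content is {kind}")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as fh:
                        inner_kind = sniff(fh.read(8))   # header only: no zip-bomb exposure
                    inner_ext = extension(info.filename)
                    if inner_ext in OFFICE_EXT:
                        findings.append(f"{filename}: archive contains Office file {info.filename} ({inner_kind})")
                    if inner_kind == "exe":
                        findings.append(f"{filename}: archive contains executable {info.filename}")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: zip magic but archive is corrupt")
    return findings


def scan_message(raw: bytes) -> List[str]:
    """Inspect every attachment part of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, data))
    return findings


def build_sample_message() -> bytes:
    """Constructed lure: a 'Word document' attachment that is really a zip holding an .xls."""
    fake_xls = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64   # OLE2 magic plus padding, not a real workbook
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eFax_document.xls", fake_xls)
    msg = EmailMessage()
    msg["From"] = "eFax <no-reply@efax-notice.example>"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "You have a new fax"
    msg.set_content("Your fax is attached as a Word document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="msword",
                       filename="eFax_document.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

The declared MIME type is just as untrustworthy as the filename (the sample labels the zip application/msword), so only the bytes are used for classification. Extend MAGIC and EXPECTED_KIND to the formats your gateway actually allows, and route anything that mismatches, or nests an Office document or executable inside an archive, to detonation rather than to the user.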

RMS RAT Features

RMS RAT is a legitimate remote access tool appropriated for malicious use by threat actors. RMS RAT has a large number of features that include logging keystrokes, recording from the webcam or microphone, transferring files, and manipulating Windows Task Manager and other Windows utilities. This multi-featured tool allows for significant control of a compromised computer as well as multiple methods of information gathering. Due to its legitimate origins and usage of legitimate components, not all endpoint protection suites will immediately detect this tool as malicious, which allows threat actors more time to establish a foothold in the infrastructure.

Dridex Web Injects

Banking trojans often target a large number of websites and use different kinds of scripts for different targets. Some banking trojans will even share the same scripts and targets with other banking trojans. When a victim on an infected machine visits one of the targeted websites in an internet browser, the script will be “injected” into the browser. This allows the threat actor to steal information entered, redirect traffic, bypass multi-factor authentication, and even provide additional “security questions” to obtain information from the victim. In this case, the web injects used by Dridex were unusual because of both the large number of possible web inject scripts and the fact that some of the web injects were labeled as being from the Zeus banking trojan.

There are three types of web injects used in this case. The first type is used to hide or display content on certain web pages, making it possible to insert additional requests for personal questions used to verify banking accounts. The second type monitors the URLs visited by the browser and downloads additional files; the web injects labeled as Zeus fall in this category. Both of these web injects come hard coded into the original malicious binary. The third type of web inject is downloaded from a remote host and often has more capabilities, including greater information-gathering capacity.

Web injects in this sample of Dridex target a variety of websites:

  • The first set targets crypto currency websites such as coinbase[.]com and banking websites such as hsbc[.]co[.]uk and synovus[.]com. The web injects for these targets are downloaded from the same command and control location, 144[.]76[.]111[.]43.
  • A second set of web injects targets e-commerce websites, including paypal[.]com and bestbuy[.]com, and is sourced from a different location: akamai-static5[.]online. The threat actor’s use of this particular domain name is clever because it is similar enough to an Akamai network domain name that the domain might not be reported because it looks legitimate.
  • The final set of web injects are tagged as “Zeus” injects. The use of these injects is particularly unusual because several of the targeted websites overlap with those in other web injects, such as paypal[.]com and amazon[.]com.

By using multiple types of web injects, and in some cases duplicating websites of other web injects, the threat actors have a wide variety of possible targets at their disposal. Using both old and new web injects can also help threat actors target information even when the structure of the webpages’ URL has changed over time.

Threat Results and a Look Ahead:

The dual-pronged attack in this case provided the threat actors with multiple methods of compromise, access to data, and some resistance to traditional endpoint protections. RMS RAT provided remote access, key logging, and credential stealing. And using different types of web injects enabled threat actors to utilize some of the features of Zeus to improve the capabilities of Dridex. Each different type of web inject also made use of a different command and control location to provide information, which can help make the threat actor’s infrastructure more resilient.

Knowing how these threats behave in combination, rather than only individually, helps organizations prepare for and defend against them. Training employees to spot and report possible phishing messages can stop malware from reaching an endpoint and prevent threat actors from ever establishing a foothold.

Learn More

See how Cofense Intelligence analyzes and processes millions of emails and malware samples daily so security teams can easily consume phishing-specific threat intelligence. Discover how to proactively defend your organization against evolving phishing attacks and the latest malware varieties.

Appendix:

Table 1: List of potential web inject sources

Web Inject Sources
hxxps://144[.]76[.]111[.]43:443/5/amex_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bbt_biz_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bbt_corp_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bmo_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bnycash_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bremer_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/pnc_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/scotiabank_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/tdbank_tdetreasury_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/510/tiquani_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/amama_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/amunba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/atonbu_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/bacana_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/bahaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/bokafi_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/bomobo_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/buliba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/camaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/camaci_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/camana_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/cibaca_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/cobaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/cobuba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/emriba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/ewaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/facosa_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/famaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/finiba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/fumaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/hacaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/hasaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/hasaba_uk_pers_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/iboaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/inruba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/irisoba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/katata_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/lakala_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/lemiba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/madaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/magaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/matawa_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/mecoma_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/moboma_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/osv_cetiba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/osv_fasaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/osv_sabatu_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/osv_tobipu_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/pawaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/peniba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/pocoba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/povaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/rabaca2_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/rabaca_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/rasaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/satara_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/secaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/sigaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/socoba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/synova_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/tadaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/todoba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/ubatra_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/unbaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/wabaca_l4R5Ej69o91Bc3ja/
hxxps://akamai-static5[.]online/appleadmin/gate[.]php
hxxps://akamai-static5[.]online/bestbuyadmin/gate[.]php
hxxps://akamai-static5[.]online/costcoadmin/gate[.]php
hxxps://akamai-static5[.]online/ebayadmin/gate[.]php
hxxps://akamai-static5[.]online/neweggadmin/gate[.]php
hxxps://akamai-static5[.]online/ppadmin/gate[.]php
hxxps://akamai-static5[.]online/samsclubadmin/gate[.]php
hxxps://akamai-static5[.]online/walmartadmin/gate[.]php
hxxps://bustheza[.]com/lob[.]php
hxxps://cachejs[.]com/lob[.]php
hxxps://46[.]105[.]131[.]77:443/B88U86giIPyD55RK/
hxxps://46[.]105[.]131[.]77:443/ehf9i7ywh5kdyu50/
hxxps://46[.]105[.]131[.]77:443/xobj6j20x84lhk3x/

Table 2: Command and control hosts (C2)

RMS RAT C2
217[.]12[.]201[.]159:5655
Dridex C2
hxxps://71[.]217[.]15[.]111:443/
hxxps://97[.]76[.]245[.]131:443/
hxxps://24[.]40[.]243[.]66:443/
hxxps://159[.]69[.]89[.]90:3389/
hxxps://159[.]89[.]179[.]87:3389/
hxxps://62[.]210[.]26[.]206:3389/

Table 3: Payload locations

Office Macro Payloads
hxxp://topdalescotty[.]top/filexxx/wiskkk[.]exe
hxxp://topdalescotty[.]top/filexxx/wotam[.]exe


All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.