Expect Credential Phishing to Continue Surging in 2019

“Hackers don’t need to break in, they only need to log in.” This was a quote mentioned at a conference I attended last December and which I repeated in an e-book Cofense™ recently published, 6 Phishing Predictions for 2019. My prediction was that hackers will continue to go full bore with credential phishing, emails that specifically ask for username and password.  

We’re Making It Easy for MSSP’s to Deliver Phishing Defense

By John McCabe

A new Cofense™ Managed Security Service Provider (MSSP) program makes it easy for service providers to offer phishing defense to small and medium-sized businesses. Phishing is a huge problem for SMBs. With limited budget and expertise, they’re often targets of spear phishing, ransomware, and other attacks.

The Malware Holiday Ends—Welcome Back Geodo and Chanitor

CISO Summary

Even cybercriminals knock off for the holidays. Then in January, it’s back to work. We all have bills to pay.

This past holiday season, including the Russian Orthodox Christmas which fell on January 7, threat actors cooled their heels and malware campaigns dipped. But with the holidays over, threat actors are back in action. Chanitor malware campaigns are spiking, at even higher levels than a year ago, and Geodo/Emotet campaigns have been surging too.

Introducing the Cofense Triage Certification Program

By Kiarra Grant

Want to be a certified expert in phishing response? Now you can.

Introducing the Cofense Triage™ Operators Certification. It’s our second industry-specific certification program, complementing our program for operators of Cofense PhishMe™. The new program is focused on Cofense Triage, the first and only phishing-specific incident response platform. Become an expert in Cofense Triage while taking your phishing defense program to the next level.

The Cofense Triage Certification program provides:

  • Validation and certification of skills in the operation of Cofense Triage
  • Training in running a successful phishing response program
  • The ability to augment Cofense solution expertise with free threat landscape education modules
  • Complete education and testing for certification in about two hours, at the user’s pace

Upon completing the course, you may earn CPEs for your certifications by self-reporting to third-party organizations such as (ISC)² for review. This certification is included with your Cofense Triage license, so there is no charge for this program.

Users can request access to the certification by going to the “Request Cofense Triage Certification” button at the top of any Cofense Community page.

Jigsaw Ransomware Returns With Extortion Scam Ploys

By Lucas Ashbaugh

Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics.

The Delivery
Each email starts off with a ploy about how the threat actor somehow compromised the victim’s financial accounts. After shocking and scaring victims, the emails attempt to trick them into clicking on a download link disguised as if it were a stolen bank statement. This download link uses a shortened link to evade detection and then sends the user over to the payload server, where the malware is ultimately downloaded under the guise of a file named Statement.pdf.msi.

The Malware

At $400, this rendition of Jigsaw demands more than many of its predecessors; otherwise it remains similar. As usual, a flashy dialog pops up and slowly types out its demand. It encrypts the victim’s files and then starts deleting them at an increasing pace, as outlined in its ransom note. This escalation of file deletions is one of the reasons Jigsaw is so dangerous: it heavily pressures victims to pay the ransom in a short time frame or suffer increasing consequences.

Upon download, the file creates two malicious executables named drpbx.exe and firefox.exe. Despite the different names, these files are identical. They can be found at:

  • %AppData%local%Drpbx%drpbx.exe
  • %AppData%Roaming%Frfx%firefox.exe

   

Along with these executables, Jigsaw creates a new folder at %AppData%Roaming%System32Works, which contains key files:

  • EncryptedFileList.txt: a running record of all the files that have been encrypted so far.
  • Adress.txt: the bitcoin address that must receive payment.

For anyone daring enough to disregard the malware’s threat and turn off their machine, an ominous warning pops up. If the victim power cycles their machine, Jigsaw will automatically delete 1000 files.

Jigsaw is well known for its usage of the .fun file extension on its encrypted files. It has also been previously reported to use additional file extensions such as .kkk and .btc.

Jigsaw caters to a variety of different languages, selecting its language based off the victim machine’s locale setting.

Protecting Yourself and Your Company

User training. Jigsaw still relies on an untrained user to click on the infection URL in the first place. For a trained user, these scam ploy tactics should be glaringly obvious. The ploys include choppy English, urging a user to click a suspicious link. Users who are well trained with tools like Cofense PhishMe™ know to report these emails and not click.

Indicators of Compromise

Malicious File

File Name: Statement.pdf.msi

File size: 1.1 MiB (1,175,552 bytes)

 

Malicious File

File name: firefox.exe

Filesize: 282 KB (289,280 bytes)

 

Malicious File

File name: drpbx.exe

Filesize: 282 KB (289,280 bytes)

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Announces New Cofense Triage Operator Certification

Incident Responders Gain Deeper Knowledge of Product Capabilities and Functionality to Analyze and Respond to Active Phishing Emails Faster

LEESBURG, VA. – Jan. 23, 2019 – Today Cofense™, the leading provider of human-driven phishing defense solutions world-wide, announced their Cofense Triage™ Operator Certification. Cofense Triage is the first phishing-specific orchestration, automation and response platform that helps stop active phishing attacks in progress. The Cofense Triage Operator Certification teaches incident responders best practices to make them more efficient and assures that organizations maximize the investments that they have made in Cofense Triage. This training is interactive, self-paced, and typically completed in just two hours.

Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans

By Aaron Riley and Marcel Feller

CISO Summary

Recently, Cofense™ has seen phishing campaigns that bypass email security using a .cpl file extension attachment. .CPL is the file name extension for items or icons appearing in the Windows Control Panel. These file extensions are vital for most Control Panel tools to function, making endpoint threat mitigation extremely difficult.

After evading controls and successfully executing on the endpoint, the .cpl file downloads a second-stage payload, which is typically a banking trojan. According to Cofense Intelligence™, most of these phishing campaigns are aimed at South American inboxes. As part of security awareness training (see Cofense PhishMe™), organizations should condition users to identify and report .cpl files to avoid network infection.

Full Details

The Cofense Phishing Defense Center (PDC) has captured multiple phishing campaigns using a .cpl file extension attachment to bypass email security measures and download a second stage payload, which typically is a banking trojan. Cofense Intelligence has analyzed these campaigns and found that the majority of them are targeting South American citizens. Furthermore, to successfully communicate with the Command and Control (C2) infrastructure, the endpoint needs to mirror a South American computer’s settings like IP address, time zone, language pack, and keyboard settings.

The .cpl file extension is used for Control Panel tools that contain executable byte code. A .cpl file is a PE32 binary: it has the same structure, starting with the DOS stub, as other PE32 files (such as .exe, .dll, .scr), and it is executed by control.exe. These file extensions have been used in campaigns that deliver banking trojans, most notably Banload. Cofense Intelligence™ customers can view an analysis of Banload by logging in. Figure 1 shows an email campaign that is used to deliver a .cpl attachment. The email is in Spanish and claims to come from ‘Servicio de Impuestos Internos,’ the Internal Revenue Service of Chile.

Figure 1 shows the email campaign used to deliver .cpl attachments.

The .cpl file attached to this campaign acted as a first-stage downloader, facilitating the retrieval and execution of a secondary payload. Figure 2 shows the HTTP POST to the C2 infrastructure during the preliminary communication. This HTTP POST contains the machine name and username of the infected endpoint and is appended with a number sequence known to the C2. Figure 3 shows the fingerprinting data within the form values posted to the C2.

Figure 2 shows the HTTP POST and GET traffic originating from the .cpl file.

Figure 3 shows the information gathered by the .cpl file to fingerprint the infected machine.

After the initial connection is successful, the binary then connects to a hardcoded payload location for the second stage. Notice in Figure 2 that there was a GET request for another payload. By effectively expanding the detection surface, this two-stage download and execution actually increases the likelihood of C2 interruption.

While analyzing the .cpl binaries’ network traffic, Cofense Intelligence identified a custom User-Agent string that can be turned into network alerts within a Security Information and Event Management (SIEM) system. Figures 4 and 5 show the two different User-Agents connecting to the same host. Based on packet analysis, these custom User-Agents would suggest the threat operators are limiting access to their C2 infrastructure.

Figure 4 shows the User-Agent for the HTTP POST.

Figure 5 shows that the User-Agent value is ‘LA CONCHA DE TU MADRE,’ a Spanish expletive whose cleaned-up meaning is ‘the shell of your mother.’ This string lends further credence to the idea that the User-Agent is used to restrict access to the C2 infrastructure and to help determine the stage of infection. However, leaving such an obvious indicator for the security infrastructure to identify gives the impression this was an amateur operator.

Figure 5 shows the User-Agent string for the GET request made by the .cpl file.
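The User-Agent alerting described above, sketched as an added example (not Cofense's own detection content): it matches the GET User-Agent quoted in this post and also flags a client that POSTs and then GETs from one host with two different non-browser User-Agents. The log format, hosts, client addresses and the POST User-Agent are constructed placeholders.

```python
from collections import defaultdict

# Constructed proxy log: time client method host path user-agent.
# Only the GET User-Agent value comes from the article; the POST User-Agent,
# hosts, paths and client addresses are placeholders.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET intranet.example /home Mozilla/5.0 (Windows NT 10.0; Win64; x64)
10:02:10 10.0.0.7 POST c2.example /gate PLACEHOLDER-POST-AGENT
10:02:12 10.0.0.7 GET c2.example /stage2 LA CONCHA DE TU MADRE
10:03:00 10.0.0.9 GET updates.example /check ExampleUpdater/2.1
"""

FIELDS = ("time", "client", "method", "host", "path", "agent")
KNOWN_BAD_AGENTS = {"la concha de tu madre"}  # value reported in the article
BROWSER_PREFIXES = ("mozilla/", "opera/")      # assumption: tune per network

def parse(log_text):
    """Split each line into six fields; the User-Agent keeps its spaces."""
    rows = (line.split(" ", 5) for line in log_text.splitlines())
    return [dict(zip(FIELDS, parts)) for parts in rows if len(parts) == 6]

def detect(rows):
    """Alert on the known User-Agent, and on a client that POSTs and later
    GETs from one host with two different non-browser User-Agents."""
    alerts, seen = [], defaultdict(list)
    for row in rows:
        agent = row["agent"].strip().lower()
        if agent in KNOWN_BAD_AGENTS:
            alerts.append(("known_agent", row["client"], row["host"]))
        if not agent.startswith(BROWSER_PREFIXES):
            seen[(row["client"], row["host"])].append((row["method"], agent))
    for (client, host), events in seen.items():
        post_agents = set()
        for method, agent in events:
            if method == "POST":
                post_agents.add(agent)
            elif method == "GET" and post_agents - {agent}:
                alerts.append(("staged_agents", client, host))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The second rule does not depend on the literal string, so it still fires if the operators change the User-Agent values but keep the two-stage pattern.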

After execution, this .cpl attachment followed trends and called for the second-stage payload to execute a sample of OverByte ICS Logger. This keylogger was configured with multiple modules to target and gather banking information from the endpoint. Figure 6 shows the malware family name within the memory strings. Figure 7 shows the multiple modules configured within this binary.

Figure 6 shows the malware family name within the memory strings.

Figure 7 shows the multiple modules that were used to configure this binary.

This sample of OverByte ICS Logger went after banking information, specifically South American banks. The banking information gathered includes usernames, passwords, Personal Identification Numbers (PINs), and any element ID that was selected during the login process. Element IDs are unique identifiers that facilitate accurate targeting for JavaScript and CSS. Use of element IDs means modifications to the page can be made accurately, provided the author adheres to the standards.

After gathering the information, this sample then sends it to the C2, which in this case was the same as the second-stage download. This OverByte ICS Logger persisted on the machine and gathered banking information at predetermined times to be sent to the C2. Figure 8 shows a list of banks (redacted) in the memory strings of the running sample.

Redactions in Figure 8 show where the references to banks would be within the memory strings.

The .cpl file extension is necessary for most Control Panel tools to function properly. The operating system’s need for this extension makes mitigation and remediation within the security stack extremely difficult. The trend of using these extensions to deliver banking trojans to the endpoint is a looming threat. Educating end users on how to properly identify and report these types of files when they are encountered is the best way to avoid this type of infection on a network.
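One way to inspect attachments for the .cpl delivery described above, as an added example (not code from Cofense): it walks a ZIP attachment member by member and also flags the double-extension trick used by the Jigsaw Statement.pdf.msi download. The extension sets, size limit and sample file names are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# .cpl and .msi are the delivery types described on this page; the other
# entries in both sets are assumptions to tune for your environment.
EXECUTABLE_EXTS = {".cpl", ".msi", ".exe", ".scr", ".dll"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
MAX_MEMBER_BYTES = 50_000_000  # skip oversized members (zip-bomb guard)

def classify(name, data):
    """Return the reasons one file name and its content look suspicious."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension " + last)
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            reasons.append("double extension")
    elif data.startswith(b"MZ"):  # DOS header shared by .exe, .dll, .scr, .cpl
        reasons.append("PE content under non-executable name")
    return reasons

def triage(name, data, prefix="", depth=0):
    """Classify an attachment and, for ZIP archives, each member inside it."""
    label = prefix + name
    findings = {}
    reasons = classify(name, data)
    if reasons:
        findings[label] = reasons
    if depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                findings.update(triage(info.filename, archive.read(info),
                                       label + "!", depth + 1))
    return findings

def build_sample_zip():
    """Constructed archive: fake PE stubs only, no real malware content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("doc_EXAMPLE.cpl", b"MZ" + bytes(62))
        archive.writestr("photo_EXAMPLE.jpg", b"MZ" + bytes(62))
        archive.writestr("notes.txt", b"plain text")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage("invoice_EXAMPLE.zip", build_sample_zip()),
          triage("Statement.pdf.msi", b""))
```

A password-protected member makes `archive.read` raise `RuntimeError`; a gateway would normally report that case as its own finding.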

Indicators of Compromise

Observed URLs: hxxps://gentsilen[.]com[.]mx/cl/factura[.]php?folio=1&Importancia=Urgente&descarga=true&impuestos=servidor_alerce&site=www[.]sii[.]cl

185-35-139-197[.]v4[.]as62454[.]net

185-35-139-190[.]v4[.]as62454[.]net


Observed IPs:

185[.]35[.]137[.]85

185[.]35[.]137[.]80
185[.]35[.]139[.]190

 

Observed Files:
File Name: Sii_Documento_TVLN11.zip
File size: 718,191 Bytes

File Name: Sii_Documento_TVLN11.zip
File size: 717,935 Bytes

File Name: Sii_Documento_K3YLT2WJNU.cpl
File size: 761,902

File Name: mTjdyis.exe
File size: 400.872 Bytes

File Name: shfolder.dll
File size: 42.466.735 Bytes

 

Cofense Launches MSSP Program to Provide Essential Phishing Defense Capabilities to Small and Midsized Businesses

Program will provide global MSSPs world-class, human-driven anti-phishing offerings that increase attack resiliency and speed response times to stop phishing in its tracks

LEESBURG, VA. – January 16, 2019 – Today Cofense™, the leading provider of human-driven phishing defense solutions world-wide, launched its Managed Security Service Provider (MSSP) program to provide small and medium-sized businesses (SMBs) across the globe with essential human-driven phishing defense solutions designed to stop active phishing attacks. SMBs are highly susceptible to phishing attacks, and often lack the resources necessary to stop advanced threats. In response, Cofense has partnered with a targeted group of elite service providers to provide their customers the dedicated resources required to strengthen defenses, build attack resiliency and ultimately stop real attacks in progress.