This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

By Milo Salvia, Cofense Phishing Defense CenterTM

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials for Stripe, the online payment facilitator that handles billions of dollars annually. That volume makes Stripe an attractive target for threat actors who want to use compromised accounts to access payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they hover over it; instead, they see a bogus account message. Here’s how the campaign works.

Email Body

The email pretends to be a notification from “Stripe Support,” informing the account administrator that “Details associated with account are invalid.” The administrator needs to take immediate action, otherwise the account will be placed on hold. This is cause for panic among businesses that rely solely on online transactions and payments. Fear and urgency are the most common emotions threat actors play on, spurring otherwise rational people to make irrational decisions.

Figure 1: Email Body

The email body contains a button with an embedded hyperlink, as seen above: “Review your details.” When clicked, the recipient is redirected to a phishing page. Usually one can check the destination of a hyperlink by hovering over it with the mouse cursor. Here the true destination is obscured by adding a title attribute to the HTML <a> tag: when the recipient hovers over the button, the mail client shows the title text “Review your details” instead of the URL. Potentially this is a tactic to mask the true destination from a vigilant recipient.

Figure 2: Malicious Button
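A check that a mail-filtering or triage pipeline could apply to the technique described above, added here as an example and not part of the original post: it parses the HTML body and reports links whose href is off-brand while a title attribute (the tooltip most clients show on hover) or brand-naming text stands in for the URL. The brand domain stripe.com is the one being impersonated; the link target in the sample is a constructed example.net placeholder.

```python
"""Flag hyperlinks in an HTML email whose hover text masks the real destination.

Added example for this post (not Cofense tooling). The email fragment below is
constructed; its link target is an example.net placeholder, not a campaign IOC.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect href, title attribute and visible text for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attributes = dict(attrs)
            self._current = {
                "href": attributes.get("href") or "",
                "title": attributes.get("title"),
                "text": "",
            }

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.anchors.append(self._current)
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none (e.g. mailto:)."""
    return (urlparse(url).hostname or "").lower()


def is_under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_anchors(html, brand_domains):
    """Return off-brand links whose tooltip or text could mislead a hovering reader.

    brand_domains: domains the purported sender legitimately links to.
    A link is reported when its href host is outside those domains AND either
    it carries a title attribute (most mail clients show the title, not the
    URL, on hover) or its visible text mentions the brand.
    """
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for anchor in parser.anchors:
        host = host_of(anchor["href"])
        if is_under(host, brand_domains):
            continue
        shown = (anchor["text"] + " " + (anchor["title"] or "")).lower()
        if anchor["title"] is not None:
            reason = "title attribute replaces the URL on hover"
        elif any(d in shown for d in brand_domains):
            reason = "link text names the brand but points elsewhere"
        else:
            continue
        findings.append({"href": anchor["href"], "host": host,
                         "title": anchor["title"], "text": anchor["text"],
                         "reason": reason})
    return findings


# Constructed email fragment modelled on the lure described in the post.
SAMPLE_EMAIL = """
<p>Details associated with account are invalid.</p>
<a href="https://stripe-review.example.net/login" title="Review your details">
  Review your details
</a>
<p>Questions? Visit the <a href="https://stripe.com/docs">help center</a>.</p>
"""


def demo():
    return suspicious_anchors(SAMPLE_EMAIL, ["stripe.com"])
```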

The phishing page is an imitation of the Stripe customer login page. In fact, it consists of three separate pages. The first one aims to harvest the admin’s email address and password, while the second page asks for the bank account number and phone number associated with the account. Lastly, the recipient is redirected back to the account login page, which displays an error message, “Wrong Password, Enter Again.” This leads the recipient to believe an incorrect password has been entered and redirects back to the legitimate site, so the recipient doesn’t suspect foul play.

Figure 3: Phishing Pages

IOCs:


Cofense Resources
HOW COFENSE CAN HELP

Cofense PhishMeTM offers a simulation template, “Stripe Account Notification,” to educate users on the campaign described in today’s blog.

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense and Eze Castle Integration Partner to Strengthen Security Awareness in the Investment Industry

LEESBURG, Va. – October 16, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, today announced it has entered a strategic Managed Security Services Provider (MSSP) partnership with Eze Castle Integration, a leading provider of managed services and complete cloud solutions for the investment industry. Cofense will provide world-class security awareness and phishing simulation solutions to Eze Castle, enhancing their cybersecurity services portfolio to offer an end-to-end managed awareness and phishing simulation service for their financial customers.

Cyber-attacks and data breaches remain at the top of risks facing organizations today, and the majority of breaches begin with phishing. Effective employee education, training and conditioning is a critical element of a robust cyber defense strategy, allowing enterprises to bolster their resiliency to attacks. Eze Castle customers can take advantage of Cofense’s award-winning, human-driven training tools through Eze Castle’s managed service expertise, including more than 50 cyber-related and compliance-based training modules and insight into the latest phishing campaigns affecting the financial industry.

Eze Castle will also receive hands-on training from Cofense to help identify the right cadence of phishing simulations—from basic to more nuanced scenarios—along with tips for measuring results and communicating program success to an organization’s executives.

“We are proud to partner with Eze Castle Integration as part of our elite group of service providers that are enabling more organizations with the resources needed to thwart phishing attacks across the globe,” said Robert Iannicello, vice president of global channel sales, Cofense. “Together, we look forward to empowering employees in the investment industry to proactively report suspicious emails and generate actionable intelligence that gives their organization the upper hand in stopping phishing attacks in their tracks.”

“In today’s technology-driven world, cybersecurity threats are one of the greatest risks facing the investment industry,” said Steve Schoener, chief technology officer, Eze Castle Integration. “We follow a security first approach to IT and deliver fully managed security solutions, such as Cofense PhishMe and Security Awareness Modules, to help our customers bolster the security of their environments – whether they reside in a public, private or hybrid cloud, or on-premises.”

New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection

By Hunter Johnson, Cofense Professional Services 

Cofense has observed threat actors employing a modified version of a sextortion scam that uses alternative cryptocurrencies in place of bitcoin.

Typical sextortion scams claim to have installed malware on recipients’ systems and recorded their browsing history of adult websites and webcam footage. Ransom is demanded in bitcoin, upon threat of releasing damaging information to family, friends, and co-workers. Because threat actors often get recipients’ emails from password breach lists, they sometimes include passwords to lend authenticity.

Early sextortion scams started with a plain text extortion email threatening the recipient and asking for payment. As enterprises began writing detection rules to block those emails, threat actors modified the text by replacing it with an image, which prevented key words from being identified by Secure Email Gateways (SEGs). The bitcoin address was left as a plain text string in the email, so it could be easily copied. As enterprises began checking for bitcoin addresses, threat actors removed text and images and switched to attaching PDF documents containing the threats. Most recently, threat actors began encrypting PDF attachments and including the password in the email body to foil any further SEG detection rules.

This latest sextortion version uses a Litecoin wallet address instead of bitcoin to evade detection. Previous iterations showed a gradual shift away from identifiable patterns, and now to alternative cryptocurrencies, in an attempt to foil SEG bitcoin-detection rules. The current emails appear to be crafted to contain very few searchable word patterns. While we could publish the contents of those emails, let’s just say the emails contained adult language admonishing the recipient to be more careful about their browsing and webcam habits.

As this latest twist shows, threat actors can switch to the next cryptocurrency and attempt to iterate through all the scam’s previous versions. While there are thousands of cryptocurrencies, only a dozen or so are easily attainable from large exchanges. For the scam to work, the recipient needs an easy way to acquire the requested payment method.
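As an added illustration of the detection gap described above (not Cofense's rule), the following Python compares a bitcoin-only address rule with one that also recognises Litecoin and, going slightly beyond the post, Ethereum address formats. The ransom-note fragments and the addresses in them are constructed.

```python
"""Detection rule for ransom-payment addresses that is not limited to bitcoin.

Added example for this post, not Cofense's rule. Addresses in the samples are
constructed strings that merely match each coin's address format; they are not
real wallets. Ethereum is included as a generalisation beyond the post.
"""
import re

BASE58 = r"[a-km-zA-HJ-NP-Z1-9]"          # base58 alphabet: no 0, O, I, l
BECH32 = r"[ac-hj-np-z02-9]"              # bech32 data alphabet: no 1, b, i, o

ADDRESS_PATTERNS = [
    ("bitcoin",  re.compile(r"\b[13]" + BASE58 + r"{25,34}\b")),   # P2PKH / P2SH
    ("bitcoin",  re.compile(r"\bbc1" + BECH32 + r"{11,71}\b")),     # bech32
    ("litecoin", re.compile(r"\b[LM]" + BASE58 + r"{26,33}\b")),    # legacy / P2SH
    ("litecoin", re.compile(r"\bltc1" + BECH32 + r"{11,71}\b")),    # bech32
    ("ethereum", re.compile(r"\b0x[a-fA-F0-9]{40}\b")),
]


def find_crypto_addresses(text, coins=None):
    """Return [(coin, address), ...] in order of appearance.

    coins: optional set restricting which coins are reported; None means all.
    """
    hits = []
    for coin, pattern in ADDRESS_PATTERNS:
        if coins is not None and coin not in coins:
            continue
        for match in pattern.finditer(text):
            hits.append((match.start(), coin, match.group(0)))
    return [(coin, address) for _, coin, address in sorted(hits)]


def bitcoin_only_rule(text):
    """The older SEG rule the post describes: it recognises bitcoin addresses only."""
    return find_crypto_addresses(text, coins={"bitcoin"})


# Constructed ransom-note fragments (placeholder wording, fake addresses).
SAMPLE_BITCOIN_NOTE = (
    "Transfer 0.3 BTC to 1KxFtP7RqZz9mP3yY5XzZxNfEv4kB8uQsT within 48 hours."
)
SAMPLE_LITECOIN_NOTE = (
    "Transfer 8 LTC to LbTjMsaMq3fRTPwHLzMEpmwLymQ8sx4k7j within 48 hours."
)
```

Running the bitcoin-only rule over the Litecoin note returns nothing, which is exactly the gap the post describes; the broader rule catches both.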

Avoiding this scam is simple with phishing awareness training. Your users can safely ignore the emails—if threat actors actually had such access and data, they would include stronger proof. Also educate users about sites such as haveibeenpwned.com, so they can know if their email address is likely to become a target.

Cofense will also be publishing a rule to detect attacks we’ve seen so far using this new method.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a phishing simulation template, “Fear Driven Phishing Scams Involving Embarrassing Situations,” to educate users on sextortion and similar scams.

Cofense Labs has published a database of 300 million compromised email accounts for use in sextortion campaigns. Find out if your organization’s accounts are at risk.

Reports of sextortion and other ransom scams to the Cofense Phishing Defense CenterTM are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense ReporterTM.


Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways

Last week, the Cofense Phishing Defense CenterTM observed phishing threat actors using low-level trickery to avoid detection, by utilizing basic percentage-based URL encoding. This takes advantage of Google’s nifty ability to decode the encoded URL data on the fly. The easiest way to trick a secure email gateway (SEG) is hiding the true destination of the payload.

Here’s how it works:

Figure 1: Email Body

The phishing email is simple and originates from a compromised email account of a relatively well-known American brand, informing recipients that they have a new invoice awaiting payment. The email body has an embedded hyperlink button, highlighted in yellow, where users can click to view the invoice.

As we can see in Figure 1 above, the true destination of the hyperlink is not immediately obvious to the untrained eye and unfortunately the same is true for many perimeter security devices. We note that the URL’s top-level domain is google.lv which is the home page for Google Latvia.

Figure 2: URL Encoding

If we take a deeper look into the embedded hyperlink, we see that Google is being used to redirect the recipient to a secondary malicious URL. The first part of the URL is benign “hxxps://google.lv/url?q=”, which tells the web browser to use Google to query a specific URL or string.

The second part of the string, highlighted in red (Figure 2), is the payload: a string encoded with basic URL encoding. This is sometimes referred to as percent encoding, which replaces each ASCII character with a “%” followed by two hexadecimal digits. Most web browsers recognize URLs that contain these hexadecimal representations and decode them back into ASCII on the fly, without any user interaction. When users click the hyperlink in the email, their browsers send the encoded string to Google, which recognizes the decoded string as a URL and redirects the user to the final destination hosting the malicious payload.

This is enough to fool basic URL and domain checks by perimeter devices, a simple yet effective way for threat actors to ensure delivery of malicious payloads.
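An added example (not the post's own code) of how a gateway or analyst tool can resolve such a link before checking it: it recognises Google /url redirects, percent-decodes the q parameter until nothing is left to decode, and evaluates the final host rather than google.lv. The destination in the sample is a constructed example.com placeholder.

```python
"""Expose the final destination behind a percent-encoded Google /url redirect.

Added example, not code from the original post. The destination used in the
sample is an example.com placeholder, not an indicator from the campaign.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# google.<tld> or google.<cc>.<cc>, e.g. google.com, google.lv, google.co.uk
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$")


def percent_decode_fully(value, max_rounds=5):
    """Undo percent-encoding until the text stops changing (handles double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def unwrap_google_redirect(url):
    """Return (destination, True) for a Google /url redirect, else (url, False).

    Google's /url endpoint forwards the browser to the target given in the q
    (or url) parameter, so a gateway that inspects only the outer hostname sees
    a Google domain while the user ends up somewhere else.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if GOOGLE_HOST.match(host) and parsed.path.rstrip("/") == "/url":
        params = parse_qs(parsed.query)          # parse_qs decodes one layer
        for key in ("q", "url"):
            if params.get(key):
                return percent_decode_fully(params[key][0]), True
    return url, False


def assess_link(url, blocked_hosts):
    """Resolve the redirect and check the final host, not the outer one."""
    destination, redirected = unwrap_google_redirect(url)
    final_host = (urlparse(destination).hostname or "").lower()
    return {
        "outer_host": (urlparse(url).hostname or "").lower(),
        "redirected": redirected,
        "final_url": destination,
        "final_host": final_host,
        "blocked": final_host in blocked_hosts,
    }


def percent_encode_every_byte(text):
    """Encode every byte as %XX, the style the post describes for the payload."""
    return "".join(f"%{byte:02X}" for byte in text.encode("utf-8"))


# Constructed sample mirroring the campaign: a Google Latvia redirect whose q
# parameter is a fully percent-encoded placeholder destination.
SAMPLE_DESTINATION = "https://invoice-portal.example.com/office/login"
SAMPLE_LINK = "https://google.lv/url?q=" + percent_encode_every_byte(SAMPLE_DESTINATION)
```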

Figure 3: Phishing Page 

The phishing page itself is a simple imitation of the Office 365 login portal and aims to steal corporate users’ credentials. With businesses’ growing reliance on Office 365, it’s fast becoming a favorite target amongst phishing threat actors.

Network IOCs
hxxps://gdank[.]com/office[.]o/microsoft/office/ 107[.]180[.]27[.]240

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a simulation template, “New Invoice,” to educate employees on the phishing tactic described in today’s blog.


Rethinking Security Awareness? Fine-Tune Your Simulations

Part 2 of 2

In part 1 of this short series, we gave tips on re-energizing a mature security awareness program. We noted the importance of reassessing your organization’s risk profile and communicating with users as you educate them on phishing. For part 2, let’s look at anti-phishing through the lens of simulated threats.

How to Refocus Your Phishing Simulations

If you manage a security awareness program, you need to educate users on phishing emails that land in their inboxes—active threats like malware, business email compromise (BEC), or sextortion. This means talking to your SOC to understand the threats your business faces, then running simulations of those same threats. The objective isn’t just to educate users to spot phishing but to condition them to report threats, so the SOC can respond faster.

If you’ve been running simulations for some time, here are proven ways to reinvigorate your program.

Give Users an Easy Way to Report

To repeat, reporting is what you’re after. Make it easy for ALL users to report a suspicious message by giving them an EZ button. Cofense PhishMeTM customers can (and should) deploy Cofense ReporterTM, our email toolbar button that lets you report with one click.

If users don’t report threats, the SOC is blind while the danger spreads. Well-conditioned users become human sensors that send valuable threat intelligence to your security teams.

Send Targeted Simulations

As you build resiliency across your organization, send different simulations to different kinds of users: high-value targets in human resources or finance, repeat clickers, and new hires/new users. You’ll also want to continue sending campaigns to your full population.

Simulate Emerging and Active Threats

The phishing scenarios in Cofense PhishMe are based on real threats, thanks to constant input from our threat intelligence teams. For example, we see a lot of emerging threats, those observed in the wild, using phony invoices and purchase orders. Threat actors have a good understanding of how organizations process payments and emulate those methods to disarm users.

If something seems familiar, users are more likely to open an attachment or click links to filesharing sites like SharePoint. Another example: users often feel safe using sites that display the HTTPS prefix and padlock symbol. They look for these on e-commerce sites asking them to enter personal information. There’s been an uptick in threat actors leveraging HTTPS in phishing emails, so you might use this tactic in your simulations.

Also be sure to send simulations that mirror active threats—phishing emails that get past your organization’s secure email gateway (SEG). Again, communicate with your SOC to learn the latest examples. If your organization is a Cofense TriageTM and Cofense VisionTM customer, these incident response solutions can give you deeper insight.

As your phishing awareness program matures it needs to stay current with your phishing risk. Teach users to report more nuanced attacks should they breach the perimeter. To counter today’s threats, your organization, all of it, needs to keep up with the times.


Emotet Malicious Phishing Campaigns Return in Force

By Alan Rainer and Max Gannon

The infamous malware family Emotet—also known as Geodo—has fully resurfaced and resumed sending phishing campaigns that trick users into clicking on links and downloading attachments that contain malicious macros. Many of the emails feature common financial themes that capitalize on an existing reply chain or contact list impersonation.

In most cases, subjects for these phishing emails are rather mundane, such as “RE: Re: Contract/Invoice Count” and “Customer Statement 09/16/2019”, with attachments that use Microsoft Office macros to install malware. Upon installation of the Emotet executable, the banking Trojan TrickBot may be placed onto the victim machine, mainly depending on geography and organization. TrickBot is known to siphon information from a host and has been shown to result in Ryuk ransomware reaching the victim after some time. Current statistics show that Emotet is targeting over 66,000 unique emails on more than 30,000 domains. The origin emails, sent from accounts whose credentials had likely been stolen, span over 1,900 unique domains from 3,400 different senders. This extensive reach makes it tricky to combat the Emotet threat.

User awareness and technical safeguards such as email defense capabilities and endpoint protection solutions are vital in thwarting Emotet. Users should be increasingly wary of reply chain emails that contain unexpected documents, especially ones that ask to ‘Enable Content’ for editing or to ‘Accept the license agreement.’

Security teams should maintain a heightened awareness of Emotet trends and leverage the analysis to deny or hunt down malicious activity. Through active monitoring of the Emotet botnet and malware, Cofense IntelligenceTM continues to identify phishing threats that may impact customers and to provide security operations with the latest campaign data. In the Technical Findings section below, Cofense Intelligence has chosen a random example of the most common email and macro as seen today for analysis.

Figure 1: Original Email

Technical Findings

Emotet delivers malicious documents as either part of a reply chain or as a finance-themed (such as invoice, new document, bank transfer, and quotation) phishing email. The languages used for each email body differ widely and have been seen to include English, Italian, Polish, or German, among others. These phishing emails contain a Microsoft Word document with a .doc extension and an Office macro that downloads Emotet executables.

Historically, Emotet utilized malicious links as well, but current indications show this is not the preferred method of malware delivery. The attached Office documents with macros store payload information in embedded object data, rather than in the macro itself, which makes analysis more difficult.

While similar to a delivery mechanism discussed in a previous blog, this version of the dropper is more advanced than before. When the document is opened, it displays a lure stating that to continue to use Microsoft Word after September 20, 2019, the user must accept the license agreement and enable editing. The lure shown in Figure 2 does not appear to be significantly different from the typical Office message that asks to enable macros; however, a requirement to accept a new license agreement makes the lure seem so routine that this new trap may be more effective.

Figure 2: Macro Request

After Office macros are enabled, Emotet executables are downloaded from one of five different payload locations. When run, these executables launch a service, shown in Figure 3, that looks for other computers on the network. Emotet then downloads an updated binary and proceeds to fetch TrickBot if (currently undetermined) criteria of geographical location and organization are met.

Figure 3: Service Launched by Emotet

The macros used in this case are relatively small even with the garbage code included, totaling approximately 150 to 300 lines. Removing the garbage code reveals only 10 lines of actual code. This code extracts metadata from embedded objects in the Word document; specifically, the “caption” data of these objects as seen in Figure 4.

Figure 4: Object content

While the attached documents all have a .doc extension, they are in fact .dotm, .docx, and other document file types, which enables them to successfully hide the embedded objects as ActiveX objects rather than typical “Form” objects whose metadata can be easily accessed in an opened document.
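An added example, not code from the post or from Cofense, of checking whether an attachment's container matches its .doc extension: it reads the OLE or ZIP magic bytes, identifies the OOXML flavour from the main-part content type in [Content_Types].xml, and notes whether a vbaProject.bin or word/activeX/ parts are present. The sample attachment is built in memory and is not a real Emotet document.

```python
"""Compare an Office attachment's claimed extension with its actual container.

Added example for this post, not Cofense tooling. The sample document is
constructed in memory; its vbaProject.bin is placeholder bytes, not a macro.
"""
import io
import zipfile
from pathlib import PurePosixPath

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.dotm/...) is a ZIP

# Main-part content types Word records in [Content_Types].xml for each flavour.
OOXML_MAIN_PARTS = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": "docx",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml": "dotx",
    "application/vnd.ms-word.document.macroEnabled.main+xml": "docm",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml": "dotm",
}


def inspect_attachment(filename, data):
    """Return what the bytes really are versus what the filename claims."""
    claimed = PurePosixPath(filename).suffix.lower().lstrip(".")
    result = {
        "filename": filename,
        "claimed_ext": claimed,
        "container": "unknown",
        "actual_kind": None,
        "has_vba_project": False,
        "has_activex": False,
    }
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["actual_kind"] = "doc"
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml-zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                for ctype, kind in OOXML_MAIN_PARTS.items():
                    if ctype in ctypes:
                        result["actual_kind"] = kind
                        break
            result["has_vba_project"] = "word/vbaProject.bin" in names
            result["has_activex"] = any(n.startswith("word/activeX/") for n in names)
    result["extension_mismatch"] = (
        result["actual_kind"] is not None and result["actual_kind"] != claimed
    )
    return result


def build_sample_dotm_named_doc():
    """Constructed sample: a macro-enabled template (OOXML ZIP) carrying a .doc name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types"><Override PartName="/word/document.xml" '
            'ContentType="application/vnd.ms-word.template.macroEnabledTemplate.main+xml"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder, not a real VBA stream
        zf.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
    return "Customer_Statement.doc", buf.getvalue()
```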

In each case, the result is the attempted download of an Emotet binary from a set of five payload locations using both HTTP and HTTPS. Emotet has been seen downloading TrickBot and other malware historically, with no noteworthy modifications to the present-day TrickBot sample.


How Cofense Can Help

Cofense Resources

Cofense PhishMeTM offers a phishing simulation, “Service Report – Emotet,” to educate users on the phishing attack described in today’s blog.

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.


New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

The Cofense Phishing Defense CenterTM has detected a new wave of attacks targeting US taxpayers by delivering the Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality. Threat groups like TA505 have been known to leverage the Amadey botnet as recently as July 2019 to deliver secondary malware like FlawedAmmyy (RAT) and email stealers.

Here’s how a typical attack works:

Figure 1: Infection chain

Figure 2: Email Body

The email body purports to be from the Internal Revenue Service (IRS) and claims that the recipient is eligible for a tax refund. The recipient is presented with a “one time username and password” and urged to click the “Login Right Here” button. As seen above in Figure 1, the login button is an embedded hyperlink that redirects to hxxp://yosemitemanagement[.]com/fonts/page5/. Here the recipient is presented with an IRS login page to enter the one-time password.

Figure 3: Infection Page 

Once the recipient is logged into the fake IRS portal they are informed that they have “1 pending refund” and asked to download a document, print and sign, then either mail it back or upload a copy to the portal. When the recipient clicks to download the document, a zip file called “document.zip” is presented, which contains a Visual Basic script dropper.

Figure 4: Obfuscated VBS Script

The VBScript is highly obfuscated and encrypted. For more details on how this VBScript was decoded, please take a look at the Cofense™ Labs detailed write-up, which can be found here.

At a high level, once executed the script decrypts itself at run time and drops an executable file called “ZjOexiPr.exe” in C:\Users\Byte\AppData\Local\Temp\. Once dropped it then proceeds to install the executable kntd.exe in C:\ProgramData\0fa42aa593 and execute the process.

Figure 5: Persistence 

The Amadey process installs itself in C:\ProgramData\0fa42aa593 and, to maintain persistence, it uses Reg.exe, a command line tool for editing the registry. Next, the script issues the command:

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\0fa42aa593

This repoints the user’s Startup shell folder at the malware directory, so Explorer launches its contents at each logon.
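An added detection example for the persistence technique above (not part of the original analysis): it parses a reg.exe command line as recorded in process-creation telemetry and flags a User Shell Folders Startup value pointing outside the user profile. The first sample command is the one quoted above; the second is a constructed benign change that sets the default path.

```python
"""Flag reg.exe changes that redirect the Startup shell folder out of the profile.

Added example, not Cofense's detection logic. Input is a process command line
as logged by EDR or Sysmon-style process-creation telemetry.
"""
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Default data of the Startup value under User Shell Folders (REG_EXPAND_SZ).
DEFAULT_STARTUP = r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SHELL_FOLDER_KEY_SUFFIXES = ("\\explorer\\user shell folders", "\\explorer\\shell folders")
SWITCH_TO_FIELD = {"/v": "value", "/t": "type", "/d": "data"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return {'key', 'value', 'type', 'data'} for a `reg add` command, else None."""
    tokens = tokenize(cmdline)
    if len(tokens) < 3:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    info = {"key": tokens[2], "value": None, "type": None, "data": None}
    i = 3
    while i < len(tokens):
        field = SWITCH_TO_FIELD.get(tokens[i].lower())
        if field and i + 1 < len(tokens):
            info[field] = tokens[i + 1]
            i += 2
        else:
            i += 1                      # /f and other switches take no argument
    return info


def is_under_user_profile(path):
    """True for %USERPROFILE%\\... or <drive>:\\Users\\<name>\\... paths."""
    lowered = path.lower()
    return (lowered.startswith("%userprofile%\\")
            or re.match(r"^[a-z]:\\users\\[^\\]+\\", lowered) is not None)


def assess_shell_folder_change(cmdline):
    """Classify a reg.exe command; returns None if it is not a `reg add`."""
    info = parse_reg_add(cmdline)
    if info is None:
        return None
    verdict = dict(info, suspicious=False, reason="not a shell-folder key")
    if not info["key"].lower().endswith(SHELL_FOLDER_KEY_SUFFIXES):
        return verdict
    value, data = (info["value"] or "").lower(), info["data"] or ""
    if value == "startup" and data and not is_under_user_profile(data):
        verdict.update(
            suspicious=True,
            reason="Startup shell folder redirected outside the user profile: " + data,
        )
    else:
        verdict["reason"] = "shell-folder change stays within the user profile"
    return verdict


# The command quoted in the analysis above, and a constructed benign counterpart.
AMADEY_CMD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
              r' /f /v Startup /t REG_SZ /d C:\ProgramData\0fa42aa593')
BENIGN_CMD = (r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
              r' /v Startup /t REG_EXPAND_SZ /d "' + DEFAULT_STARTUP + '" /f')
```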

Figure 6: C2 channels

Amadey instantly beacons out to its command and control (C2) channels, sending system diagnostic information back to the C2 server, and awaits further instructions. Amadey connects out via HTTP on port 80 to multiple C2 servers.

Figure 7: Network Traffic

If we take a closer look at the HTTP traffic, we can see that Amadey sends system information back to its C2 server.

From the values given we can infer that:

ID – Unique identifier of the infected system

VS – Version of Amadey

OS – Operating system

AV – Antivirus

PC – System name

UN – Username

Additional Analysis:

Cofense Labs takes this analysis a bit deeper to deobfuscate the malware. To learn more, check out the Lab Notes on this analysis: https://cofenselabs.com/i-see-what-you-did-there/

Indicators of Compromise (IOCs):

Malware Artifacts

File  MD5 Hash Value
document.zip 7f9a3244d23baed3b67416e32eb949bd
a4-155QFYXY.vbs 79d24672fff4c771830b4c53a7079afe
kntd.exe a046030e2171ddf787f06a92941d37ca

 Network Connections

URL  IP
hxxp://yosemitemanagement[.]com/fonts/page5/ 160[.]153[.]138[.]163
hxxp://ledehaptal[.]ru/f5lkB/index[.]php 78[.]40[.]109[.]187
hxxp://nofawacat[.]com/f5lkB/index[.]php 179[.]43[.]139[.]222
hxxp://Ip[.]hoster[.]kz 192[.]4[.]58[.]78


HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a phishing simulation, “Tax Refund Notice –Amadey Botnet,” to educate users on the attack described in today’s blog.

Remove the blind spot with Cofense ReporterTM—give users a one-click tool to report suspicious messages, alerting security teams to potential threats.


Healthcare’s Getting Smacked by Phishing. These Resources Can Help.

This summer, phishing attacks continued to hammer healthcare.

Florida: Compromised email accounts, at last count 73, were used to send a phish which led to a breach at NCH Healthcare.1

Ohio: Eye Care Associates was hit with ransomware. The regional eye care provider’s systems were locked for several weeks.2

New York: In the biggest healthcare breach so far in 2019, American Medical Collection Agency was breached to the tune of 25 million patient records. While phishing hasn’t been positively identified as the culprit, it’s high on the suspect list.3

Need Phishing Defense Resources? Start Here.

To help healthcare companies better defend against phishing, CofenseTM maintains a healthcare hub with information and solutions including:

Case Study: Getting Creative to Stop Attacks

After getting targeted by a credential phishing attack, one healthcare company got serious about phishing awareness and response. They turned to Cofense to help educate users to report suspicious emails.

Now the reporting rate is 3-7 times higher than the susceptibility rate. Even better: employees are reporting real phish that security teams are stopping faster, including credential harvesting phish, malicious URLs, and malware campaigns.

Read the full case study.

Infographic: 5 Ways Healthcare Can Beat Phishing

At the heart of these 5 tips: educate users to report phishing and benchmark your success.

Our infographic shows that healthcare companies have made progress in email reporting, but still lag behind other industries. View exclusive Cofense data that shows where healthcare stands, plus best practices and some newer phishing tactics to watch for.

See the infographic.

More Healthcare Content + Cofense Solutions

Watch a short video of a healthcare executive discussing how he trains users to spot phishing. Read blogs on healthcare security awareness, incident response, and how another healthcare company stopped a phishing attack in 19 minutes.

Plus, learn how Cofense solutions can protect your healthcare company from the inbox to the SOC.

Check out our healthcare hub now.

 

Sources

  1. HIPAA Journal, September 2, 2019
  2. Healthcare IT Security, August 15, 2019
  3. Healthcare IT Security, July 23, 2019

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Astaroth Uses Facebook and YouTube within Infection Chain

Cofense Intelligence™ has identified a phishing campaign targeting Brazilian citizens with the Astaroth Trojan in which Facebook and YouTube profiles are used in support of the infection. The complex chain of events that leads to installation of the Astaroth Trojan starts with an .htm file attached to an email. Several stages of this infection chain could have been stopped by properly layered defenses in the email and network security stack. At each step, however, the campaign relies on trusted sources and on the end user to advance to the next stage, ultimately exfiltrating sensitive information.

This Astaroth campaign exclusively targeted Brazilians, as did the one reported in 2018, and in one week it compromised around 8,000 machines. Astaroth abuses legitimate Microsoft Windows programs and services to stage and execute its payloads. This campaign also used Cloudflare Workers (a serverless JavaScript execution environment on Cloudflare's edge) to host modules and payloads, so every download comes from a reputable domain that network security measures are unlikely to block. Using these resources is part of the same trusted-source approach the campaign uses throughout to bypass the security stack.

The emails analyzed by Cofense Intelligence were in Portuguese and used three distinct themes: an invoice (the NOTA_FISCAL_ELETRONICA lures in the appendix), a show ticket (Convite), and a civil lawsuit (Processo). Each lure enticed the end user into downloading and opening a .htm attachment to start the infection chain. To stop this technique, the email security stack would need to scan the attachment itself for the links and downloads it triggers, not just the message body. Proper mitigations combined with user education on safe handling of attachments will also help defeat this type of attack, since it relies on the end user at nearly every step.

Technical Findings

Once opened, the .htm file downloads a .zip archive that is geo-fenced to Brazil and contains a malicious .LNK (Windows shortcut) file. When the shortcut is launched, it downloads a JavaScript file from a Cloudflare Workers domain, shown in Figure 1.

Figure 1: The Cloudflare workers domain used within the infection chain

The JavaScript then downloads multiple files (the .jpg.zip and .gif.zip objects listed in the appendix) that are used to obfuscate and execute a sample of the Astaroth information stealer. Among them are two .DLL fragments that are joined together and side-loaded into a legitimate Microsoft program, C:\Program Files\Internet Explorer\ExtExport.exe; the appendix shows the joined daffsyshqy64.dll sharing its MD5 with mozcrt19.dll and mozsqlite3.dll, the library names ExtExport.exe looks for in the directory it is pointed at. Splitting the malicious code in two, downloading the pieces from a trusted source, and having a legitimate program load the result helps bypass security measures such as anti-virus (AV), application whitelisting, and URL filtering.

Once ExtExport.exe is running with the malicious code side-loaded, it uses process hollowing: a legitimate program is started in a suspended state, its code in memory is replaced with malicious code taken from the files downloaded by the earlier JavaScript, and the process is resumed, so the payload runs under the legitimate program's name and on-disk image. The programs targeted for hollowing were unins000.exe, svchost.exe, and userinit.exe. The program unins000.exe is most notably part of a security product installed on systems used for online banking in Brazil. After the hollowed process is running, Astaroth retrieves its command and control (C2) configuration data from outside trusted sources.
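The chain described above (script host, then ExtExport.exe side-loading the joined DLL, then a hollowed unins000.exe, svchost.exe or userinit.exe) is what endpoint telemetry should be hunted for. The Python below is an added example, not Cofense code and not an Astaroth artifact: it runs four detection rules over constructed, Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records. The field names, the sample file paths and the sample events are assumptions; the workers.dev domain in the sample comes from the appendix, and the DLL names mozcrt19.dll and mozsqlite3.dll are the ones the appendix lists with the same MD5 as the joined daffsyshqy64.dll.

```python
"""Hunt for the Astaroth execution chain in process telemetry.

Added example (not Cofense code). Events are constructed, Sysmon-style dicts:
EventID 1 = process creation, EventID 7 = image load. Field names and paths
are assumptions; adapt them to your own pipeline.
"""
import ntpath

SIDELOAD_HOST = "extexport.exe"
SIDELOAD_HOST_DIR = r"c:\program files\internet explorer"
# DLL names from the appendix that share the MD5 of the joined malicious DLL
SIDELOAD_DLLS = {"mozcrt19.dll", "mozsqlite3.dll", "sqlite3.dll"}
# Programs the campaign hollows out after ExtExport.exe is running
HOLLOWING_TARGETS = {"unins000.exe", "svchost.exe", "userinit.exe"}
# Script hosts a .LNK typically chains into to run the downloaded JavaScript
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def classify(event):
    """Return the list of findings for one event (empty when nothing fires)."""
    findings = []
    image = event.get("Image", "")
    if event["EventID"] == 1:
        parent = event.get("ParentImage", "")
        cmdline = event.get("CommandLine", "").lower()
        # Rule 1: ExtExport.exe spawning one of the known hollowing targets
        if _name(parent) == SIDELOAD_HOST and _name(image) in HOLLOWING_TARGETS:
            findings.append(f"hollowing-candidate: {_name(parent)} -> {_name(image)}")
        # Rule 2: ExtExport.exe started by a script host (LNK -> script -> LOLBin)
        if _name(image) == SIDELOAD_HOST and _name(parent) in SCRIPT_HOSTS:
            findings.append(f"extexport-from-script-host: parent {_name(parent)}")
        # Rule 3: a script host whose command line references the Workers staging domain
        if _name(image) in SCRIPT_HOSTS and "workers.dev" in cmdline:
            findings.append("script-host-fetches-workers.dev")
    elif event["EventID"] == 7:
        loaded = event.get("ImageLoaded", "")
        # Rule 4: ExtExport.exe loading one of the side-load DLL names, or any DLL
        # from outside its own directory and outside C:\Windows, is a side-load
        if _name(image) == SIDELOAD_HOST and loaded.lower().endswith(".dll"):
            outside = (_dir(loaded) != SIDELOAD_HOST_DIR
                       and not _dir(loaded).startswith(r"c:\windows"))
            if _name(loaded) in SIDELOAD_DLLS or outside:
                findings.append(f"dll-sideload: {loaded}")
    return findings


def hunt(events):
    """Run classify() over an event stream; return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed sample stream: four malicious steps followed by two benign events.
_EXTEXPORT = r"C:\Program Files\Internet Explorer\ExtExport.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # user launched the .LNK
     "CommandLine": "cmd.exe /c <constructed downloader one-liner> "
                    "https://dry-hat-05c3.hipertowsa2jkil7.workers.dev/"},
    {"EventID": 1, "Image": _EXTEXPORT,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"ExtExport.exe C:\Users\Public\Libraries\daffsyshqy"},
    {"EventID": 7, "Image": _EXTEXPORT,
     "ImageLoaded": r"C:\Users\Public\Libraries\daffsyshqy\mozcrt19.dll"},
    {"EventID": 1, "Image": r"C:\ProgramData\example\unins000.exe",
     "ParentImage": _EXTEXPORT, "CommandLine": "unins000.exe"},
    {"EventID": 7, "Image": _EXTEXPORT,  # benign: a system DLL from C:\Windows
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",  # benign parent
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Rule 4 is the one most worth tuning: ExtExport.exe has no business loading DLLs from a user-writable directory, so the "outside" branch catches a renamed payload even if the attacker stops using the mozcrt19/mozsqlite3 names.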

Astaroth uses YouTube and Facebook profiles as dead drops for its C2 configuration data. The data is both custom encrypted and base64 encoded, and is bookended by ‘|||’ as shown in Figure 2; it sits inside Facebook posts or in the profile information (the “About” section) of YouTube channels, including the ones listed in the appendix. Because the infected host only contacts facebook.com and youtube.com to fetch it, network security measures such as content filtering see nothing unusual. The threat actors can also edit the post or profile text at any time, so the list of C2 servers can be rotated without redeploying the malware and without standing up infrastructure that could be taken down.

Figure 2: C2 configuration data hosted on YouTube
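Pulling the dead-drop data out of a saved profile page is a small parsing job, and the delimiter pattern itself is a usable hunting signature over proxied responses from these sites. The Python below is an added example, not Cofense code: it strips the ‘|||’ bookends and the base64 layer and returns the still-encrypted bytes, because the page does not describe the custom cipher and the example does not pretend to. The sample “About” text and the stand-in payloads are constructed.

```python
"""Pull Astaroth-style dead-drop blobs out of a profile page.

Added example (not Cofense code). The page reports only that the C2 data is
base64 encoded, custom encrypted and bookended by '|||'; the cipher is not
described, so this strips the delimiters and the base64 layer and returns
the still-encrypted bytes. The sample 'About' text below is constructed.
"""
import base64
import binascii

DELIM = "|||"


def find_dead_drop_blobs(text, min_len=32):
    """Return the base64-decoded payload of every '|||...|||' blob in text.

    Blobs are taken as the odd-numbered fields after splitting on the
    delimiter, so a stray single '|||' elsewhere in the text shifts the
    parity. Segments that are too short or not valid base64 are skipped
    rather than raising; that also drops ordinary text caught between two
    blobs. min_len guards against short words that happen to be base64-shaped.
    """
    blobs = []
    fields = text.split(DELIM)
    for candidate in fields[1::2]:
        # posts and 'About' sections may wrap the blob across lines
        compact = "".join(candidate.split())
        if len(compact) < min_len:
            continue
        try:
            blobs.append(base64.b64decode(compact, validate=True))
        except binascii.Error:
            continue
    return blobs


def has_dead_drop(text):
    """Cheap triage check: at least one decodable blob is present."""
    return bool(find_dead_drop_blobs(text))


# --- constructed sample: stand-in 'encrypted' payloads (not the real cipher)
# and a YouTube-style About text carrying two blobs and one decoy.
_PAYLOAD_1 = b"\x8a\x01c2-list-ciphertext-1\x9f"
_PAYLOAD_2 = b"\x8a\x01c2-list-ciphertext-2, rotated\x9f"
_B1 = base64.b64encode(_PAYLOAD_1).decode()
_B2 = base64.b64encode(_PAYLOAD_2).decode()
SAMPLE_ABOUT = (
    "Canal oficial. Novidades toda semana.\n"
    f"{DELIM}{_B1}{DELIM}\n"
    "Contato: canal@example.com\n"
    f"{DELIM}this is not base64!{DELIM}\n"       # decoy, skipped
    f"{DELIM}{_B2[:12]}\n{_B2[12:]}{DELIM}\n"    # wrapped across two lines
)

if __name__ == "__main__":
    for blob in find_dead_drop_blobs(SAMPLE_ABOUT):
        print(len(blob), "bytes still under the custom encryption layer")
```

To use it on the real dead drops, save the “About” page of each YouTube channel URL in the appendix (or the Facebook permalink) and pass the text in; what comes back is the input to whatever decryption routine is recovered from the sample, and the count of blobs per page is a quick way to see when the operators rotate their C2 list.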

Once the C2 information has been retrieved, Astaroth collects sensitive data from the endpoint: financial information, passwords stored in the browser, email client credentials, SSH credentials, and more. The modules used to collect this data are among the files downloaded by the JavaScript discussed above. All collected information is wrapped in two layers of encryption and sent in an HTTPS POST to a site from the C2 list, most of which are hosted on Google's Appspot. Because the destination is another trusted source and the transport is TLS, the exfiltration bypasses network security measures that do not perform TLS inspection.

Astaroth’s complex infection chain targeting Brazilian citizens shows the value of layered defense together with end-user education. At each step the security stack had an opportunity to break the chain; by abusing legitimate processes and outside trusted sources, however, Astaroth sidestepped those defensive measures. Understanding these threat actor tactics, techniques, and procedures (TTPs) helps fine-tune the security stack to defend against them. Technology can empower an end user to protect against this type of attack, but education gives them the confidence to do so.

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense Center™ bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense Intelligence™.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense™. To understand them better, read the 2019 Phishing Threat & Malware Review.

Appendix 


ATR ID: 28320 

hxxp://32ou4r9kwagc[.]hammer-escritorios[.]de/[.]well-known/hxxp-opportunistic 

hxxp://32ou4r9kwagc[.]hammer-escritorios[.]de/U0W5Q0TJ80K/36516/Processo_8254504[.]htm 

hxxp://36ou6w4yhiat6[.]patrocinioscomerciais[.]de/[.]well-known/hxxp-opportunistic 

hxxp://36ou6w4yhiat6[.]patrocinioscomerciais[.]de/M03L90NWJ9A/38832/Processo_4872485[.]htm 

hxxp://6suehrwtdue1m[.]patrocinioscomerciais[.]de/[.]well-known/hxxp-opportunistic 

hxxp://6suehrwtdue1m[.]patrocinioscomerciais[.]de/ERC02X7133I/31888/Processo_8651438[.]htm 

hxxp://7yaaa5w7woa8a[.]dracordocerto[.]com[.]br/[.]well-known/hxxp-opportunistic 

hxxp://7yaaa5w7woa8a[.]dracordocerto[.]com[.]br/4LU11BID55M/74375/NOTA_FISCAL_ELETRONICA[.]htm 

hxxp://a7aie85hyaeg9[.]paulosilvasoares[.]com[.]br/[.]well-known/hxxp-opportunistic 

hxxp://a7aie85hyaeg9[.]paulosilvasoares[.]com[.]br/0H4Z02YXSEB/42230/NOTA_FISCAL_ELETRONICA[.]htm 

hxxp://a7oueu1x3a6f[.]contratosadministrativoscasanova[.]de/[.]well-known/hxxp-opportunistic 

hxxp://a7oueu1x3a6f[.]contratosadministrativoscasanova[.]de/000C7Q00AV2/53058/Processo_3372578[.]htm 

hxxp://e3eonr2jaao8r[.]administrativosfiscaisbr[.]de/[.]well-known/hxxp-opportunistic 

hxxp://e3eonr2jaao8r[.]administrativosfiscaisbr[.]de/8N139KS0TC8/28551/Processo_3358257[.]htm 

hxxp://e8iat1eu5aae6[.]representantecomercialilhaverde[.]de/[.]well-known/hxxp-opportunistic 

hxxp://e8iat1eu5aae6[.]representantecomercialilhaverde[.]de/L62SP3U11FF/76558/Processo_8933747[.]htm 

hxxp://eoeaic04euwv[.]promad-contabilidade[.]de/[.]well-known/hxxp-opportunistic 

hxxp://eoeaic04euwv[.]promad-contabilidade[.]de/7PY70HRS6M3/98547/Processo_5229337[.]htm 

hxxp://fwadurhba31[.]paulosoaressilva[.]com[.]br/[.]well-known/hxxp-opportunistic 

hxxp://fwadurhba31[.]paulosoaressilva[.]com[.]br/4K040HI1WB7/26224/NOTA_FISCAL_ELETRONICA[.]htm 

hxxp://infects[.]maquina-turbo-huracan[.]adm[.]br/hura//dir1/ 

hxxp://jwa0ywl3a2h[.]paulosilvasoares[.]com[.]br/[.]well-known/hxxp-opportunistic 

hxxp://jwa0ywl3a2h[.]paulosilvasoares[.]com[.]br/1Q6S1733W88/65153/NOTA_FISCAL_ELETRONICA[.]htm 

hxxp://p1uifrt6eeuk9[.]representantecomercialilhaverde[.]de/[.]well-known/hxxp-opportunistic 

hxxp://p1uifrt6eeuk9[.]representantecomercialilhaverde[.]de/0YW07AY906D/43557/Processo_4474588[.]htm 

hxxp://sba8j8thar7[.]paulosilvasoares[.]com[.]br/[.]well-known/hxxp-opportunistic 

hxxp://sba8j8thar7[.]paulosilvasoares[.]com[.]br/77MMM3800Z2/73319/NOTA_FISCAL_ELETRONICA[.]htm 

hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://billowing-morning-e8ad[.]number2one78jure[.]workers[.]dev/ 

hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://little-dust-d4f3[.]number2one78jure[.]workers[.]dev/ 

hxxps://lucky-firefly-7e5f[.]true[.]workers[.]dev/ 

hxxps://lucky-tooth-57b7[.]true[.]workers[.]dev/ 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://polished-bread-7459[.]number2one78jure[.]workers[.]dev/ 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://rapid-sea-58cf[.]number2one78jure[.]workers[.]dev/ 

hxxps://rough-sunset-da24[.]number2one78jure[.]workers[.]dev/ 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://small-glade-1d16[.]number2one78jure[.]workers[.]dev/ 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://tight-fire-750f[.]number2one78jure[.]workers[.]dev/ 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://twilight-voice-28c6[.]number2one78jure[.]workers[.]dev/ 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://www[.]facebook[.]com/permalink[.]php?story_fbid=107771317241483 

hxxps://www[.]facebook[.]com/permalink[.]php?story_fbid=108724057145111 

hxxps://www[.]youtube[.]com/channel/UC_eGbnxTGKLBkncM6-xgXEQ/about 

hxxps://www[.]youtube[.]com/channel/UCRvJAUYS4X3cjswXzdizM7w/about 

hxxps://www[.]youtube[.]com/channel/UCWMRA17ykEduy3PYSLJ7qUQ/about 

 

File   MD5 Hash Value 
06  dac44bfad9f76ba6dbdc2e5753b45ace 
09  ba048536df48d7e9dd893a6a03ef2241 
Casa&Show_Convite-16478.doc.htm.zip  19260462563234466f017056f6a206a4 
Casa&Show_Convite-24434.doc.htm.zip  02b9550e9530552f0291e018248616e3 
Casa&Show_Convite-28353.doc.htm.zip  b939510a06297f7df415da4969ad370f 
Convite-16478.doc.htm  1b4ba6193c41c002ca01b79be6b4bf58 
Convite-24434.doc.htm  b958cc34580f88a85ec213710096b3f2 
Convite-28353.doc.htm  fd5a66109a47f6f8e2ddccd18dff90ac 
Convite-Especial_450.lnk  c240f95d98b9a9c7013568bf82f82200 
Convite-Especial_450.zip  a4c9f257b3e59da8b2fcf0d8cea55c5a 
Convite-Especial_500.lnk  0ef2370581573a7dd04600957e1bf5f1 
Convite-Especial_500.zip  f71b63d22f4bab20aab0c9393857f665 
Convite-Especial_600.lnk  451dcb3829434c1e2f12bf894a8f2793 
Convite-Especial_600.zip  68b9e1a6ced7762ceb77f28632f0c462 
daffsyshqy64a.dll  6ddf3a891ea9f3cc96cf04c6a06f8176 
daffsyshqy64b.dll  a8eb5f30af5632b86f61b82d32b39dca 
daffsyshqy64.dll  14ffd7f15426f44f2f6cca63c1f3074b 
daffsyshqya.jpg  57bbfb7dfbd710aaef209bff71b08a32 
daffsyshqyb.jpg  f2cf0bc2a11c62afa0fd80a3e8cd704d 
daffsyshqyc.jpg  1f2204f86817402088d4cb8337bfbccc 
daffsyshqydwwn.gif  d0b486f131c70cf18b1e51651fa3667b 
daffsyshqydx.gif  e1762709a530f79365e53339c3f5a92c 
daffsyshqyg.gif  d2fb935b6a5ca8d61f27198eea7a3ad5 
daffsyshqygx.gif  7443bbbf9b2f02c68573f2788208f9b3 
daffsyshqyxa.~  95b4897223c0220a71f8b7db8d26b96f 
daffsyshqyxb.~  a75137f66c218886d6cd44f6efa703bf 
Departamento_Fiscal.170.lnk  f47531b59187ec87dcac80383fb43a32 
Departamento_Fiscal.170.zip  8c39a5cbacf24535d83c116eb680cb08 
Departamento_Fiscal.300.lnk  9db1833a686fea058b12bb050ec71d15 
Departamento_Fiscal.300.zip  3cfdeede42ce9a35009ab8755860ce97 
Departamento_Fiscal.490.lnk  1fda7ca3dca57d1eee0007695af6c36d 
Departamento_Fiscal.490.zip  7f01a1f829a1c514fcf372a5fed4852b 
Departamento_Fiscal.580.lnk  a9939044af4b9886ed5fc570bef357d7 
Departamento_Fiscal.580.zip  c0bbbc27ed84ffb2066f4fd53f66fb8f 
Departamento_Fiscal.700.lnk  8d6379a39692ace24ec6232e333733ca 
Departamento_Fiscal.700.zip  cb67c6e585b5ed0ffa8d6a1da0f50f6d 
FISCAL_ELETRONICA.htm  356f364e63d1cb900f4210497c006592 
FISCAL_ELETRONICA.htm  be34918b1b4f68885f12cfe79d79eaed 
FISCAL_ELETRONICA.htm  1b2fbd4b8e0fc09f18e385f3e99c7c18 
FISCAL_ELETRONICA.htm  8d5ac61b30c704f18131afe16c6a931d 
FISCAL_ELETRONICA.htm  0c8c016e42cde175761ef1ccf5f49393 
l0hdOOY.js  de057b5a7518f0117a884b0393cb24f8 
mozcrt19.dll  14ffd7f15426f44f2f6cca63c1f3074b 
mozsqlite3.dll  14ffd7f15426f44f2f6cca63c1f3074b 
NOTA_FISCAL_ELETRONICA.htm.zip  e36ae691fc76dd3afdab86f120ef45f0 
NOTA_FISCAL_ELETRONICA.htm.zip  9f20b09dd004fffb3bd440f1a69ff7e2 
NOTA_FISCAL_ELETRONICA.htm.zip  bde41fa97144ef74be6ae129aa699f9f 
NOTA_FISCAL_ELETRONICA.htm.zip  2159653ee0374fa4a157ba98ecd6dfe3 
NOTA_FISCAL_ELETRONICA.htm.zip  74e9ee1b315b4bbe2f393eb434d282e8 
Processo_0339688.htm  1b99d7c6ba70f5b51d29aa7138871de3 
Processo_0339688.htm.zip  9bf29a680a7ccdcf08539cc0334d3bf0 
Processo_0743333.htm  07eb7252072a9a367952e11e91099aba 
Processo_0743333.htm.zip  676752b756d6b549ba70bfd78453df75 
Processo_3585524.htm  14c345a7b0832d978b0bfc1a41936cce 
Processo_3585524.htm.zip  99716f3749772b55a7a2337aa9c2ceae 
Processo_4520552.htm  552c4f4606586020e649e608a9635283 
Processo_4520552.htm.zip  b3e3cc3fc712b4e3bc0513e15da49fb7 
Processo_5451802.htm  71c2dd1749b8b6424ae33fc742d8b979 
Processo_5451802.htm.zip  95bb9a288c45ba4192c4c206a153898f 
Processo_5574567.htm  d1a5c070a423d13a9f9a7a6c30290b96 
Processo_5574567.htm.zip  e829f09c42e9866027de2ba5ff37b42b 
Processo_5583423.htm  0c6bcf42b7eea1c88f501e7d27bd635a 
Processo_5583423.htm.zip  4459af875005925cc214699ea65e433a 
Processo_8457803.htm  a62c73c1a6ffc93300ecd3417682caaa 
Processo_8457803.htm.zip  4459af875005925cc214699ea65e433a 
Processo_8538828.htm  2b3cd62a7e1ffb67a2412045ff3175a5 
Processo_8538828.htm.zip  a68847e5fa17cf6500fc2cc1bb9ad606 
Processo_Judicial_Eletronico.130.lnk  11f473c93a505d0be9b2bbe2261f6891 
Processo_Judicial_Eletronico.130.zip  eca6717f16ce755254f39c1ff9175c62 
Processo_Judicial_Eletronico.150.lnk  cf333b6d6f5b22f41c685d7fce1ed30e 
Processo_Judicial_Eletronico.150.zip  d623289773b08bddf4cb05b4c2155779 
Processo_Judicial_Eletronico.30.lnk  cf9599ed5188bf857d325a383492230b 
Processo_Judicial_Eletronico.30.zip  9986df584fbc379e71c94462f680435b 
Processo_Judicial_Eletronico.310.lnk  b6f0527fe826a1c367f9385e6097284d 
Processo_Judicial_Eletronico.310.zip  fee203eea24f9a647a7feb7c194cd36d 
Processo_Judicial_Eletronico.420.lnk  6bd1f103d08fd98d16346ef53a1bec9c 
Processo_Judicial_Eletronico.420.zip  deb93d749ae8027263432e40be98fc22 
Processo_Judicial_Eletronico.480.lnk  b7901d33364a4734b9c02b6083ef3f7f 
Processo_Judicial_Eletronico.480.zip  e38239422342eb717bcaccd3dc2c3c8e 
Processo_Judicial_Eletronico.740.lnk  7479929ccaa6c4a7b4e3e68eeac1668f 
Processo_Judicial_Eletronico.740.zip  5cff755c3bd694d8927d6ceb6bee3e0b 
Processo_Judicial_Eletronico.750.lnk  4f82854519cd2f6bdd77dd43bd8f7605 
Processo_Judicial_Eletronico.750.zip  17f2e35d0e108c0a70325450c25bd57e 

 


New Phishing Campaign Uses Captcha to Bypass Email Gateway

By Fabio Rodrigues

Phishing threat actors are using Captcha methods to bypass automated URL analysis. By using Captcha techniques to prove human presence, the phish prevents the secure email gateway (SEG), in this case Mimecast’s gateway, from scanning the URL thereby enabling the threat to get through. Here’s how it works.

Email Body

The phishing email is sent from a compromised account at @avis.ne.jp as if it originated from a voip2mail service. The email alerts the recipient to a new voicemail message. The message is crafted in a simple format, with a preview of the voicemail to entice the recipient to click on the button to listen to the full message.

Figure 1: Email Body

This button is in fact an embedded hyperlink that will redirect the recipient to a page that contains a Captcha code to prove the victim is a human and not an automated analysis tool or, as Google puts it, “a robot.” It’s at this point that the SEG validation would fail. The SEG cannot proceed to and scan the malicious page, only the Captcha code site. This webpage doesn’t contain any malicious items, thus leading the SEG to mark it as safe and allow the user through.

Figure 2: Captcha Page

Once the human verification process is complete, the recipient is redirected to the real phishing page. In this example, it imitates the Microsoft account selector and login page. When unwitting victims log in, their credentials are captured.

Figure 3: Phishing Page

As we can see, both the Captcha application page and the main phishing page are hosted on Microsoft infrastructure. Both pages sit on legitimate Microsoft-owned domains, so when checking these against domain reputation databases we receive a false negative and the pages come back as safe. SEGs frequently check URLs against reputation databases as part of a layered defense.
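As an added example (not Cofense's code), the small Python triage helper below applies the two lessons above to a link a gateway has already fetched: a landing page that is only a Captcha gate must not be marked clean, and a reputable Microsoft parent domain says nothing about the customer-controlled subdomain under it. The suffix list, Captcha markers and sample values are assumptions.

```python
"""Triage helpers for the SEG blind spot described above (added example).

classify_url(): a URL under a reputable Microsoft-owned parent domain may still
point at attacker-controlled tenant content (azurewebsites.net app, Azure Blob
container behind a SAS token), so parent-domain reputation alone is not "clean".
gated_by_captcha(): a landing page that is only a CAPTCHA challenge means the
real content was never scanned, so report "unscannable" rather than "clean".
"""
from urllib.parse import parse_qs, urlsplit

# Parent domains whose subdomains are provisioned by arbitrary customers (assumed list).
TENANT_HOSTED_SUFFIXES = (".azurewebsites.net", ".blob.core.windows.net")
# Query keys of an Azure Blob shared access signature (a time-limited link).
SAS_KEYS = {"sp", "st", "se", "sv", "sig"}
# Markers of a CAPTCHA interstitial in fetched HTML (assumed heuristics).
CAPTCHA_MARKERS = ("recaptcha/api.js", "g-recaptcha", "hcaptcha.com")


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def classify_url(url: str) -> set:
    """Return risk flags for one URL; an empty set means nothing was flagged."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    flags = set()
    if any(host.endswith(suffix) for suffix in TENANT_HOSTED_SUFFIXES):
        flags.add("tenant-hosted-on-trusted-parent")
    if SAS_KEYS.issubset(parse_qs(parts.query)):
        flags.add("azure-sas-token")  # expiring blob link, typical of throwaway hosting
    return flags


def gated_by_captcha(html: str) -> bool:
    """True when the page is a CAPTCHA gate, i.e. the final content is unseen."""
    lower = html.lower()
    return any(marker in lower for marker in CAPTCHA_MARKERS)


def verdict(url: str, html: str) -> str:
    """Combine both checks; never return 'clean' for content that was not scanned."""
    if gated_by_captcha(html):
        return "unscannable"  # hold for sandbox or analyst review instead of passing it
    return "suspicious" if classify_url(url) else "clean"
```

Feed `verdict()` the link from the email and the HTML the gateway actually retrieved; a fetch that returned only the Captcha widget yields "unscannable", which is the verdict that should trigger a hold rather than delivery.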

Table 1: Network IOCs


HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMe™ offers a phishing simulation template, “New Voice Message,” to educate users on the attack described in this blog.

75% of threats reported to the Cofense Phishing Defense Center™ are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense Reporter™.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker™.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.
