Is It Time to Rethink Your Phishing Awareness Program?

Part 1 of 2

As seen in Cofense’sTM 2019 Phishing Threat & Malware Review, threat actors innovate relentlessly. Technologies like secure email gateways (SEGs) can’t keep up. In fact, the vast majority of phishing emails verified by the Cofense Phishing Defense CenterTM are found in environments using SEGs.

With so many malicious emails making it past security controls, the human factor becomes decisive. This means your phishing awareness program needs to stay in fighting trim. In particular, it’s important to educate users on attacks that breach your perimeter, working with your SOC to focus on the most frequent threats.

If your program has been up and running for a few years, it may be time to rethink what you’re doing. Let’s start by looking at your threat profile and your program’s approach to communications.

Rethinking Your Threat Profile

If you conducted a risk profile in the past, consider revisiting your findings to see if they reflect both your internal environment and external threats. If your business has never done a risk profile, you should probably set a cadence to review your company’s risks.

Threat actors look at a lot of factors before targeting an attack, so your phishing awareness program should do the same. Privileged access users and high-risk business functions, geography, technical environment, adherence to compliance standards, and corporate communications and email style can all be used to launch a phishing attack.

One smart way to identify risks: review all Software as a Service (SaaS) applications. Because these applications use email to send, receive, and log communications, threat actors can easily leverage them to design attacks. Cofense CloudSeekerTM is a free tool that can help. It allows you to report on SaaS applications configured in your environment, including any provisioned without IT’s knowledge. CloudSeeker starts with a catalog of popular SaaS applications and checks each to see if a domain has been configured for use.

If your organization uses any well-known hosted services, remind your staff of the dangers of credential phishing and spoofed websites. Credential simulations are a good idea. You might also use newsletters or announcements to spread the good word. Speaking of which…

Rethinking Your Communications Approach

One of the keys to a successful phishing awareness program is a communications plan. You need to communicate regularly, including before and after each simulation.

Cofense PhishMeTM offers content to help you communicate better. You can use it to remind employees why they’re receiving email training in the first place, plus arm them with the information they need to be successful.

You can use a newsletter, for example, to educate employees on phishing emails that spoof brands like LinkedIn. For legal reasons, you shouldn’t spoof a brand in a simulation, but a newsletter post can warn users that some branded emails are fakes.

Also, embrace the power of “Thank you!” When users report an email and get an immediate response with a thanks, they’re more likely to report again. Users want to know what happens after they act. They also want to know what next steps, if any, they should take. Should they process that invoice? Can they post that purchase order or send it on for signature? Don’t keep them in the dark—communicate and pass out kudos.

In part 2 of this blog, we’ll look at rethinking your simulations. How can you make sure they’re helping to guard against real threats? Stay tuned.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks

Hiding in plain sight by using trusted enterprise technologies almost guarantees delivery of a phishing URL. Case in point: a phishing campaign that delivered a legitimate Sharepoint URL to bypass the email gateway, in this case Symantec’s. Here’s how this increasingly popular phishing tactic works.

Email Body

The phishing email is sent from a compromised account at a third-party vendor asking the recipient to review a proposal document. The recipient is urged to click on an embedded URL. As seen below in figure 1, the URL has been wrapped by Symantec’s Click-time URL Protection and redirects the recipient to a compromised SharePoint account. SharePoint, the initial delivery mechanism, then delivers a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology.

Figure 1: email body

The embedded URL in the email body delivers the recipient to a compromised SharePoint site where a malicious OneNote document is served. The document is illegible and invites the recipient to download it by clicking on yet another embedded URL, which leads to the main credential phishing page.

Figure 2: Malicious OneNote Document

Phishing Page

The phishing page is a cheap imitation of the OneDrive for Business login portal. There, the recipient is given two options to authenticate, with their O365 Login credentials or by choosing to login with any other email provider. We see this tactic quite often as it increases the chances that the recipient will log in.

Figure 3: Phishing Pages

When we download the files from the compromised server, we can see that the credentials from the phishing form are posted by login.php. Login.php posts the harvested credentials to a Gmail account.

Figure 4: Login.php

Other files harvested from the compromised server shed light on the origin of this attack. Below is a readme file that instructs the operator on how to configure and install the phishing page onto a compromised webserver. We have also identified that this phishing exploit kit is part of a series of “Hacking tools” built and sold by BlackShop Tools.

Figure 5: readme.txt

IOCs:

Malicious URL(s):

hxxps://botleighgrange-my[.]sharepoint[.]com/:o:/p/maintenance/EngTNCs22_REkaJY4gVf9lwBqkwYFtDSmJJ7L2H-AnoDQg?e=tgtauL
hxxps://alblatool[.]com/xxx/one/
hxxps://alblatool[.]com/xxx/one/office365/index[.]php

Associated IP(s):

13[.]107[.]136[.]9
198[.]54[.]126[.]160

 

HOW COFENSE CAN HELP

To defend against the attack described in today’s blog, Cofense offers:

 

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Updated Sep. 12

Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway

By Tej Tulachan

The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link. Trickbot has been making the rounds for a long time now and is still considered one of the biggest malware threats targeting business today. Threat actors frequently utilize legitimate applications or trusted file sharing sites like Google Docs to bypass the email gateway and lure users to click on the link to deliver malware. In this case, the email made it through Proofpoint’s gateway utilized by our PDC customer.

Email Body

The email attempts to lure curious users to click on the link: “Have you already received documentation I’ve directed you recently? I am sending them over again.” This is a legitimately generated email by Google Docs when a file is shared by one of its subscribers. Unknowingly, the recipient is directed to a document hosted on Google that contains a malicious URL.

Fig 1. Email body

When the recipient clicks on the link it directs to a genuine Google Docs page as shown below, which contains a fake 404 error message and another embedded link. The threat actor baits the recipient into downloading the document: “Downloading the document manually via the link”. This link hxxps://docs[.]google[.]com/uc?id=112QLCdDtd4y-mAzr8hobCs0TP5mQmKfL downloads the malicious payload.

Fig 2. Google doc page

Once the URL links to a file hosted on Google drive, it downloads a Review_Rep.19.PDF.exe which has been disguised as PDF file. Many recipients will not see the .exe file extension. It’s something that you need to specifically enable in Windows. So, to them it looks like a legitimate PDF file since the attacker uses the icon for a PDF.

Fig 3. Pdf Icon

If we look at the file in a hex editor, we see that in fact it’s an executable file and not a PDF.

Take a look below in the editor, indicated by the magic bytes MZ which denotes a windows executable.

Fig 4. Magic Number

Once the payload is executed it creates a copy of itself (egолаСывЯыФЙ) in C:\ProgramData, where it  undertakes control over execution of the malware.

Fig 5. egолаСывЯыФЙ.exe

Furthermore, it creates another copy in “C:\Users\REM\AppData\Roaming\speedLan” that also includes the config file for Trickbot (settings.ini) (The directory depends on the Trickbot version.)

Fig 6. speedlan

If we look inside the settings.ini we see a lot of the “obfuscated” text.

Fig 7. Obfuscated text

Additionally, if we open up the Task Scheduler, we can see it also sets a task that starts the malicious file from the “Speedlan” folder.

Fig 8. Start Task Scheduler

Looking at the Triggers tab, we can see it has been set to repeat itself every 11 minutes for 596843 minutes (414 days) for this particular version of Trickbot. The scheduled task checks to see if the binary is running in memory every 11 minutes over a 1-year period. This means that the binary will stay persistent on the system if the process is terminated. The 414 day counter just insures that the scheduled task stays running for as long as the system is online (generally, people will reboot their computer at least once a year).

 

 

 

 

 

 

 

 

 

Fig 9. Trigger

This then hollows out Svchost, injects its malicious code, and launches it. It keeps launching more and more Svchost’s if you let it run. Each of these are typically responsible for a module of Trickbot.

Fig 10. Hollows Svchost

Indicators of Compromise (IOCs):

Malicious File(s):

 

Filename: Review_ Rep.19.PDF.exe

MD5: ab2a8fc10e8c1a39ae816734db9480de

SHA-256: 20328b1f169b1edeef38853dafbbacfdac53c66f7f1dd62f387091bedebfd497

File Size: 404,320 Bytes

Extension: exe

 

Malicious URL(s):

 

hxxps://docs[.]google[.]com/document/d/1fgSfd4DwReVKbcLI3ISO2jhX1Yn8WOqbXnmU_bg00_A/edit?usp=sharing_eip&ts=5d5accb1
hxxps://docs[.]google[.]com/uc?id=112QLCdDtd4y-mAzr8hobCs0TP5mQmKfL
hxxps://jaquetas01[.]cordenadorltda[.]org
hxxps://services[.]halapar[.]org

 

Associated IP(s):

200[.]119[.]45[.]140

107[.]181[.]175[.]122

79[.]143[.]31[.]94

198[.]27[.]74[.]146

186[.]47[.]40[.]234

181[.]129[.]93[.]226

190[.]152[.]4[.]210

 

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM. Cofense PhishMe offers a phishing scenario, “Shared Google Doc – TrickBot,” to help users identify the attack described in today’s blog.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense™. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Advanced Phishing Campaign Delivers Quasar RAT

Cofense IntelligenceTM has uncovered an advanced campaign that uses multiple anti-analysis methods to deliver Quasar Remote Access Tool (RAT). A phishing email poses as a job seeker and uses the unsophisticated ploy of an attached resume to deliver the malware. Quasar RAT is freely available as an open-source tool on public repositories and provides a number of capabilities. Organizations find a higher degree of difficulty with the ‘.doc’ file attachment distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection. Such methods include password protection—which is a built-in feature of Microsoft Word—and encoded macros. Along with automated tools, educating employees on new phishing trends is the best way of countering a campaign such as this.

Figure 1: Original Email

Technical Findings

The initial email used to deliver this malware, seen in Figure 1, uses a relatively common “resume” theme with an attached document. As previously mentioned, Quasar RAT is not particularly unusual or advanced compared to other toolkits. A US-Cert report states that Quasar RAT “has been observed being used maliciously by Advanced Persistent Threat (APT) actors to facilitate network exploitation,” however, Quasar is also “a publicly available, open-source RAT” and can be found on GitHub. Since the tool is easily accessible, attributing the activity to a specific threat actor is tedious at best.

The malicious attachment used by this campaign employs counter-detection measures to reach the end user. Even if the email is marked as being suspicious, the attachment may be treated as legitimate and delivered. Despite a simplistic and apparent first stage delivery, threat actors took advantage of increasingly sophisticated methods to increase the difficulty of analysis and delay detection. This delay can provide threat actors with enough time to gather information and potentially install additional, more subtle, malware before being detected or removed.

The first stage of the avoidance practiced by the document in this campaign is simple password protection. A password of “123” is not particularly inventive, but to an automated system that processes attachments separately from emails it means that the document will be opened and no malicious activity will be recorded because the system has not determined either a need for a password or what the password is. Sufficiently advanced systems should still be able to guess a password of “123”; however, this only opens the document and does not necessarily trigger malicious activity. The resulting prompt is shown in Figure 2.

Figure 2: Request to enable macros

If an analyst or automated system were then to attempt to analyze the macros using an analysis tool (such as the popular tool ‘olevba’ by Philippe Lagadec), the script would fail and potentially crash from using too much memory when it attempted to analyze the macro. This is likely an intentional effect by the threat actor in the form of more than 1200 lines of garbage code that appears to be base64 encoded. Forcing the script to attempt to decode the garbage strings causes, in all likelihood, a crash due to the magnitude of decoding required. An example of some of these garbage strings is shown in Figure 3.

Figure 3: Example of the fake encoded strings

If those strings are not decoded or the process decoding them has enough resources allocated, the resulting content still lacks the all-important payload URL. Instead, partial strings and filler text give some semblance of legitimacy. Portions of the payload URL, as well as additional information, are in fact hidden as meta-data for embedded images and objects, as shown in Figure 4.

Figure 4: Script content in the meta-data of a form object

Other script content bears essential information within its comments. Below, you can see evidence that this macro may originate from a template or guide. Here, some of the commentary relates to if the operating system is Windows or Mac.

Figure 5: Commentary included in the script

Embedded comments describe the usage of a shelled application and the startup process. If the macro is successfully run, it will display a series of images claiming to be loading content while repeatedly adding a garbage string to the document contents. It will then show an error message while downloading and running a malicious executable in the background.

The last significant step the threat actors take to avoid discovery is to download a Microsoft Self Extracting executable. This executable then unpacks a Quasar RAT binary that is 401MB. The technical maximum file upload size for the popular malware information sharing website, VirusTotal, is 550 MB. However, the commonly used public methods of submission, email and API, are set to 32MB maximum with special circumstances for API submission going up to 200MB. By using an artificially large file size the threat actors make sharing information difficult while also causing problems for automated platforms that attempt to statically analyze the content.

Table 1: Malware Artifacts

Filename MD5
0.doc 1d7328b01845117ca2220d8f5e725617
Period1.exe 15dbb457466567bfeaad1d5c88f4ebfe
Uni.exe e7bcec4d736a6553b4366b0273aaf6f8

Table 2: Network IOCs

IOC
hxxp://1xv4[.]com/due[.]exe
toptoptop1[.]online
toptoptop1[.]site

 

Yara Rule:

rule PM_Intel_Quasar_27476

{

    strings:

        $message_lede = "the password is " nocase

        $attachment = /[0-9]{1,3}\.doc/ nocase

        $subject = /subject:\s*attached resume/ nocase

    condition:

        all of them

}

 

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.  Cofense PhishMe offers a phishing scenario, “Password-Protected Resume – Office Macro / Monero / Smoke Loader,” to help users recognize the phish described in today’s blog.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Cofense Secures Additional Investment from Funds Managed by BlackRock

Company Reaffirms Commitment to Deliver Reliable Phishing Technology and Awareness Training to the Global Market

Leesburg, VA Cofense™, the global leader in intelligent phishing defense solutions, today announced that funds managed by BlackRock Private Equity Partners have taken an additional ownership position in Cofense, having acquired the equity of former investor Pamplona. Cofense is pleased to expand the partnership, initially inked in 2018, which will continue to support the company’s mission to help organizations stop phishing attacks in their tracks.  Private Equity Partners is BlackRock’s fund of private equity funds platform that sources and evaluates the full spectrum of private markets investing, including partnerships, direct co-investments, and secondary transactions.

“We met with dozens of world-class financial institutions who were keen to invest. We’re delighted that BlackRock was the winning bidder, as they are familiar with our business and already have a strong relationship with Cofense,” said Rohyt Belani, Co-Founder and CEO, Cofense. “BlackRock’s expanded investment is a direct reflection of their confidence in our company and the growing market opportunity. Cofense has a history of successfully uncovering and reporting threats from all corners of the globe, but we are particularly proud of our track record for taking all possible measures to protect our customers, partners and prospects from phishing attacks.”

In the previous 12 months, Cofense has accelerated its efforts to bring reliable, best-in-class phishing defense solutions to the global market, and as a result the fourth quarter (2018) and first quarter (2019) were the two most successful in company history. The company has close to 2,000 enterprise clients in over 150 countries, representing every major vertical from energy, financial, healthcare to manufacturing and high-technology. Since July 2018, Cofense has expanded its product suite to deliver turnkey solutions for employee education and awareness to phishing response. The company will continue investing in R&D to provide their customers with peak phishing protection across the organization.

In addition to technical accolades, including being positioned as a Leader in the Gartner Magic Quadrant for Security Awareness Computer-Based Training for the fourth consecutive year, Cofense has been recognized for its culture and team leadership. The company was named a 2018 Best Place to Work by the Washington Post and Washington Business Journal and included on the Inc. 5000 list of fastest growing companies. Most notably, Cofense has been honored multiple times in 2019 for raising the standards of excellent customer service, as a finalist for the 2019 SC Awards and HDI Team Awards, and as a winner of the ISPG Global Excellence Awards. The company also successfully completed a Service Organization Controls (SOC) 2 Type II examination for Cofense PhishMe™ and Hosted Cofense Triage™.

About Cofense
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact
press@cofense.com

Why Join Us at Cofense Submerge? Here’s What Attendees Say

Next month in Orlando we’ll be hosting CofenseTM Submerge 2019, our fourth annual user conference and phishing defense summit. As we wrap up each event, we ask attendees for feedback. What did they like best? Networking and hearing other customers’ experiences are always the top responses. As a former customer who now works at Cofense, I totally agree.   

Here are some of the answers we heard last year when we asked, “Why attend Submerge?” 

“Sharing ideas was tremendously helpful to me—having the opportunity to meet other people from a variety of industries doing the same thing that I do.” 

We’re all on this journey together, so the opportunity to meet industry peers is invaluable. If you’re new to getting your phishing defense program started, networking with peers can go a long way. If you’ve been running your program for a while and want to recharge it or find out about the latest in the phishing threat landscape, this is the place to get all that! You’ll be amazed how folks in different industries deal with the very same challenges. 

“I’ve taken tons of notes that will help me justify budget and take our program to the next level.” 

When you can take tidbits back to your boss, tips and tricks you can use immediately, that’s a good return on investment. Submerge 2019 offers nearly 30 sessions packed with practical information. Besides getting inspired about the future, you can apply what you learn right away. 

 “Substantive case studies provided by clients who had good program maturity.” 

Each year we hear from our attendees that they prefer sessions that are led by other customers. And when customers speak, we listen. This year, 80% of our sessions will be led by customers. The topics of our sessions this year range from phishing programs to technical incident response and threat intelligence. In most cases, the session leaders will be your peers, people that manage mature phishing defense programs. 

“Submerge is knowledge, security, and innovation.” 

This year’s sessions cover the gamut: trends in security awareness and incident response, a glimpse at our product road map, deep dives on topics like dealing with repeat clickers, and lots more. Not only do we have great sessions, but we have Kevin Mandia, FireEye CEO, providing insights into the incident response landscape.  

So, don’t just take our word for it—ask around and you’ll hear many more reasons to attend Cofense Submerge. Join us in Orlando, September 23-24!  

  

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. 

New Phishing Campaign Bypasses Microsoft 365 ATP to Deliver Adwind to Utilities Industry

The CofenseTM Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee.

The malware boasts the following features:

  • Takes screen shots
  • Harvests credentials from Chrome, IE and Edge
  • Accesses the webcam, record video and take photos
  • Records audio from the microphone
  • Transfers files
  • Collects general system and user information
  • Steals VPN certificates
  • Serves as a Key Logger

Email Body

Fig1. Email Body

This email comes from a hijacked account at Friary Shoes. Also note the web address for Fletcher Specs, whose domain threat actors are abusing to host the malware.

The email body is simple and to the point: “Attached is a copy of our remittance advice which you are required to sign and return.” At the top of the email is an embedded image which is meant to look like a PDF file attachment, however, is in fact a jpg file with an embedded hyperlink. When victims click on the attachment, they are brought to the infection URL hxxps://fletcherspecs[.]co[.]uk/ where the initial payload is downloaded.

Fig 2. Payload 

The initial payload is in the form of a .JAR file named: “Scan050819.pdf_obf.jar.” Note that the attacker has attempted to make the file appear as if it were a PDF by attempting to obfuscate the file true extension.

Fig 3. Running processes

Once executed, we can see that two java.exe processes are created which load two separate .class files. JRAT then beacons out to its command and control server: hxxp://ns1648[.]ztomy[.]com

Fig 4. C2 Traffic

Adwind installs its dependencies and harvested information in: C:\Users\Byte\AppData\Local\Temp\. Here we can see the two class files the jave.exe process has loaded along with a registry key entries and several .dlls:

Fig5. Additional dependencies and artifacts 

The malware also attempts to circumvent analysis and avoid detection by using taskkill.exe to disable popular analysis tools and antivirus software. If we take a closer look at the registry entries file we see that the malware looks for popular antivirus and malware analysis tools.

Fig 6. Anti-Analysis

Indicators of Compromise (IOCs):

Malicious File(s):

File Name: Scan050819.pdf_obf.jar

MD5: 6b94046ac3ade886488881521bfce90f

SHA256: b9cb86ae6a0691859a921e093b4d3349a3d8f452f5776b250b6ee938f4a8cba2

File size: 634,529 bytes (619K)

File Name: _0.116187311888071087770622558430261020.class

MD5: 781fb531354d6f291f1ccab48da6d39f

SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

File size: 247,088 bytes (241K)    

File Name: _0.40308597817769314486921725080498503.class

MD5: 781fb531354d6f291f1ccab48da6d39f

SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

File size: 247,088 bytes (241K)

File Name: gCMmWntWwp7328181049172078943.reg

MD5: 7f97f5f336944d427c03cc730c636b8f

SHA256: 9613caed306e9a267c62c56506985ef99ea2bee6e11afc185b8133dda37cbc57

File size: 27,926 bytes (27K)

File Name: Windows3382130663692717257.dll

MD5: 0b7b52302c8c5df59d960dd97e3abdaf

SHA256: a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0

File size: 46,592 bytes (45K)

File Name: sqlite-3.8.11.2-fd78b49b-d887-492e-8419-acb9dd4e311c-sqlitejdbc.dll

MD5: a4e510d903f05892d77741c5f4d95b5d

SHA256: a3fbdf4fbdf56ac6a2ebeb4c131c5682f2e2eadabc758cfe645989c311648506

File size: 695,808 bytes (679K)

File Name: Windows8838144181261500314.dll

MD5: c17b03d5a1f0dc6581344fd3d67d7be1

SHA256: 1afb6ab4b5be19d0197bcb76c3b150153955ae569cfe18b8e40b74b97ccd9c3d

File size: 39,424 bytes (38K)

 

Malicious URL(s):

hxxps://fletcherspecs[.]co[.]uk/

hxxp://ns1648[.]ztomy[.]com

 

Associated IP(s):

109[.]203[.]124[.]231

194[.]5[.]97[.]28

 

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analysed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM.It offers a phishing simulation, “Remittance Advice – Adwind,” to educate users on the attack described in today’s blog.

Remove the blind spot with Cofense ReporterTM—give users a one-click tool to report suspicious messages, alerting security teams to potential threats.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand current threats, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations.  Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense and CNA Strengthen Security Awareness Within Cyber Insurance Industry

Leesburg, Va. – August 15, 2019 –Cofense™, the global leader in intelligent phishing defense solutions, announced its strategic relationship with CNA, one of the largest commercial property and casualty insurance companies in the United States. Cofense will provide security awareness training as part of CNA CyberPrep, the latest addition to CNA’s suite of cyber liability insurance products designed to help companies take a holistic approach to cyber threats.

Phishing attacks remain the top attack risk facing organizations. As a result, educating and training employees is a critical part of a robust cybersecurity platform. CNA policyholders can take advantage of Cofense’s world-class, human-driven training tools to include a fully functional-learning management system and more than 20 cyber-related computer-based training modules. Cofense’s Learning Management System (LMS) helps administrators manage content and ongoing education about cyber security risks, meanwhile the company’s Computer Based Training (CBT) educates users on today’s biggest threats with interactive modules. This two-pronged approach empowers users to input their own lessons and manage Cofense and non-Cofense learning materials all in the same place.

CNA policyholders will get access to all Cofense solutions at a preferred rate, and will be eligible for a Cofense Managed Phishing Assessment to provide a benchmark of their current phishing risk and resiliency. This assessment helps companies to improve their threat identification, mitigation and response operations.

“Our relationship with CNA brings together multiple types of risk management services. We are helping to create a comprehensive solution for businesses to remain prepared and competitive,” said Rohyt Belani, CEO and Co-Founder of Cofense. “Working together seamlessly with the other components of CNA CyberPrep, we are confident that our security awareness solutions can help CNA’s policyholders fight phishing threats.”

“In today’s technology-driven world, it is clear that cyber threats represent a critical and growing risk,” said Brian Robb, Underwriting Director and Cyber Industry Leader, CNA. “Businesses must stay ahead of emerging cyber risks and the security threats they pose, and we want to make sure CNA policyholders have access to the best services and technology available. Cofense is an industry leader in phishing defense solutions and security awareness training, which will deliver great value to our policyholders.”

About Cofense

CofenseTM, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

press@cofense.com

 

Remote Access Trojan Uses Sendgrid to Slip through Proofpoint

The CofenseTM Phishing Defense CenterTM observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works:

Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

Cofense IntelligenceTM has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular Microsoft Exchange Online Protection, and make its way to the end user.