TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host.

TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting to threat mitigation controls. By moving the web browser credential harvesting feature to a standalone module, threat actors trim down their initial footprint of infection. This adaption allows for fewer detections and the ability to download specific modules for better results after the infected host has been fingerprinted.

Safeguarding against this attack requires educating users about the importance of not saving credentials in the browser. For protection against other attacks, use technology to limit the number of times this type of payload gets to end users and educate them on the impacts these executables can have.

Technical Findings

The ‘Cookie Grabber’ module is downloaded in the same fashion as the other modules used by TrickBot. This module’s stark difference is the ability to parse through web browser databases locally to extract the targeted information. The module is placed within the %APPDATA%/Roaming directory with the other downloaded modules, all of which include ‘cookiesDll64’ in the naming convention.

This information stealing module targets Firefox, Chrome, and Internet Explorer web browsers. With Internet Explorer, the module targets the text files that store browser cookie information located within the user profile directories, as shown in Figure 1 (Appendix A). Additionally, it targets Firefox and Chrome cookie information that is housed within a SQLite database on the local host. The ‘Cookie Grabber’ module appears to have pre-defined SQL queries to gather the targeted information from both Firefox and Chrome. This module also makes use of a SQLite 3 embedded engine to allow for further database manipulation from the threat actor.

Once the infection has taken hold on the victim’s machine and the modules have been downloaded, decoded, and injected into svchost.exe, the sample then attempts to exfiltrate the gathered information using two HTTP POST commands.

  • The first HTTP POST is a form-data content-type to the Command and Control (C2) server containing other credentials harvested outside of the web browsers. Appended to the C2 URL is a unique string identifier containing host fingerprint information. This POST contains two distinct sections of information, one is the harvested credentials, the other is the source of the credentials. Figure 2 (Appendix B) shows the first HTTP POST to the C2 and contains FTP credentials gathered from the legitimate application, WinSCP.
  • The second HTTP POST to the C2, shown in Figure 3 (Appendix B), has a different User-Agent string, which has changed from a legitimate value to ‘dpost.’ The dpost value comes from the name of the configuration file used and serves as an identifying marker for the TrickBot’s network traffic used while exfiltrating the data. The destination port has also changed from 80 to 8082. This second HTTP POST includes the harvested web browser information, which is base64 encoded. The encoded information appears to contain the user profile name, the browser the information was harvested from, the URL, user name, password, time last used, and time created. These values are separated by a pipe (‘|’) and resemble the format below:

‘User Profile | Web Browser | URL | User Name | Password | Timestamp | Timestamp |/’

Each record collected by TrickBot and exfiltrated through the HTTP POST is separated by a forward slash (‘/’) character. In both HTTP POSTs, the C2 server was named ‘Cowboy’ and replied with a HTTP 200 OK containing a small text response of ‘/1/’. Figure 2 (Appendix B) shows the first HTTP POST to the C2, while Figure 3 (Appendix B) shows the second HTTP POST to the same C2. Notice the User-Agent value differences as well as the base64 encoded data strings within the second HTTP POST.

Recommendation:

CofenseTM encourages organizations to train users to be cautious in clicking links or opening attachments that could lead to harmful malware being installed on their machine. It’s also important to encourage users to report a suspicious message even if they clicked on the link or opened the attachment as malware can still get installed in the background.

The appendices below contain figures related to this sample of TrickBot. For more information please contact Intelligence@Cofense.com.

Appendix A:

Figure 1: Locations that ‘Cookie Grabber’ searched for Internet Explorer cookies

Appendix B:

Figure 2: The First HTTP POST to the C2 containing gathered non-web browser related credentials

Figure 3: The second HTTP POST to the C2 containing the base64 encoded credential strings

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. Understand the evolving landscape—read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

By Tej Tulachan

The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works.

Email Body

At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the absence of the recipient’s name, just “Good day.” If we look deeper into the message body, we can see that there is an embedded hyperlink which directs to hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/

Figure.1

Email Header

From the email header we can see that the threat source originates from the domain narndeo-tech[.]com. Further investigation reveals it belongs to Hetzner Online GmbH which is a well-known hosting company based in Germany. We noted that there is no sign of proof this came from a genuine DocuSign domain.

From: Lxxxx Mxxx <xxxxxx22@narndeo-tech[.]com>

To: R______ L_______ <unsuspecting.victim@example.com>

Message-ID: <20190716055127.3AEBF4689BD125B3[@]narndeo-tech[.]com>

Subject: New Docu-Sign

X-Env-Sender: lesliemason22[@]narndeo-tech[.]com

Phishing Page

When users click on the embedded link, it redirects to a phishing page as shown below in figure 2. Here the attacker gives six separate options for users to enter their credentials to access the DocuSign document, increasing the likelihood this phisher gets a bite.

Figure.2

Once the user clicks on the given option, it redirects to the main phishing page as shown below in three versions, Office 365, Gmail, and iCloud.

Figure.3

Email Gateway: This threat was found in an environment running Symantec EmailSecurity.Cloud.

Conclusion:  

IOC

hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/

108[.]177[.]111[.]153

Recommendation:

Cofense™ cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that instruct users to provide their credentials. If your organization uses DocuSign as part of its business processes, remind users how they should expect legitimate notifications according to your internal standards. Cofense PhishMe™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.  A simulation template is available as “Completed Document,” which is based on a real phishing campaign. We also have existing newsletter (Announcement) content available to send to your users.

Reference: https://www.docusign.com/sites/default/files/Combating_Phishing_WP_05082017.pdf

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM.

Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than  Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Labs Publishes Database of Over 200 Million Compromised Accounts Targeted by Sextortion Email Campaigns

Leesburg, Va. – August 5, 2019 – CofenseTM, the global leader in intelligent phishing defense solutions, today published a database of over 200 million compromised accounts being targeted by a large sextortion scam to ensure potential victims and their employers can address the threat of sextortion and prevent lost wages and productivity. Cofense Labs, the newly formalized research and development arm of Cofense, discovered a “for rent” botnet in June 2019 used primarily to send sextortion emails. The research team is monitoring the botnet’s activity on a daily basis to observe changes in the malware it is spreading as well as tracking new email addresses being targeted for sextortion phishing emails.

Sextortion is an email-based scam that relies on emotion-driven motivators such as fear and urgency to extort a ransom payment in return for the scammer’s commitment not to leak sensitive information. The method has become an increasingly pervasive threat, with Cofense Labs analysing over 7 million email addresses impacted by sextortion in the first half of 2019 alone. Cofense also assessed that more than $1.5M in payments were made to bitcoin wallets associated with sextortion campaigns this year. Poor password hygiene, including infrequent changes and reuse across multiple sites, add further credibility to sextortion threats being made.

“This botnet is not infecting computers to acquire new data sets – it is a true “spray and pray” attack reusing credentials culled from past data breaches to fuel legitimacy and panic through sextortion scams,” said Aaron Higbee, Cofense Co-Founder and CTO. “If your email address is found in a target list used by the botnet, it’s highly likely you will receive a sextortion email – if you haven’t already. We felt it was critical to get this information out. We hope that victims receiving a sextortion email will find our resource center so they can avoid the anxiety and stress of trying to figure out whether to pay a bitcoin ransom.”

Data breaches continue to headline the news, and as a result, massive sets of email addresses and passwords are making their way to the criminal corners of the internet. Cofense Labs’ research indicates that the hackers behind this sextortion campaign are recycling old email addresses and passwords – dating back at least 10 years – for new monetization purposes.

“Cofense Labs advises that owners of emails included in the database should change any passwords for accounts associated with that address. And most importantly, if a sextortion email is received, we do not recommend responding to the email or paying the ransom,” added Higbee. “The release of this sextortion database is just one example of the pioneering work Cofense Labs is conducting. Our team is committed to expanding visibility into the evolving phishing threat landscape and sharing tools, techniques, and insight with the security community.”

There are several actions consumers and organizations can take to prevent sextortion and deal with the threat, including: employing a password manager to keep passwords strong and unique; enabling two-factor authentication whenever this is an option for online accounts; and covering all computer cameras. To view the full database provided by Cofense Labs, as well as a guide for employers and employees, click here.

The mission of Cofense Labs is to provide leading edge, innovative research and subject matter expertise to address real-world cyber security challenges. The research and development team’s insights aim to provide actionable intelligence to assist with proactive defense. Where appropriate, Cofense Labs will make the output of its research freely available to encourage and enable collaborative defense. Projects will be made available at cofenselabs.com.

About Cofense

CofenseTM, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

press@cofense.com

 

Cofense Labs Shares Research on Massive Sextortion Campaign

Are you one in two hundred (or so) million?  

Today, CofenseTM announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them.  

What’s Sextortion? 

You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this: 

Send an email in which they claim to have installed malware on your system and have a record of your browsing history to some websites of an adult nature, and also footage from your webcam. If you don’t pay the stated ransom in bitcoin, they will release the footage to your family, friends, and co-workers. To add credibility to their threats, they include passwords hoovered up from data breaches of old that they have found littering the web.  

Show me the money! 

Find Out If Your Business Is at Risk 

During the research into this campaign, Cofense Labs identified over 200m recipients on the target list. Over 7.8m sextortion emails have been analysed and bitcoin payments have been tracked. In this single campaign, over 17,000 bitcoin wallets were identified, with 1,265 payments being made across 321 of them, with one payment = one victim. At the time of analysis, these payments were worth over $1.8m.   

We have made it possible for you to check whether your email address, or email domain, is on the list. Just visit https://cofense.com/sextortion to perform the lookup and download an infographic and educational guide regarding sextortion campaigns and how to defend against them. 

Why Cofense Labs? 

Knowing is everything, and to be able to effectively defend against the fast-evolving phishing threat landscape, you’ve got to have a deep understanding of it. Cofense Labs allows us to share the results and the output of the pioneering research that our R&D team undertakes to provide this knowledge. By sharing what we know, we can hopefully enable organizations of all sizes to collaborate and protect their most precious assets against the latest phishing threats. 

If you’re at Black Hat in Las Vegas this week, come and see us at Booth 938 in the Shoreline Business Hall. You can meet members of the Cofense Labs team, and see whether your email address or domain is on the target list. 

 OTHER WAYS COFENSE CAN HELP 

Reports of sextortion and other ransom scams to the Cofense Phishing Defense CenterTM are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM. 

Quickly turn userreported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM. 

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeekerTM. 

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review. 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Cofense Named a Leader in the 2019 Gartner Magic Quadrant for Security Awareness Computer-Based Training for the Fourth Consecutive Year*

Company continues to positively impact employee behavior with effective solutions for phishing protection.

Leesburg, Va. – July 31, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, today announced their position in the Leaders quadrant of the 2019 Gartner Magic Quadrant for Security Awareness Computer-Based Training*. This is the fourth consecutive year that Cofense has achieved this position. Cofense believes being positioned as a leader in the quadrant is a testament to the company’s continued ability to deliver innovative solutions backed by superior customer experience.

“We are proud to be designated a leader in Gartner’s Security Awareness Computer-Based Training report,” said Rohyt Belani, CEO, Cofense. “We feel this industry recognition validates and reinforces that Cofense solutions, especially Cofense PhishMe™, offer the enterprise an effective security awareness solution that positively impacts employee behavior.”

Cofense provides a turnkey phishing defense solution that helps our customers leverage their conditioned employees to rapidly identify phishing attacks bypassing their email gateways and most importantly, give the security operations teams the products to streamline the detection and response cycle that ensues. In essence, Cofense customers are able to operationalize the training provided by Cofense PhishMe to demonstrably stop phishing attacks in their tracks.

Despite billions of dollars invested in perimeter controls, 90% of the emails reported with Cofense have bypassed at least one secure email gateway. In June, the company released its 2019 Phishing Threats and Malware Review which highlights the latest evolutions to threat actor campaigns and enhanced capacity for malware to evade perimeter controls and penetrate user inboxes. The trends further emphasize the need for all organizations to focus more on embracing the human element of cyber security.

In addition to Cofense receiving recognition for Security Education, Incident Response, Cyber Threat Intelligence and Managed Security Service in the Cyber Security Excellence Awards, the company has also received customer recognition and was also named a January 2019 Gartner Peer Insights Customers Choice for Security Awareness Computer-based Training Software.

To connect with the Cofense team at Black Hat USA in Las Vegas from August 6-8, please click here.

*Gartner Magic Quadrant for Security Awareness Computer-Based Training, Joanna Huisman, 18 July 2019. Cofense previously positioned as PhishMe.
Gartner Disclaimers
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

 

About Cofense
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact
press@cofense.com

Threat Actors Subscribe To Patches

Cofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld. The patching subscription model may be a burden to some enterprise environments, but its underworld equivalent is a significant boon to law enforcement and network defenders. Personnel tasked with combating nefarious software can leverage the patching and licensing mechanisms of subscription-based malware to track down distributors.  

The Reasons Behind The Model 

Much like with legitimate software, threat actors decide what malware to buy based on several factors including the reviews, price, type (such as a keylogger or a Remote Access Tool (RAT), developer, and marketing. However, to make money in this competitive environment, malware developers need to take different approaches, such as: 

  • Sell the product for much less than similar malware. 
  • Give the product away. While this strategy may appear to be a good deal, malware developers have been known to include a back door enabling them to steal their “customer’s” stolen data.  
  • Base the new malware on a pre-existing and well-known malware, such as WSH RAT. As discussed in a previous CofenseTM report, the developers of this RAT billed it as a “new” RAT with advanced features and offered it at a starting subscription price of only $50 per month. However, in reality, WSH RAT wasn’t new at all and was a variant of the pre-existing and long-lived Houdini Worm with some minor feature improvements. 
  • Focus on spending heavily on marketing. While concentrating on marketing can be profitable, it is likely the reason that some malware perceived as the “next big threat” disappears shortly after making headlines – probably because the budget was spent mainly on marketing rather than development.  

Possibly taking a lesson from legitimate software companies and the frequent failure of the options mentioned above, more and more malware developers have started to adopt the patching subscription model. This model allows them to take the middle road, charging relatively smaller subscriptions (in the case of Alpha Keylogger, $13 per month) while claiming to deliver more and being able to delay feature release.  

The glut of available products, however, often leads malware developers to over-promise on features for which they then must include a basic test or example of in their code. Expedited or rushed releases of the software lead to buggy code, in turn hurting the credibility of malware authors. For instance, Alpha Keylogger claims to have a suite of features including the ability to exfiltrate data over email, FTP, or via the API of the messaging company Telegram. In practice, customers (threat actors) can choose FTP or email, and the keylogger will still attempt to exfiltrate information via Telegram API even when the configuration data is blank. This attempt creates a distinct and apparent HTTPS request on infected machines that do not successfully exfiltrate data and can be used to help identify this malware in network traffic. 

Why Network Defenders Like Updates 

The “bug” in Alpha Keylogger that causes extraneous network traffic could allow network defenders to look for such malformed URLs as signs of malicious activity despite the involvement of a legitimate domain. Even intentional updates on the part of malware developers can assist network defenders. An example of this is when the Geodo/Emotet botnet began distributing a new module. The nature of this deployment allowed Cofense to correctly assess and prepare for the delivery of more sophisticated phishing emails. If the changes had been made by a new family of malware rather than as part of an update that Cofense was looking for, it would have been more challenging to prepare. 

Why Law Enforcement Likes Licensing 

The bugs and hints provided via malware updates are helpful to network defenders, but the licensing system behind these updates can be even more useful to law enforcement. Many RATs store the license key of the individual that purchased the malware builder as a registry entry on infected computers. Depending on the method used to obtain this license key, the payment information may be associated with the key even if it is not directly associated with the individual who purchased the key. Subsequentially, a receipt of some sort may be sent to an account that is accessed by the threat actor who bought the license key. Under the right circumstances, a license key saved as a registry entry on a victims computer could be linked with a receipt in a threat actor’s inbox, attributing them to the attack. Law enforcement organizations could then build a case using this link and additional information, such as the IP address used to access the inbox. 

Applicability In Enterprise Environments 

Organizations with enterprise-scale infrastructure often encounter “shadow IT” software or malware applications that can be difficult to spot and eradicate. The licensing mechanisms found in subscription-based malware—to include potential receipts in email—can be used by threat hunters to identify insider threats. Organizations impacted by malware akin to Alpha Keylogger can weed out further infections by leveraging incident response tools and YARA rules (such as the ones provided by Cofense IntelligenceTM) which inspect registry keys. Furthermore, the potential for attribution and legal action against a threat actor through license tracking provides large corporations with enhanced defensive capabilities. 

Table 1: Malware Artifacts 

Filename  MD5 
Company Profile.doc  b46396f32742da9162300efc1820abb3 
bukak.exe  3ceb85bcd9d123fc0d75aefade801568 

 

Table 2: Network IOCs 

IOC 
biz[@]Bootglobal[.]com 
kamonubilel[@]gmail[.]com 
hxxp://ktkingtiger[.]com/bukak[.]exe 

 

 

HOW COFENSE CAN HELP 

Cofense Intelligence processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats. 

The Cofense Phishing Defense CenterTM identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats. 

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMeTM.  It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense ReporterTM. 

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM. 

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekeTM. 

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

By Karen Kokiko

The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response.

Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here.

Fast and Flexible Searching

Traditional email search and quarantine tools are slow and inflexible, offering limited search scope like ‘Sender’ and ‘Subject.’ It’s difficult to find the entire attack fast enough and account for the way tactics, techniques, and procedures morph.

The Cofense Vision user interface allows SOC analysts to search by combinations of fields, grouping emails together by selected criteria. You can search for recipients, senders, MIME type, attachments, a specific time, and more, essentially creating your own cluster. Then quarantine one or hundreds of malicious emails with a simple click. If you later determine that emails are harmless, you can “un-quarantine” them just as easily.

Built for Companies of All Sizes

The new Cofense Vision UI supports smaller customers who don’t have engineering teams or power users to write scripts and code. You can simply search natively and quarantine quickly. An hour after installation, analysts are ready to defend.

For example, an end-user at a small business sends a suspicious email to IT for investigation. IT determines it is malicious and wants to find out if anyone else received it. With the new Cofense Vision UI, they can search on key criteria found in the malicious email to determine if more than one instance of the message is in their environment, then quarantine the email in seconds.

If your company is larger, the interface improves the experience of power users and operators who are writing scripts or otherwise programmatically interacting with Cofense Vision. Proactive analysts, those with some information about where and how the bad guys are likely to attack, can use the UI to identify and quarantine malicious actors before any damage is done. SOC analysts can write rules to look for signs of malicious activity, searching criteria such as To, From, Subject, Attachment Hash, and the content of the message.

All of this shortens “dwell time” and the amount of damage an attacker can cause in your email environment. According to a SANS Institute survey, 75 percent of respondents say they reduced their attack surface by through more threat hunting. Fifty-nine percent believed that threat-hunting enhanced the speed and accuracy of their company’s incident response.1

The new Cofense Vision UI makes threat-hunting faster, easier, and more effective. Learn more or sign up for a demo now!

More Ways Cofense Can Help

90% of phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Then reduce exposure time by rapidly quarantining threats with Cofense Vision.

Be proactive against evolving phishing threats. Easily consume high-fidelity phishing-specific threat intelligence to defend your organisation with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threat than Cofense. Understand the current phishing threat – read the 2019 Phishing Threat & Malware Review.

 

1SANS Institute, “2018 Threat Hunting Survey”: https://www.sans.org/media/analyst-program/Multi-Sponsor-Survey-2018-Threat-Hunting-Survey.pdf

  

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

By Jake Longden

The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work.

Email Body:

The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel straight through security checks at the gateway.

WeTransfer allows for the addition of a note to the email to clarify why the file was sent. Here, the threat actor will often write a note stating that the file is an invoice to be reviewed. This is a commonly observed phishing technique to pique the user’s interest.

Fig 1. Email body

Phishing Page:

When the user clicks on the “Get your files” button in the message body, the user is redirected to the WeTransfer download page where a HTM or HTML file is hosted and thus downloaded by the unsuspecting victim. When the user opens the .html file, he or she is redirected to the main phishing page.

Fig 2. WeTransfer Hosted file

In the final stage of the attack, victims are asked to enter their Office365 credentials to login. More often than not, we see a Microsoft Service being targeted, however we have observed other targeted brands.

Fig 3. Phishing Page

Gateway Evasion

As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites. The PDC has observed this attack method to bypass multiple gateways. These include ProofPoint, Office365 Safe Links,  and Symantec.

Useful Resources for Customers

Description
Triage Yara rule: PM_WeTransfer_File_Download
PhishMe Templates: “File Transfer”
Cofense Intelligence: https://www.threathq.com/p42/search/default#m=26412&type=renderThreat 


Other Ways Cofense Can Help

The Cofense Phishing Defense Center identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.  Our solution offers a phishing simulation to protect against file-transfer attacks like the one described in this blog.

According to the Cofense Phishing Defense Center, over 91% of the credential harvesting attacks they identify bypassed email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understand, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Ransomware: A Mid-Year Summary

By Alan Rainer

Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting.

Ransomware Is Down Holistically, But Targeted Infections Are Up

Threat actors find that targeted ransomware attacks against high-value victims can be accomplished with greater efficiency, enabled by other malware families such as Emotet/Geodo. These secondary malware families provide an effective attack vector that increases the success of phishing attempts and targeted ransomware campaigns. Emotet—an email-borne Trojan which actors use to install other nefarious tools—has gone offline with no activity since June 2019. If the Trojan were to resurface, we assess that threat actors could rather easily carry out more email ransomware attacks on a broader scope. Without the efficiency provided by Emotet or even a Ransomware-as-a-Service such as GandCrab (which has supposedly shut down permanently), targeted infections continue to be the more lucrative option for ransomware operators.

Recent headlines have drawn attention to exceptionally costly targeted ransomware attacks against local US governments, healthcare services, and the transportation sector. Also spurring great debate: cyber insurance companies are recommending payment of ransom and are directly contributing to those payments as part of their insurance coverage. Taking this into account— along with the hefty price tags associated with the recovery costs of cities who have not elected to pay the ransom, such as Atlanta and Baltimore—Cofense Intelligence™ assesses this could lead to an uptick in ransom payments and further embolden an increase in targeted ransomware campaigns.

Only last week, the cyber insurer of La Porte County in Indiana contributed $100,000 toward an equivalent of $130,000-valued Bitcoin demand. The firm advised La Porte County to pay the threat actors, who infected local networks using the Ryuk ransomware. Similar stories have emerged across the United States. What remains to be seen is how effective recovery is following payment. Often, decryption is not as immediate or successful as ransomware operators would have their victims believe.

Will Cyber Insurance Create New Targets?

It makes sense that organizations seek indemnity to protect their financial portfolios. But while everyday scams or fraud occur in a traditional insurance setting, cyber criminals may look to specifically target insured organizations for a guaranteed return in the future. Cyber insurance companies known to pay out ransom could present a surefire target for actors.

Regardless of targeting potential, all organizations should engage in appropriate planning and preparation with defense technology and user awareness. Threat intelligence will help to ensure that your organization’s defense is as proactive as possible. Educating and enabling your users to identify and report phishing messages ensures preparedness at every line of defense. As an industry leader in phishing defense solutions, CofenseTM provides security professionals with tools and skills to combat email-borne threats, so that you can defend against even those threats that bypass your perimeter technologies and reach user inboxes. Only by stepping up our collective defense will we reduce the efficacy and proliferation of ransomware campaigns for good.

More Ways Cofense Can Help

Cofense IntelligenceTM processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats.

The Cofense Phishing Defense CenterTM identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMeTM.  It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

This Phishing Attacker Takes American Express—and Victims’ Credentials

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.