Phish Found in Proofpoint-Protected Environments – Week Ending July 5, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. The majority of this week’s examples are Credential Theft, an attack type we’ve been watching grow for some time. While not a panacea, many companies are rolling out MFA solutions to reduce the risk from compromised accounts.

TYPE: Credential Theft

DESCRIPTION: This notification-themed phish spoofs a European provider of credit and payment cards to trick victims into turning over their credentials.

TYPE: Credential Theft

DESCRIPTION: This notification-themed email delivers a .htm file pretending to be a short voice message. Instead, it spoofs Microsoft URLs with the intent to harvest login credentials.

TYPE: Malware – Mass Logger

DESCRIPTION: This finance-themed attack delivers OneDrive URLs to the unsuspecting victim, leading them to download the Mass Logger malware. This malware was recently analyzed by Cofense and noted for its capabilities as well as its frequent update cycle.

TYPE: Credential Theft

DESCRIPTION: Here’s a finance-themed phishing attack that delivers attached .html files. These files spoof a well-known brand to capture corporate credentials.

TYPE: Credential Theft

DESCRIPTION: They say sharing is caring, but not when it’s a phishing attack masquerading as a Coronavirus document. This attack uses SharePoint URLs to host credential-stealing pages. Cofense has been tracking COVID-19 scams since the beginning.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Fryday – Cutting Through the Noise at IMAX

Security analysts need data – lots of data – to do their jobs defending organizations. It’s easy to drown in all the noise, though, and not be able to find attacks and respond quickly. In this episode we speak with IMAX Information Security Analyst Rob Sipthorpe to discuss the IMAX phishing defense program and how they’re cutting through the noise and finding bad fast.

Learn more:

IMAX

Cofense Triage

Questions or comments? Reach us at phishfryday@cofense.com

Phish Found in Proofpoint-Protected Environments – Week Ending June 28, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Of note is the use of macro-enabled documents using Microsoft Office document extensions dating to versions sold prior to 2007. Organizations may want to consider ways to identify and filter these files.

TYPE: Malware – Dridex

DESCRIPTION: Macro-enabled Excel documents and Dridex malware – name a more iconic pair. This phishing attack used Microsoft Excel documents to deliver Dridex to the inbox. Just like we’ve been blogging about since 2017.

TYPE: Malware – ZLoader

DESCRIPTION: Who uses XLS files anymore? Well, attackers for one. This attack uses the long outdated file type to execute macros that download ZLoader via a VBS chain. Cofense Triage customers have been detecting and remediating attacks delivering ZLoader since 2017.

TYPE: Credential Theft

DESCRIPTION: This phish leverages a trusted cloud storage service to capture login credentials from the Danish-speaking victim. This should come as no surprise, as Cofense has been seeing the use of trusted cloud services for years.

TYPE: Malware – NetWire

DESCRIPTION: Microsoft’s Office Equation Editor vulnerability (CVE-2017-11882) has been a favorite for attackers. Discovered in 2017, malicious documents are delivered via attachment or, as in this case, embedded URL to compromise victims. This example delivers the NetWire Remote Access Trojan.

TYPE: Malware – ZLoader

DESCRIPTION: Another attack using the old XLS format with macros to deliver ZLoader. This one uses an invoice theme to trick its victims into opening the attachment.

TYPE: Malware – Agent Tesla

DESCRIPTION: This invoice-themed phish includes an embedded URL to download a .7z archive. Inside the archive is the ever-popular Agent Tesla, a top threat as recently as last year.

TYPE: Credential Theft

DESCRIPTION: While we saw plenty of malware in this week’s batch, the old standard of credential phish is still around. This profile-themed phish spoofs a state agency to capture credentials that are exfiltrated using Google forms.

TYPE: Malware – Hive

DESCRIPTION: This purchase order-themed phish delivers an embedded URL to the FireBird Remote Access Trojan variant known as Hive.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Phish Fryday – APIs and Automated Phishing Defense

Cyber defenders are strapped for resources, having to constantly do more with less. The risks are many, the tools are multiplying, and yet the job continues to get harder. Here to talk about how automation and integration through API usage can improve cyber defenses are Pete Smith, Cofense Director of Product Management and Cofense Director of Technical Alliances Mike Saurbaugh.

Learn more

Cofense Triage

Cofense Vision

Cofense Intelligence

Questions or comments? Reach us at phishfryday@cofense.com

“You’re Invited!” to Phishing Links Inside .ics Calendar Attachments

By Ashley Tran, Cofense Phishing Defense Center

Every day threat actors find more and more ingenious ways to deliver phishing emails to end users. From direct attachments to using third-party document hosting sites and… calendar invitations? The Cofense Phishing Defense Center (PDC) has unearthed a new phishing campaign in multiple enterprise email environments protected by Proofpoint and Microsoft that delivers .ics calendar invite attachments containing phishing links in the body. It is assumed that the attackers believe stuffing the URL inside a calendar invite would help avoid automated analysis.

Figure 1: Email Body

The subject of this phish is “Fraud Detection from Message Center,” reeling in curious users. The sender display name is Walker, but the email address appears to be legitimate, possibly indicating a compromised account belonging to a school district. Cofense observed the use of several compromised accounts used to send this campaign. Using a compromised real account originating from Office 365 allows the email to bypass email filters that rely on DKIM/SPF.

The story in this phish is a version of a classic lure “suspicious activity on the user’s bank account.” This attachment, however, doesn’t jibe with the ruse considering it’s a calendar invite. A more fitting lure would have been something like “I attached a meeting invite; can you please attend?” Maybe this attacker flunked out of Internet bad guy school.

Figure 2 shows what the calendar invite looks like when opened. Note that it’s hosted on the legitimate Sharepoint.com site, an issue that continues to be problematic for Microsoft.

Figure 2: Calendar invite (.ics) Attachment

Upon clicking the link in the fake invitation, a relatively simple document opens with yet another link to follow, as seen in Figure 3 below:

Figure 3: Phishing Page

If the victim follows that link, they are redirected from sharepoint.com to a phishing site hosted by Google. Clicking anywhere on the document then redirects users to a bogus phishing page seen in Figure 4.

Figure 4: Phishing Page

As shown in Figure 4, the final phishing page users are directed to is hosted on:

hXXps://storage[.]googleapis[.]com/awells-putlogs-308643420/index[.]html

This is not the first time threat actors have utilized “storage[.]googleapis[.]com” to host their phish. In fact, it is becoming increasingly common thanks to its ease of use as well as the built-in SSL certificate the domain comes with which adds the “trusty” padlock to the side of its URL.

Once redirected here from the previous SharePoint page, users are presented with a convincing Wells Fargo banking page, as seen in Figure 4. This page asks for a variety of Wells Fargo account information including login details, PIN and various account numbers along with email credentials. At surface value, it may seem excessive to request this level of information, but under the pretense of “securing” one’s account, it may not appear to be so much.

Should users provide all the requested information, they will finally be redirected to the legitimate Wells Fargo login page to make the user believe they have successfully secured their account and nothing malicious has taken place.

And to think, all of this from a simple calendar invite. It goes to show, users and their security teams must constantly remain vigilant as threat actors continue to find new ways to slip past gateways right into inboxes.
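Since the point of this campaign is that the link lives inside the .ics attachment rather than the message body, an added example (not code from the Cofense post) shows how a triage pipeline can pull URLs out of an invite for the same analysis a body link would get. The SAMPLE_ICS is constructed with placeholder hosts, and splitting each property at its first ':' is a simplifying assumption.

```python
"""Added example (not from the Cofense post): pull URLs out of an .ics
attachment so they can be sent through the same URL analysis as links in a
message body. The SAMPLE_ICS below is constructed, with placeholder hosts;
the property split at the first ':' is a simplifying assumption."""
import re

# Constructed sample modelled on the invite described above: a folded
# DESCRIPTION (continuation lines start with a space) carrying the link.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "DTSTART:20200618T140000Z\r\n"
    "ORGANIZER;CN=Walker:mailto:placeholder@example.invalid\r\n"
    "SUMMARY:Fraud Detection from Message Center\r\n"
    "DESCRIPTION:Suspicious activity was detected on your account.\\nReview it h\r\n"
    " ere: https://tenant-placeholder-my.sharepoint.com/:b:/g/personal/placeho\r\n"
    " lder/ExampleDoc\\, then confirm.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def unfold(text):
    """RFC 5545 line folding: a CRLF followed by one space or tab joins lines."""
    return re.sub(r"\r?\n[ \t]", "", text)


def unescape(value):
    """Reverse TEXT escaping: backslash-n becomes a newline; escaped
    backslash, semicolon and comma become the literal character."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def extract_ics_urls(text):
    """Return (property name, url) pairs for every http(s) URL in the invite."""
    found = []
    for line in unfold(text).splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)          # assumption: no ':' in params
        name = head.split(";", 1)[0].upper()      # drop parameters such as CN=
        for url in URL_RE.findall(unescape(value)):
            found.append((name, url.rstrip(".,;)")))  # strip trailing punctuation
    return found


if __name__ == "__main__":
    for prop, url in extract_ics_urls(SAMPLE_ICS):
        print(prop, url)
```

The mailto: organizer is deliberately ignored so only web links reach URL analysis; feeding the returned URLs to the gateway's normal link scanning closes the gap the attackers were counting on.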

Network IOCs:
  URL: hXXps://mko37372112-my[.]sharepoint[.]com/:b:/g/personal/admin_mko37372112_onmicrosoft_com/ERto2NKXu6NKm1rXAVz0DcMB431N0n1QoqmcqDRXnfKocA
  IP:  172[.]217[.]13[.]240
  URL: hXXps://storage[.]googleapis[.]com/awells-putlogs-308643420/index[.]html
  IP:  13[.]107[.]136[.]9

Phish Found in Proofpoint-Protected Environments – Week Ending June 21, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We are not alone in dealing with attachment issues. This week’s batch of phish contain quite a few bearing common attachments to deliver malware and steal credentials. If only there were a better way to defend ourselves.

TYPE: Malware – NanoCore

DESCRIPTION: This purchase order-themed phish delivered a .zipx attachment that was actually a RAR archive. The attackers were kind enough to instruct the recipient what software to use to access the NanoCore Remote Access Trojan within. NanoCore resurfaced in early 2018 and still reaches inboxes.

TYPE: Malware – Dridex

DESCRIPTION: A finance-themed phish uses a macro-enabled Microsoft Excel attachment to deliver the Dridex malware. Cofense was reporting on this malware back in 2015 and it still finds success despite the latest advances in perimeter technologies.

TYPE: Malware – Agent Tesla

DESCRIPTION: The delivery-themed phishing example targets organizations in Thailand promising shipping information at the embedded link. The victim will end up with a case of Agent Tesla, a keylogger (and more) that we discussed in a recent Phish Fryday podcast.

TYPE: Malware – Remcos

DESCRIPTION: This document-themed phish includes a Microsoft Word attachment that leverages a pair of Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to download a DotNETLoader to install the Remcos Remote Access Trojan. Cofense has tracked the exploitation of these vulnerabilities since 2017.

TYPE: Malware – Dridex

DESCRIPTION: Pretending to be an international logistics company with some shipment information, the attached .zip file contains a macro-enabled Microsoft Office document that displays a fake invoice while silently installing the Dridex malware.

TYPE: Malware – Ursnif

DESCRIPTION: Attackers love to leverage legitimate cloud services to make their phish more successful. This response-themed attack makes use of Firefox Send to deliver a password-protected archive containing VBScripts that will download and run the Ursnif malware.

TYPE: Malware – TrickBot

DESCRIPTION: Spoofing a state government office, this phish delivers macro-laden Microsoft Office documents via an embedded link to a SharePoint site requiring a password for access. The victim will download the TrickBot malware.

TYPE: Credential Theft

DESCRIPTION: Attackers haven’t forgotten about the Coronavirus and continue to leverage the theme to get recipients to engage. This attack delivers an HTML attachment that spoofs Adobe to steal credentials.

TYPE: Credential Theft

DESCRIPTION: Another document-themed attack delivering a web page (.htm). This one spoofs a Microsoft login page to harvest credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Practice Makes Perfect

By Noah Mizell and Kyle Duncan, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) has discovered two distinct phishing campaigns found in environments protected by Proofpoint that spoof Twitter by using registered fraudulent domains.

Threat actors utilize numerous attacks throughout their careers; others stick with tried-and-true attacks proven to be effective. The latter is the case in the following scenarios with these attacks coming from the same campaign based on similar tactics: registered fraudulent domains, specifically tailored sender emails, and nearly identical phishing emails and pages.

Figures 1-2: First Iteration of Attack

The subject of the phishing email is “Security alert: new or unusual login” and the sender address is “verify[@]tlwtttierz[.]com”. Although it is obviously not Twitter.com, the domain is similar enough to the real name that users may overlook it because of the urgent tone. However, users must be careful when reacting in haste, as threat actors seek to turn quick thinking against targets to steal their credentials.

The body of the email looks like a legitimate Twitter notification. Similar font type, layout, the familiar Twitter logo showing – nothing appears to be amiss. Reading the contents of the message though, users may be surprised to see there has been a new login from a new device from Spain! Supposing the user is not connected to this location, this is likely to be cause for concern. But worry not, “Twitter” has sent a handy link to secure the account in question.

Hovering over the link “Secure my account”, it shows the redirect is:

twltt%C4%99r[.]com

However once clicked, users are sent to a URL that looks like “Twitter.com”:

twlttęr[.]com

For this attack, the threat actor uses punycode to make the final URL look like “Twitter.com”. The use of punycode has been noted as an extremely easy way to make phishing URLs look very similar to the site they are impersonating. Punycode essentially takes words that cannot be written in ASCII and puts them into an ASCII encoding that browsers will understand.

For example, the URL to which the attack directs does not actually include a letter ‘e’ that ASCII would understand; it uses the hexadecimal encoding ‘C4 99’ for a character that can be seen in the first URL. When the browser gets this encoding, twltt%C4%99r, it renders the string %C4%99 as the Polish letter ę, which just so happens to look very similar to the ‘e’ we’re used to seeing in the legitimate Twitter.com URL. That percent-encoded form is how the character travels inside the link; the punycode form of the same host name, xn--twlttr-04a[.]com, is what is actually looked up in DNS, which is why both forms appear in the IOC list below.
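To make the three forms of that host name concrete, here is an added check (not from the Cofense post) that refangs a reported URL, percent-decodes the host, converts between the Unicode and punycode forms, and flags lookalikes of a protected brand. The PROTECTED set, the edit-distance threshold and the naive "last two labels" notion of a registrable domain are this example's own assumptions.

```python
"""Added example (not from the Cofense post): normalise a reported URL's host
and flag lookalikes of a protected brand, as a triage or mail-filter check.
Assumptions: the PROTECTED set, the MAX_EDITS threshold and the naive
"last two labels" registrable domain are all this example's own."""
import unicodedata
from urllib.parse import unquote, urlsplit

PROTECTED = {"twitter.com"}   # assumed brand list; extend per organisation
MAX_EDITS = 2                 # assumed threshold for a "lookalike" label


def refang(url):
    """Undo the hXXps:// and [.] defanging used in the IOC tables."""
    return url.replace("hXXp", "http").replace("[.]", ".")


def host_of(url):
    """Host of a URL (or bare host), percent-decoded and lower-cased,
    so twltt%C4%99r.com becomes the Unicode form twlttęr.com."""
    if "://" not in url:
        url = "http://" + url
    return unquote(urlsplit(url).hostname or "").lower()


def to_ulabel(host):
    """Decode punycode (xn--) labels to Unicode; pass Unicode hosts through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def to_alabel(host):
    """Unicode host to the ASCII (punycode) form actually sent to DNS."""
    return host.encode("idna").decode("ascii")


def skeleton(host):
    """Drop combining marks so ę -> e, á -> a: a crude confusable skeleton."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def assess(url):
    """Return the host's Unicode and DNS forms plus the reasons it looks off."""
    ulabel = to_ulabel(host_of(refang(url)))
    alabel = to_alabel(ulabel)
    reasons = []
    if alabel != ulabel:
        reasons.append("internationalised host; DNS form is " + alabel)
    reg = registrable(ulabel)
    for brand in PROTECTED:
        if reg == brand:   # the real brand domain or one of its subdomains
            return {"ulabel": ulabel, "alabel": alabel, "suspicious": False, "reasons": []}
        name = brand.split(".")[0]
        label = registrable(skeleton(ulabel)).split(".")[0]
        if label != name and edit_distance(label, name) <= MAX_EDITS:
            reasons.append("label %r is within %d edits of %r" % (label, MAX_EDITS, name))
        elif name in label and label != name:
            reasons.append("label %r embeds brand name %r" % (label, name))
    return {"ulabel": ulabel, "alabel": alabel, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for ioc in ("hXXps://twltt%C4%99r[.]com", "hXXps://xn--twlttr-04a[.]com/login/",
                "hXXps://mobiles-twitter[.]com/login/", "https://mobile.twitter.com/"):
        print(ioc, "->", assess(ioc))
```

Both iterations of this campaign are caught by different rules: the first by the stripped-accent skeleton being one edit from the brand, the second by the brand name being embedded in an unrelated registrable domain.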

Figures 3-4: Second Iteration of Attack

Although this second attack may appear to be the same one from Figures 1-2, it is an improvement – the threat actor made minor tweaks to enhance its believability.

The subject of the email has changed: “New login from Safari on iPhone”. Like the previous attack’s subject, this is also meant to evoke a sense of urgency. This time, however, the sender email is not the obviously wrong “verify[@]tlwtttierz[.]com” but rather a more subtle “verify[@]mobiles-twitter[.]com”.

Although this email looks like an exact copy of the last attack, the threat actor added a small yet impactful detail: at the bottom they specifically reference the recipient: “We sent this email to _____”. Most users have been told to look out for generic “Dear sir/ma’am” terms in emails. If the email is not specifically addressed to the recipient, it is likely a mass mailing, perhaps with malicious intent. For most users, personalization adds legitimacy.

Like in the last attack, the threat actor included a disclaimer under this hyperlink to “help” users know this is a legitimate email from Twitter. Both emails mention the display of a padlock to mean a secure and legitimate site. This padlock only shows that the website is using an active SSL certificate, signifying encrypted communications between the user and the web server. However, contrary to widespread belief, a padlock does not equal safe. The attacker is simply trying to erase any doubts about the site.

The final change of this second attack can be seen when hovering over the “Confirm my identity” hyperlink and finding a new fraudulent domain:

mobiles-twitter[.]com

This domain appears to be more legitimate than the one from the first attack, as it contains the word “twitter”. Considering mobile[.]twitter[.]com leads to the legitimate mobile version of Twitter, this “mobiles-twitter[.]com” was more than likely supposed to be a dupe.

Perhaps this attack may have intended to typosquat to lure victims the attacker never initially targeted. Typosquatting, or URL hijacking, relies on users making small mistakes when typing a URL, whether adding a period where there was a dash or misspelling the domain. The attacker has registered that mistakenly typed URL, so should anyone accidentally visit it they will be subject to whatever is on that page.

Figure 5: Phishing Page

As seen in Figure 5 above, users are presented with a login page for either attack, however this one is specifically for the phish located at twlttęr[.]com. This page is made to look extremely close to the current Twitter login page that can be seen on a desktop browser. The obvious difference between this phishing attack and the legitimate Twitter login page would be the URL, with its unusual letter ‘ę’, and the atypical tab icon.

This is just the first iteration of the threat actor’s attack. The second attack has an email body that is even easier to take at face value and a URL that looks closer to a legitimate one. Regardless, it is no secret that users should pay close attention to the URLs in their address bar.


Network IOCs:
  URL: hXXps://mobiles-twitter[.]com/login/
  IP:  70[.]37[.]100[.]82
  URL: hXXps://twltt%C4%99r[.]com
  IP:  70[.]37[.]100[.]82
  URL: hXXps://xn--twlttr-04a[.]com/login/
  IP:  70[.]37[.]100[.]82
  URL: hXXps://t[.]co/U6DLQ2B1xC
  IP:  (none listed)


Phish Fryday – Secure Email Gateways

Phishing continues to be one of the top attack vectors faced by companies. To address this, many organizations deploy a secure email gateway – SEG in InfoSec parlance. In this episode we speak with Cofense Co-founder and CTO Aaron Higbee and Cofense Security Solution Advisor Tonia Dudley about the history and functionality of SEGs and why they aren’t the panacea they claim to be.

Additional Resources

Gartner retires their secure email gateway Magic Quadrant

Phish Fryday – Cloud Services in Phishing Attacks

Get the lowdown on SEGs

Questions or comments? Reach us at phishfryday@cofense.com

Phish Found in Proofpoint-Protected Environments – Week Ending June 14, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Cofense sees macro-laden attachments reaching the inbox so frequently, we did a Phish Fryday episode on the topic.

TYPE: Malware – NanoCore

DESCRIPTION: This phish spoofs an international lifestyle company to deliver a macro-laden Microsoft Publisher file. Once enabled, the macros download a series of HTA scripts to unpack enclosed .NET libraries which then unpack and run the NanoCore Remote Access Trojan. The use of Publisher files in phishing attacks is not new, as Cofense reported on its use in the Necurs botnet back in 2018.

TYPE: Credential Theft

DESCRIPTION: This French phish – poisson? – pretends to be a number of missed calls. The link leads to a web form designed to steal credentials. Attackers leverage the simplicity of many voicemail notification emails, as Cofense has been reporting for over a year.

TYPE: Malware – Ursnif

DESCRIPTION: This Italian-language phish uses a tactic that is successful far too often – Microsoft Office documents (in this case Excel) that contain malicious macros. This sample delivered the Ursnif data stealer. Ursnif is hardly a newcomer to the phishing threat landscape, as Cofense has been reporting on it for years.

TYPE: Credential Theft

DESCRIPTION: Got documents? This phishing attempt claims to deliver an important PDF file but leads to a website designed to steal Office 365 credentials. Once these credentials are provided, the victim is redirected to a document hosted on Google Drive.

TYPE: Reconnaissance

DESCRIPTION: Information gathering is often a prelude to a cyberattack and this phish used a layered approach to perform reconnaissance on the target. Using an embedded URL, the victim is lured into downloading an archive containing a VBScript (.vbs). This script then attempts to download a PowerShell script that will gather information about the infected endpoint and environment.

TYPE: Credential Theft

DESCRIPTION: With a smorgasbord of foreign language-themed attacks in this week’s catch, this Swedish phish delivers an embedded URL that leads the victim to a Microsoft OneNote-hosted page designed to steal Office 365 credentials. Once provided, the victim is redirected to a document hosted on docdroid. Attackers leveraging Microsoft infrastructure to host malicious OneNote documents is nothing new.

TYPE: Credential Theft

DESCRIPTION: Here’s another example of voicemail spoofing. This one leads to a website designed to steal Office 365 credentials and then direct the victim to office.com. Simple. Effective.

TYPE: Malware – Trickbot

DESCRIPTION: While many of us like to enjoy a cup of java in the morning, this phishing attack uses Java shortcut files – .jnlp – that pull down a Java Archive (.jar) which then downloads and runs the Trickbot trojan. Hardly something you’d like to wake up to.

TYPE: Credential Theft

DESCRIPTION: This Coronavirus-themed phish promises a survey designed to steal corporate credentials. The malicious survey is hosted on Microsoft infrastructure – SharePoint – and exfiltrates the credentials using the legitimate SubmitSurveyData Microsoft URL. Survey phish is hardly a new tactic.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


New Mass Logger Malware Could Be Massive

By Max Gannon

Cofense Intelligence is tracking a recently released keylogger named “Mass Logger” which could significantly impact the keylogger market and the phishing threat landscape.

Speedy Development Could Spur Adoption

Today, keyloggers make up the largest volume of unique phishing campaigns by malware type, and they continue to grow in popularity and sophistication. One of the key concerns with Mass Logger is its updating speed. The author of Mass Logger consistently updates and improves the malware, which allows its operators to respond quickly to overcome security measures taken to detect and defend against it. Speedy development also allows the malware’s creator to quickly add features in response to customer feedback, which may lead to an increase in this malware’s popularity.

For example, Cofense Intelligence has identified a campaign that used an attached GuLoader executable to deliver an encrypted Mass Logger binary. GuLoader has recently risen to prominence as a malware delivery mechanism which downloads encrypted payloads hosted on legitimate file sharing platforms. The email used to exfiltrate data in this campaign was also recently seen in an Agent Tesla keylogger campaign, indicating that some threat actors may already be switching from Agent Tesla to Mass Logger.

Advanced Functionality, With More Likely to Come

The creator of Mass Logger, known as NYANxCAT, is responsible for several other well-known and prolific malware types, including LimeRAT, AsyncRAT, and other RAT variants. NYANxCAT’s malware tends to be feature rich and easy to use, allowing for easy adoption by amateur threat actors. Despite this relatively low entry bar, many of the features incorporated into Mass Logger are advanced, such as its USB spreading capability.

The capable actor behind these malware families has demonstrated an investment in Mass Logger, improving the functionality of the malware with 13 updates in only a three-week time period. In patch notes, NYANxCAT references the addition of new targets for its credential stealing functionality and includes measures taken that would reduce automated detection. Based on these feature additions and improvements, it is likely that NYANxCAT will continue to invest in and update this keylogger.

Sophisticated features distinguish Mass Logger from other common malware. For example, it includes a function that enables a cyber-criminal to search for files with a specific file extension and exfiltrate them. In order to defend against Mass Logger and similar threats, network defenders should watch for FTP sessions or emails sent from the local network that do not conform to your organization’s standards. Also, tune sandbox systems to look for anti-analysis and evasion techniques and disable password-saving in applications like Firefox.

Get 3 FREE Months of Cofense Intelligence

Like what you read in this blog? Cofense Intelligence customers received the IOCs associated with Mass Logger as well as a technical analytic writeup of the new keylogger. If you are not a current Cofense Intelligence customer, this is the time to take advantage of our free 90 day access offer, allowing you to receive even more detailed insights into phishing and malware threats that evade email gateways—yours free for 3 months.
