
Phish Found in Proofpoint-Protected Environments – Week ending October 30, 2020

All of the phish seen by the Cofense Phishing Defense Center® (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: LokiBot

DESCRIPTION: Shipping-spoofing emails found in environments protected by Proofpoint deliver LokiBot via an attached CVE-2017-0199 open XML exploit. The CVE-2017-0199 exploit downloads and runs a DOC file that exploits CVE-2017-11882 to download and run LokiBot.

TYPE: QakBot

DESCRIPTION: Response-themed emails found in environments protected by Proofpoint deliver QakBot via malicious Office macros downloaded from an embedded URL.

TYPE: Remote Access Trojan

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Remcos RAT via XXE attachments. The XXE archive contains a GuLoader executable that downloads and runs Remcos RAT.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

The Ryuk Threat: Why BazarBackdoor Matters Most

By The Cofense Intelligence Team

Ryuk Ransomware: From TrickBot to BazarBackdoor – What You Need to Know.


Yesterday, the Cofense Intelligence team released the following guidance via a flash alert to Cofense Intelligence customers.

On October 28, media reports and U.S. government notifications emerged regarding an active “credible” Ryuk ransomware threat targeting the U.S. healthcare and public health sector, with plans of a coordinated attack October 29. This was reportedly based on chatter observed in an online forum that allegedly included members of the group behind Ryuk. Cofense Intelligence is conducting an ongoing investigation into this threat. While we can’t evaluate the government’s determination of this threat as credible, we are taking this very seriously and have observed increased activity against the healthcare sector. We assess with high confidence that BazarBackdoor is the primary delivery mechanism currently used for Ryuk operations. Moreover, we’ve identified that similar phishing campaigns used to establish a foothold for Ryuk infections have targeted other sectors, as well.

BazarBackdoor: Ryuk’s Inroad

Cofense Intelligence assesses that Ryuk operators typically wait until their preferred delivery mechanism has been successfully deployed to an intended target before deploying Ryuk ransomware itself. Up until TrickBot’s disruption, Ryuk was most frequently delivered via TrickBot. However, our analysis indicates that the group behind Ryuk began leveraging BazarBackdoor to establish access to target systems in September, which aligns closely with announcements that U.S. Cyber Command had taken action to disrupt TrickBot operations. We assess with high confidence that BazarBackdoor has been Ryuk’s predominant loader in recent weeks. With lower confidence, we assess that this wave of Ryuk activity may be, in part, retaliation for September’s TrickBot disruptions.

BazarBackdoor is a stealthy malware downloader that we assess is used by the same group as TrickBot. Typically, emails designed to appear as internal business communications are sent to victims within an organization, often with relevant employee names or positions. These emails usually contain a link, most often to a Google Docs page, though other well-known file hosting platforms have also been used. The Google Docs page will then present a convincing image with another embedded link. This link is typically to a malicious executable hosted on a trusted platform such as Amazon AWS. This chain of legitimate services makes it difficult to detect and stop these campaigns.

Once in place on a victim’s computer, BazarBackdoor uses unusual name resolution to reach its command and control (C2) infrastructure while avoiding detection. Part of its C2 lookup is done through DNS queries for domains under the .bazar top-level domain, which is not part of the public DNS root but an EmerDNS (Emercoin blockchain) zone; this is the reason behind the Bazar name. The C2 hosts also often serve as payload locations. After BazarBackdoor contacts its C2 server it collects additional host information, which the threat actors use to decide whether to deliver customized reconnaissance tools, such as Cobalt Strike payloads, or other payloads such as Ryuk ransomware. Ryuk deployment is not automated, and therefore occurs only if the threat actors decide the infected environment is a worthwhile target.

All of us should pay special heed to any indications of BazarBackdoor compromise. Regardless of whether recent activity is in retaliation against TrickBot’s disruption, what is clear is that recent efforts by multiple parties to cripple TrickBot seem to have been effective in transitioning the Ryuk actors to leveraging BazarBackdoor. We must be mindful that there are past connections between TrickBot activity and Emotet. While there is no direct evidence of current Emotet involvement in these campaigns, we cannot rule out future delivery of Ryuk via Emotet, given historical relationships between TrickBot and Emotet. As the TrickBot infrastructure appears to be in the process of restructuring, we assess that it may find use again as a delivery mechanism. As a network defender, all three malware families should be prioritized when searching for possible compromises, with the highest priority placed on detections of BazarBackdoor in the near future.

Figure 1: Common Phishing Example Delivering BazarBackdoor

The Phish

Cofense Intelligence has directly identified several campaigns, targeting multiple sectors across our customer base, that closely resemble the phishing emails FireEye reported as initial attack vectors in Ryuk campaigns. Two subject themes stand out across the industry verticals we have confirmed were targeted with BazarBackdoor: A) employment termination, almost always including the word “termination,” and B) payroll, almost always including the word “debit,” as shown in Figure 1. While the subjects stay the same, we observed two separate download services: Google Docs and Constant Contact. The list below highlights the industries we have confirmed were targeted by such campaigns; we cannot assess whether the Ryuk operators intended to go on to infect these targets with Ryuk ransomware. It appears very likely that the operators cast a wide net for potential infection vectors and then choose which successful footholds to interact with manually.

Figure 2: Termination List Phishing Example Delivering BazarBackdoor

It is worth noting that these campaigns began in mid-September, which corresponds with the timing of coordinated offensive operations to disrupt TrickBot. The sectors we have directly observed targeted in these campaigns include:

  • Consumer Goods
  • Healthcare
  • Mining
  • Energy
  • Insurance
  • Professional Services
  • Financial Services
  • Manufacturing
  • Retail

Assessing the Threat

As of early this morning, October 30, there are reports of some ransomware attacks against U.S. healthcare organizations yesterday. More reports may emerge in the coming days, though initial indications suggest a healthcare-sector doomsday was avoided. In recent weeks there was an abundance of ransomware activity against the healthcare sector, and we identified an increase in BazarBackdoor targeting. It is not for us to say whether the stated time or scope of the threat was off base, whether active countermeasures succeeded, or whether the flurry of reporting deterred some ransomware activity for now; the actors may simply not want to face such a well-guarded and prepared target base. Still, we are confident that Ryuk operations have recently increased and that other sectors have come into the crosshairs of potential future Ryuk operations. Our assessment is that the threat should be taken seriously.

Cofense Intelligence customers have received relevant indicators of compromise (IOCs) and Active Threat Reports (ATRs) as these campaigns are identified and analyzed, and some of these ATRs were first sent in September. Customers can find these ATRs and IOCs in ThreatHQ and via our API, and can access the most up to date list of all relevant Cofense Intelligence IOCs and ATRs tied to BazarBackdoor, TrickBot and Emotet via our API and on ThreatHQ.

For all readers, below is a table of relevant IOCs and YARA rules associated with BazarBackdoor that can help your organization identify related emails should you be targeted.

Register now for our live 30-minute briefing on Ryuk Ransomware and what you need to know, on Thursday, November 12 at 11:00 am EST. Listen in as our Cofense Intelligence team provides the latest insights on this threat and learn how you can protect your organization.

Active Threat Reports: BazarBackdoor
71542
69892
67088
59926
56548
56336
55660
54647

Embedded URLs 
hxxps://files[.]constantcontact[.]com/0d2efd83801/b5bc005e-db6a-43c8-a967-354f28e66b47[.]pdf 
hxxps://files[.]constantcontact[.]com/0d2efd83801/ca3db959-6b1f-4df9-97b8-13772cbae8e4[.]pdf 
hxxps://files[.]constantcontact[.]com/0d2efd83801/50f95d03-8af1-4396-ac84-d6a7f1212026[.]pdf 
hxxps://files[.]constantcontact[.]com/0d2efd83801/786053b4-4dd9-418b-96bc-84fce4cd00e2[.]pdf 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQsr0bh2i5yJeikTd39t_QfodvTagGLUJNFbMXL_SPvj_x-Pl8WG8pqu6TqQykx9pRsTUvHEuthkWjE/pub 
hxxps://download2020[.]xyz/xls7f283gd283/details_0710p[.]xls 
hxxps://download2112[.]com/xls7f283gd283/details_0610p[.]xls 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vRHniSs5Zv8eT2oX5R6UMJPlmNCV_467IH7q9F_o9kwecObMgMt-p99b2ZKtfyXlPF-FdbfP4tArfHh/pub 
hxxps://getfile24[.]com/xlsaf543f/details_0610s[.]xls 
hxxps://getfile24[.]com/do[.]php 
hxxps://download2112[.]com/do[.]php 
hxxps://file2020[.]top/xlsaf543f/details_0710s[.]xls 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQI6-ZsmZthn9cMjphu3xI7yHO2XX-UGoWR5QdzQSY4hY-l0uPL-rVqMg7-Qtf1kjzwGJ0j9ZA3cSHf/pub 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vTGg3jp69iZwWHQt_5iecBhuRO4TFrCqQGFH2SRnL7grlnhfFT_tvxB3b7MtJzcVCVKEjcoDET6WPZ1/pub 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vSdRpDwxW652bF1MBskTuXdU21Vth9Igkq-wj-U2VyputfZw0eXOwEhB_tPm_OyXoqlwbv7JvwzOWN-/pub 
hxxps://file2020[.]top/do[.]php 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vSl5CpqIn8TdaC2meLuo5O2_65-EG7BYAVWGpRfulpB6tcL9n4pWxSvNfMAbU9lCPgyPGJgc_mHl1N6/pub 
hxxps://download2020[.]xyz/do[.]php 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQYIHCkjG5cyJ7LD20aBzlDCkuDspUXDzEHuUOZgceYCzhGuxTr3eS0CHwbgz4rB-z0-tc1PMG-G-Yf/pub 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQihrkch2KlKXWyGgBLOOAUD8mtAQsbd33LRX382DLu29X3yXVqk0u5ZDyAQ1dxJoLAqT243vQA8zG6/pub 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQWDqcUKNBnGdRrsYXzsk1yKMTevNW5TF_DvXV6KJkQcNS40pvDFIaTM3LLvROG270Vl_i-BfemLpeH/pub 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vRcBIjcyojojwXhUnGOkJSHcufNT5dBBIeIjaDHJez8DNymddil19LHNH9m9txKwukWi9YweZmIYGbg/pub 
hxxps://drive[.]google[.]com/uc?export=download&id=1S_a_Wl7U6HQqmIuHyTfutFCnllQVLDBO 
hxxps://drive[.]google[.]com/uc?export=download&id=1YKT6EicsRHXPT0ecmt0y--9r-KdC0Vld
hxxps://drive[.]google[.]com/uc?export=download&confirm=no_antivirus&id=14VEtUrQbmx68Z742YYWaChtdGhejKHwr 
hxxps://tackleadvisors[.]com/AnnualReport[.]exe 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQLld6CHo7dh7xjFodsvCIZoUgi1kChbFWe-HYCU-ehuLX5cW4S0YcIJagtcSIXrXEmLSNEFKkY2Ait/pub 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQ2WZ6MMjC7qPmdB_EFnCyHskJ27X7rLc5pAbyxVJSpKKgcN3Q7j_b45gW6ueLliwJr4nEhVRwAM6AI/pub 
hxxps://drive[.]google[.]com/uc?export=download&id=1UFjla7rs_X9BQw0K0EaylUH2DHkkCLRz 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQl8xkPTC5qcRYddleeD1wWjcL_--hdx0xmAEkwmmMnX6FXnPPI-eTnY7H4kljKVOeNuw_n16-YWE8v/pub
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vRD18SMRqTb8GqUi9OeZbeMGgm3qAKfP94U-8CM7s8W1RlA6CmkpJ5ZZaqAzH07yA-rflst4tJiNJ5g/pub 
hxxps://drive[.]google[.]com/uc?export=download&id=1QAxmrZowgewxFboMRcxJHfqB0ZnAiBZl 
hxxps://drive[.]google[.]com/uc?export=download&id=1l2XzQBjyqq3adWQyRJMnHHuBoFKffue0 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQHuwqSVxsGvocUT5pUK9262gOvins1zEvXWnxjeJxqOpXzZhaKj-W6uthqmCN5N-VZW2TLOmW_0I5A/pub 
hxxps://drive[.]google[.]com/uc?export=download&confirm=no_antivirus&id=1lGRZh86DPE59wL4OE07na0Q65YwuLWC9 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vSfT8MMEED7peY9YHyJ653d8JDvjd2EMkAiQgQ6_rEf0HoFffiKjK8-aKIBgxqXJi6wcqjOC5Mq6Pvn/pub 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQpzU5su047G3V2PlnNgoGLChpX_QsCNaSJuarCKSHMISO4eq6vMJcrp0Jgwqwq4BAERrpgbpeiWHrO/pub 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vRuzQGE6Z2bu5LOPwejGkGqpJ3GQU2DThVj4BArRlqbIiQCt6Q976Ncydz0NPMXgFgP2kt7PMSHG46e/pub 
hxxps://drive[.]google[.]com/uc?export=download&confirm=no_antivirus&id=1qM01ivzPpKAuwNCbRBRoI2TtV0HkrvJ9 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vRKjSRJ8GpqWEk4fINOr4nV31P9VWQ868hfqEZyNb5WhVO9Of_0AFavdwEsmlzu2LRJuNdEEA4ZYlDg/pub 
hxxp://195[.]123[.]241[.]154/fonts[.]php 
hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQorNnj4QnVfP_DFo6G3znMTvbPUnbkWH4QnGmIHAdDcHOCmYjqhsaI0NyUaTEJDQFPp3ZMMaowisPz/pub 
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vRR--Nv_XxP5TyJpc0w4eNrNfWtVlHnMt5nK33ZHtylR5Dl4BXijSwb722XWQXLJObB2gAziS77ZUIM/pub
hxxp://195[.]123[.]232[.]163/abcf563px3i[.]php 
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vQ5-Kr-eOjPFeWs-MZR1Flspv0kBIQiQDeUyuTcXHHkZlEK6jDQDJnsIQqkAXQ9iRpIo5cRg73d7ztK/pub 
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vQM6VfkT7hU3MM8KJQgY7E9BnnnMVuWLws1Sl0cGPh6a_9Me8u2YsWx_j4bL5iEHQyoMSMo54twwhV1/pub 
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vQg_6O82GtGQVvwG0296E3SefhAcxhkWskkdVES3r-x774F3-kY4a6hQuYJC5SgKj3lOA2mrPx6BxGx/pub 
BazarBackdoor File  MD5 Hash 
Document3-90.exe  3826f8176445cc4291287f8aad28bb53 
Report10-9.exe  240bf9b477fe3d977acbb2726f0f12b5 
1.exe  b9e7cdd63db7ff765efeaabd0a85ca59 
2.exe  d3965ca520a87fc3ad3a874bb0bf118c 
AnnualReport.exe  ff9976d675cc1679b0b6e15323010dbf 
AnnualReport.exe  49c3639ad3cd29473e0bd047bcef8a64 
Document_Print.exe  925d730ddb4304a4bde4dfaeabb5c7b9 
Document-Preview.exe  40b17d4ca83f079cf6b2b09d7a7fd839 
t99.exe  df249304643531adb536eba89691ec91 
PreviewDoc.exe  a41429f7dbecfb76e6b7534afbeb4f74 
Preview.exe  9f00d78f2e8e4523773a264f85be1c02 
Preview.exe  5f64cc672ea13388797599b40a62d9be 
putty.exe  006f8bd0cd7e820705dec7bb3a7a7cf5 
XColorPickerXPTest.exe  cd6b9af8db078afe074b12a4fd0a5869 
PDOKGLWEER.exe  135f68e708cc04e362703ad71be5f620 
v152.exe  d55ec134a3046f289d9ebfdba1e98775 
BazarBackdoor Command and Control (C2) URLs
hxxps://107[.]155[.]137[.]18/api/v150 
hxxps://107[.]155[.]137[.]18/api/v152 
hxxps://164[.]132[.]76[.]76/api/v12 
hxxps://164[.]68[.]107[.]165/api/v10 
hxxps://164[.]68[.]107[.]165/api/v12 
hxxps://185[.]99[.]2[.]196/api/v12 
hxxps://194[.]5[.]249[.]156/api/v10 
hxxps://195[.]123[.]241[.]175/api/v153 
hxxps://195[.]123[.]241[.]194/api/v153 
hxxps://212[.]22[.]70[.]4/api/v12 
hxxps://31[.]214[.]240[.]203/api/v150 
hxxps://31[.]214[.]240[.]203/api/v152 
hxxps://35[.]164[.]230[.]208/link/s 
hxxps://45[.]148[.]10[.]190/api/v150 
hxxps://45[.]148[.]10[.]190/api/v152 
hxxps://5[.]182[.]210[.]145/api/v10 
hxxps://5[.]182[.]210[.]145/api/v12 
hxxps://54[.]89[.]230[.]95/rest/t 
hxxps://68[.]183[.]214[.]30/api/v12 
hxxps://82[.]146[.]37[.]128/api/v150 
hxxps://82[.]146[.]37[.]128/api/v152 
hxxps://82[.]146[.]37[.]128/api/v153 
hxxps://82[.]146[.]37[.]128/api/v154 
hxxps://85[.]143[.]221[.]85/api/v100 
hxxps://85[.]143[.]221[.]85/api/v150 
hxxps://85[.]143[.]221[.]85/api/v152 
hxxps://85[.]143[.]221[.]85/api/v98 
hxxps://86[.]104[.]194[.]77/api/v10 
hxxps://86[.]104[.]194[.]77/api/v12 
hxxps://bubl6g[.]com:443/api/v202 
hxxps://bubl6g[.]com:443/api/v204 
hxxps://grumhit[.]com/z/report 
hxxps://onevdg[.]com/link/s 
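The .bazar lookups described earlier and the /api/v<number> shape shared by the C2 URLs above are both cheap to hunt for in telemetry you already collect. The following Python script is an added example written for this page, not Cofense tooling. It runs over constructed DNS-resolver and web-proxy log lines (the log format, client addresses and .bazar hostnames are assumptions; the C2 host set is a subset of the list above with the defanging removed) and flags any query for the .bazar EmerDNS zone, any request to a listed C2 host, and any HTTPS request to a bare non-RFC 1918 IP whose path matches /api/v<N>.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample DNS-resolver log lines (timestamp client "query" type qname).
# These are not captured data; the .bazar names are invented for the example.
DNS_LOG = """\
2020-10-29T14:02:11Z 10.20.4.51 query A forest.bazar
2020-10-29T14:02:12Z 10.20.4.51 query A docs.google.com
2020-10-29T14:03:40Z 10.20.4.52 query A thunder.bazar
2020-10-29T14:05:02Z 10.20.4.53 query A login.microsoftonline.com
"""

# Constructed sample web-proxy log lines (timestamp client method url status).
PROXY_LOG = """\
2020-10-29T14:02:15Z 10.20.4.51 GET https://82.146.37.128/api/v152 200
2020-10-29T14:02:16Z 10.20.4.51 GET https://docs.google.com/document/d/e/abc/pub 200
2020-10-29T14:03:44Z 10.20.4.52 POST https://198.51.100.7/api/v12 200
2020-10-29T14:04:01Z 10.20.4.54 GET https://intranet.example.com/api/v2/users 200
2020-10-29T14:04:30Z 10.20.4.55 GET https://grumhit.com/z/report 200
"""

# Subset of the C2 hosts listed in the report above, defanging removed.
KNOWN_C2_HOSTS = {
    "82.146.37.128", "85.143.221.85", "45.148.10.190",
    "bubl6g.com", "grumhit.com", "onevdg.com",
}

# The listed C2 URLs share the shape https://<bare IP>/api/v<number>.
C2_PATH = re.compile(r"^/api/v\d+$")

# Internal ranges to ignore when hunting for bare-IP C2. Only RFC 1918 is
# excluded on purpose, so the documentation address in the sample log still
# counts as external (ipaddress.is_private would treat it as private).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external_ip(host):
    """True if host is a literal IP address outside the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def scan_dns(log_text):
    """Flag queries for the .bazar TLD: it is an EmerDNS zone absent from the
    public DNS root, so an ordinary resolver can only answer NXDOMAIN and the
    query itself is the signal."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, qname = parts[1], parts[4].lower().rstrip(".")
        if qname.endswith(".bazar"):
            hits.append({"client": client, "host": qname,
                         "reason": "EmerDNS .bazar lookup"})
    return hits


def scan_proxy(log_text):
    """Flag requests to a listed C2 host or matching the /api/v<N>-to-bare-IP pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        reasons = []
        if host in KNOWN_C2_HOSTS:
            reasons.append("known BazarBackdoor C2 host")
        if is_external_ip(host) and C2_PATH.match(u.path):
            reasons.append("/api/v<N> request to bare external IP")
        if reasons:
            hits.append({"client": client, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_dns(DNS_LOG) + scan_proxy(PROXY_LOG):
        print(hit)
```

The .bazar check is high-fidelity precisely because the zone does not exist in the public root: any resolver that returns an answer for it is an EmerDNS-aware public resolver, so endpoint DNS traffic to resolvers other than your own deserves an alert for the same reason. The /api/v<N> rule is a heuristic and will need an allowlist of legitimate bare-IP APIs in your environment before it is paged on.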

Yara Rules for Campaign Detection 

Rule 1: 

rule PM_Intel_Ryuk_Payload_1029201 {
    meta:
        description = "EDR rule for detecting Ryuk ransomware main payload"
    strings:
        $ = ".RYK" wide nocase
        $ = "RyukReadMe.html" wide nocase
        $ = "UNIQUE_ID_DO_NOT_REMOVE" wide nocase
        $ = "\\users\\Public\\finish" wide nocase
        $ = "\\users\\Public\\sys" wide nocase
        $ = "\\Documents and Settings\\Default User\\finish" wide nocase
        $ = "\\Documents and Settings\\Default User\\sys" wide nocase
    condition:
        uint16(0) == 0x5a4d and uint32(uint32(0x3c)) == 0x00004550 and all of them
}

Rule 2:¹ 

rule crime_win64_backdoor_bazarbackdoor1 {
    meta:
        description = "Detects BazarBackdoor injected 64-bit malware"
        author = "@VK_Intel"
        reference = "https://twitter.com/pancak3lullz/status/1252303608747565057"
        tlp = "white"
        date = "2020-04-24"
    strings:
        $str1 = "%id%"
        $str2 = "%d"
        $start = { 48 ?? ?? ?? ?? 57 48 83 ec 30 b9 01 00 00 00 e8 ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 40 32 ff 40 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8a d8 8b ?? ?? ?? ?? ?? 83 f9 01 0f ?? ?? ?? ?? ?? 85 c9 75 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? b8 ff 00 00 00 e9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? 40 b7 01 40 ?? ?? ?? ?? 8a cb e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b d8 48 ?? ?? ?? 74 ?? }
        $server = { 40 53 48 83 ec 20 48 8b d9 e8 ?? ?? ?? ?? 85 c0 75 ?? 0f ?? ?? ?? ?? ?? ?? 66 83 f8 50 74 ?? b9 bb 01 00 00 66 3b c1 74 ?? a8 01 74 ?? 48 8b cb e8 ?? ?? ?? ?? 84 c0 75 ?? 48 8b cb e8 ?? ?? ?? ?? b8 f6 ff ff ff eb ?? 33 c0 48 83 c4 20 5b c3 }
    condition:
        ( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )
}

¹Sourced from https://twitter.com/VK_Intel/status/1315663046694625286 and evaluated by Cofense Intelligence analysts. 


Online Leader Invites You to This Webex Phish

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) team has identified a phishing campaign that attempts to harvest Webex credentials. As we have noted before, this is not the first active Webex campaign we have seen; the tactic became increasingly common as non-essential workers were pushed into remote work by the pandemic. The previous Webex phish relied on claims of Webex vulnerabilities and SSL certificate fixes, but this one takes a more subtle approach: it poses as a Webex event invite.

Figure 1: Email Body 

The email shown in Figure 1 looks, at a glance, like a normal Webex event invite of the kind any Webex user is accustomed to. It says the user has been invited to the event “Leadership&Muscles” hosted by “Online Leader.” Vague as that is, the mentions of “Leadership” and “Online Leader” may lead most users to assume it is work related, and because there is none of the typical urgent phishing language, many will not feel threatened and may join the meeting out of curiosity.

Should a user hover over the button to “join a meeting,” the URL shown in the preview is hxxp://idbrokerwebex[.]com.

Despite the threat actor’s efforts to make this email look legitimate, the subject already appears off compared with the body: a Portuguese subject paired with an English body. If that does not reveal the true nature of the email, the threat actor’s carelessness with the From and Sender fields will. A Webex-branded address was placed in the From field to make the email appear to come from Webex, but the real sender address sits right next to it: americacentral02[@]eliteddi[.]com.

Looking into the domain eliteddi.com, we can see that it was recently registered, as seen in Figure 2.  

Figure 2: Domain Registration Information for eliteddi.com 

This was likely done to give the actor a domain of their own for sending. Sending from a domain they control lets the threat actor publish valid SPF, DKIM and DMARC records, so the message passes the sender-authentication checks that a directly spoofed sender domain would typically fail. The domain also appears to have served as a test bed for this attack: as shown in Figure 3, it hosts a copy of the same Webex phish. Because eliteddi[.]com does not appear in the email body and is not something the recipient would normally interact with, it is reasonable to assume it was part of the threat actor’s practice run before launching the campaign.

Figure 3: Webex phish found on the sender domain eliteddi[.]com  

Taking a look at the URL found embedded into the email itself we can see that this URL looks much more legitimate than the one seen in the threat actor’s practice attempts. This fraudulent domain was also recently registered according to information found on its corresponding WhoIs record, as seen in Figure 4. 

Figure 4: Domain information for idbrokerwebex[.]com 

Note that the fraudulent domain mimics a real Webex host, idbroker.webex.com, which users normally see only as a quick redirect when logging into Webex Teams but which would still look familiar. The only difference between the legitimate hostname and the phishing domain is the “.” between idbroker and webex; it is a small detail that is easy to miss in an address bar, and missing it in this case leads to a big mistake.
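Both tells in this email, a From display name that is itself an address at a different domain than the real sender, and a link host that collapses the labels of a legitimate hostname into one, can be checked mechanically. The Python below is an added example, not code from the Cofense PDC: it parses a constructed message modelled on the invite (the display-name address is an assumed Webex-branded placeholder; the sender address and link host are those reported above with the defanging removed) and compares link hosts against a small list of protected Webex hostnames after stripping dots and hyphens, which is what catches idbrokerwebex[.]com imitating idbroker.webex.com.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed message modelled on the invite described above. The display-name
# address is an assumed Webex-branded placeholder; the real sender and the link
# host are the values given in the post (defanging removed). Not a captured email.
RAW_MESSAGE = """\
From: "meetings@webex.com" <americacentral02@eliteddi.com>
Sender: americacentral02@eliteddi.com
Subject: Convite: Leadership&Muscles
Content-Type: text/plain

You have been invited to the event Leadership&Muscles by Online Leader.
Join the meeting: http://idbrokerwebex.com/
"""

# Hostnames users are expected to see for the real service (assumed list).
PROTECTED_HOSTS = {"idbroker.webex.com", "webex.com", "teams.webex.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def domain_of(addr):
    """Domain part of an address-like string, or '' if it has no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def from_mismatch(msg):
    """Return (displayed_domain, real_domain) when the From display name is itself
    an e-mail address whose domain differs from the actual address; else None."""
    name, addr = parseaddr(msg.get("From", ""))
    shown, real = domain_of(name), domain_of(addr)
    if shown and real and shown != real:
        return shown, real
    return None


def squash(host):
    """Drop the separators a lookalike can omit or add: 'idbroker.webex.com' -> 'idbrokerwebexcom'."""
    return re.sub(r"[.\-]", "", host.lower())


def lookalike_of(host, protected=PROTECTED_HOSTS):
    """Return the protected hostname that `host` imitates once separators are
    ignored, or None. An exact protected hostname is never flagged."""
    host = host.lower()
    if host in protected:
        return None
    for good in protected:
        if squash(host) == squash(good):
            return good
    return None


def analyse(raw):
    """Run both checks over a raw RFC 822 message and return human-readable findings."""
    msg = message_from_string(raw)
    findings = []
    mismatch = from_mismatch(msg)
    if mismatch:
        findings.append(f"From display name claims {mismatch[0]} but address is {mismatch[1]}")
    for url in URL_RE.findall(msg.get_payload()):
        host = urlsplit(url).hostname or ""
        target = lookalike_of(host)
        if target:
            findings.append(f"link host {host} imitates {target}")
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_MESSAGE):
        print(finding)
```

The separator-squashing comparison is deliberately narrow: it catches dropped or inserted dots and hyphens, not character substitutions or added words, so it produces few false positives but should sit alongside a registration-age check like the WHOIS lookup described above.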

The phishing page itself is shown in Figures 5 and 6.

Figure 5-6: Phishing Page 

Earlier Webex phish of this kind used the same template when harvesting credentials: essentially a perfect copy of Webex’s login page. The page has no noticeable grammar flaws or odd formatting anywhere. In fact, even the URL in the address bar does not immediately give anything away should a user glance at it for validation.

Compared with the phishing page hosted on the threat actor’s “practice” domain noted above, this one has a certificate for the site, which adds the lock in the address bar that most users take to mean a site is “secure.” This is now a common addition, especially with website builders that issue creators a certificate to work with, and as noted in other blogs, threat actors rely on that perception to get users to trust their phishing pages.

The second step of this attack can be noted in Figures 7-8. This step acts more as a distraction mechanism, as the page looks like any other Webex event registration page. Here the user would input any amount of information as long as the fields are required, then move on to the final confirmation page. While this page is more than likely just an attempt to put any suspicions the user had initially to rest, this page also has the potential to garner more information about the user. 

Figure 7-8: “Event” Registration 

Indicators of Compromise 

Network IOC                    IP
hxxp://eliteddi[.]com          192.185.214.103
hxxp://idbrokerwebex[.]com     216.172.161.34

New from Cofense Intelligence: Q3 Phishing Review is Now Available

By: Brad Haas, Cofense Intelligence 

Cofense Intelligence™ has released the Q3 2020 Phishing Review. This report highlights key phishing trends uncovered by Cofense Intelligence analysts, who spend every day studying current phishing campaigns and producing actionable phishing intelligence so that our customers can better defend themselves. This intelligence keeps our customers proactively defended against emerging phishing tactics, techniques and procedures (TTPs). Our analysts focus on campaigns that reach enterprise user inboxes, and report on the TTPs designed to evade secure email gateways (SEGs) and other network defense technology.

Report Highlights 

In this quarterly report, you will read about this summer’s unusual phishing activity, and why we assess that overall phishing volume was higher in the third quarter of this year than in years past. Contributing to such high volume: Emotet, which returned after months of inactivity, bringing new campaigns and adjusted tactics. This, paired with a continued surge in Agent Tesla Keylogger, contributed to a very active summer phishing season.

This report reviews the most prevalent malware delivered via phishing in the last quarter, highlighting returning families that had become relatively dormant in phishing but reappeared in recent months. Moreover, we dig into malware families new to the phishing landscape and explore the increase in Remote Access Trojan (RAT) and ransomware activity.

Of course, every piece of malware requires a delivery mechanism, and we consistently track the most common delivery mechanisms used in phishing campaigns. Here, we dig into which filename extensions of malicious attachments most frequently reached end users in the last quarter, and which extensions are most commonly associated with the targeting of particular industries.

Figure 1: A COVID-19-themed phishing email.  

Finally, though COVID-19 themed campaigns have greatly declined since peaking in Q2, they continue to reach end users. Read this report to see how pandemic-themed phishing has evolved, and to learn about the threat activity we expect in Q4 and the new year.  


Purchase Order Phishing, the Everlasting Phishing Tactic

By Adam Martin, Nathaniel Sagibanda, Kian Buckley Maher and Cofense Phishing Defense Center

The PDC team has seen a recent uptick in legitimate Mimecast services being used as a vector for phishing campaigns, found in environments protected by Microsoft ATP, Microsoft EOP and Mimecast.

The phish leverages the “Purchase Order” lure, a common pretext for enticing users into a process set up by a malicious actor to harvest sensitive credentials (Figure 1).

Figure 1

In this attack, as illustrated in Figures 1 and 2, the body of the email is a reasonable facsimile of an authentic message, even replicating the style of the Mimecast header and disclaimer; grammatical, punctuation and spacing anomalies are the red flags. The email itself looks benign, simple and to the point, telling the recipient that the required information is held on an external service because of a storage-size or formatting problem (Figure 1). Moving the payload off the message and behind a link to a legitimate service is a common tactic for getting past mail filters such as Mimecast, Microsoft EOP and Microsoft ATP.

Figure 2 

Upon inspection of the Download Files button we can see that the service being used to deliver this phish is in fact Mimecast, itself a legitimate service. Combining this with the previously noted circumvention method makes standard detection almost impossible.  

Figure 3 

As seen in Figure 3, the page presented to the user is a legitimate Mimecast service hosting the malicious file. The effect is compounded by the access-key step: the user can either click the access-key button or enter a key provided earlier (see Figure 3), but both paths lead to the next stage.

Once the first landing page has been reached, an option to download the malicious file appears at the side of the page. To add authenticity, the original sender’s details are replicated, as shown in Figure 4.

Figure 4 

Figure 5 

Figure 6

Email header analysis: the headers in Figure 6 tell a different story. Addresses such as 10.x.x.182 and 10.x.x.36 are RFC 1918 private addresses; they are reused by countless independent networks, from a single computer behind a home gateway up to a corporate LAN, and so say nothing about where the message originated.

However, IP 41.x.x.131 belongs to Mimecast SA (according to VirusTotal and Whois). Because the delivering host is a legitimate, well-reputed mail relay, the SEG has little reason to distrust it, which could be why the message escaped detection.
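The header reasoning above, that private addresses carry no attribution and that a reputable relay’s IP is what the SEG actually judges, can be scripted. The Python below is an added example, not the authors’ tooling: it walks a constructed Received chain (RFC 1918 hops plus a documentation-range address standing in for the Mimecast relay; nothing is copied from the real message) oldest-first, classifies each handing-off IP, and returns the first non-internal hop together with the hop that handed the message to it, which is where attribution belongs when that first external hop is a trusted relay.

```python
import ipaddress
import re
from email import message_from_string

# Constructed header block in the shape described above. The 10.x and 192.168.x
# hops are RFC 1918 addresses; 203.0.113.131 is a documentation-range address
# standing in for the relay in the post. Not captured from the real message.
RAW_HEADERS = """\
Received: from mx1.victim.example (10.0.5.182) by mx2.victim.example (10.0.5.36) with ESMTP; Thu, 29 Oct 2020 09:14:02 +0000
Received: from relay.example.net (relay.example.net [203.0.113.131]) by mx1.victim.example with ESMTPS; Thu, 29 Oct 2020 09:14:01 +0000
Received: from [192.168.1.20] (unknown [192.168.1.20]) by relay.example.net with ESMTPSA; Thu, 29 Oct 2020 09:13:58 +0000
From: accounts@supplier.example
Subject: Purchase Order 00177389

"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder table of relay networks the SEG treats as trusted senders. The
# post's 41.x.x.131 belongs to Mimecast SA; the prefix below is a documentation
# range used only so this sample runs offline.
TRUSTED_RELAYS = {
    ipaddress.ip_network("203.0.113.0/24"): "third-party mail relay (placeholder)",
}

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def classify(ip_text):
    """'internal' for loopback/RFC 1918, 'trusted relay: ...' for a listed relay, else 'external'."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback or any(ip in net for net in RFC1918):
        return "internal"
    for net, label in TRUSTED_RELAYS.items():
        if ip in net:
            return f"trusted relay: {label}"
    return "external"


def received_hops(raw):
    """Return the Received chain oldest-first: the IP that handed the message to
    each hop and its classification. Headers are unfolded before matching."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())
        m = re.match(r"from\s+(.*?)\s+by\s", text, re.IGNORECASE)
        if not m:
            continue
        ips = IP_RE.findall(m.group(1))
        if ips:
            hops.append({"ip": ips[0], "kind": classify(ips[0])})
    return hops


def origin_of(raw):
    """(ip, kind, handed_by) for the first hop that is not internal. When that hop
    is a trusted relay, `handed_by` is the address behind it, which is the one
    the relay's reputation hides from the SEG."""
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        if hop["kind"] != "internal":
            handed_by = hops[i - 1]["ip"] if i > 0 else None
            return hop["ip"], hop["kind"], handed_by
    return None


if __name__ == "__main__":
    for hop in received_hops(RAW_HEADERS):
        print(hop)
    print(origin_of(RAW_HEADERS))
```

Received headers are written by each receiving host in turn, so the chain is only trustworthy up to the first hop your own infrastructure added; anything earlier can be forged by the sender, which is why the relay's submission record (ESMTPSA here, an authenticated client) matters more than the originator's self-reported name.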

Figure 7 

Having followed the malicious link, the user sees the page shown in Figure 7, which requests the user’s Microsoft email address and password. Unlike other credential phishing pages, the Microsoft background and logo are not displayed. The page’s simplicity, combined with a URL bearing no sign of Microsoft or any associated domain, is suspect. The third field is the most obvious red flag (Figure 7): a recovery option is offered even though no incorrect password has been entered. Its purpose is to prompt the victim into supplying a phone number.

Figure 8

After test credentials were entered, the information was exported to the phishing campaign URL. The page is hosted at hXXps://www.docdroid[.]net/OwKxXnZ/purchase-order-00177389-pdf. Entering information simply refreshes the page, regardless of the credentials supplied.

Indicators of Compromise

Network IOC                                                      IP
hXXp://biz267.inmotionhosting[.]com/~craneo5/pow/po[.]php          23[.]235[.]212[.]50
hXXps://www.docdroid[.]net/OwKxXnZ/purchase-order-00177389-pdf     54[.]37[.]79[.]95
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

How phishing will forever be a problem

Two-plus decades ago Aaron Higbee, now Cofense CTO and co-founder, was hired by a company to help counter their exploding email spam problem, a role that evolved to addressing other internet-abuse issues. He took on threat tactics that evaded technical controls, and he never looked back.  

Aaron shares what he learned in his article, My ‘Ah-Ha’ Moment: Phishing Will Forever Be A Problem, published by the Forbes Technology Council. In the article, he discusses what he’s seen and uncovered about phishing attacks on organizations during his lengthy career in cybersecurity.

In particular, Aaron mentions that he has learned “technologies can’t predict the future and that when attackers are sufficiently frustrated by an emerging preventative control, they will innovate around it.” But that, “Actively training users to report suspicious email through carefully crafted simulations that immerse them in the experience from end to end will improve your organization’s resiliency to attacks.”

Get the rest of the story about Aaron’s “Ah-Ha” moment here.

 

Exploiting the Current COVID-19 Health Crisis Through Multiple Email Providers

By Ala Dabat, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) team has seen the continued exploitation of the current COVID-19 health crisis as an effective attack vector across all industries.

A common theme is the use of cloned Dropbox landing pages that ask users to log in via well-known email service providers in order to view important documentation relating to COVID-19.

One such instance escaped Proofpoint’s secure email gateway (SEG), bypassing spam filtering thanks to the benign appearance of the email and its lack of spammy characteristics. It also bypassed Microsoft’s EOP and ATP.

Figure 1 – Original body of the email urging the target to download urgent information relating to COVID-19

The origin of the email appears to be a legitimate sender. It passed SPF checks, which also helped the email appear legitimate; the campaign was most likely launched from a compromised email account, which is why it was able to pass SPF. Although the message failed DKIM checks because of a mismatch in the bh= value recorded in the DKIM record, this was not enough to raise any red flags, because of the weighted system used to decide whether the email was malicious.

From the email headers we can see that the email did not contain enough spammy characteristics to meet the threshold required by Proofpoint’s Secure Email Gateway (SEG) to be categorised as malicious.
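The weighted-verdict behaviour described above can be made concrete. The following is an added example, not code from the original post or from any gateway vendor: it parses an Authentication-Results header from a constructed message (the 192.0.2.10 address and the .example and .invalid names are reserved documentation values, and the scoring weights are assumptions for illustration, not Proofpoint's or Microsoft's real ones). The toy additive score lets the message through, exactly as the post describes, while a separate rule picks up the combination a human triage queue would want to see: SPF pass with a DKIM body-hash failure, plus a link to a host outside the sender's domain, on a message that still carried a spam confidence level of 0.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message (not the one analysed in the post). 192.0.2.10 and the
# .example / .invalid names are reserved documentation values.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=sender.example; dkim=fail (body hash did not verify) header.d=sender.example; dmarc=fail action=none header.from=sender.example
X-MS-Exchange-Organization-SCL: 0
From: "Alice Example" <alice@sender.example>
To: bob@example.net
Subject: Important COVID-19 documents
Content-Type: text/plain

Hi Bob, the updated COVID-19 guidance is available here:
https://files.cloud-share.invalid/s/abc123/view
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)(?:\s*\(([^)]*)\))?")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SPAM_THRESHOLD = 5   # assumed gateway threshold for the toy score below


def parse_auth_results(header_value):
    """Map spf/dkim/dmarc to (result, reason) from an Authentication-Results header."""
    return {m.group(1): (m.group(2).lower(), m.group(3) or "")
            for m in AUTH_RE.finditer(header_value)}


def weighted_spam_score(msg, auth):
    """Toy additive score in the spirit of a gateway's weighted verdict. The weights
    are assumptions for illustration, not a real product's."""
    score = 0
    if auth.get("spf", ("none", ""))[0] == "pass":
        score -= 2                    # passing SPF counts as a good sign
    if auth.get("dkim", ("none", ""))[0] == "fail":
        score += 1                    # DKIM failure alone is weak: forwarding breaks it too
    score += 2 * (msg["Subject"] or "").count("!")   # "spammy" punctuation
    return score


def triage_flags(raw_message):
    """Rule-based flags for a human triage queue, computed independently of the score."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    flags = []
    spf = auth.get("spf", ("none", ""))
    dkim = auth.get("dkim", ("none", ""))
    if spf[0] == "pass" and dkim[0] == "fail" and "body hash" in dkim[1]:
        # Relayed through the sender's own infrastructure, yet the signed body no
        # longer matches: consistent with a compromised account or altered content.
        flags.append("spf_pass_dkim_bodyhash_fail")
    sender_domain = parseaddr(msg["From"] or "")[1].rsplit("@", 1)[-1].lower()
    for url in URL_RE.findall(msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if sender_domain and not (host == sender_domain or host.endswith("." + sender_domain)):
            flags.append("external_link:" + host)
    if msg.get("X-MS-Exchange-Organization-SCL") == "0" and flags:
        flags.append("scl_zero_despite_flags")
    score = weighted_spam_score(msg, auth)
    return {"score": score, "delivered": score < SPAM_THRESHOLD, "flags": flags}


if __name__ == "__main__":
    print(triage_flags(SAMPLE_MESSAGE))
```

The point of keeping the rule output separate from the score is that a gateway's additive verdict is tuned to keep false positives low, so a single strong-looking signal (a passing SPF check) can outweigh several weak ones; a reporting and triage workflow can afford to surface that specific combination for a human to look at.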

Figure 2 – Email originated from a legitimate sender and passed SPF record checks 

Microsoft’s EOP and ATP also miscategorized this email due to the lack of spammy characteristics and gave it a spam score of 0: 

Figure 3 – Microsoft EOP spam score of 0 

Once the target has clicked on the link, they are redirected to a landing page masquerading as Dropbox using original logos and fonts to fool the target.  

Figure 4 – A Dropbox-themed landing page with convincing logos and fonts

The target is then prompted to authenticate against one of several email service providers to access the document. This method of phishing widens the net, allowing the attacker to harvest more credentials.

Figure 5 – Login page for Gmail 

Figure 6 – Fraudulent login page for Yahoo

Once the target has entered their credentials using one of the login options, the credentials are sent via HTTP POST to a PHP script, which stores everything the attacker has harvested in a database. Although this attack is not as technically sophisticated as other, more targeted attacks, it exploits a number of key weaknesses:

  1. It exploits the COVID-19 pandemic.
  2. It uses aesthetics that look and feel convincing to the target.
  3. It bypasses spam filtering by limiting the characteristics of the email body that most spam filters would consider spammy.

Once the target has entered their credentials, they are redirected to a legitimate landing page owned by Accenture, and then to a document that is completely unrelated to the COVID-19 crisis.

Figure 7 – Landing page targets are redirected to after they authenticate  


Mandatory Internal Company Communications: The Best Time to Phish

By Ashley Tran, Cofense Phishing Defense Center

Companies are awash with corporate communications: open enrollment notifications, new policies and so forth. This crush of mandatory emails gives threat actors just the right amount of noise in a user’s inbox to slide their own attacks in without heavy scrutiny. They are received as “just another HR email” that users may be quick to read, sign and be done with. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office 365 (O365) credentials by disguising itself as an HR document that must be signed.

Figure 1: Email Body 

The threat actor has attempted to manipulate the “from” fields in the headers of emails for this campaign. As seen in Figure 1, the threat actor has set the “sender name” field of the headers so the email appears to come from “Human Resources”, when in reality the real sender’s address can be seen in the field next to it: [REDACTED]@ntlworld.com. Every email in this campaign originated from a unique sender at this domain, which suggests that the threat actor used compromised accounts to send out this attack.

The subject for this campaign generally followed the theme “Reminder for [User’s Name] Reviewed Employee Handbook”, with the user’s organization email ID inserted into the subject each time. The context of this email is simple: there is a new employee handbook, and everyone must review and sign the acknowledgement of this handbook upon receipt of this email. Interestingly, this phishing email was sent out well past the stated due date, which either adds to the urgency of the request or shows that the threat actor overlooked a variable in their template that needed updating.

Within the body of the email, the threat actor has noticeably failed to disguise the URL. In fact, it is clear this supposed handbook is hosted on SharePoint in some way. 

The first step of this attack takes place on a SharePoint-hosted document that users are redirected to from the email itself. This document, as seen in Figure 2, looks like any page one might see in an HR handbook, except that this one appears to outline the “Remote Working Policy” for the user’s organization. At the end of the described policy there is a hyperlink to “proceed with acknowledgement” which, if you hover over it as shown in Figure 3, is simply another redirect to the same SharePoint tenant. This time, however, it leads to a survey hosted there.

Figure 2-3: Phishing Page 

Once users click on the link, presumably to acknowledge this new policy, they are redirected to an “Acknowledgement Section”, seen in Figure 4. On this page, users are prompted to enter their Microsoft credentials as a way to identify themselves and “for successful submission of acknowledgement.” The threat actor in this case has used the Microsoft Excel web app to create and host a survey that harvests credentials, but this is far from uncommon. In fact, many phish use this method, exploiting the fact that these Excel surveys are hosted on SharePoint and leveraging the trust most users place in the sharepoint.com domain as a whole.
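Two of the tells in this campaign, a display name claiming an internal role on an external address and a SharePoint link hosted on a tenant that is not the organisation's own, can be checked mechanically at the reporting or triage stage. The following is an added example and not code from the original post: it parses a From header with the standard library and extracts the tenant prefix from sharepoint.com hostnames. The internal domain contoso.com, the tenant name contoso, the sender someone@external-isp.example and the tenant prefix netorgft0000000 are all constructed stand-ins for the redacted ntlworld.com address and the netorgft6696135 tenant the post names.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Role names a phisher borrows for the display name; extend for your organisation.
ROLE_WORDS = ("human resources", "hr", "payroll", "it support", "helpdesk", "ceo")

# Constructed values. The post's real sender was a [REDACTED]@ntlworld.com address
# and its tenant prefix was netorgft6696135; both are replaced with stand-ins here.
INTERNAL_DOMAINS = ("contoso.com",)
OWN_TENANT = "contoso"
SAMPLE_FROM = '"Human Resources" <someone@external-isp.example>'
SAMPLE_URLS = [
    "https://contoso-my.sharepoint.com/:w:/g/personal/hr/Handbook.docx",
    "https://netorgft0000000-my.sharepoint.com/:x:/r/personal/hr_hrhandbook/"
    "_layouts/15/WopiFrame.aspx?action=formsubmit",
]

# Tenant prefix of a SharePoint host, with the optional "-my" (OneDrive) suffix removed.
SHAREPOINT_RE = re.compile(r"^([a-z0-9-]+?)(-my)?\.sharepoint\.com$")


def display_name_risk(from_header, internal_domains):
    """Flag a From header whose display name claims an internal role while the
    address belongs to a domain the organisation does not own."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    internal = any(domain == d or domain.endswith("." + d) for d in internal_domains)
    role_claim = any(re.search(rf"\b{re.escape(w)}\b", name.lower()) for w in ROLE_WORDS)
    return {
        "display_name": name,
        "address": addr,
        "internal_sender": internal,
        "flag_role_spoof": role_claim and not internal,
        # A display name that is itself an e-mail address different from the real one.
        "flag_name_is_other_address": "@" in name and name.lower() != addr.lower(),
    }


def sharepoint_tenant_check(urls, own_tenant):
    """Return (tenant, url) for SharePoint links hosted on a tenant other than the
    organisation's own. Users trust sharepoint.com as a whole, but the host's
    prefix says whose tenant actually holds the document."""
    foreign = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        m = SHAREPOINT_RE.match(host)
        if m and m.group(1) != own_tenant.lower():
            foreign.append((m.group(1), url))
    return foreign


if __name__ == "__main__":
    print(display_name_risk(SAMPLE_FROM, INTERNAL_DOMAINS))
    print(sharepoint_tenant_check(SAMPLE_URLS, OWN_TENANT))
```

Neither check is a verdict on its own: legitimate HR mail from an outsourced provider will trip the first, and a partner's shared document will trip the second. Both are cheap signals to attach to a reported email so an analyst sees immediately that "Human Resources" wrote from a consumer ISP domain and that the "handbook" lives on somebody else's tenant.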

Figure 4: Phishing Page   

Network IOC   IP   
hXXps://netorgft6696135-my[.]sharepoint[.]com/:w:/g/personal/hr_hrhandboook_com/Efj4moxVJidCogbJKcnVuQUBuhnrbvfNNdoq49e7ztvopQ?e=QpXfQL  104[.]146[.]136[.]48 
hXXps://netorgft6696135-my[.]sharepoint[.]com/:x:/r/personal/hr_hrhandboook_com/_layouts/15/WopiFrame.aspx?guestaccesstoken=EiYjYkpbbdYnGHOdsn0%2fA9ofWLWdjKnx0g5atRlMHTE%3d&docid=1_1c88d073e14d04676b3274b6a31ae8900&wdFormId=%7B72299567%2DF59D%2D40B1%2D8CAA%2D6E6DED3D7529%7D&action=formsubmit  104[.]146[.]136[.]48 

FISSEA Recognizes Cofense with the Best Security Blog Award

This week, the Cofense blog post, Invoice Themed Phishing Emails Are Spreading from Trusted Links, was named 2020 Best Security Blog by the Federal Information Security Educators (FISSEA). Founded in 1987, FISSEA is an organization run by and for federal government information security professionals to assist federal agencies in strengthening employee cybersecurity awareness and training programs. Each year, with dozens of entries in varied categories, FISSEA recognizes a best entry in the FISSEA Training Exercise Contest. To meet the criteria, training exercises must have a security theme and be part of an organization’s current security training program. Judging is based on originality, security message and graphic concept.

“We are honored to be recognized for our efforts to help companies find and remove phish in their environments,” said Michael Callahan, Cofense SVP of Marketing. “Cofense believes that a comprehensive phishing detection and response program is key to stopping phishing attacks, and we appreciate that the FISSEA program continues to raise awareness of resources like our blog designed to educate on the latest phishing techniques.”

Our analyst (and winning blog post author), Kian Mahdavi, and his coworkers in the Phishing Defense Center (PDC) devote their time to identifying and stopping phishing attacks. In addition, they provide insightful information about the dangers of phishing and how threat actors succeed in evading standard defenses. They, and the 24-plus million customers in our community who report phish daily, make the difference in our mission to rid organizations worldwide of phishing attacks.

Read the winning blog post here. 
