TrickBot Malware Delivered as Invoices

By Andy Mann and Schyler Gallant, Cofense Phishing Defense Center

During the COVID-19 pandemic, many users have been receiving invoices by email to process for payment, whether business to business, business to individual, or vice versa. With the supply chain delays, a notification that a delivery attempt was missed can cause frustration and entice the recipient to open the invoice link to investigate further. Threat actors have taken advantage of this: in a recent TrickBot campaign analyzed by the Cofense Phishing Defense Center (PDC), they imitate delivery services such as the U.S. Postal Service.

Figure 1: Email Body

Seen in Figure 1, the threat actor did a convincing job of making the email appear authentic to the untrained eye. With the official USPS branding and other details included, one might think at first glance that this came from USPS. The threat actor even added trusted third-party logos (Facebook, Instagram, LinkedIn and Twitter) at the bottom to make the email look more legitimate. However, there are some easy indicators that should raise suspicion, such as the sender address, which is at manglamtech[.]in instead of the official USPS domain. Overall, this TrickBot campaign shows more effort in the design of the email itself than past campaigns. Most of the time, the style of TrickBot campaign emails is relatively simple and can easily be spotted as suspicious.

Ultimately, the goal of the threat actor is to lure the target into believing that their package was not delivered, and to have them view their invoice by clicking the “Get Invoice Here” button. This leads the user to hxxps://www.zozter[.]com/tracking/tracking[.]php, where a ZIP file named USPS_invoice_EA19788988US is downloaded. This is another somewhat unique trait of this TrickBot campaign; most others do not use a PHP page as the initial infection URL. Usually a malicious attachment, or some other kind of URL, is used instead.

Figure 2: XLSM File

Once the user unzips the file, they will find an XLSM spreadsheet named USPS_invoice_EA19788988US.xlsm inside. The appearance of the file, seen in Figure 2, is not unique to this campaign. As with many others, when the target opens the spreadsheet they are told that “the document is protected” and that, for anything to be done, they will need to enable editing. Once the user clicks this button, the spreadsheet stays open on screen, but the malicious process starts in the background.

Step-by-Step Process

Figure 3: Step-by-Step Process

Once editing has been enabled in the Excel spreadsheet, powershell.exe starts to run. The PowerShell process reaches out to the payload URL hxxp://103[.]124[.]106[.]149/images/soccer[.]png and downloads a DLL (served under a .png file name), which is then run by a RunDLL32 process. Finally, the RunDLL32 process starts a wermgr.exe process into which TrickBot is injected.
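The execution chain above (Excel to PowerShell to RunDLL32 to wermgr.exe) is visible in process-creation telemetry. The following is an added example, not code from the post or from Cofense: it runs two checks over constructed Sysmon Event ID 1 style records (reduced to the fields the checks need; command lines are placeholders, not real telemetry from the campaign).

```python
"""Detect the Excel -> PowerShell -> rundll32 -> wermgr.exe chain in process logs.
Added example, not code from the post or from Cofense. The events below are
constructed Sysmon Event ID 1 style records; command lines are placeholders."""
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # basename of the process executable
    parent_image: str   # basename of the parent's executable
    cmdline: str

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample: one infection chain plus a benign Word print job for contrast.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, "excel.exe", "explorer.exe", "EXCEL.EXE USPS_invoice_EA19788988US.xlsm"),
    ProcEvent(1010, 1000, "powershell.exe", "excel.exe", "powershell.exe -w hidden <placeholder: fetch soccer.png>"),
    ProcEvent(1020, 1010, "rundll32.exe", "powershell.exe", "rundll32.exe C:\\Users\\Public\\soccer.png,<export>"),
    ProcEvent(1030, 1020, "wermgr.exe", "rundll32.exe", "wermgr.exe"),
    ProcEvent(2000, 800, "winword.exe", "explorer.exe", "WINWORD.EXE report.docx"),
    ProcEvent(2010, 2000, "splwow64.exe", "winword.exe", "splwow64.exe"),
]

def suspicious_edges(events):
    """Return (rule, pid) for every parent->child pair matching a stage of the chain."""
    hits = []
    for e in events:
        parent, child = e.parent_image.lower(), e.image.lower()
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append(("office_spawns_script_host", e.pid))
        if child == "rundll32.exe" and ".png" in e.cmdline.lower():
            hits.append(("rundll32_loads_non_dll_name", e.pid))
        # wermgr.exe is normally launched by the Windows Error Reporting service
        # host, not by rundll32; this parent is the tell for the injection stage.
        if parent == "rundll32.exe" and child == "wermgr.exe":
            hits.append(("rundll32_spawns_wermgr", e.pid))
    return hits

def infection_chains(events):
    """Walk parent links back from each wermgr.exe; report chains rooted in Office."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if e.image.lower() != "wermgr.exe":
            continue
        path, cur = [e.image.lower()], e
        while cur.parent_pid in by_pid:
            cur = by_pid[cur.parent_pid]
            path.append(cur.image.lower())
        if path[-1] in OFFICE_APPS:
            chains.append(path[::-1])
    return chains
```

The edge rules fire on each stage independently, so a partial chain (for example, a blocked download) still produces an alert; the chain walk confirms the full lineage when all stages are present.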

TrickBot can arrive in many forms through a range of delivery methods. Threat actors will always be persistent, but when you suddenly receive an invoice in an email claiming to come from USPS, you must always ask yourself, “Did I actually order something online?” A well-conditioned user identified this email as suspicious and clicked the Cofense Reporter button for further investigation. Even though this is a relatively new TrickBot delivery method, the Cofense PDC was (and is) able to adapt and stay on top of it after it appeared in an email environment protected by a secure email gateway (SEG). In addition, the PDC provides Cofense Managed Phishing Detection and Response, allowing enterprises to benefit from our complete view of phishing threats. Contact us to learn more.

Indicators of Compromise
File Name USPS_invoice_EA19788988US.xlsm
MD5 819b1896050b11f6ffdd835f6249874e
SHA256 ce4daac8f83a34a43b75073dcb9a17806cc47a91c2f0fba1017ee636feff53a7
File Size 110080 bytes
Infection URL hXXps://www.zozter[.]com/tracking/tracking[.]php
IP Address 104[.]238[.]111[.]151
Payload URL hXXp://103[.]124[.]106[.]149/images/soccer[.]png
IP Address 103[.]124[.]106[.]149

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Cyber Gang Targets Users with Password Expiration Scam

By: Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) recently uncovered another dose of credential phishing attacks on consumers, whereby threat actors lure their victims with known social engineering tactics. Thanks to the widespread use of Microsoft Single Sign On (SSO), such as OAuth2, threat actors can use this to their advantage as a powerful means of harvesting credentials to compromise important services.

Figure 1: Email Body

The “From” address in Figure 2 uses a well-known fragrance company’s spoofed domain with an IP address of 40[.]107[.]220[.]139. Most likely for this reason, the email slipped past basic authentication checks, such as the sender policy framework (SPF). However, on further inspection, we see what is likely the actual sender’s address “Return-Path” from a compromised domain registered to a U.S. law firm, with an IP address of 10[.]217[.]135[.]43.

Attributes such as email address can be unreliable as indicators of compromise (IOCs) when creating Yara rules. Why? Because they are often quickly changed and have very brief time-to-live (TTL) periods. Strong IOCs identify repetitions and meaningful patterns, resulting in higher quality Yara rules and a lengthier period for tagging threats.

Figure 2: Header Analysis

Figure 1 shows the email body, which was found in environments protected by several secure email gateways (SEGs). We noted that the spoofed sender’s address remained static across the campaign, allowing for a high degree of signature-based detection efficacy. A bonus for defenders, this static sender address can be blocked by the endpoint detection team or even the SEG.

Threat actors sometimes use legitimate but compromised domain names to send out such phishing emails. Pivoting on the domain led us to a legitimate law firm based in the United States, whose domain was registered in February 2015.

The longer a domain has been registered, the greater the chance the domain will be recognized as non-malicious. This may be a preferable approach for the adversary versus registering a new domain for the purpose of sending out credential phishing emails. That is not to say that the characteristic of being newly registered makes a malicious domain easily identifiable. Instead, it’s a combination of suspicious attributes that raises red flags.
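The header analysis above turns on two facts: the “From” domain and the “Return-Path” domain differ, and the SPF pass applies to the envelope sender (the compromised law-firm domain), not to the displayed brand domain. The following is an added example, not Cofense's code, that makes both checks over a constructed header block whose domain names are placeholders rather than the campaign's real ones.

```python
"""Check From/Return-Path alignment and what an SPF pass actually covers.
Added example, not Cofense's code. The header block is constructed to mirror
the post (spoofed brand From, Return-Path at an unrelated domain); the domains
are placeholders, not the campaign's real ones."""
import re
from email.parser import Parser
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Return-Path: <bounce@lawfirm-example.test>
Received: from mail.lawfirm-example.test (mail.lawfirm-example.test [192.0.2.10])
 by mx.recipient.test with ESMTP; Tue, 7 Dec 2021 10:00:00 +0000
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=lawfirm-example.test
From: "Account Security" <no-reply@fragrance-brand.test>
To: user@recipient.test
Subject: Your password expires today

"""

def domain_of(addr: str) -> str:
    """Domain part of an address header value ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyze(raw: str) -> dict:
    msg = Parser().parsestr(raw, headersonly=True)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    auth = (msg.get("Authentication-Results", "") or "").lower()
    spf_pass = "spf=pass" in auth
    # SPF authenticates the envelope sender (smtp.mailfrom), which is what
    # Return-Path records; it says nothing about the displayed From domain.
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    spf_dom = m.group(1).rpartition("@")[2] if m else ""
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "spf_pass": spf_pass,
        "spf_domain": spf_dom,
        # the DMARC-style question: did the authenticated domain match From?
        "from_aligned": spf_pass and spf_dom == from_dom,
        "mismatch": bool(from_dom and rp_dom and from_dom != rp_dom),
    }

def verdict(raw: str) -> str:
    r = analyze(raw)
    if r["mismatch"] and not r["from_aligned"]:
        return "suspicious: From domain not authenticated; envelope sender differs"
    return "ok"
```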

Figure 3: Phishing Landing Page

The image in Figure 3 is what the recipient would see. It looks perfectly legitimate, with all the functionality a real Microsoft login page would have. At this stage, we can state with high confidence that the threat actor’s objective was to gain as many users’ credentials as possible in a given period of time.

Should the recipient provide their credentials, the web page would redirect seamlessly to the legitimate Microsoft login page, thereby deflecting suspicion.

How Cofense Can Help

Every day, the Cofense PDC analyzes phishing emails carrying credential phishing attacks and malware payloads that bypassed email gateways and were reported by well-conditioned users. Of the threats found, 100 percent were identified by the end user and mitigated by a human analyst. None were stopped by the endpoint detection technology.

Thanks to phishing training, users have the know-how to look out for evolving phishing attacks. Using Cofense Reporter, they can forward threats to the Cofense PDC for analysis. Cofense Triage reduces real-time exposure to threats, and combines with Cofense Vision to quarantine them.

Cofense Intelligence then protects your organization against emerging threats. Cofense Intelligence customers received additional information about this specific campaign in Active Threat Report (ATR) 222896. To learn more about what Cofense can do to protect your enterprise, contact us any time.

Indicators of Compromise

IOC IP
hXXps://ww3sXUcRltmd[.]asesiklimlendirme[.]com[.]tr/ 83[.]150[.]212[.]44
hXXps://production[.]passwordupdate00-microsoftpasswordupdate00-odragrant-tooth-3351[.]lllibby-webb6868[.]workers[.]dev 109[.]169[.]71[.]112, 104[.]21[.]75[.]60, 172[.]67[.]214[.]249
hXXps://smtpjs[.]com/v3/smtpjs.aspx


Dept. of Labor Phish Appears for the Month of December

By Alex Geoghagan, Cofense Phishing Defense Center

Impersonating a government entity is a relatively common tactic for threat actors. Through this impersonation, a threat actor seeks to gain trust or authority in an interaction with a potential victim. Recently, the Cofense Phishing Defense Center (PDC) analyzed a phishing campaign that impersonates the United States Department of Labor. In this specific campaign, the threat actor also adds a financial incentive with the lure of an “INVITATION FOR BID” from the Department of Labor.


Figure 1: Email Body

Seen in Figure 1, the threat actor was able to spoof the dol.gov “From” address to increase the level of authenticity. The email body is structured to look like an RFP for “ongoing government projects.” The recipient is prompted to open a PDF attachment for information and directions for the bid invitation. A recipient who opens the attachment without realizing that this is not a legitimate government communication is presented with a PDF document that contains a link to the phishing website.


Figure 2: PDF Attachment

The PDF, shown in Figure 2, is carefully crafted to lend credence to the scam, as well as to apply pressure with time sensitivity by reminding the recipient of a “10:00 A.M.” deadline. It contains a list of instructions for filling out information that will allegedly be used to apply for the bid; however, this is simply done to make the phish appear more legitimate. The “BID” button contained within the PDF is the true goal of the threat actor, as clicking on it directs the recipient to a fraudulent Department of Labor site.


Figure 3: Phishing Page

The fraudulent page, Figure 3, is almost a 1:1 copy of the legitimate Department of Labor website at dol.gov. Even the domain, openbid-dolgov[.]us, was crafted by the threat actor to be believable to the untrained eye. Upon reaching this page there is a small popup that reiterates the instructions contained in the PDF. This page also contains a “Click here to bid” button that takes the recipient to the phishing page requesting their credentials, as seen in Figure 4.

Figure 4: Phishing Page

Oddly enough, the threat actor specifically asks for either the recipient's Microsoft Office 365 credentials OR their business email credentials (widening the net to collect anything the user might be willing to divulge). Once the credentials are submitted, the user is redirected to practically the same page, but it asks the user to solve a captcha instead of signing in. An interesting note added to the page reassures the recipient that their data will be cleared within five minutes, most likely mimicking the legitimate bidding site.
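The lookalike domain above (openbid-dolgov[.]us for dol.gov) and the workers.dev host in the password-expiration campaign's IOCs (which embeds “microsoft” in a subdomain label) share one trait: the impersonated brand's name is run into a hostname the brand does not own. The following is an added example, not Cofense's code, that refangs the post's IOC notation and flags that pattern; its tiny suffix table is an assumption standing in for the real Public Suffix List.

```python
"""Flag hostnames that embed an impersonated brand domain, as openbid-dolgov[.]us
does for dol.gov and the workers.dev IOC host does for microsoft.com. Added
example, not Cofense's code; EXTRA_SUFFIXES is an assumption standing in for
the real Public Suffix List."""
import re

# Assumption: a tiny stand-in for the Public Suffix List, enough for the samples.
EXTRA_SUFFIXES = {"workers.dev", "com.tr", "co.nz"}

def refang(ioc: str) -> str:
    """Turn the post's defanged notation (hXXps://, [.]) back into a bare host."""
    ioc = re.sub(r"^h[xX]{2}ps?://", "", ioc.strip())
    return ioc.replace("[.]", ".").split("/")[0].lower()

def registrable(host: str) -> str:
    """Registrable domain: one label above the (known) public suffix."""
    labels = host.split(".")
    depth = 3 if ".".join(labels[-2:]) in EXTRA_SUFFIXES else 2
    return ".".join(labels[-depth:])

def brand_tokens(brand: str) -> list:
    """'dol.gov' -> ['dolgov']; 'microsoft.com' -> ['microsoftcom', 'microsoft'].
    The bare first label is only used when long enough to be distinctive."""
    first = brand.split(".")[0]
    toks = [brand.replace(".", "")]
    if len(first) >= 6:
        toks.append(first)
    return toks

def squash(s: str) -> str:
    """Drop separators so 'open-bid.dol-gov' and 'openbiddolgov' compare equal."""
    return s.replace(".", "").replace("-", "")

def embeds_brand(ioc: str, brand: str) -> dict:
    """Report whether the host impersonates brand and in which part of the name.
    A host equal to, or a subdomain of, brand is legitimate and never flagged."""
    host = refang(ioc)
    if host == brand or host.endswith("." + brand):
        return {"host": host, "flag": False, "where": None}
    reg = registrable(host)
    for tok in brand_tokens(brand):
        if tok in squash(reg):
            return {"host": host, "flag": True, "where": "registrable"}
        if tok in squash(host):
            return {"host": host, "flag": True, "where": "subdomain"}
    return {"host": host, "flag": False, "where": None}
```

Note the limitation the ASB case below illustrates: a phishing host such as cleusbmontreal[.]ca embeds no brand token at all, so this check complements, rather than replaces, the sender and link checks described in the other posts.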

A communication appearing to come from a government source may also be seen as more official, especially if the attacker is able to spoof a .gov email address. With how carefully crafted it is, this phish can pose a threat to any email environment, even ones protected by a secure email gateway (SEG). With the help of watchful users reporting suspicious email, analysts at the PDC can quickly identify threats like this one, and enterprises can benefit from our entire view of the threat. Reach out to us to learn how we can help you.

Indicators of Compromise
IOC IP
hXXps://openbid-dolgov[.]us 199[.]231[.]162[.]106


Phishing Campaign Leverages Covid-Induced Adjustments to Banking Practices

By Abhiram Jayakumar, Cofense Phishing Defense Center

For many months now, covid-themed phishing emails have convinced users to give up valuable credentials. Phish impersonating major banking firms have been around for quite some time, but they are always evolving. The Cofense Phishing Defense Center (PDC) has observed a recent phishing campaign focused on harvesting credentials for New Zealand’s ASB bank via covid-themed lures. The pandemic is affecting the lives of everyone in the world, and threat actors are attempting to hook their targets by relying on changes in banking practices related to the pandemic.


Figure 1: Email Body

Seen in Figure 1, the first flaw evident in this phish is that the email is obviously not from an official ASB address. The body of the email seems somewhat legitimate at first glance, with a convincing email signature and an apparent reference ID. The most telling sign that this email is a phish is the oddly formatted link within the body. The email prompts the user to click the URL so they can update the so-called covid “Code of Banking Practices.” Hovering over the link reveals the embedded malicious URL with the domain cleusbmontreal[.]ca.


Figure 2: Phishing Page

Upon clicking the link, the user is directed to the webpage in Figure 2. It’s a near-exact replica of the legitimate ASB login page. All the icons, with the exception of the login button, redirect to legitimate ASB webpages. This is a simple – but often effective – trick implemented by the threat actor.


Figure 3: OTP Page

Once the login button is clicked, the target is taken to the page shown in Figure 3, where they are prompted for a one-time password (OTP). The threat actor may have tools that use the harvested credentials automatically in real time; in that case, the OTP the user receives may have been triggered by the attacker’s tools initiating a legitimate transaction with the credentials just captured on the malicious webpage. Once the target provides their credentials and OTP, they are redirected to the authentic ASB home page.

This is another example of attackers leveraging covid and a well-designed phishing page to launch a dangerous campaign, one that found its way into inboxes under SEG (secure email gateway) protection. Cofense, and well-conditioned users, contained what standard security controls couldn’t. Contact us to learn how we can help to better protect your organization.

Indicators of Compromise
IOC IP
hxxps://cleusbmontreal[.]ca 104[.]21[.]46[.]246
hxxps://conz-aso-7725[.]heavy[.]jp 118[.]27[.]125[.]223
hxxps://photos[.]azyya[.]com/.co.nz/.respond[.]abs[.]co[.]nz-NZ70194135/auth[.]php 95[.]216[.]33[.]120
