Domain Fronting, Phishing Attacks, and What CISOs Need to Know

CISO Summary

Cofense Intelligence™ is seeing continued use of a cyber-attack technique known as domain fronting. It’s yet another way hackers conceal their malicious activity, in this case using work-arounds to evade security controls and gain access to command-and-control (C2) infrastructure (scroll down for a technical explanation).

Cozy Bear, the Russian threat actors, used similar tactics when they hacked the Democratic National Committee in 2016. Today, businesses are dealing with phishing and malware attacks that domain fronting enables.

While Google and Amazon have taken measures in their CDNs to curtail this trend, we have seen an uptick in C2 infrastructure hosted in Cloudflare CDNs (figures 2-4 below). Last month, Cofense Intelligence reported that Cloudflare domains were being abused by threat actors to launch malware attacks on finance departments.

Why is this a problem?

If part of your cyber defense strategy is using a web gateway to prevent employees from visiting non-categorized sites, or blocking based on a threat intelligence feed of known C2 hosts, you can’t practically block access to a CDN without disrupting Internet-reliant business processes.

CISOs should make sure their SOCs are aware of the problem when reviewing suspicious emails reported by employees. While we wait for traditional cyber perimeter controls to catch up to this threat, a phishing training and reporting program (see Cofense PhishMe™ and Cofense Reporter™), plus a phishing-specific response capability (see Cofense Triage™ and Cofense Vision™), is the last line of defense.

Full Details

Malware operators continue to use domain fronting to bypass security measures and reach their command and control (C2) infrastructure hosted on content delivery networks (CDNs). This C2 communication technique is difficult to defend against because of the large overhead required and the strong reliance on CDNs. Certain CDN providers have recently changed their network schemes and policies in response to this threat; however, domain fronting is still possible through some of the smaller CDN hosts.

Domain fronting is the exploitation of an encrypted connection to a CDN to gather web resources otherwise blocked by network security measures.

  • First, the client initiates a connection to a legitimate domain (the front domain) via HTTP.
  • Second, the originating connection request is read in the clear and is inspected by network security measures.
  • Third, an HTTPS connection is created when the connection is encrypted with an SSL layer, allowing the contents of the traffic to bypass inspection.
  • Finally, the HTTP Host header is read by the server to determine which resources are requested.

The HTTP host header, for this technique, is manipulated to gather resources from a nefarious site on the same CDN. The connection to the manipulated HTTP host header inside the encrypted traffic bypasses network security measures that don’t decrypt the traffic.

For domain fronting to work, the nefarious site and the legitimate site must both be hosted by the same CDN. Pulling resources from another site works because the CDN’s internal network routes requests to any part of its hosting environment. This technique is also used with The Onion Router (Tor) bridge nodes and the meek protocol. The Russian hacker group that breached the Democratic National Committee in 2016, APT29, also known as Cozy Bear, used the Tor meek protocol for its C2 infrastructure communication. Figure 1 gives an overview of this technique.

Figure 1 Technique of domain fronting to bypass inspection.

Google and Amazon CDNs mitigated this technique by preventing any routing from one owner’s site to another. This is done by matching the HTTP host header with the original server name indication (SNI) request, implemented in late April and early May 2018. Since then, Cofense Intelligence has seen an increase in the number of phishing campaigns delivering malware in which the C2 was hosted by Cloudflare.

Figure 2 shows the contrast in Cloudflare C2 seen used by malware before and after May 2018, when Google and Amazon imposed barriers to such activity on their CDNs.

Figure 2 Analyzed C2’s hosted on Cloudflare before and after May 2018.

Figure 3 shows the breakdown of malware families that have used Cloudflare for C2 infrastructure after May of this year.

Figure 3 Malware families utilizing C2’s hosted by Cloudflare since May 2018.

Figure 4 shows the number of different hosts hosted by Cloudflare to which each malware family connects.

Figure 4 Number of C2’s hosted by Cloudflare for each malware family.

Domain fronting has been used by hacktivists and threat actors like APT29 to conceal their malicious activity. CDNs are starting to take the necessary steps to mitigate domain fronting by negating routing from one owner’s site to another, but this ability still persists because it allows for routing to take place among a single owner’s sites.

Defending against this type of communication is a heavy lift for the information technology team. Stopping a malicious email campaign within the email security stack before it reaches the end user’s inbox, and training users to identify phish that do reach their inboxes, are key to mitigating evasive exfiltration techniques like domain fronting.

Learn more about how Cofense stops active phishing threats.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Bah HumBUG: 5 Recent Holiday Phishing Samples You Need to Watch Out For

Along with more online shopping, correspondence, and travel, the holiday season sees an increase in phishing operators eager to capitalize on a more-active attack surface. With Thanksgiving tomorrow, Cofense Intelligence and the Cofense Phishing Defense Center have seen a bombardment of Thanksgiving-themed phishing lures this week. Threat actors use this inundation of emails to their advantage—hoping to trick anyone looking for a good deal or eager to partake in the season’s merriment.

Phishing Emails with .COM Extensions Are Hitting Finance Departments

Cofense Intelligence™ has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in all nine months preceding. Four different malware families were utilized.

The .com file extension is used for files containing raw executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards-compatibility reasons. The same .com-style byte code is also present in the DOS stub of every PE32 binary (.exe, .dll, .scr, etc.). The subject lines and email contents of the phishing emails (Figure 1) suggest that the threat actor is targeting financial service departments. The .iso file attachment mentioned in the email contents is an archive containing a .com executable [1].
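As an added attachment-triage example (not Cofense’s code), the check below flags .com and .iso attachments and, for a .com file, tells whether the bytes are a PE32 image (MZ header plus a PE signature at e_lfanew) renamed to .com or a raw DOS .com image. The sample attachments, including the minimal MZ/PE header, are constructed here and are not real binaries.

```python
"""Triage helper for .com attachments seen in phishing campaigns.

Added example, not Cofense's code. Sample attachments are constructed
inline; the fake PE header is only enough to exercise the parser.
"""
import struct

def is_pe_image(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(filename: str, data: bytes) -> str:
    """Label an attachment by extension and, for .com, by its actual format."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == ".com":
        if is_pe_image(data):
            return "pe32-renamed-as-com"   # full PE32 binary using the .com extension
        return "dos-com-image"            # headerless 16-bit code, still runnable on Windows
    if ext == ".iso":
        return "iso-container"            # may wrap a .com, as in the campaign above
    return "other"

def build_fake_pe() -> bytes:
    """Construct a minimal MZ/PE header for testing (not a working binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    hdr += b"PE\0\0" + b"\0" * 20            # PE signature, then padding
    return bytes(hdr)

def triage(attachments):
    """attachments: list of (filename, bytes). Returns only items needing review."""
    result = {}
    for name, data in attachments:
        label = classify(name, data)
        if label != "other":
            result[name] = label
    return result

# Constructed sample attachments; the first filename is the one cited in the footnote
SAMPLE = [
    ("overdue payment.com", build_fake_pe()),
    ("notes.txt", b"hello"),
    ("tiny.com", b"\xb4\x4c\xcd\x21"),   # DOS: mov ah,4Ch ; int 21h (just exits)
]

if __name__ == "__main__":
    for name, label in triage(SAMPLE).items():
        print(f"{name}: {label}")
```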

Figure 1: Email Content Suggests Targeting of Financial Services Department

If you’re a Cofense PhishMe™ customer, you can use this same lure in your phishing simulations. Look for the template we’ve created, “Overdue Invoice – LokiBot.” It conditions employees to report phishes trying to deliver the Loki Bot information stealer malware. (More on Loki Bot and other malware below).

The two most popular subject line themes we’re seeing use the lures “payment” and “purchase order.” Threat actors are likely carrying out these campaigns to target employees with financial information stored on their local machines, which explains the use of information-stealing malware as the campaigns’ payloads.

Figure 2: Subject Line Categories used in .COM Campaigns

Our analyses showed that the email subject lines were specific to the malware payloads they delivered. For example, the “payment” subject-emails delivered more AZORult information stealer, while the “purchase order” subject-emails most often delivered the Loki Bot information stealer and the Hawkeye keylogger. It is possible that different actors are distributing the unique malware families via .com files. Or, perhaps the same group is responsible and assesses which lures are most appropriate for different malware and the information they target.

Most commonly, .com payloads are directly attached to a phishing email without any intermediary delivery mechanism. However, some campaigns did include an attachment that contained such an intermediary dropper: often the attachment was weaponized to exploit a CVE or a malicious macro, which would deploy a .com payload onto the endpoint. As network defenders become increasingly aware of this direct-attachment delivery, Cofense Intelligence expects to see an increase in intermediary delivery of malicious .com files, wherein a “dropper” attachment will arrive with the phish and subsequently load the weaponized .com file onto the end point.

Figure 3: Malware Families Delivered using .com Extensions.

Loki Bot, AZORult and Hawkeye made up the vast majority of malware delivered in the campaigns we analyzed, whereas Pony accounted for a very small percentage. The combination section refers to an attachment that exploits a vulnerability within a document to deploy a .com payload on the endpoint, as mentioned above.

The malware families delivered with the .com extension also revealed a trend with their Command and Control (C2) communication. The samples of .com binaries that delivered AZORult communicated exclusively with domains hosted by Cloudflare. Cloudflare was also the predominant host for Loki Bot with over 75% of its C2 domains hosted with that service. It is likely that Cloudflare is not hosting the actual C2, but in fact being used as a domain front. “Domain fronting” is a technique that allows for the connection to appear to go to one domain when it is actually going to another. This is achieved by connecting securely to one domain and then passing in the target domain via the HTTP host header value. By using Cloudflare, which is typically trusted by most organizations, the attackers are able to circumvent blocks that might be put in place. Cloudflare recently changed its policies to disallow its use for malicious hosting, yet the service has continued to be used by attackers for malicious redirection.
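One defender-side check that applies the SNI-to-Host matching described in the domain fronting post above, and the technique restated in this paragraph, added here as an example (not Cofense’s code): given connection records from a TLS-inspecting proxy, it flags requests whose Host header names a different owner than the TLS SNI. The proxy log format, all host names and the same-owner heuristic are constructed assumptions.

```python
"""Flag proxy records whose TLS SNI and HTTP Host header disagree.

Added example, not Cofense's code. Assumes a TLS-inspecting proxy that
logs, per connection, the SNI from the ClientHello (seen in the clear)
and the Host header seen inside the decrypted stream. The log layout
and every host name below are constructed for illustration.
"""
from dataclasses import dataclass

@dataclass
class ConnRecord:
    src_ip: str
    sni: str     # server name from the TLS ClientHello
    host: str    # Host header inside the encrypted HTTP request
    dst_ip: str

# Constructed sample log lines: src_ip sni host dst_ip
SAMPLE_LOG = """\
10.0.0.5 cdn.example-front.net cdn.example-front.net 203.0.113.10
10.0.0.7 cdn.example-front.net hidden-c2.example 203.0.113.10
10.0.0.9 www.example.org static.example.org 203.0.113.22
10.0.0.9 www.example.org www.example.org:443 203.0.113.22
"""

def parse_log(text: str):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sni, host, dst = line.split()
        records.append(ConnRecord(src, sni, host, dst))
    return records

def registrable_domain(name: str) -> str:
    """Crude 'same owner' heuristic: the last two labels of the host name.
    A production check would consult the Public Suffix List instead."""
    name = name.lower().rstrip(".").split(":")[0]   # also drop an explicit port
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name

def is_fronted(rec: ConnRecord) -> bool:
    """True when the Host header names a different owner than the SNI.
    Mirrors the SNI/Host matching Google and Amazon CDNs apply; a mismatch
    between two names of the same owner (www vs static) is tolerated."""
    return registrable_domain(rec.sni) != registrable_domain(rec.host)

def find_fronting(text: str):
    """Return the records in a proxy log that look like domain fronting."""
    return [r for r in parse_log(text) if is_fronted(r)]

if __name__ == "__main__":
    for r in find_fronting(SAMPLE_LOG):
        print(f"{r.src_ip}: SNI={r.sni} Host={r.host} -> review")
```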

Figure 4 below shows the C2’s for Loki Bot, AZORult, and Pony that were hosted on Cloudflare compared to every other domain hosting service provider. Hawkeye keylogger stood apart in communicating with unique email domains.

Cofense Intelligence estimates that we’ll see an increased adoption of malware using the .com extension. Similar campaigns will likely expand to other industries that have monetizable data, like the healthcare and telecommunication sectors. An increased use of the .com extensions can be harmful to enterprise networks if organizations are not prepared for it, and once they are, another file extension will surge in popularity in a constant effort to stay ahead of the defense.

To stay ahead of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.

[1] Filename: overdue payment.com, MD5 hash: 8e6f9c6a1bde78b5053ccab208fae8fd


Staying King Krab: GandCrab Malware Keeps a Step Ahead of Network Defenses

GandCrab ransomware is being rapidly developed to evade the cyber security community’s defense efforts, aid proliferation, and secure revenue for those driving the malware. Cofense Intelligence™ has identified a new campaign that is delivering GandCrab version 4.4, the newest iteration of this prolific ransomware. The developers of GandCrab are aware of the research analysis done on its past versions, and release new versions rapidly to negate the solutions. These malicious developers also release versions in direct correlation to specific security companies’ findings. In the last two months, the authors of GandCrab have released version 4, and subsequent 4.x releases to improve the ransomware’s capabilities.

The email-borne campaign bearing GandCrab v4.4 (analyzed by Cofense Intelligence) did not follow the usual trends of being delivered via Microsoft Office Macro attachment. The lures employed during these previous campaigns were typically enticing recipients to download an infected resume or subpoena. The emails were written in German and had an attached .zip archive that contained an executable sample of GandCrab v4.4. The email body follows previous campaign narratives and is depicted in Figures 1 & 2.

Figure 1: The email body written in German.

Figure 2: The email body translated to English.

Once executed, the GandCrab sample will then collect information about the machine and determine if it is a viable candidate for encryption. If the machine has been deemed acceptable, files that meet specific criteria are then encrypted. After encryption, GandCrab then drops the ransom note in each directory via a .txt file. Figure 3 is a ransom note example.

Figure 3: A GandCrab ransom note example.

The fourth version of GandCrab was released in July, only six months after the first sighting of GandCrab in the wild. This latest version is a drastic change from its predecessors. Focusing on speed of encryption, this version switches from using RSA-2048 to the Salsa20 encryption algorithm. Prior to the fourth version of GandCrab, the sample would need to successfully check in with its Command and Control (C2) structure before beginning the encryption process. Figure 4 documents strings found in GandCrab referencing the developer of the Salsa20 algorithm.

Figure 4: The creator of Salsa20 algorithm is shown in the memory strings.

Versions 4 and 4.1 saw the introduction of a mechanism designed to prevent GandCrab running on undesirable machines. These specific versions would create a .lock file, named with a hex string derived from specific information present on the machine, and place it in the C:\ProgramData directory. The binary would query for that .lock file and, if it found one, terminate itself without encrypting the endpoint. Another GandCrab kill-switch is triggered when the sample looks at the language packs installed on the machine. If GandCrab finds a Russian language pack or former Soviet Union language packs, it will terminate itself without encrypting the endpoint.

Another upgrade that came with versions 4 and 4.1 was the ability to encrypt file shares and attached devices. This is done through interaction with the System Volume Manager to detect these resources. This is a big update in weaponry because it gives this ransomware the ability to engulf a network with encrypted files. This version’s ability to encrypt file shares puts a greater emphasis on the mitigation and response techniques needed within a network. Encrypted files are given the new extension .KRAB, and the ransom note is renamed KRAB-DECRYPT.txt. Figure 5 shows the encrypted file system, as well as the ransom note placed on the Desktop.

Figure 5: The GandCrab ransom note placement and the .KRAB extensions.

GandCrab v4.1 had also shown new network traffic not previously seen with the older versions. This version will use a custom Domain Generation Algorithm (DGA) to create URLs and POST the information collected from the machine to the DGA created URL. These POSTs are not to a GandCrab C2 infrastructure, rather they are legitimate domains. However, some researchers have theorized that these POSTs might be the Proof-of-Concept (PoC) for a future feature yet to be fully utilized. Other researchers believe that these POSTs are meant to fill the network with false positive C2s. Figure 6 shows the multiple POSTs to DGA created URLs.

Figure 6: The network POSTs to the DGA created URLs.

Version 4.1.2 was created out of necessity because of the work done by AhnLab, Inc. and their vaccine software. AhnLab found that the .lock file could be impersonated and placed on the machine beforehand. By doing this, the GandCrab sample would find the .lock file and terminate itself, thus preventing it from successfully encrypting the machine. The vaccine provided by AhnLab was negated within four days by the ransomware developers by utilizing the Salsa20 encryption algorithm to create the .lock file. Less than one day later, AhnLab provided v2.0 of the vaccine. Two days later, a new variant of GandCrab was spotted which checked for a mutex instead. GandCrab v4.1.2 also added anti-sandbox techniques, such as checking the allocated memory and registry for indicators of a virtual environment.

The updated version 4.1.2 became the basis for v4.2+ and brought about a PoC weapon aimed at AhnLab. This PoC is source code that claims it can cause a Denial of Service (DoS) attack on the AhnLab anti-virus solution used on endpoints. The PoC claims that this can cause a Blue Screen of Death (BSOD) on the targeted system. GandCrab’s anti-sandbox techniques, as discussed above, were also removed in v4.2.1. Figure 7 shows the link to the PoC within the running memory.

Figure 7: The BSOD PoC link in the memory strings.

Version 4.3 was simply a re-compile and re-organization of the code as well as adding anti-disassembly techniques. Version 4.4, the latest version, was built upon previous versions with a few new features of its own. The latest version comes with a stealth mode which, when enabled, queries the information gathered. It then determines if any processes on the endpoint need to be terminated before GandCrab starts its infection. Most of the processes targeted for termination are anti-virus products and those which may hold handles to important files (such as database files) which GandCrab intends to encrypt. This allows for the sample to have a non-disruptive and stealth-like file encryption process. The latest version also comes with a self-kill switch. This version can create the .lock file and place it in the %ProgramData% directory before infection as a nod to AhnLab’s vaccine. If the .lock file is found, the sample then sleeps in the background indefinitely. Figure 8 shows the stealth mode strings in memory.

Figure 8: Stealth mode in the memory strings.

What You Can Do

As with any ransomware, especially GandCrab v4.4, you need to have the proper mitigation in place in case an endpoint on the network becomes encrypted. Proper mitigation involves having up-to-date software from the manufacturer; network segmentation from resources that are considered critical; re-occurring and tested backups of all business-critical data; an email security stack that can sanitize emails as they arrive to the end user; and a response plan that has been practiced and refined. Having these things in place can help you withstand a ransomware incident.

GandCrab blasted onto the scene in early 2018, and since then has made great strides in staying relevant in the shifting landscape. The latest rendition employs tactics, like offline encryption, that had not yet been seen by prior iterations. GandCrab v4 has been able to change and adapt to the mitigation tactics of the cyber security community within the span of two months. The developers of GandCrab have been able to quickly evolve their malware based on anti-virus research analysis, which allows for more effective and lasting infections for the ransomware operators. This rapid development cycle of ransomware is a new trend that could likely lead to more malware developers taking research analysis as constructive criticism, then making their samples more robust in the future.

To stay abreast of developments in malware and phishing attacks, sign up for free Cofense Threat Alerts.


AZORult Malware Finds a New Ride with Recent Stealer Phishing Campaign

Cofense Intelligence™ has uncovered a recent AZORult stealer phishing campaign that delivers the malware via malicious attachments. Older versions of AZORult stealer have been delivered via intermediary loaders, typically Seamless or Rammnit malware. In this latest campaign, the attached documents use multiple techniques to download and execute an AZORult sample, indicating a shift by the threat actors behind the campaign to adopt more evasive delivery techniques.