IRS Phishing Email – Up and Coming Phishing Campaign Is Taxing to Users

By Ashley Tran, Cofense Phishing Defense Center 

With U.S. tax season upon us, it’s time to remind users to watch for emails hitting their inboxes that claim to relate to tax documents. Threat actors tune their lures to the season. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that steals Microsoft credentials by posing as a file share from the U.S. Internal Revenue Service.

Figure 1 Email Body 

To begin with, the subject of the phishing email, “Y20 Reimbursement from IRS,” is topical given the current tax year, and is sure to draw attention. 

For this attack, the threat actor has spoofed both the sender address and the sender name. The email appears to come from a government domain, and the “from” name is that of an actual IRS tax representative. Should a recipient attempt to verify the sender’s identity, they’ll find a corresponding LinkedIn profile, which only lends the lure more credibility. 

The email body, seen in Figure 1, is similar to other document-sharing notifications. It particularly resembles DocuSign, with its blue background and yellow “Review Document” button.  

Redirect links like the one below have become increasingly common in such phishing campaigns. Hovering over the “Review Document” button reveals that the real destination is embedded inside a third-party link-tracking redirect: 

hXXps://t[.]yesware[.]com/tt/54912e30621e9039398d9d491631724ad94e5bcb/9308138a9b8ab6ba555023132ac7eee6/e580d1654666d58406f070acdce3bbb7/internal-revenue-service.quip.com/9IvtAsTmnGGb/Internal-Revenue-Service-2020-Reimbursement 

The final URL users are redirected to when they click the button is: hXXps://quip[.]com/9IvtAsTmnGGb
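Both redirect shapes that appear on this page, a destination buried in the path of a tracking link (the t[.]yesware[.]com link above) and a destination handed to an open redirector as a `?url=` parameter (the epanorama[.]net counter.php link in the next post’s IOC list), can be unwrapped statically, without following anything over the network. The Python below is an added example and not Cofense code. It uses the defanged IOCs from this page as sample input and re-fangs them only so that urllib can parse them. Its assumptions are the hostname heuristic for path segments (with a file-extension exclusion so that `counter.php` is not mistaken for a host), and a two-label approximation of the registered domain in place of the public suffix list. Static unwrapping shows where a link says it goes; the PDC reports the actual landing page as quip[.]com/9IvtAsTmnGGb, so the live HTTP chain should still be confirmed in a sandbox.

```python
"""Unwrap redirect and tracking links to find the destination they carry.

Added example, not Cofense code. Two shapes are handled:
  * destination embedded in the path of a tracking link (the t.yesware.com link)
  * destination passed as a query parameter to an open redirector (?url=https://...)
The sample inputs are the defanged IOCs from this page; they are re-fanged here only
so that urllib can parse them. Assumptions: the hostname heuristic for path segments,
the file-extension exclusion, and the two-label approximation of a registered domain.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Defanged IOCs quoted from this page, used as sample input.
YESWARE_LINK = (
    "hXXps://t[.]yesware[.]com/tt/54912e30621e9039398d9d491631724ad94e5bcb/"
    "9308138a9b8ab6ba555023132ac7eee6/e580d1654666d58406f070acdce3bbb7/"
    "internal-revenue-service.quip.com/9IvtAsTmnGGb/Internal-Revenue-Service-2020-Reimbursement"
)
OPEN_REDIRECT = (
    "hXXps://www[.]epanorama[.]net/counter[.]php"
    "?url=hxxps://account-weboffice365config[.]firebaseapp[.]com/"
)

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# Path segments ending in these look like hostnames to HOST_RE but are files (assumption).
FILE_EXT = {"php", "html", "htm", "asp", "aspx", "jsp", "js", "css", "png", "jpg", "gif", "pdf"}


def refang(ioc: str) -> str:
    """Turn hXXps://t[.]yesware[.]com back into https://t.yesware.com (whole string, so nested URLs too)."""
    return re.sub(r"hxxp", "http", ioc, flags=re.I).replace("[.]", ".")


def looks_like_host(segment: str) -> bool:
    return bool(HOST_RE.match(segment)) and segment.rsplit(".", 1)[-1].lower() not in FILE_EXT


def embedded_targets(url: str) -> list[str]:
    """Destinations carried by one redirect URL: query-parameter URLs first, then a smuggled path host."""
    parts = urlsplit(url)
    found: list[str] = []
    # Open-redirect style: any parameter whose value is itself an absolute URL.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)
        if re.match(r"^https?://", value, re.I):
            found.append(value)
    # Tracking-link style: a hostname appearing as a path segment, followed by the rest of the path.
    segments = [unquote(s) for s in parts.path.split("/") if s]
    for i, seg in enumerate(segments):
        if looks_like_host(seg) and seg.lower() != parts.hostname:
            found.append("https://" + "/".join(segments[i:]))
            break
    return found


def unwrap_chain(ioc: str, max_hops: int = 5) -> list[str]:
    """Follow embedded destinations recursively, offline: [outer link, ..., innermost destination]."""
    chain = [refang(ioc)]
    while len(chain) <= max_hops:
        inner = embedded_targets(chain[-1])
        if not inner:
            break
        chain.append(inner[0])
    return chain


def registered_domain(url: str) -> str:
    """Last two labels of the host; a real deployment should use the public suffix list (assumption)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def hop_domains(ioc: str) -> list[str]:
    """Registered domain at each hop, which is what to compare against the brand the email claims."""
    return [registered_domain(u) for u in unwrap_chain(ioc)]


if __name__ == "__main__":
    for link in (YESWARE_LINK, OPEN_REDIRECT):
        print(" -> ".join(unwrap_chain(link)))
        print("   domains:", hop_domains(link))
```

For the IRS lure, `hop_domains` yields yesware.com followed by quip.com: the tracking service is the only thing the user sees on hover, and neither domain has anything to do with the IRS or DocuSign, which is the check a triage analyst wants to make before anyone clicks.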

The corresponding page for this URL is shown in Figure 2. 

Figure 2: Secondary Lure Page 

For this attack, the threat actor has utilized Quip[.]com’s collaborative document feature to host a document with the title “Internal Revenue Service (2020 Reimbursement)” directing the recipient to click. It includes the readily recognizable IRS logo. 

Upon clicking the link to “Claim 2020 Reimbursement,” users are redirected to the start of a Microsoft phish seen in Figures 3-4. 

Figures 3-4: Phishing Page 

Figure 3 shows the first step of the attack, which imitates a typical Microsoft SharePoint page that verifies a user’s identity before granting access to a document shared only with them. On this page, users are prompted for their email address and then redirected to the final step of the attack. 

Figure 4, the last stop in the attack, shows a generic Microsoft login page prompting for the user’s password; the email address provided from the previous step appears in the login box above it.

After entering their password, users are prompted to re-enter it, another common tactic threat actors use to obtain an additional password. Users are then redirected to a legitimate Microsoft Office error page, as seen in Figure 5. This is also a tactic commonly used by threat actors to ward off suspicion and distract users from the credential harvesting.  

Figure 5: Error Page 

Indicators of Compromise 

Network IOC   IP 
hXXps://t[.]yesware[.]com/tt/54912e30621e9039398d9d491631724ad94e5bcb/9308138a9b8ab6ba555023132ac7eee6/e580d1654666d58406f070acdce3bbb7/internal-revenue-service.quip.com/9IvtAsTmnGGb/Internal-Revenue-Service-2020-Reimbursement   35[.]239[.]71[.]225 
hXXps://quip[.]com/9IvtAsTmnGGb   50[.]112[.]33[.]205 
hXXps://basecet[.]com/w3ffvs/0q23he4/nriaokghnry1ky1p8r7uu0d5.php   162[.]0[.]232[.]161 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.  

Telegram Utilized for Harvesting Credentials

By Jake Longden, Cofense Phishing Defense Center

Telegram is a popular messaging app. Its encrypted messages and optional self-destructing messages are attractive to legitimate users looking for more privacy and protection than standard or legacy messaging options. The same properties, however, appeal to threat actors with illegitimate purposes.  

In addition to the standard messaging application, Telegram offers an API that lets users build programs which send and receive Telegram messages as their interface. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that delivers harvested credentials to the threat actor by posting them through the Telegram API. 

Figure 1: Email Header 

To add authenticity, the threat actors have spoofed the sender so that the email appears to come from an internal address (support@internal.com). However, the actual sending address is an external one (support@industrydrill.com). 

This, combined with the subject line and the heading of the email body, creates a sense of urgency and importance designed to capture the user’s interest.

Figure 2: Email Body 

The user is presented with a notice advising that they have messages to review. The bold and large title attracts attention, and is followed by further information to clarify the purpose of the email. Then there’s a button for the user to click to “Release All” the blocked emails to their inbox.  

This follows the common style of digest emails sent by secure email gateways (SEGs) when they have blocked an email from reaching the user’s mailbox. Such digests let users review the blocking decision and release the email to their inbox if it was held wrongly. Here, the threat actor has added the recipient’s email address to the body to provide a personal touch.  

In taking this approach, the threat actor combines methods seen in multiple phishing campaigns: gaining the user’s trust by spoofing an internal source, then dulling the user’s critical analysis with urgency and familiarity.

Examining the URL behind the button, we see that the recipient’s email address has been encoded into it so that the phishing page can prefill data when it loads.  

Figure 3: Phishing Page 

Once the button is clicked, the user is redirected to a page that appears to be a webmail login page. The page has pulled the email address from the initial URL and placed it both at the top of the page and in the email address field of the login form. The base domain of the user’s address has also been highlighted in bold above the login fields, in the account webmail header. This construction makes the page look more legitimate and relevant to the user. The URL of the page, however, gives it away: the page is hosted on firebaseapp[.]com rather than on the user’s own domain, and, in an attempt to make that URL look legitimate, the subdomain contains both “account-web” and “office365,” two common names for login pages.  

Once the password has been entered and the Continue button clicked, the credentials are posted to the Telegram API. The user is then shown a message stating that their account has been updated successfully. Finally, the page extracts the domain from the email address and redirects the user to that website. In this way, the threat actor further heads off suspicion.  

Figure 4: Final Message 

Preventing users from posting credentials to an unauthorized web page is normally simple: once the malicious domain has been identified, it can be blocked. By exfiltrating through the Telegram API, however, the threat actor sidesteps the usual takedown. The harvested credentials never sit on the phishing host, so removing the page does not remove them, and the actor can view and retrieve them at their convenience in a Telegram chat they control. Blocking the phishing domain after the fact does not undo that exposure either; credentials entered before the block should be treated as compromised and reset. 
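The IOC list places the kit on firebaseapp[.]com static hosting, so the post to Telegram almost certainly happens from the victim’s browser rather than from a server (an inference, not something the post states). That means the exfiltration request leaves the corporate network from the victim’s own workstation, and every Telegram Bot API call carries the bot token in its URL path (`https://api.telegram.org/bot<bot id>:<secret>/<method>`), which makes the traffic easy to pick out of egress proxy logs even when the phishing domain itself was never blocked. The Python below is an added example, not Cofense code. The log format, the sample lines, the token values, the allow-listed integration host and the `?e=` parameter carrying the email address are all constructed assumptions; the Bot API URL shape and the `<bot id>:<secret>` token shape are real.

```python
"""Find credential exfiltration to the Telegram Bot API in egress proxy logs.

Added example, not Cofense code. Every Bot API call has the form
    https://api.telegram.org/bot<bot id>:<secret>/<apiMethod>
so the token sits in the URL path of each request. Log format, sample lines, the
tokens, the allow-listed host and the phishing URL's ?e= parameter are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

BOT_CALL = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<api_method>[A-Za-z]+)$")
PHISH_HOSTS = {"account-weboffice365config.firebaseapp.com"}  # from the IOC list on this page
ALLOWED_BOT_CLIENTS = {"10.20.30.7"}  # assumption: an approved integration host that legitimately runs a bot

# Constructed proxy log: "<ISO timestamp> <client ip> <method> <url> <status>". Tokens are not real.
SAMPLE_LOG = """\
2021-02-18T14:01:58Z 10.20.30.41 GET https://account-weboffice365config.firebaseapp.com/?e=jane.doe@example.com 200
2021-02-18T14:02:11Z 10.20.30.41 POST https://api.telegram.org/bot1234567890:AAEconstructedExampleTokenNotReal0123/sendMessage 200
2021-02-18T14:02:12Z 10.20.30.41 GET https://example.com/ 200
2021-02-18T14:05:00Z 10.20.30.99 GET https://api.telegram.org/bot1234567890:AAEconstructedExampleTokenNotReal0123/sendMessage?chat_id=42&text=user%3Dbob%40example.com%20pass%3Dhunter2 200
2021-02-18T14:06:30Z 10.20.30.7 POST https://api.telegram.org/bot99887766:AAFintegrationConstructedToken000001/sendMessage 200
2021-02-18T14:07:00Z 10.20.30.41 GET https://web.telegram.org/ 200
"""


def parse_line(line: str) -> dict | None:
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, method, url, status = fields
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "url": url, "status": int(status)}


def mask_token(bot_id: str, secret: str) -> str:
    """Keep enough of the token to pivot on it in other logs without copying the secret into a ticket."""
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"


def find_bot_api_calls(log_text: str, allowed_clients: set[str] | frozenset[str] = frozenset()) -> list[dict]:
    """Every request to api.telegram.org/bot<token>/... from a client not on the allow list."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["src"] in allowed_clients:
            continue
        parts = urlsplit(rec["url"])
        if (parts.hostname or "").lower() != "api.telegram.org":
            continue
        m = BOT_CALL.match(parts.path)
        if not m:
            continue
        query = parse_qs(parts.query)
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "http_method": rec["method"],
            "bot_id": m["bot_id"], "token": mask_token(m["bot_id"], m["secret"]),
            "api_method": m["api_method"],
            "chat_id": query.get("chat_id", [None])[0],
            # Kits that call sendMessage with GET put the stolen credentials straight into the URL.
            "payload_in_url": "text" in query,
        })
    return findings


def correlate_with_phish_visit(log_text: str, findings: list[dict],
                               window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Raise confidence when the same client hit a known phishing host shortly before the bot call."""
    visits = [r for r in map(parse_line, log_text.splitlines())
              if r and (urlsplit(r["url"]).hostname or "").lower() in PHISH_HOSTS]
    out = []
    for f in findings:
        match = next((v for v in visits
                      if v["src"] == f["src"] and timedelta(0) <= f["ts"] - v["ts"] <= window), None)
        out.append({**f, "phish_url": match["url"] if match else None,
                    "confidence": "high" if match else "medium"})
    return out


def sources_needing_reset(correlated: list[dict]) -> set[str]:
    """Blocking the domain later does not recall what was already sent; reset these users' credentials."""
    return {f["src"] for f in correlated}


if __name__ == "__main__":
    hits = correlate_with_phish_visit(SAMPLE_LOG, find_bot_api_calls(SAMPLE_LOG, ALLOWED_BOT_CLIENTS))
    for h in hits:
        print(h["ts"], h["src"], h["http_method"], h["api_method"], h["token"], h["confidence"],
              "credentials in URL" if h["payload_in_url"] else "")
    print("reset:", sorted(sources_needing_reset(hits)))
```

Two details are worth noting. The same bot token showing up from different workstations (as in the constructed log) is a strong pivot: it is the attacker’s identity, not the victim’s, so it can be searched for across the whole estate. And a GET-style `sendMessage` carries the credentials in the URL itself, which means proxy logs that retain full URLs already hold a copy of the stolen password and must be handled accordingly.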

 

 

Network IOC   IP 
hXXps://www[.]epanorama[.]net/counter[.]php?url=hxxps://account-weboffice365config[.]firebaseapp[.]com/   104[.]27[.]147[.]211, 172[.]67[.]153[.]86, 104[.]27[.]146[.]211 
hXXps://account-weboffice365config[.]firebaseapp[.]com/   151[.]101[.]65[.]195 


Cofense Granted FedRAMP Moderate Authorization

Leesburg, Va. – February 18, 2021 – Cofense®, the leading provider of phishing detection and response (PDR) solutions, today announced that Cofense PhishMe® has achieved a Federal Risk and Authorization Management Program (FedRAMP) Moderate Authorization to Operate (ATO). Cofense’s FedRAMP authorization was sponsored by the U.S. Department of Health and Human Services (HHS) and was also reviewed by the FedRAMP Program Management Office (PMO). The Cofense PhishMe FedRAMP environment is architected on Amazon Web Services (AWS) GovCloud, and is the first FedRAMP Moderate authorized phishing simulation solution.

FedRAMP was created to assess the security of Cloud Service Providers (CSPs), saving time and money for U.S. government agencies that would otherwise conduct their own assessments. A Moderate-Impact Authorization requires significantly stricter security controls compared to Low-Impact Authorization, including stringent operational requirements to protect personally identifiable information, and the safeguarding of information related to phishing simulations and suspicious messages reported by employees. Cofense’s Moderate-Impact Authorization required an independent evaluation of the following:

  • Cofense’s implementation of the 325 FedRAMP Moderate NIST SP 800-53 Controls to protect the confidentiality, integrity and availability of customer data
  • Cofense’s vulnerability management practices by conducting independent vulnerability scans
  • Cofense’s web application security practices by performing independent penetration testing

“Spear phishing continues to be one of the most significant concerns among federal agencies, which are challenged today by the need to protect mission critical information while supporting a growing remote workforce,” said Sylvain Lacroix, Cofense Director, Federal & Defense Contractors Sales. “Cofense PhishMe allows federal agencies to securely and proactively defend against cybersecurity threats spread via email, which is the leading cause of data breaches. Cofense is excited to continue serving the needs of highly regulated industries such as the U.S. Federal Government with our Cofense FedRAMP Moderate offering.”

Cofense solutions deliver protection from malware threats, ransomware campaigns and scams that evade Secure Email Gateways (SEGs) every day and provide federal teams the visibility and tools to stop phishing threats in minutes, not hours. With Cofense PhishMe, federal agencies can transform employees into the last line of active defense through education, ongoing simulations and an easy to use reporting tool so organizations can swiftly detect, respond to and stop phishing attacks in their tracks.

Andrew Ledford, FedRAMP Program Manager, added, “Cofense prioritizes providing the highest level of protection to our customers, which is why we made the commitment to pursue a FedRAMP moderate impact level authorization – anything lower was just not sufficient to meet the needs of our customers. Our network of 25 million users combined with advanced automation is what makes Cofense the strongest phishing detection and response solution on the market today, and we are extremely proud of this milestone. We look forward to maintaining our status as a trusted provider of phishing defense for U.S. government agencies.”

View the authorized Cofense PhishMe listing on the FedRAMP Marketplace. To learn more about how Cofense and its phishing defense solutions, including Cofense PhishMe, can help secure federal networks, please visit https://cofense.com/federal-government.  

About Cofense
Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 25 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact

press@cofense.com

Cofense PhishMe: Our FedRAMP Journey

By Andrew Ledford

What is FedRAMP 

FedRAMP is the Federal Risk and Authorization Management Program. It was developed following President Barack Obama’s International Strategy for Cyberspace and Cloud First policy, which encourage federal adoption and use of information systems operated by cloud service providers. FedRAMP was developed collaboratively with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), the Department of Homeland Security (DHS), state and local governments, and others.  

Consistent with the Cloud First policy, federal agencies were encouraged to utilize cloud-based information systems operated by cloud service providers. NIST, which maintains the NIST SP 800 series of computer security publications, publishes NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This is the control catalog used for federal information systems and organizations, and the FedRAMP baselines are drawn from it. 

The key goals of FedRAMP are to accelerate the government’s adoption of secure cloud solutions and to reuse assessments and authorizations across agencies. These are accomplished by having each cloud service provider produce a single Authority to Operate (ATO) package, a single security assessment by an independent third-party assessment organization (3PAO), and a single set of Plans of Action and Milestones (POA&Ms), which each agency can then access and review on OMB MAX before issuing its own ATO. U.S. government agencies can request access to the Cofense FedRAMP ATO package using this form (Package ID #FR2013059515). 

For additional information on FedRAMP, refer to https://fedramp.gov/about 

FedRAMP vs. FISMA 

Both FedRAMP and FISMA are based on the NIST SP 800-53 control catalog. This catalog includes hundreds of controls and control enhancements. The applicability of these controls is determined by the types of data the system stores and processes, as well as the criticality of that information system to the organization’s mission. FISMA applies to agency-managed systems, including on-premises systems, whereas FedRAMP applies to cloud systems managed by external cloud providers. The main differences between FedRAMP and FISMA requirements are detailed in the table below.  

Baseline | NIST SP 800-53 Controls¹ | Other Requirements 
FISMA Low | 124 | N/A 
FISMA Moderate | 261 | N/A 
FISMA High | 343 | N/A 
FedRAMP Low Impact SaaS (Li-SaaS) | 36² | Independent Assessor³ required to perform control assessment 
FedRAMP Low | 125 | Independent Assessor³ required to perform control assessment, and infrastructure, database, and web application vulnerability scans 
FedRAMP Moderate | 325 | Independent Assessor³ required to perform control assessment; infrastructure, database, and web application vulnerability scans; and penetration testing 
FedRAMP High | 421 | Independent Assessor³ required to perform control assessment; infrastructure, database, and web application vulnerability scans; and penetration testing 

FedRAMP requires independent assessments to ensure the integrity and consistency of the security assessments.  

Why did Cofense decide to pursue FedRAMP 

The federal government is experiencing an increase in phishing attacks, exacerbated by COVID-19 and teleworking. Agencies are looking for intelligent ways to defend against these attacks. In September 2020, NIST announced the development of the Phish Scale to “help organizations better train their employees to avoid a particularly dangerous form of cyberattack known as phishing.” Cofense provides phishing defense solutions created to address that particular threat. 

Cofense’s government agency customers using PhishMe were performing their own security assessments and issuing their own ATOs. These assessments, and the sometimes thousands of pages of ATO documentation required by each agency, increased the time and complexity of adopting Cofense PhishMe, and in the meantime agencies were left without a key phishing defense capability. Our customers sought a way to implement our phishing defense solution quickly and securely. 

Based on our customers’ use cases for the Cofense PhishMe product, we determined that our system would be handling personally identifiable information (PII) and would serve as an essential protection for agencies. As a result, Cofense PhishMe was categorized as a FedRAMP Moderate system based on Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and the accompanying NIST SP 800-60 Volume II, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. See Cofense’s blog on Why ‘Moderate’ Matters for details. 

How did Cofense approach FedRAMP 

Cofense evaluated our customers’ needs and the FedRAMP requirements, and determined that building out a dedicated FedRAMP environment for federal agencies would best meet them. The Cofense PhishMe FedRAMP environment is deployed on AWS GovCloud and operated by U.S. citizens on U.S. soil.  

Cofense’s FedRAMP environment is a government-community cloud with appropriate logical separations, authentication mechanisms meeting the NIST SP 800-63-3 Digital Identity Guidelines for FedRAMP Moderate systems, vulnerability management, continuous monitoring and more. 

When asked how Cofense went about the FedRAMP journey, Keith Ibarguan, Cofense Chief Product Officer, said, “On the surface, it might seem that you just take your code, run it through the gauntlet and, voila, out the other side, you have an ATO. That’s definitely not the case. We worked really hard to put the software in a position where we can manage and maintain the code in the most efficient manner. We refactored everything. We uplifted the software libraries and approaches to even deploying the code end to end, across the board.”

Cofense engaged the leading FedRAMP 3PAO to conduct the assessment of Cofense PhishMe, which included an independent evaluation of the following: 

  • Cofense’s implementation of the 325 FedRAMP Moderate NIST SP 800-53 Controls 
  • Cofense’s vulnerability management practices by conducting independent vulnerability scans 
  • Cofense’s web application security practices by performing independent penetration testing 

Conclusion 

Cofense PhishMe is now FedRAMP Moderate Authorized. We’re excited to offer our managed PhishMe FedRAMP product to support federal defense against phishing attacks. Agencies can request access to the Cofense FedRAMP ATO package using this form (Package ID #FR2013059515) or contact Cofense directly. 

_____________________________________________________

¹ 36 testable controls; the other controls are required to be attested to. 

² JAB P-ATOs require that a 3PAO be used. Agencies are encouraged to use a Third-Party Assessment Organization (3PAO). 

³ A 3PAO acts as the Independent Assessor that performs the CSP’s assessment.

https://www.fedscoop.com/teleworking-zero-trust-in-dod-phishing-attacks-increase/ 
https://us-cert.cisa.gov/ncas/alerts/aa20-099a 
https://www.pcmag.com/news/phishing-attacks-increase-350-percent-amid-covid-19-quarantine 

Phish Found in SEG-Protected Environments Week ending February 19, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.  

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.   

Are phishing emails evading your Proofpoint or other secure email gateways? The following are examples of phishing emails recently seen by the PDC in environments protected by SEGs. 

TYPE: Dridex 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and O365-ATP deliver a password-protected, macro-laden Office spreadsheet via an embedded link. The Office macro downloads Dridex. 

TYPE: Credential Phish 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and O365-ATP deliver a credential phishing page embedded in an attached HTML file. 

TYPE: TrickBot 

DESCRIPTION: Finance-themed emails found in environments protected by Trend Micro and O365-ATP deliver TrickBot via macro-laden Office spreadsheets. TrickBot then downloads and runs a reconnaissance tool. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week. 

 Recommendations  

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways. 

Interested in seeing more? Search our Real Phishing Threats Database. 


Phish Found in SEG-Protected Environments Week ending February 12, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.  

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.  

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint. 

TYPE: Remcos RAT 

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Microsoft Defender for Office 365 deliver an attached malware downloader that downloads Amadey and runs Remcos RAT. 

 

TYPE: BazarBackdoor 

DESCRIPTION: Invoice-themed emails found in environments protected by Proofpoint, Microsoft Defender for Office 365 and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers. Once an order number is entered, the site redirects to a payload URL that downloads a macro-laden Office document. The macro downloads and runs BazarBackdoor. 

TYPE: Ave_Maria Stealer 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver the Ave_Maria stealer via embedded links. The embedded links download a macro-laden Office document, and the macro downloads an Ave_Maria executable. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week. 

Recommendations 

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways. 

Interested in seeing more? Search our Real Phishing Threats Database. 


Phish Found in Proofpoint-Protected Environments Week ending February 5, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.  

Are phishing emails evading your Proofpoint and other secure email gateways? The following are examples of phishing emails recently seen by the PDC in environments protected by SEGs. 

TYPE: Trojan 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver Quasar RAT via Microsoft Office macros downloaded from embedded URLs. 

TYPE: Keylogger 

DESCRIPTION: DHL-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver the Agent Tesla keylogger via embedded links. The embedded links download a 7z archive that contains an Agent Tesla executable. 

TYPE: Trojan  

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver the NanoCore RAT via embedded URLs. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach and ransomware attack. The same patterns and techniques are used week after week.  

Recommendations 

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade secure email gateways.  

Interested in seeing more? Search our Real Phishing Threats Database. 


Cofense WINS Silver 2021 STEVIE® AWARD for Customer Service Department of the Year

LEESBURG, VIRGINIA – February 4, 2021 – Cofense, the leading provider of phishing detection and response (PDR) solutions was presented with a Silver Stevie® Award in the Customer Service Department of the Year (Computer Software) category in the 15th annual Stevie Awards for Sales & Customer Service.

The Stevie Awards for Sales & Customer Service are the world’s top honors for customer service, contact center, business development and sales professionals. The Stevie Awards organizes eight of the world’s leading business awards programs, also including the prestigious American Business Awards® and International Business Awards®. Winners will be recognized during a virtual awards ceremony on April 14.

More than 2,300 nominations from organizations of all sizes and in virtually every industry, in 51 nations, were considered in this year’s competition. Winners were determined by the average scores of more than 160 professionals worldwide on nine specialized judging committees.

“We are honored to receive this Stevie award,” Cofense COO Brandi Moore said. “In 2020 our support team continued to deliver a world class customer experience despite the obstacles of the pandemic. Cofense is excited to have Carolyn Merritt VP, Customer Experience, as the leader of our support team who over the course of 12 months has launched our new online Resource Center, expanded the technical support team to provide coverage for all global time zones, and delivered a customer satisfaction score of 95% in 2020. I am very proud of everyone in the Global Technical Operations Center!”

“In the toughest working environment in memory for most organizations, 2021 Stevie Award winners still found ways to innovate, grow sales, please their customers, and secure new business,” said Stevie Awards president Maggie Gallagher. “The judges have recognized and rewarded this, and we join them in applauding this year’s winners for their continued success. We look forward to recognizing them on April 14.”

Details about the Stevie Awards for Sales & Customer Service and the list of Stevie winners in all categories are available at www.StevieAwards.com/Sales.

About Cofense

Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 25 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

About The Stevie Awards

Stevie Awards are conferred in eight programs: the Asia-Pacific Stevie Awards, the German Stevie Awards, the Middle East & North Africa Stevie Awards, The American Business Awards®, The International Business Awards®, the Stevie Awards for Great Employers, the Stevie Awards for Women in Business, and the Stevie Awards for Sales & Customer Service. Stevie Awards competitions receive more than 12,000 entries each year from organizations in more than 70 nations. Honoring organizations of all types and sizes and the people behind them, the Stevies recognize outstanding performances in the workplace worldwide. Learn more about the Stevie Awards at http://www.StevieAwards.com.

BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs

By Zachary Bailey, Cofense Phishing Defense Center

The Cofense PDC has been tracking a stealthy malware campaign that has recently become more active in compromising enterprise endpoints. The campaign, first observed in mid-December, carries pharmaceutical-themed invoices that contain references to a series of websites hosted on the “.shop” domain, which were down at the time of initial analysis. The PDC classified them as malicious because of the phone numbers used on the invoices: these numbers were identical across invoices sent from different brands and senders, which indicated the emails were likely coordinated. The main lure of the emails also revolved around contacting the phone number rather than visiting the site.

Figure 1: Email Body 

New waves of the phishing emails are now being sent overnight with new brands ranging from office supplies, rose delivery and lingerie. After monitoring certain internet sources, PDC analysts were able to pull up the referenced sites while they were still live. Following an involved process of interacting with the site to request a cancellation form, a malicious Excel document was finally retrieved. This infection was the first stage of the BazarBackdoor malware. 

The invoice ruse bypassed various customer SEGs because the email had no malicious payload and could be seen as a simple phishing scam. Only a handful of recipients would think to browse to the invoice site and search for a way to cancel their order without calling the number provided.
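The pivot the PDC describes above (the same phone number appearing on invoices from unrelated brands and senders, each carrying no payload) can be turned into a triage check. The following is an added example, not Cofense's code; the invoice records, brand names, sender domains and phone numbers are constructed placeholders, and the "invoice_*.pdf" naming rule comes from the article.

```python
import re
from collections import defaultdict

# Constructed sample invoice records (not from the article): one per email, as a
# mailbox-triage pipeline might extract them. Brands, senders and phone
# numbers are placeholders.
SAMPLE_INVOICES = [
    {"sender": "billing@office-brand.example", "brand": "Office Brand",
     "attachment": "invoice_48213.pdf", "phone": "(855) 555-0101"},
    {"sender": "orders@rose-brand.example", "brand": "Rose Brand",
     "attachment": "invoice_77120.pdf", "phone": "855-555-0101"},
    {"sender": "support@lingerie-brand.example", "brand": "Lingerie Brand",
     "attachment": "invoice_10007.pdf", "phone": "+1 855 555 0101"},
    {"sender": "ar@real-vendor.example", "brand": "Real Vendor",
     "attachment": "INV-2291.pdf", "phone": "(212) 555-0199"},
]

# The article notes recent lures use an "invoice_<order number>.pdf" name.
INVOICE_NAME = re.compile(r"^invoice_\d+\.pdf$", re.IGNORECASE)


def normalize_phone(raw):
    """Reduce a phone string to digits so formatting differences do not hide reuse."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):  # drop the US country code
        digits = digits[1:]
    return digits


def shared_phone_clusters(invoices, min_brands=2):
    """Group invoices by normalized phone number and return the numbers reused
    across at least `min_brands` distinct brands and sender domains."""
    by_phone = defaultdict(list)
    for inv in invoices:
        by_phone[normalize_phone(inv["phone"])].append(inv)
    clusters = {}
    for phone, group in by_phone.items():
        brands = {g["brand"] for g in group}
        senders = {g["sender"].split("@")[-1].lower() for g in group}
        if len(brands) >= min_brands and len(senders) >= min_brands:
            clusters[phone] = {
                "brands": sorted(brands),
                "sender_domains": sorted(senders),
                "invoice_named": all(INVOICE_NAME.match(g["attachment"]) for g in group),
            }
    return clusters


if __name__ == "__main__":
    for phone, info in shared_phone_clusters(SAMPLE_INVOICES).items():
        print(phone, info)
```

A cluster whose invoices also match the "invoice_*.pdf" pattern is a strong candidate for quarantine even though the messages carry no attachment a SEG would flag.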

Figure 2: Invoice Attachment

While the invoices use a basic template, they look just professional enough that an inquisitive recipient might check the site to see if it's legitimate. Invoices for the older campaigns were named after the order number, but recent campaigns use an “invoice_*.pdf” format, where the star (*) wildcard is the order number.

It has been observed that the next stage in this social engineering attack alternates between being located on the contact, FAQ and refund pages of the website. 

Figure 3: Contact Form

If the order number is entered, the recipient is transferred to a new website with a “.us” domain version of the prior website. There are several variations of the site, for instance using hyphens to break up the words or using only the first and third words of the fictitious brand. Examples of this would be compact-ssd[.]us and compactstorage[.]us.

Figure 4: Download Page 

Once the site is loaded, a series of images walks the user through downloading a form to cancel their order. There is a link to the request form, and a link to an email where the form is to be sent. This furthers the ruse’s legitimacy. The downloaded form is an Excel document that appears to be encrypted by DocuSign.  

Figure 5: Excel Template 

This Excel template is themed similarly to a Trickbot template reported on Twitter by @ffforward, who has been tracking the campaign closely. This connection makes sense considering the agreement in many quarters that there is a connection between Trickbot operators and the group behind BazarBackdoor.

When the form is activated, an .EXE payload is immediately launched. This executable is a new variant of BazarBackdoor. It reloads itself into memory several times before the command-and-control servers (C2s) can finally be extracted. Next, the executable queries the geographical location and IP address of the infected machine. This is a common tactic that usually ensures the threat actor does not infect machines in their own country of operation.

Figure 6: Bazar in Memory Strings 

After the .EXE finishes loading, we see BazarBackdoor domains in the memory strings. 

Figure 7: C2s for Bazarbackdoor 

We can also find this campaign’s C2 for dropping the next stage by searching for IP addresses in the strings. There is often a common word in the C2 paths, such as “cleaner”, “book” or “snow”, that differentiates between campaigns. In the campaign observed for this article, that word is “round_table”.

Figure 8: DNS traffic 

An analysis of the machine’s network traffic reveals that DNS requests are being sent by BazarBackdoor. This is a common technique the malware employs to mask the servers behind the “bazar” domains. The TCP connections to the three “round_table” servers will drop a data file that is likely part of the next stage. 
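The DNS behaviour described above gives defenders two network-side signals: queries for names under the non-standard “bazar” domain, and DNS traffic sent to resolvers the organisation does not operate. The following is an added example (not Cofense's code or tooling) that runs both checks over constructed log lines; it assumes the "bazar" domains are names under a non-ICANN .bazar top-level domain, a space-separated log format, and a hypothetical approved resolver 10.0.0.53.

```python
# Constructed DNS log lines (not from the article): "timestamp src dst dport proto qname".
# 10.0.0.53 stands in for the organisation's approved internal resolver.
SAMPLE_DNS_LOG = """\
2021-02-02T10:01:05Z 10.0.4.21 10.0.0.53 53 udp intranet.corp.example
2021-02-02T10:01:07Z 10.0.4.21 203.0.113.7 53 udp placeholder-c2.bazar
2021-02-02T10:01:08Z 10.0.4.21 10.0.0.53 53 udp updates.vendor.example
2021-02-02T10:01:09Z 10.0.4.21 198.51.100.9 53 udp www.example.org
"""

APPROVED_RESOLVERS = {"10.0.0.53"}

# Assumption: the "bazar" domains the article refers to are names under the
# non-ICANN .bazar top-level domain, which only alternative resolvers answer.
SUSPECT_TLDS = (".bazar",)


def parse_dns_line(line):
    """Split one constructed log line into a record; qname is normalised."""
    ts, src, dst, dport, proto, qname = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "qname": qname.rstrip(".").lower()}


def detect_bazar_dns(log_text, approved_resolvers=APPROVED_RESOLVERS):
    """Return (src, dst, qname, reasons) for each record that either asks for a
    name under a suspect TLD or sends DNS to a resolver outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_dns_line(line)
        reasons = []
        if rec["qname"].endswith(SUSPECT_TLDS):
            reasons.append("query for non-ICANN TLD")
        if rec["dport"] == 53 and rec["dst"] not in approved_resolvers:
            reasons.append("DNS sent to unapproved resolver")
        if reasons:
            findings.append((rec["src"], rec["dst"], rec["qname"], reasons))
    return findings


if __name__ == "__main__":
    for src, dst, qname, reasons in detect_bazar_dns(SAMPLE_DNS_LOG):
        print(f"{src} -> {dst} {qname}: {', '.join(reasons)}")
```

Blocking outbound port 53 to anything but the approved resolvers removes the second signal entirely, and the first then shows up as failed resolutions at the internal resolver.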

Recent invoice templates have shifted from using the “.shop” domain to “.net” domains. This campaign was also referred to as “BazarCall” by @ffforward. It is widely believed that this campaign, like prior BazarBackdoor campaigns, will distribute Ryuk ransomware across the network. An analysis by The DFIR Report found Cobalt Strike beacons in their environment, and PowerShell scripts that are seen in conjunction with Ryuk. However, no Ryuk was deployed during the analysis.

The Cofense PDC is still looking into the connection between Kontakt Kegtap and the Bazarloader/Bazarbackdoor campaigns being delivered from Google Docs and GetResponse.

Indicators of Compromise 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. 
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.