Threat Actor Attempt At Auditing: New Business Email Compromise Tactic

By Noah Mizell and Ashley Tran, Cofense Phishing Defense Center

The tactics used for conversations in business email compromise (BEC) can vary, with topics that often appear specific to a fellow coworker or to collaboration on a private task for the CEO or another high-ranking executive. The members of the Cofense PDC are all too familiar with, for example, the line, “I want to surprise the staff with gifts.” However, threat actors have caught on to the fact that their tactics are not so secret anymore and are well documented. With this newfound awareness comes the need to evolve methods. As noted in previous Cofense blogs, this can involve soliciting end users for sensitive revenue and customs details or, in the case shown in Figure 1, posing as an audit for open invoices between two companies.

Figure 1: Email Body 

In Figure 1, it can be noted that an email has been forwarded by an external user who had suspicions regarding the email seen under “Begin forwarded message.” The initial email is a request detailing the need to update the impersonated company’s “account record” for the forwarding user’s company, and asks for details on “any unpaid payments or an invoice due till date.” Following this request is the forged – yet convincing – email signature for that impersonated company’s chief financial officer, complete with logo.

Because this email was forwarded, the sender details can be seen in the body of the email. The threat actor has spoofed the sender email to appear as though it really did originate from the impersonated company: [email protected][REDACTEDCOMPANY].com. However, the actual email behind this attack is in the reply-to section of this email: [email protected]
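One way to surface the header tell described above (a spoofed From paired with an attacker-controlled Reply-To) is to compare the two domains programmatically. The following Python is an added example for this post, not Cofense's code or tooling; the two sample messages and every domain in them are constructed placeholders.

```python
"""Reply-To mismatch check for the BEC pattern described above.

Added example, not Cofense's code: flags a message whose Reply-To address
sits on a different domain than the visible From address, the tell that
gives this audit-themed BEC away once the sender details are examined.
The two sample messages and every domain in them are constructed.
"""
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(raw_message: str) -> dict:
    """Compare the From and Reply-To domains of an RFC 5322 message.

    'suspicious' is True when a Reply-To header is present and its domain
    differs from the From domain; replies would then leave the
    impersonated company entirely.
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "suspicious": bool(reply_domain) and reply_domain != from_domain,
    }


# Constructed sample: the From is spoofed to look like the impersonated
# company's CFO while replies are steered to a free-mail account.
SAMPLE_BEC = """\
From: "Jane Roe" <cfo@impersonated-company.example>
Reply-To: cfo.impersonated@freemail.example
To: accounts.payable@target-company.example
Subject: Account record update - open invoices
Date: Thu, 21 Jan 2021 09:12:44 -0500

Kindly share any unpaid payments or an invoice due till date.
"""

# Constructed legitimate message: no Reply-To, so nothing to compare.
SAMPLE_OK = """\
From: "Jane Roe" <cfo@impersonated-company.example>
To: accounts.payable@target-company.example
Subject: Q4 statement

Statement attached.
"""

if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("ok", SAMPLE_OK)):
        print(label, reply_to_mismatch(raw))
```

A mismatch alone is not proof of fraud (mailing lists and ticketing systems set Reply-To legitimately), so the check works best as a triage signal on finance-themed mail from external senders.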

The goal of this scam is simple – to obtain the invoice information and utilize it in a follow-up attack. This attack would reference the specific confidential information that was attained to get payment in the name of the impersonated company. Although the subject and wording of this BEC is different from the typical gift card request, or favor for the CEO, the impact most likely to result remains the same: financial crime.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.  

Phish Found in Proofpoint-Protected Environments Week ending January 22, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Trojan 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links.

TYPE: Keylogger 

DESCRIPTION: Order-themed emails found in environments protected by Proofpoint and O365-ATP deliver TrickBot via macro-laden Microsoft Office spreadsheets downloaded from embedded URLs. 

TYPE: Trojan  

DESCRIPTION: Impots-spoofing emails found in environments protected by Proofpoint deliver the Client Maximus banking Trojan via an advanced INF installer downloaded from an embedded URL. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade secure email gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Zoom Phish Sent Via Constant Contact Mailer

By Ashley Atkins, Cofense Phishing Defense Center

Since the start of the pandemic, cloud-based video conferencing has been heavily utilized. Whether for work purposes or for simply keeping in touch with family and friends, access to such a tool is vital. With the increased use of video conferencing, threat actors are taking advantage and abusing well-known video conferencing brands.   

The Cofense Phishing Defense Center (PDC) investigated an email impersonating Zoom. The email claimed that a Zoom server upgrade had been performed and that the recipient would be unable to invite or join calls unless they verified their account. Upon analysis, the PDC quickly identified the email as a credential phish. Within the email headers, the From field typically shows a display name and email address such as John Doe <[email protected]>. However, instead of the display name showing a name, it showed “Zoom – [email protected](.)us”, making it appear as though the email was from Zoom.

Figure 1: Email Body 

While Cofense has written about Zoom in prior blog posts, it is important to note that this particular email was sent through Constant Contact, a service used to send email for marketing campaigns. As noted on the Constant Contact website, the company provides a unique campaign ID in the Message-ID field, allowing it to identify the sender. The headers shown in Figure 2 confirm that Constant Contact was used in this phishing attack. The attacker may have believed that Constant Contact emails would be better able to bypass various SEGs, a maneuver that seems to have paid off given the substantial number of SEG environments in which this phish was found.

Figure 2: Headers  

Figure 3: Malicious URL 

In Figure 3, the email shows the sender’s name to be “Zoom – no [email protected].us.” However, the actual compromised sender account can be seen beside it. This suggests that the threat actor may have compromised a user of Constant Contact, and has utilized that account to send out the attacks.
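The display-name trick described above (a brand address written into the display name while the real sending address belongs to a compromised mailer account) can be caught by parsing the From header and comparing the two domains. The following Python is an added example for this post, not Cofense's code; the sample headers and every domain in them are constructed placeholders.

```python
"""Display-name impersonation check for the pattern described above.

Added example, not Cofense's code: looks for a From header whose display
name carries an email address on one domain while the real sending address
is on another, as with the "Zoom - <address>" display name over a
compromised mailer account described in the post. Sample headers and all
domains in them are constructed placeholders.
"""
import re
from email.utils import parseaddr

# Anything shaped like user@host.tld inside free text.
_ADDR_IN_TEXT = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")


def display_name_spoof(from_header: str) -> dict:
    """Return the domain shown in the display name, the real sender domain
    and a 'suspicious' flag set when both are present and differ."""
    display_name, real_addr = parseaddr(from_header)
    real_domain = real_addr.rpartition("@")[2].lower()
    m = _ADDR_IN_TEXT.search(display_name)
    shown_domain = m.group(1).lower() if m else ""
    return {
        "display_name": display_name,
        "real_domain": real_domain,
        "shown_domain": shown_domain,
        "suspicious": bool(shown_domain) and shown_domain != real_domain,
    }


# Constructed: brand address in the display name, mailer customer as real sender.
SAMPLE_SPOOFED = '"Zoom - noreply@zoom.example" <owner@mailer-customer.example>'
# Constructed: ordinary display name, nothing to compare.
SAMPLE_LEGIT = '"Alice Example" <alice@corp.example>'

if __name__ == "__main__":
    for header in (SAMPLE_SPOOFED, SAMPLE_LEGIT):
        print(display_name_spoof(header))
```

Because mail clients render the display name far more prominently than the address, this check is worth running at the gateway, where both parts of the header are still visible.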

Hovering over the “Activate Now” button reveals Constant Contact’s tracking URL (r20[.]rs6[.]net), as shown in Figure 3. When clicked, the recipient is directed to “sankamilan[.]com” and then redirected to a fake Microsoft login page at “fueamgm[.]com[.]br,” as shown in Figure 4. Once credentials have been entered, the recipient is redirected again to a Microsoft inbox. 

Figure 4-5: Phishing Page 

As we can see, two different brands were used in this phishing campaign, which could result in attackers harvesting multiple sets of credentials.  

Indicators of Compromise 

Link  IP 
hXXp://r20[.]rs6[.]net/tn.jsp?f=001SZ-07esJCtmzsTnl-2ahmSsp3CpswNGStwYWGtC_zI013A-LeFdz-SawGYz8wUt1zjLruZbLT67G_tPvkDNXRwcoznHPJSK7RS79ZwHLoicSBO6M6Tr-sPHkQ365MAq327s4IDhxhcGO2259_pUcjNZeRvwUri8p&c=3H_CP9T_hN834FXay-T3bJQcfuvdg7UAdRmIAMdqKRos8XzZ8B  213[.]190[.]6[.]27 
hXXps://sankamilan[.]com//httpd/  208[.]75[.]122[.]11 
hXXps://fueamgm[.]com[.]br/httd/  162[.]144[.]238[.]226 
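The indicator tables in this post and the others on this page use the usual defanged notation (hXXp, [.]) so that they cannot be clicked by accident. Before such a list can be loaded into a blocklist or a SIEM watchlist it has to be refanged and split into URLs, hosts and IPs. The following Python is an added example, not Cofense's code; the indicator rows in it are constructed placeholders in the same two-column layout as the post's tables.

```python
"""Refang defanged IoCs into machine-readable form.

Added example, not Cofense's code: turns the 'hXXp://' and '[.]' notation
used in the post's IoC tables back into real URLs and IPs so they can be
loaded into a blocklist or SIEM watchlist, and extracts the hostname for
each URL. The indicator strings below are constructed placeholders.
"""
import ipaddress
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^hxxps?://", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the common defanging conventions: hXXp(s), [.], (.), [:]."""
    s = indicator.strip()
    s = _SCHEME.sub(lambda m: m.group(0).lower().replace("xx", "tt"), s)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(indicator: str) -> dict:
    """Refang one indicator and label it as 'ip', 'url' or 'domain'."""
    value = refang(indicator)
    try:
        ipaddress.ip_address(value)
        return {"type": "ip", "value": value, "host": value}
    except ValueError:
        pass
    if "://" in value:
        host = urlsplit(value).hostname or ""
        return {"type": "url", "value": value, "host": host}
    return {"type": "domain", "value": value, "host": value}


def parse_ioc_table(text: str) -> list:
    """Parse 'Link  IP' style rows: whitespace-separated indicators per line.

    Returns one list of classified indicators per non-header row.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("link"):
            continue
        rows.append([classify(token) for token in line.split()])
    return rows


def blocklist_hosts(text: str) -> list:
    """Unique hostnames and IPs from a table, ready for a watchlist."""
    seen = []
    for row in parse_ioc_table(text):
        for ioc in row:
            if ioc["host"] and ioc["host"] not in seen:
                seen.append(ioc["host"])
    return seen


# Constructed sample in the same layout as the post's IoC tables.
SAMPLE_TABLE = """\
Link  IP
hXXps://tracking-redirector[.]example/tn.jsp?f=abc  198[.]51[.]100[.]7
hXXps://first-hop[.]example//httpd/  203[.]0[.]113[.]9
"""

if __name__ == "__main__":
    for row in parse_ioc_table(SAMPLE_TABLE):
        print(row)
    print(blocklist_hosts(SAMPLE_TABLE))
```

Keeping the refanging step separate from classification means the same parser handles the single-column tables later on this page, where only a URL and an IP appear per row.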

Coronavirus Screening and Testing Phishing Emails, and a Sense of Urgency Among Employees

By Ala Dabat, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has seen a continuous campaign by malicious actors exploiting the COVID-19 pandemic, using cleverly crafted phishing email campaigns to harvest sensitive user data and spread malicious payloads across industry sectors.  

One such example seems to exploit the sense of urgency felt among employees for tests to screen for the COVID-19 virus. Recipients’ vulnerability is leveraged in attacks such as the one in Figure 1: what appears to be a Google Form issued to employees by the targeted company or companies. 

Figure 1 

The aesthetics of this particular campaign are solid and simple enough to reach users in environments protected by secure email gateways (SEGs). 

The email appears to be from the target company, and its legitimacy is reinforced by references to guidelines and protocols issued by the “United States Department of Health.” Employees are advised that these protocols will facilitate the screening process, a clever way to persuade recipients to hand over credentials and other sensitive information (Figure 2). 

Figure 2 

In the above example, targeted users are redirected to a Google Docs landing page hosting the malicious website. A legitimate Google-registered URL can often convince even security-conscious users to hand over their information. 

Figure 3 

Figure 3 shows that the threat actor is blending common screening questions with the request for sensitive credentials, possibly to divert recipients from the threat. 

Figure 4 

Once the form has been completed, recipients are told to provide a digital signature to wrap up the fraudulent screening application and submit the data to a command-and-control server that stores the harvested information. 

Figure 5 

Indicators of Compromise 

Link  IP 
hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSdoUChSaN51UxKlyDMXUCOg6v5dMrqrcbDjFhX9LEFQ0zKWDQ/viewform?vc=0&c=0&w=1&flr=0&usp=mail_form_link  172[.]217[.]9[.]206 

 


Secure Mailer Phish: A New Method of Swiping Users’ Credentials?

By Zachary Bailey, Cofense Phishing Defense Center

The rise in phishing attacks and the increased delivery of sensitive information over email have fueled the demand for “secure mailers.” These services encrypt and store an organization’s emails, only unlocking them once the designated recipient signs in. This takes pressure off the organization’s secure email gateways (SEGs) when it comes to checking emails for sensitive or personally identifiable information (PII). However, secure mailers can be spoofed and their credentials harvested, creating a new threat vector for sensitive emails. 

Zix is a common secure mailer observed by the Cofense PDC. One threat actor mimicked Zix branding to create a lookalike phishing page on a custom domain that bypassed SEG protection. The attack relies on the target’s familiarity with Zix as they click through the encryption message and land on a Microsoft phishing page. After submitting their credentials, the victim is redirected to a legitimate OneDrive error page.  

Figure 1: Email Body 

The email in Figure 1 looks typical of a secure mailer and uses a Zix message tag. The note saying “Michelle sent you a secure message” reinforces familiarity and lures the recipient into a false sense of security. The only lure here is asking the user to “Click here” to read on, while also advising how to complete the next step once they land on the website.  

Figure 2: Email Body Showing URL 

If the recipient hovers over the link, as shown in Figure 2, they will see that it goes to a “securemail” sub-domain, which is a common setup for these services. In the body of the message, they also see the expiration date for retrieving the message.

Figure 3: Phishing Page 

In Figure 2 we see that the website mimics Zix’s landing site, which directs the recipient to interact with a “click to read message” button (Figure 3). The site is also HTTPS encrypted, so any data sent through it cannot be read in transit. If the user hovers over the button, they will notice that it leads to a different website, as shown in Figure 4.   

Figure 4: Phishing Page 

During the transition from the secure mailer page, the title of the tab has changed from “SecureMail!” to “Sign in to your account,” accompanied by a Microsoft login page. This is an uncommon occurrence for secure mailers as they typically have their own login pages. 

Figure 5: Phishing Page 

After the user provides their credentials, a redirect takes them to a OneDrive error page. Inspecting the network traffic shows that the entered credentials were sent to the threat actor rather than to Microsoft. This error page is a common tactic to convince the user that “something went wrong” and to postpone or prevent recognition that their credentials were harvested.  

Indicators of Compromise 

Link  IP 
hXXps://securemail[.]uadiaspora[.]com/  45[.]58[.]117[.]154 
hXXps://nojokemarketingpodcast[.]com/o1/main.html?  162[.]241[.]157[.]65 

Phish Found in Proofpoint-Protected Environments Week ending January 15, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Credential Phish 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL. 

TYPE: Credential Phish 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL. Note: This was in Spanish. 

TYPE: Keylogger 

DESCRIPTION: Finance-themed emails found in environments protected by Symantec deliver the Agent Tesla keylogger via an embedded URL. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade secure email gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Phishing Emails: All I Wanted Was for 2020 to End

By Dylan Duncan

2020 was far from ordinary 

And at the end, we learned one thing for sure: threat actors’ ability to quickly adjust their methods to world events is pretty uncanny. Like the rest of us, they must be news junkies, too.  

Every year, we see threat actors improve their methods and adapt to world events, bringing new trends to the phishing threat landscape. Last year, the COVID-19 pandemic in particular brought an unprecedented amount of disruption and financial hardship, directly leading to an increase in both the volume and the variety of threat activity. Threat actors continued to advance their tactics, techniques and procedures to ensure their emails would reach end users throughout the year. 

Here are a few things we learned from the longest March to December in history:

  • COVID-19 was certainly the source of the most disruption in 2020. During the peak of pandemic-themed campaigns, phishing emails predominantly delivered credential phishing and Agent Tesla keylogger, but threat actors also delivered ransomware, keyloggers, remote access trojans and information stealers. 
  • Remote work became the new standard for an unprecedented number of employees as the pandemic led to lockdown protocols and workplace restrictions. The technologies associated with remote work led to new opportunities for threat actors, such as spoofing video chat applications and collaboration platforms.  
  • The Agent Tesla keylogger has been a prolific malware family since its release in 2014. This year it was the highest-volume keylogger and one of the top malware families overall observed by Cofense Intelligence. Agent Tesla has a competitive price tag compared to other malware and provides threat actors with complex features while maintaining an easy-to-use user experience.  
  • Since 2014, the Emotet botnet has been one of the top contributors to the phishing threat landscape. The more notable changes that surfaced this year allow for it to steal email attachments from victims’ inboxes, which are then used in phishing campaigns against targets who would find the attachments familiar. 
  • Ransomware was very active throughout the year, with a high number of new families and developments compared to other malware types. During October, United States authorities warned about campaigns targeting the health care industry. The campaigns delivered BazarBackdoor, which threat actors could use later to deploy Ryuk ransomware to intended targets.  

Phishing emails weaponizing the COVID-19 pandemic, the remote work environment and the presidential election were more effective than generic phishing templates. As the pandemic continues into the coming year, we expect that some related themes will continue, and we stand at the ready (as does our network of 25 million around the world identifying and reporting phish) for newly emerging themes and trends. 


Emotet is Back for the Holidays with Updated Tactics

By Brad Haas

After a lull of nearly two months, the Emotet botnet has returned with updated payloads. The changes are likely meant to help Emotet avoid detection both by victims and network defenders. Apart from these updates, the campaigns’ targeting, tactics and secondary payloads remain consistent with previous active periods. Cofense Intelligence™ released a flash alert on the newest Emotet activity to customers with details about its new features. 

Emotet Background and 2020 Activity 

The Emotet botnet is one of the most prolific senders of malicious emails when it is active, but it regularly goes dormant for weeks or months at a time. This year, one such hiatus lasted from February through mid-July, the longest break we’ve seen in the last few years. Since then, we observed regular Emotet activity through the end of October, but nothing from that point until today. 

Figure 1: This is an invoice-themed Emotet email with a malicious document attached. 

Emotet has a few primary functions. It acts as an information stealer, harvesting credentials, contact lists and email content from an infected machine. It adds the contacts to its target list, and builds and sends authentic-looking emails using the stolen email content. Finally, it can deliver other malware as a secondary payload, often leading to separate attacks such as ransomware. In October the most common secondary payloads were TrickBot, Qakbot and ZLoader; today we observed TrickBot. 

Emotet targets a wide variety of users spanning dozens of countries and many languages. Email themes are also varied: some are created from victims’ stolen data, while others use generic templates, which can be adapted to current topics. For example, today’s campaigns include some emails using a holiday theme. Each email uses one of a few different delivery mechanisms: embedded links, attached documents, or attached password-protected zip files. All techniques attempt to deliver a malicious Microsoft Office document (maldoc). 

Updates Make Infection Less Obvious 

The new Emotet maldoc includes a noticeable change, likely meant to keep victims from noticing they’ve just been infected. The document still contains malicious macro code to install Emotet, and still claims to be a “protected” document that requires users to enable macros in order to open it. The old version would not give any visible response after macros were enabled, which may make the victim suspicious. The new version creates a dialog box saying that “Word experienced an error trying to open the file.” This gives the user an explanation why they don’t see the expected content, and makes it more likely that they will ignore the entire incident while Emotet runs in the background. 

Figure 2: A fake error message is created when macros are run in a new Emotet maldoc. 

The Emotet malware itself, which is installed if a user does run the malicious macros, also had a few updates. The malware was previously a standalone executable file with a “.exe” filename, but is now a DLL file initialized using the built-in Windows program rundll32.exe. This makes the presence of the malware a little more difficult to detect. Emotet’s command-and-control (C2) communication has also been changed to use binary data rather than plain text, which will likely make it more difficult to detect at the network level. Finally, the authors changed the binary to thwart extraction of C2 details and other indicators of compromise (IOCs). 
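The switch from a standalone executable to a DLL started through rundll32.exe, as described above, is harder to spot in a process list, but it still leaves a process-creation record: rundll32.exe with a DLL path on its command line. The following Python is an added example for this post, not Cofense's code or a Cofense Intelligence rule. It runs a simple heuristic over Sysmon-style process-creation records: rundll32.exe loading a DLL from a user profile, ProgramData or a temp directory is rare for legitimate software and worth a look. The field names, paths and every sample record are constructed.

```python
"""Detect rundll32.exe loading a DLL from a user-writable directory.

Added example, not Cofense's code: a small detection over process-creation
records such as Sysmon Event ID 1 or EDR telemetry. The post notes that
Emotet now ships as a DLL started through the built-in rundll32.exe; the
heuristic here is that rundll32 loading a DLL from a user profile,
ProgramData or a temp directory is rare for legitimate software. Field
names and all sample records below are constructed.
"""
import re

# "rundll32.exe", or a quoted/unquoted path ending in rundll32.exe, then the rest.
_RUNDLL32_CMD = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s*(.*)$', re.IGNORECASE | re.DOTALL
)

# Locations an ordinary user can write to; a DLL loaded from here is unusual.
_USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads)\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)


def rundll32_target(command_line: str) -> str:
    """Return the DLL path passed to rundll32.exe, or '' for other commands.

    rundll32 syntax is: rundll32.exe <dll>,<EntryPoint> [args]. The DLL path
    may be quoted when it contains spaces.
    """
    m = _RUNDLL32_CMD.match(command_line.strip())
    if not m:
        return ""
    rest = m.group(1).lstrip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else ""
    # Unquoted: the path ends at the comma before the entry point or at whitespace.
    return re.split(r"[,\s]", rest, maxsplit=1)[0]


def is_suspicious_rundll32(record: dict) -> bool:
    """True when the record is rundll32.exe loading a DLL from a user-writable path."""
    image = record.get("Image", "").lower()
    if not image.endswith("\\rundll32.exe"):
        return False
    target = rundll32_target(record.get("CommandLine", ""))
    return bool(target) and _USER_WRITABLE.match(target) is not None


def scan(records: list) -> list:
    """Return the command lines of all suspicious records."""
    return [r["CommandLine"] for r in records if is_suspicious_rundll32(r)]


# Constructed sample telemetry (user names, directories and DLL names are placeholders).
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\AppData\Local\Temp\Xsqmln\jwm.dll,Control_RunDLL'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\Example Dir\lib.dll",DllRegisterServer'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print("suspicious:", hit)
```

The path heuristic will produce some noise from installers that stage DLLs in ProgramData, so in practice it is paired with the parent process (a Microsoft Office process spawning rundll32.exe is the combination that matches the maldoc delivery described in this post).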

Conclusion 

Emotet’s active periods have been unpredictable, and its authors have made an effort to adapt both the email campaigns and the malware to spread more effectively. Cofense Intelligence customers have received relevant IOCs and Active Threat Reports (ATRs) as these campaigns are identified and analyzed. Customers can access the most up-to-date list of all relevant Cofense Intelligence IOCs and ATRs tied to Emotet via our API and on ThreatHQ. 


Phish Found in Proofpoint-Protected Environments Week ending January 8, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Trojan 

DESCRIPTION: Staffing-update-themed emails found in environments protected by Proofpoint deliver TrickBot via attached macro-laden Microsoft Office spreadsheets. 

TYPE: Trojan 

DESCRIPTION: Finance- or response-themed emails found in environments protected by Proofpoint deliver macro-laden Microsoft Office documents, either directly attached or inside attached password-protected archives. The documents download Emotet. 

TYPE: Credential Phish 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade secure email gateways.

Interested in seeing more? Search our Real Phishing Threats Database.
