Cofense Recognized for Raising the Standards of Quality Customer Service

Technical Operations Center (Support) Stands Out for Excellence in Customer Service, Winning an ISPG Award and Being Named a Finalist for the HDI Conference Awards

LEESBURG, VA. – February 13, 2019 – Today Cofense™, the leading provider of intelligent phishing defense solutions world-wide, announced the latest industry recognition for their distinguished Technical Operations Center (Support). On Feb. 4, Info Security Products Guide (ISPG) named Cofense the Bronze winner of the Customer Service Department of the Year category for the 2019 Global Excellence Awards. In addition, the department was recently named a finalist for HDI’s Team Excellence Award. Both awards represent Cofense’s high standards for quality and customer service, a key element for ensuring that organizations remain protected from the many threats being launched against them.

Here’s Proof that Corporate Board Members Want Stronger Phishing Defense

By Susan Mo

More and more, boards of directors are security decision-makers. One example: Cofense just published a case study on a company whose board lit a fire for a stronger phishing defense—and it’s paying dividends. 

This board took the lead in launching phishing simulations. 

Queensland Airports Limited (QAL) Aviation hails from my part of the world, Australia. As an aviation company, QAL has a public presence. Translation: any security issues would likely make headlines. So the QAL board mandated an anti-phishing program. Using Cofense PhishMe™, QAL now runs phishing simulations to condition its employees to recognize and report phishing emails. 

The program is still in the early stages, but already the results are encouraging. User susceptibility to phishing emails has dropped by 10%. Moreover, the rate of users clicking on embedded links in emails has dropped by 9%. Further proof the program is not just effective but necessary: even members of QAL security teams have fallen for simulations. 

And the best proof of all: “Our security teams are stopping attacks reported by employees,” said QAL’s General Manager of Technology and Innovation. Real users are helping to stop real phishing threats. 

For further details, view the full case study. 

Cofense board reports show results and ROI. 

To make sure that boards and other leadership teams see results, Cofense provides free board reports to our customers. Cofense PhishMe customers can request a report from their dashboards or in Cofense Community. They’ll get an easy-to-read two-page summary of their program’s progress.

At a glance, each report shows susceptibility rates, rates of users reporting phishing, and the resiliency rate—that is, the ratio of users reporting emails to those that take the bait. A ratio of 1 reporter to 1 susceptible user is a good start. A rate of 5:1, for instance, would be very good. 

The reports also benchmark progress within a customer’s industry. If you’re in financial services, you can see how your anti-phishing compares to other Cofense financial customers. You can even zoom out to see a comparison covering over 20 major industries. 

One customer said their report gave them “the high-level ROI analysis our leadership needed.” It’s the kind of information security-minded boards require—and that security and awareness teams can use to justify budget. 

For a broader view of the role boards play in cyber-security, view this article in Forbes. 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  


We’re Making It Easy for MSSPs to Deliver Phishing Defense

By John McCabe


A new Cofense™ Managed Security Service Provider (MSSP) program makes it easy for service providers to offer phishing defense to small and medium-sized businesses. Phishing is a huge problem for SMBs. With limited budget and expertise, they are often targets of spear phishing, ransomware, and other attacks.

Introducing the Cofense Triage Certification Program

By Kiarra Grant

Want to be a certified expert in phishing response? Now you can.

Introducing the Cofense Triage™ Operators Certification. It’s our second industry-specific certification program, complementing our program for operators of Cofense PhishMe™. The new program is focused on Cofense Triage, the first and only phishing-specific incident response platform. Become an expert in Cofense Triage while taking your phishing defense program to the next level.

The Cofense Triage Certification program provides:

  • Validation and certification of skills in the operation of Cofense Triage
  • Training in running a successful phishing response program
  • The ability to augment Cofense solution expertise with free threat landscape education modules
  • Complete education and testing for certification in about two hours, at the user’s pace

Upon completing the course, you may earn CPEs for your certifications by self-reporting to third-party organizations such as (ISC)² for review. This certification is included with your Cofense Triage license, so there is no charge for this program.

Users can request access to the certification via the “Request Cofense Triage Certification” button at the top of any Cofense Community page.


Jigsaw Ransomware Returns With Extortion Scam Ploys

By Lucas Ashbaugh

Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics.

The Delivery

Each email starts off with a ploy about how the threat actor somehow compromised the victim’s financial accounts. After shocking and scaring victims, the emails attempt to trick them into clicking on a download link disguised as a stolen bank statement. The link is shortened to evade detection and redirects the user to the payload server, where the malware is ultimately downloaded under the guise of a file named Statement.pdf.msi.

The Malware

At $400, this rendition of Jigsaw demands more than many of its predecessors; otherwise it remains similar. As usual, a flashy dialog pops up and slowly types out its demand. It encrypts the victim’s files and then starts deleting them at an increasing pace, as outlined in the ransom note below. This escalation of file deletions is one of the reasons Jigsaw is so dangerous: it heavily pressures victims to pay the ransom in a short time frame or suffer increasing consequences.

Upon download, the file creates two malicious executables named drpbx.exe and firefox.exe. Despite the different names, these files are identical. They can be found at:

  • %AppData%\Local\Drpbx\drpbx.exe
  • %AppData%\Roaming\Frfx\firefox.exe


Along with these executables, Jigsaw creates a new folder at %AppData%\Roaming\System32Works which contains key files:

  • EncryptedFileList.txt: keeps a running record of all the files that have been encrypted so far.
  • Adress.txt: stores the bitcoin address that must receive payment.

For anyone daring enough to disregard the malware’s threat and turn off their machine, an ominous warning pops up. If the victim power cycles their machine, Jigsaw will automatically delete 1000 files.

Jigsaw is well known for its usage of the .fun file extension on its encrypted files. It has also been previously reported to use additional file extensions such as .kkk and .btc.

Jigsaw caters to a variety of languages, selecting its language based on the victim machine’s locale setting.
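As an added example that is not from the original post, a Python host-triage routine that checks a file-listing snapshot against the artifacts described above: the two identical droppers, the System32Works folder, the encrypted-file extensions, and EncryptedFileList.txt entries that no longer exist on disk, which is evidence that the escalating deletion timer has already fired. The sample snapshot, its file contents and the assumption that EncryptedFileList.txt holds one full path per line are constructed.

```python
import hashlib
from pathlib import PureWindowsPath

# Artifacts named in the post, matched case-insensitively as path suffixes so the
# user-profile prefix that %AppData% expands to does not matter.
DROPPER_SUFFIXES = (r"\appdata\local\drpbx\drpbx.exe", r"\appdata\roaming\frfx\firefox.exe")
WORKDIR_MARKER = "\\appdata\\roaming\\system32works\\"
ENCRYPTED_EXTS = {".fun", ".kkk", ".btc"}  # .fun is usual; .kkk and .btc were reported earlier


def triage_host(files, encrypted_list_text):
    """files: {path: content_bytes} snapshot of a host.
    encrypted_list_text: contents of System32Works\\EncryptedFileList.txt
    (assumed here to hold one full path per line)."""
    report = {"droppers": [], "workdir_files": [], "encrypted_on_disk": [],
              "listed_but_missing": [], "droppers_identical": None}
    norm = {p.lower().replace("/", "\\"): p for p in files}
    for low, p in norm.items():
        if low.endswith(DROPPER_SUFFIXES):
            report["droppers"].append(p)
        elif WORKDIR_MARKER in low:
            report["workdir_files"].append(p)
        elif PureWindowsPath(low).suffix in ENCRYPTED_EXTS:
            report["encrypted_on_disk"].append(p)
    # The post states the two droppers are identical despite their names; verify by hash.
    if len(report["droppers"]) == 2:
        digests = {hashlib.sha256(files[p]).hexdigest() for p in report["droppers"]}
        report["droppers_identical"] = len(digests) == 1
    # Every encrypted file is logged in EncryptedFileList.txt, so a logged path with no
    # file on disk indicates the escalating deletion timer has already removed it.
    for entry in encrypted_list_text.splitlines():
        entry = entry.strip()
        if entry and entry.lower().replace("/", "\\") not in norm:
            report["listed_but_missing"].append(entry)
    return report


# Constructed snapshot of an infected profile (contents are placeholders, not real samples).
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Local\Drpbx\drpbx.exe": b"MZ\x90\x00constructed",
    r"C:\Users\alice\AppData\Roaming\Frfx\firefox.exe": b"MZ\x90\x00constructed",
    r"C:\Users\alice\AppData\Roaming\System32Works\EncryptedFileList.txt": b"",
    r"C:\Users\alice\AppData\Roaming\System32Works\Adress.txt": b"constructed-btc-address",
    r"C:\Users\alice\Documents\budget.xlsx.fun": b"ciphertext",
    r"C:\Users\alice\Documents\notes.txt": b"plain",
}
SAMPLE_LIST = "C:\\Users\\alice\\Documents\\budget.xlsx.fun\nC:\\Users\\alice\\Documents\\photo.jpg.fun\n"

if __name__ == "__main__":
    for key, value in triage_host(SAMPLE_FILES, SAMPLE_LIST).items():
        print(f"{key}: {value}")
```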

Protecting Yourself and Your Company

User training. Jigsaw still relies on an untrained user to click on the infection URL in the first place. For a trained user, these scam ploy tactics should be glaringly obvious. The ploys include choppy English, urging a user to click a suspicious link. Users that are well trained with tools like Cofense PhishMe™ know to report these emails and not click.

Indicators of Compromise

Malicious File

File Name: Statement.pdf.msi

MD5: a362de111d5dff6bcdeaf4717af268b6

SHA256: 0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca

File size: 1.1 MiB (1,175,552 bytes)


Malicious File

File name: firefox.exe

MD5: fba7f5f58a53322d0b85cc588cfaacd1

SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

Filesize: 282 KB (289,280 bytes)


Malicious File

File name: drpbx.exe

MD5: fba7f5f58a53322d0b85cc588cfaacd1

SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

Filesize: 282 KB (289,280 bytes)



Cofense Announces New Cofense Triage Operator Certification

Incident Responders Gain Deeper Knowledge of Product Capabilities and Functionality to Analyze and Respond to Active Phishing Emails Faster

LEESBURG, VA. – Jan. 23, 2019 – Today Cofense™, the leading provider of human-driven phishing defense solutions world-wide, announced their Cofense Triage™ Operator Certification. Cofense Triage is the first phishing-specific orchestration, automation and response platform that helps stop active phishing attacks in progress. The Cofense Triage Operator Certification teaches incident responders best practices to make them more efficient and assures that organizations maximize the investments that they have made in Cofense Triage. This training is interactive, self-paced, and typically completed in just two hours.

Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans

By Aaron Riley and Marcel Feller

CISO Summary

Recently, Cofense™ has seen phishing campaigns that bypass email security using a .cpl file extension attachment. .cpl is the file name extension for items or icons appearing in the Windows Control Panel. These file extensions are vital for most Control Panel tools to function, making endpoint threat mitigation extremely difficult.

After evading controls and successfully executing on the endpoint, the .cpl file downloads a second-stage payload, which is typically a banking trojan. According to Cofense Intelligence™, most of these phishing campaigns are aimed at South American inboxes. As part of security awareness training (see Cofense PhishMe™), organizations should condition users to identify and report .cpl files to avoid network infection.

Full Details

The Cofense Phishing Defense Center (PDC) has captured multiple phishing campaigns using a .cpl file extension attachment to bypass email security measures and download a second stage payload, which typically is a banking trojan. Cofense Intelligence has analyzed these campaigns and found that the majority of them are targeting South American citizens. Furthermore, to successfully communicate with the Command and Control (C2) infrastructure, the endpoint needs to mirror a South American computer’s settings like IP address, time zone, language pack, and keyboard settings.

The .cpl file extension is used for Control Panel tools that contain executable code. A .cpl file is a PE32 binary with the same structure (including the DOS stub) as the other PE32 formats such as .exe, .dll and .scr, and it is loaded and executed by control.exe. These file extensions have been used in campaigns that deliver banking trojans, most notably Banload. Cofense Intelligence™ customers can view an analysis of Banload by logging in here. Figure 1 shows an email campaign used to deliver a .cpl attachment. The email is in Spanish and claims to come from ‘Servicio de Impuestos Internos,’ the Internal Revenue Service of Chile.

Figure 1 shows the email campaign used to deliver .cpl attachments.

The .cpl file attached to this campaign acted as a first-stage downloader, facilitating the retrieval and execution of a secondary payload. Figure 2 shows the HTTP POST to the C2 infrastructure during the preliminary communication. This HTTP POST contains the machine and username of the infected endpoint and is appended with a number sequence known to the C2. Figure 3 shows the fingerprinting data within the form values posted to the C2.

Figure 2 shows the HTTP POST and GET traffic originating from the .cpl file.

Figure 3 shows the information gathered by the .cpl file to fingerprint the infected machine.

After the initial connection is successful, the binary then connects to a hardcoded payload location for the second stage. Notice in Figure 2 that there was a GET request for another payload. By effectively expanding the detection surface, this two-stage download and execution actually increases the likelihood of C2 interruption.

While analyzing the .cpl binaries’ network traffic, Cofense Intelligence identified a custom User-Agent string that can be turned into network alerts within a Security Information and Event Management (SIEM) system. Figures 4 and 5 show the two different User-Agents connecting to the same host. Based on packet analysis, these custom User-Agents suggest the threat operators are limiting access to their C2 infrastructure.

Figure 4 shows the User-Agent for the HTTP POST.

Figure 5 shows that the User-Agent value is ‘LA CONCHA DE TU MADRE,’ a Spanish expletive whose cleaned-up meaning is ‘the shell of your mother.’ This string lends further credence to the idea that the User-Agent is used to restrict access to the C2 infrastructure and to signal the stage of infection. However, leaving such an obvious indicator for the security infrastructure to identify gives the impression this was an amateur operator.

Figure 5 shows the User-Agent string for the GET request made by the .cpl file.
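As an added example that is not part of the original post, a small Python detector that turns the indicators above into alerts over proxy log lines: an exact match on the User-Agent quoted for Figure 5, and the POST check-in followed by a GET payload fetch to the same host described around Figure 2. The log layout, the hosts and the POST User-Agent (the post does not quote Figure 4's value) are constructed.

```python
import re
from urllib.parse import urlsplit

# User-Agent quoted in the post for the second-stage GET (Figure 5).
KNOWN_BAD_UA = "LA CONCHA DE TU MADRE"

# Constructed proxy log, tab-separated: epoch, client, method, url, user-agent.
# Not a real proxy format; adapt parse() to your own log layout.
SAMPLE_LOG = """\
1547640001\t10.0.0.5\tGET\thttp://www.example.com/\tMozilla/5.0 (Windows NT 10.0)
1547640010\t10.0.0.7\tPOST\thttp://c2.example.invalid/gate.php\tConstructedPoster/1.0
1547640012\t10.0.0.7\tGET\thttp://c2.example.invalid/stage2.bin\tLA CONCHA DE TU MADRE
1547640020\t10.0.0.9\tGET\thttp://www.example.org/\tMozilla/5.0 (X11)
"""

LINE_RE = re.compile(r"^(\d+)\t(\S+)\t(GET|POST)\t(\S+)\t(.*)$")


def parse(log_text):
    """Return (epoch, client, method, host, ua) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, ua = m.groups()
            events.append((int(ts), client, method, urlsplit(url).hostname, ua.strip()))
    return events


def looks_like_browser(ua):
    return ua.startswith("Mozilla/")


def detect(events, window=60):
    """Return alerts as (rule, client, host, epoch).
    'known-ua': exact match on the User-Agent the post documents.
    'post-then-get': a POST (fingerprint check-in) followed within `window` seconds by a
    GET (payload fetch) from the same client to the same host, where at least one of the
    two requests carries a non-browser User-Agent. The UA condition keeps ordinary web
    browsing, which POSTs and GETs constantly, from firing the rule."""
    alerts = []
    last_post = {}  # (client, host) -> (epoch, ua) of the most recent POST
    for ts, client, method, host, ua in sorted(events, key=lambda e: e[0]):
        if ua == KNOWN_BAD_UA:
            alerts.append(("known-ua", client, host, ts))
        if method == "POST":
            last_post[(client, host)] = (ts, ua)
        elif method == "GET" and (client, host) in last_post:
            t0, post_ua = last_post[(client, host)]
            if 0 <= ts - t0 <= window and not (looks_like_browser(ua) and looks_like_browser(post_ua)):
                alerts.append(("post-then-get", client, host, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```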

After execution, this .cpl attachment followed trends and called for the second-stage payload to execute a sample of OverByte ICS Logger. This keylogger was configured with multiple modules to target and gather banking information from the endpoint. Figure 6 shows the malware family name within the memory strings. Figure 7 shows the multiple modules configured within this binary.

Figure 6 shows the malware family name within the memory strings.

Figure 7 shows the multiple modules that were used to configure this binary.

This sample of OverByte ICS Logger went after banking information, specifically South American banks. The banking information gathered includes usernames, passwords, Personal Identification Numbers (PINs), and any element ID that was selected during the login process. Element IDs are unique identifiers that facilitate accurate targeting for JavaScript and CSS. Use of element IDs means modifications to the page can be made accurately, provided the author adheres to the standards.

After gathering the information, this sample then sends it to the C2, which in this case was the same as the second-stage download. This OverByte ICS Logger persisted on the machine and gathered banking information at predetermined times to be sent to the C2. Figure 8 shows a list of banks (redacted) in the memory strings of the running sample.

Redactions in Figure 8 show where the references to banks would be within the memory strings.

The .cpl file extension is necessary for most Control Panel tools to function properly. Because the operating system depends on it, mitigation and remediation within the security stack are extremely difficult. The use of these extensions to deliver banking trojans to the endpoint is a looming threat. Educating end users on how to properly identify and report these types of files when they are encountered is the best way to avoid this type of infection on a network.

To stay abreast of the latest phishing and malware trends, sign up for free Cofense Threat Alerts.

Indicators of Compromise



Cofense Launches MSSP Program to Provide Essential Phishing Defense Capabilities to Small and Midsized Businesses

Program will provide global MSSPs world-class, human-driven anti-phishing offerings that increase attack resiliency and speed response times to stop phishing in its tracks

LEESBURG, VA. – January 16, 2019 – Today Cofense™, the leading provider of human-driven phishing defense solutions world-wide, launched its Managed Security Service Provider (MSSP) program to provide small and medium-sized businesses (SMBs) across the globe with essential human-driven phishing defense solutions designed to stop active phishing attacks. SMBs are highly susceptible to phishing attacks, and often lack the resources necessary to stop advanced threats. In response, Cofense has partnered with a targeted group of elite service providers to provide their customers the dedicated resources required to strengthen defenses, build attack resiliency and ultimately stop real attacks in progress.