Monkeypox Phishing: Outbreak Becomes Latest Lure

By Elmer Hernandez, Cofense Phishing Defense Center

As the world recovers and learns to live with Covid-19, use of the pandemic as a phishing theme has started to wane. However, public wariness and anxiety surrounding an emerging medical concern will remain exploitable. Enter the current monkeypox outbreak. The Phishing Defence Center (PDC) has seen attempts to deceive enterprise staff with a series of monkeypox themed phishing emails. As this rare infection spreads around the globe and gains media attention, attackers are likely to continue tweaking their tactics.

In the last week at least two PDC customers have reported emails such as the one displayed in Figure 1. Both the employee’s and company’s names change depending on who is targeted, but the email body stays the same.

The pretence is similar to what we have already seen with Covid-19 themed phishing emails. It opens up mentioning updates from reputable health organizations to give the impression of veracity and seriousness. It stresses the importance of keeping staff and the company safe, in an attempt to make the employee feel like they share part of the collective responsibility. Finally, it asks all employees of the company to comply with mandatory safety awareness training.

Figure 1 – Phishing Email

Clicking the link takes users to a compromised website, which then directs them to either a spoofed domain or another already compromised website. Looking at the URL, it’s clear the threat actor wanted to add validity to the page by naming the directory “health”. Otherwise it is standard Microsoft credential phishing. It first asks the user for the email address (Figure 2) and subsequently the password (Figure 3), asserting that this is necessary due to the sensitive nature of the information being accessed. Once the user has provided all credentials, a confirmation page appears for a few seconds (Figure 4) before the user is redirected to the real Office 365 website.

Figure 2 – Phishing Site


Figure 3 – Password


Figure 4 – Confirmation


BEC Insights: The Need for Better Business Controls

Author: Tonia Dudley

In our 2022 Annual State of Phishing Report, we observed the Business Email Compromise (BEC) threat category inch up from 6% to 7% of overall threats, with the Healthcare sector still leading the way at 16%. With increased attention and speculation around BEC, otherwise known as CEO fraud, Cofense CTO & Co-Founder Aaron Higbee, BEC specialist and Principal Threat Advisor Ronnie Tokazowski, and I sat down to go in-depth on our findings and insights around this threat.

One of the highlights from this webinar was a new tactic we recently observed at Cofense related to direct deposits. As you can see from the message below, this threat actor leverages what many companies use as a best practice, utilizing self-service to update direct deposit information, making this tactic more effective.

This is just one of many samples highlighted in the webinar. Below is a brief list of takeaways and topics discussed. You can hear the entire discussion on demand, plus register for additional annual report webinars on topics such as Secure Email Gateways and Ransomware.

Key Takeaway #1 – Evolution of the Threat

In late 2015, Cofense first wrote about BEC after we ourselves observed our CFO receiving a spoofed email from our CEO, Rohyt Belani, asking for a wire transfer. As we continue to follow the tactics related to this threat, we see that, as with any other threat, threat actors constantly adjust their templates to minimize detection by the secure email gateway (SEG) and spam filters. Many of the conversation-starter emails are quite vague and take 2-3 follow-up emails to lure the recipient into executing the desired task (i.e. purchasing gift cards).

Key Takeaway #2 – Top BEC Threats for Enterprise

We dig a bit deeper into each of these topics on the webinar, but these are the top themes we have observed related to BEC.

  • Invoice Fraud – this isn’t surprising, as we continue to observe that it is a top theme for threat actors pursuing one of their top objectives – MONEY.
  • Thread Hijacking – nothing adds more credibility for a recipient to interact with a threat actor than an email chain that appears to be three threads deep into a conversation.
  • Gift Cards – while this threat tends to be small in currency, it tends to cost the employee directly, as they’re unable to get reimbursed for this inadvertent purchase. Threat actors tend to choose the gift card brand they request based on its exchange rate on the bitcoin marketplace.
  • Direct Deposit – also known as payroll diversion, where the threat actor attempts to redirect your paycheck to their bank account instead of yours.

Key Takeaway #3 – Ways to mitigate against BEC

We closed out the webinar with a few quick actions you can take to help protect your organization against this threat.

  • Education. While we promote phishing simulation campaigns as the optimal way to train your employees against phishing threats, this threat is a bit more difficult to train for using that methodology. When it comes to BEC, include this topic in your security awareness newsletters, along with images of real emails observed by your organization. Sharing a real email makes the threat real to your users.
  • CEO Messaging. Ensure that your users understand that your executive team isn’t going to ask them to get gift cards to award clients or their family members. Be sure to include this in your New Hire Orientation (NEO) onboarding, as this group of employees is less likely to be familiar with your business practices or executive team.
  • Implement and Enforce business process changes. When it comes to BEC, victims of these threats are all linked back to a breakdown in the business controls that should prevent large amounts of cash from being sent out of the organization.

SEG Effectiveness: Three Takeaways from the 2022 State of Phishing Report

Author: Tonia Dudley

Earlier this year, Cofense released its 2022 Annual State of Phishing Report highlighting insights and analysis seen in customer environments. One major takeaway was the amount of phish that continue to bypass Secure Email Gateways (SEGs). To provide more insights on this topic, Cofense CTO & Co-Founder Aaron Higbee and I sat down to go in-depth and highlight findings on SEG misses.

While organizations analyze data across industries to see how they compare against peers, we also recommend you compare your organization against your technology stack. As you tune your security controls and SEG, are you able to detect and respond to new threats as they land in the inbox?

Figure 1: New Behavior for QakBot

Key Takeaway #1: Threat Actors tune their tactics.

As SEGs tune for file attachment threats, which continue to show low inbox hit rates, Cofense continues to see new file attachment types used to bypass the SEG. These odd file types may appear obscure to a user browsing their inbox, but oftentimes they are still very much recognized by native Microsoft Windows endpoints. Along with odd file types, we stay abreast of new behavioral tactics used by threat groups. The email in Figure 1 is related to the known QakBot malware family, but this particular campaign switched tactics by directing the recipient to click a link that downloads a zip file. When the recipient interacts with this zip file and extracts the .MSI file, QakBot is launched onto the device.

Key Takeaway #2: The top file attachment type landing in the inbox.

Threat actors continue to leverage the one file type they know will land in the inbox and likely get engagement from the recipient – HTML / HTM files. This file type is difficult to mitigate with a hard block, as many legitimate business applications and SaaS solutions use it. Look for ways to mitigate this risk by working with the business owners to identify the recipient population that needs to receive these emails. Then provide resources that allow your users to validate the legitimate services that send this file type. The best way to condition and prepare your organization to identify and report this threat is to use this file type in phishing simulation campaigns.

Key Takeaway #3: Microsoft updated Office file types – did you?

Not only are odd file types being leveraged, but what about file types that have been sunset? I don’t know about you, but I’m not sure when I last used an MS Office product that didn’t add the ‘x’ to the file extension (.xlsx or .docx). Adding these archived file types to your block list can be a simple configuration change that minimizes the risk of these files landing in the inbox.
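The attachment handling described in Takeaways #2 and #3 can be expressed as a small policy check. The following Python code is an added example, not Cofense’s own tooling: it parses constructed .eml messages, hard-blocks legacy pre-OOXML Office extensions, and gates HTML/HTM attachments on an assumed allow-list of approved sender domains rather than blocking them outright.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Legacy, pre-OOXML Office extensions (the ones without the trailing 'x').
# Assumption: the organization no longer exchanges these formats legitimately.
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}

# HTML attachment extensions. These cannot simply be hard-blocked because some
# legitimate SaaS notifications carry them, so they are gated by a sender allow-list.
HTML_EXTENSIONS = {".htm", ".html", ".shtml", ".mht", ".mhtml"}


def sender_domain(msg):
    """Return the lower-cased domain of the From header ('' if absent)."""
    addr = msg.get("From") or ""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip(" >\t").lower()


def attachment_findings(raw_eml, html_allowed_senders=frozenset()):
    """Classify each attachment as block / quarantine / allow with a reason.

    Returns a list of (filename, verdict, reason) tuples; attachments that
    trigger neither rule produce no finding.
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    domain = sender_domain(msg)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        is_html = ext in HTML_EXTENSIONS or part.get_content_type() == "text/html"
        if ext in LEGACY_OFFICE:
            findings.append((name, "block", "legacy Office format"))
        elif is_html:
            if domain in html_allowed_senders:
                findings.append((name, "allow", "HTML attachment from approved sender"))
            else:
                findings.append((name, "quarantine", "HTML attachment from unapproved sender"))
    return findings


def build_sample(sender, filename, payload, maintype, subtype):
    """Construct a minimal test email with one attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Document for your review"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: an HTML credential lure, a legacy .doc, an approved SaaS
# HTML notification, and a modern .docx that needs no action. All names are made up.
HTML_LURE = build_sample("Payroll <payroll@example.org>", "Invoice_4471.htm",
                         b"<html><body>sign in</body></html>", "text", "html")
LEGACY_DOC = build_sample("HR <hr@example.org>", "Training.doc",
                          b"\xd0\xcf\x11\xe0" + b"\x00" * 16, "application", "msword")
APPROVED_HTML = build_sample("Reports <noreply@approved-saas.example>", "report.html",
                             b"<html><body>weekly report</body></html>", "text", "html")
MODERN_DOCX = build_sample("HR <hr@example.org>", "Training.docx", b"PK\x03\x04",
                           "application",
                           "vnd.openxmlformats-officedocument.wordprocessingml.document")

# Assumed allow-list of SaaS sender domains permitted to deliver HTML attachments.
APPROVED = frozenset({"approved-saas.example"})


def verdicts(raw_eml):
    """Convenience: just the (filename, verdict) pairs for a message."""
    return [(name, verdict) for name, verdict, _ in attachment_findings(raw_eml, APPROVED)]


if __name__ == "__main__":
    for sample in (HTML_LURE, LEGACY_DOC, APPROVED_HTML, MODERN_DOCX):
        print(attachment_findings(sample, APPROVED))
```
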

As we closed out the discussion on odd file types and opened the floor for questions, we received a question that has been a discussion point lately as organizations are looking to focus their phishing defense programs.

What are you using to measure the effectiveness of your phishing defense program?

Tune into the recording for our summary and stay tuned as we publish more recommendations on this topic.

Threat actors are continuing to use emerging tactics and techniques to bypass traditional email security solutions and the only way to stay ahead of the curve is to have a comprehensive phishing defense strategy. If you’re interested in a more detailed analysis of SEG effectiveness, BEC insights or catching ransomware at the phishing stage, sign up for our upcoming webinars.

Hackers Utilize SwissTransfer To Deploy Phishing Scam

Author: Kian Maher

In recent weeks, the Cofense Phishing Defence Center (PDC) has noted a number of emails utilising the SwissTransfer service to achieve successful phishes against recipients. A common and preferred vector for attackers, file sharing services such as WeTransfer, Microsoft OneDrive and Dropbox have been utilized to spread files containing anything from scams to malware leading to ransomware.

Figure 1: Phishing Email

Based in Switzerland, this file sharing service has been seen mostly in attacks against users of German speaking nations. The file sharing capabilities and clean image of the site can easily trick a user into downloading a file they believe is legitimate and from a known contact; however, with the ability to add any alias to a sent file, impersonation becomes exceedingly easy.

Navigating to the link on the email will present the user with a legitimate SwissTransfer download page where a PDF file named “Portfolio Control GmbH.pdf” can be downloaded by the user, as seen in Figure 2.

Figure 2: File Download Page

Once the file has been downloaded, and the recipient opens the PDF, clicking on the link will redirect the user to a Microsoft login page.

Figure 3: PDF Document

The login page spoofs the standard Microsoft layout and the only indicator that something is amiss is the URL seen in the address bar.

Figure 4: Landing Page

Beware of emails coming from legitimate services such as SwissTransfer, WeTransfer and Microsoft OneDrive, as phishing attacks are constantly evolving and are becoming more convincing and complex by the day. Equally important is to ensure the same password is never used for more than one account. Additionally, never perform any password resets or account retrievals outside of the legitimate website of the email provider you use or outside your corporate environment’s approved methods.

Malicious emails like this are a constant threat in the enterprise space due to the constant use of services such as Microsoft Outlook, and it is important that users are made aware of this so that they can be more vigilant when receiving emails. With the Cofense suite of products and services, malicious emails can be identified, and indicators of compromise (IOCs) extracted and shared. Find out what we can do for your enterprise.


Cofense Earns 2022 Top Rated Award from TrustRadius

Cofense PhishMe recognized for Security Awareness Training category based on excellent customer satisfaction ratings

Leesburg, Va. – May 19, 2022 – Cofense®, the leading provider of Phishing Detection and Response (PDR) solutions, today announced that Cofense PhishMe™ has won a 2022 Top Rated Award by TrustRadius in the security awareness training software category. Top Rated awards help distinguish products that have excellent customer satisfaction ratings and are based entirely on end user reviews.

Current events highlight that mature and effective phishing defense programs must be proactive and constant, as phishing continues to be a key entry point for a majority of cyber attacks. As employees are the front line of defense against phishing, training for employees is one of the most effective ways to strengthen your company’s defense against attacks such as ransomware, malware and Business Email Compromise (BEC). When it comes to preparing and conditioning users to spot and report phish hitting their inbox, the 2022 Cofense Annual State of Phishing Report highlighted a two-point increase in resiliency rate for simulation campaigns and saw a seven-point resiliency rate among organizations that have full phishing defense programs.

“Email threats are not going anywhere. In fact, it’s quite the opposite; they’re only getting worse and continue to dominate as the primary vector behind most data breaches. Threat actors are continuing to use emerging tactics and techniques to bypass email security technologies and the only way to stay ahead of the curve is to have a comprehensive email defense strategy,” said Rohyt Belani, CEO of Cofense. “An effective email defense program operates at the intersection of human intelligence and artificial intelligence. A critical mass of vigilant humans who report suspicious emails are critical to feed machine learning powered technologies so the latter can continually evolve and create a self-healing email security system. Security training or email security technologies in isolation are not going to work.”

Cofense PhishMe, a SaaS platform trusted by over 2,500 organizations across multiple industry verticals, uses intelligent automation, advanced algorithms and active threat scenarios to reinforce positive security awareness behavior. The training brings real, active threats into realistic phishing scenarios to ensure program relevance and to provide users with insights that can help them to navigate the modern threat landscape.

To qualify for a Top Rated award, a product must have 10 or more recent reviews from the past year, a trScore of 7.5 or higher based on TrustRadius’ algorithm that calculates a product’s scores based on a weighted average of reviews and ratings, and show relevance by having earned at least 1.5% of the site traffic in the category. Cofense’s TrustRadius reviews can be viewed here.

To learn more about Cofense, please visit

About Cofense

Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 32 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit or connect with us on Twitter and LinkedIn.

Phishing Takeaways from the Conti Ransomware Leaks – Part 3

Author: Brad Haas

Conti is one of the most prolific ransomware operations in the threat landscape today. In a recent act of retaliation against Conti’s leaders for their support of Russia, an anonymous person leaked documentation and internal chat logs from the group. This blog post series covers important phishing-related takeaways Cofense Intelligence analysts discovered in the leaks. In Part 3, we discuss elements of Conti’s phishing tactics and strategy.

Conti Produces Semi-Random Phishing Templates Using Simple Themes

Although the Conti group employs other malware operators to perform the work of sending malicious emails, it appears that the group provides the templates to use in the emails. Several English-language templates were included in the leaked Jabber chats, indicating a system that randomly chooses words or phrases from short lists. The templates included text that could produce a variety of wordings for email subject lines and bodies, along with a list of attachment names to choose from. Conti member “Lemur” contributed the following order-themed template in October:


{Greetings|Hello|Good day|Good afternoon}{!|,|}

{Thank you for|We are grateful for|We are grateful for|Many thanks for} {your|your recent} {online order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} {received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} TRANSFER NUMBER. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} within {4|5|6|four|five|six} {days|business days}.

{Total|Full|Whole} {order|purchase|payment} SUM

You {can find|will find} {all|full} {relative information|order info|order and payment details} and your {receipt|check} CHECK NUMBER {in|in the} {attached file|file attached}.

{Thank you!|Have a nice day!}

Subjects: Your {order|purchase|online order|last order} Purchase order number payment {processed|obtained|received}

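A leaked spintax template is also a detection signature for defenders. The following Python code is an added example (not from the leaks or from Cofense tooling): it compiles the greeting and first sentence of Lemur’s order template into a regular expression that matches every wording the template can produce, counts those wordings, and checks two constructed message bodies. The placeholder shapes (a single non-space token for TRANSFER NUMBER, CHECK NUMBER and SUM) are assumptions.

```python
import re

# Greeting and first sentence of the Conti "order" spintax template quoted above.
# Upper-case tokens (TRANSFER NUMBER etc.) are placeholders the operator fills in.
CONTI_ORDER_TEMPLATE = (
    "{Greetings|Hello|Good day|Good afternoon}{!|,|} "
    "{Thank you for|We are grateful for|We are grateful for|Many thanks for} "
    "{your|your recent} {online order|purchase order|order}. "
    "{We|Our financiers have|Our team has|We have|Our shop has} "
    "{received|collected|processed|checked} your "
    "{payment|advance payment|money transfer|funds transfer} TRANSFER NUMBER."
)

# Regex fragments substituted for the template's placeholders (assumed shapes).
PLACEHOLDERS = {"TRANSFER NUMBER": r"\S+", "CHECK NUMBER": r"\S+", "SUM": r"\S+"}
_PLACEHOLDER_RE = re.compile("|".join(re.escape(k) for k in PLACEHOLDERS))


def _words(text):
    """Escape literal words; any run of whitespace in the template matches \\s+."""
    return r"\s+".join(re.escape(w) for w in re.split(r"\s+", text))


def _literal(text):
    """Escape a literal run, swapping placeholders for their regex fragments."""
    out, pos = [], 0
    for m in _PLACEHOLDER_RE.finditer(text):
        out.append(_words(text[pos:m.start()]))
        out.append(PLACEHOLDERS[m.group()])
        pos = m.end()
    out.append(_words(text[pos:]))
    return "".join(out)


def _parse(s, i):
    """Recursive-descent parse of {a|b|c} groups; returns (regex, next_index)."""
    alts = [[]]
    while i < len(s):
        c = s[i]
        if c == "{":
            inner, i = _parse(s, i + 1)
            alts[-1].append("(?:" + inner + ")")
        elif c == "}":
            return "|".join("".join(a) for a in alts), i + 1
        elif c == "|":
            alts.append([])
            i += 1
        else:
            j = i
            while j < len(s) and s[j] not in "{}|":
                j += 1
            alts[-1].append(_literal(s[i:j]))
            i = j
    return "|".join("".join(a) for a in alts), i


def spintax_to_regex(template):
    """Compile a spintax template into a regex matching every wording it can produce."""
    return _parse(template, 0)[0]


def variant_count(template):
    """Number of paths through the template (duplicate alternatives counted as listed)."""
    def count(s, i):
        product, finished = 1, 0
        while i < len(s):
            c = s[i]
            if c == "{":
                n, i = count(s, i + 1)
                product *= n
            elif c == "}":
                return finished + product, i + 1
            elif c == "|":
                finished += product
                product = 1
                i += 1
            else:
                i += 1
        return finished + product, i
    return count(template, 0)[0]


def matches_template(text, template=CONTI_ORDER_TEMPLATE):
    """True if text contains any wording the template can generate (case/space tolerant)."""
    return re.search(spintax_to_regex(template), text, re.IGNORECASE) is not None


# Constructed samples: one body generated from the template, one unrelated message.
GENERATED_BODY = ("Hello! Many thanks for your recent purchase order. Our team has "
                  "processed your advance payment 48213. Now we begin to pack your box.")
UNRELATED_BODY = "Hello, your invoice for last month is attached."

if __name__ == "__main__":
    print(variant_count(CONTI_ORDER_TEMPLATE), "wordings covered by one regex")
    print(matches_template(GENERATED_BODY), matches_template(UNRELATED_BODY))
```

The count shows why a single regex beats hand-written phrase rules here: even this one-sentence fragment yields over twenty thousand wordings, none of which an exact-phrase rule would reliably catch.
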
Dozens of other templates appeared in the chat, with themes including invoices, shipping, payment processing, legal matters, and other business-centered subjects. In a TrickBot chat exchange, two team members discussed a more personal template impersonating a woman looking for a relationship. They went through several revisions, even incorporating feedback from an English teacher.

Conti Actively Develops and Tests Email Delivery Tactics

The spammers who work in and with the Conti organization showed familiarity with automated defenses against malicious email campaigns. In November 2021, “wind” discussed a way to abuse browser-centric email providers to send malicious emails:

wind: […] it will be necessary to create thousands of such docker containers and send only 10 letters from each mail account, sent by an AI emulator with mouse movements simulating human ones. Every mailer now has an AI, it recognizes all the movements in the browser, and their AI will just laugh out loud at the get requests to send hundreds of thousands of emails.

Another message from April 2021 shows an operator testing their emails on the webmail platforms Gmail, Yahoo, Outlook, and AOL Mail. They included screenshots showing that an Apple-spoofing email had arrived in each of the inboxes.

A test of an Apple-spoofing email in a inbox. The inbox includes several other test emails.

Phishing is Central to Conti’s Attack Strategy

Conti operators consider humans to be an effective target, and phishing is their mechanism for exploiting the human target surface with social engineering. Their “Hacker’s Quick Start” document lists dozens of OSINT sources to use, singling out people as “the weakest link.” The reference to “previously opened networks” indicates a repository of already-compromised data that can be leveraged against new targets.

Next, we look for the weakest link (see below).

Social engineering requires knowledge of personalities.

Everything is important: phone numbers, place of residence, dog’s name, hometown, favorite color, favorite band, hobbies.

Of particular importance: your candidate’s personal network of contacts, especially business contacts.

The structure of organizations reflects the structure of society.

As you move from one person to another through a network of contacts, you can change your entry point within one network, or open up new networks.

Both OSINT intelligence tools are used to gather information, and information found in previously opened networks about contacts (Outlook address books, correspondence, etc.).

This data is then used either through phishing emails or phone calls.

In both cases, the load is triggered by a person.

Some of our previous takeaways highlight Conti operators’ consistency in dropping ineffective tactics and persisting with effective ones:

• TrickBot was effective enough for them to enjoy a tremendous amount of success early on, but when it started to cause too many problems, they shifted to other malware families.

• Despite all the attention, they used the BazarCall campaigns, knowing that the invoice theme would likely continue to succeed.

• They went to the trouble of bringing Emotet back, likely because it had been such a significant source of infections for them prior to its takedown.

This pragmatic approach accentuates the value that ongoing phishing activity must be providing to Conti operations. Given all of Conti’s investment in OSINT, email operations, and reviving Emotet distribution, phishing is clearly one of the group’s most important tactics, and it will likely be a staple for the group in the foreseeable future.

For more insights on Conti ransomware operations:

Phishing Takeaways from the Conti Ransomware Leaks – Part 1

Phishing Takeaways from the Conti Ransomware Leaks – Part 2

5 Tips to Thwart Business Email Compromise (BEC) Attacks

Author: Ronnie Tokazowski

For the 7th year in a row, Business Email Compromise (BEC) is the number one cybercrime, as reported by losses, according to the FBI IC3 Report. Topping in at an astonishing $43 billion dollars with victims in 177 countries and money being wired between 140 different countries, it still amazes me that people are more concerned about ransomware and nation-state attacks instead of murderous BEC actors killing in the name of evil spirits.

To add insult to injury, the same actors behind BEC are responsible for $100 billion in SBA fraud and $80 billion in paycheck protection plan (PPP) fraud. This doesn’t even begin to touch the dozens of consumer-based crimes such as check fraud, advanced-fee fraud, or romance scams, with over $223 billion now tied back to the exact same scammers.

And that’s just what we know.

Reflecting on the seven years of tracking BEC, there’s one major thing that organizations fail to do. It has nothing to do with a shiny box, and nothing to do with buying or selling a service. It’s literally reviewing what you already have.

Here’s your BEC checklist that will mitigate 80% of attacks:

  • Review your financial processes and procedures
  • Define how wire transfers, gift card purchases, and direct deposit requests work
  • Once defined, communicate & follow the process

Most BEC attacks are successful simply because a process breaks down. Someone wired money without checking if they should, a random phone number led to gift cards being sent out, or HR made a one-time exception to update payroll via email instead of pointing employees back to employee portals. The 80% solution to mitigating many types of BEC attacks is simple: review your processes around how wire transfers, authorizations to vendor master bank account updates, money orders, gift cards, and invoices are to be paid and follow them.

Here are five tips to get you started on which processes need to be updated:

  1. Maintain a list of known and trusted phone numbers to verify wire transfer requests.
  2. Don’t accept payroll update requests via email. Point users to employee portals to make the changes there.
  3. Establish a gift card purchasing process, and if no one needs to purchase gift cards for the company…then no one purchases gift cards.
  4. Bank accounts rarely change, so clearly define what bank accounts can be used at the beginning of any business relationship. If an account needs to be changed and updated, who is responsible for verifying the new account with an external party? Implement a freeze period to the account update to ensure the bank can verify ownership details.
  5. What is the process for wiring $10,000 / $50,000 / $100,000+ dollars out of the organization? Define and follow a multi-person process to verify transactions before money gets lost.

While updating processes won’t cover every single BEC use case, a vast majority of attacks can be thwarted with these simple changes. Is it better to take a week to do the boring work of reviewing your processes and procedures or be an unhappy part of the $223 billion dollar statistic?

If you want to learn more about BEC statistics that we observed in 2021, as well as ways to mitigate this attack, sign up for our next webinar focused solely on BEC attacks.

10 Enhancements to the Cofense Triage and ServiceNow Security Incident Response Integration

Is phishing still keeping you up at night?

Do disparate systems and switching screens to analyze and respond to phishing frustrate you?

Or, what about excessive phishing alerts that could be better solved through automation?

Over a year ago, Cofense built an integration with ServiceNow® Security Incident Response (SIR). The purpose: integrate Cofense Triage™ and ServiceNow SIR to create security incidents in SIR and allow an analyst to analyze and investigate employee-reported suspicious emails in either platform. The integration was well-received for the first version, and since then, Cofense Triage has added new capabilities that have been extended to ServiceNow SIR.

Creating a security incident at the cluster-level, responding to reporters, and downloading email artifacts, are just a few features that have been added to the next version of the integration, and then some!

Mutual customers operating Cofense Triage 1.24 can integrate with ServiceNow’s Quebec, Rome, or San Diego releases.

The foundation of the integration is still the same.

  • Configure authentication (Triage Host, Client ID, Client Secret, and MID Server (optional)).
  • Define the incident criteria that create an SIR entry in ServiceNow.

Incident Criteria Configuration to Create Entries in SIR

Let’s look at the 10 enhancements built into this integration.

1. Clusters: Create security incidents based on cluster criteria

Cofense Triage clusters multiple reported emails. ServiceNow can then ingest clusters based on criteria and create one security incident per cluster. For example, 5 reported emails bound to one Cofense Triage cluster can create one security incident in ServiceNow SIR.

Security Incident Created from a Cluster

2. Reports: Ingest reports associated with clusters

When multiple reports are present in a cluster, analysts can choose to fetch all the reports from the cluster. Each report carries its relationship with the cluster and the SIR record.

Fetched Reports Associated with a Cluster and Linking to SIR

3. Emails: Download reported emails as .eml files

Want to add the original email to the SIR? ServiceNow can download the full email(s) as .eml files.

Report Downloaded as .eml File

4. Attachments: Download attachments from reported emails

Attachments can be downloaded on demand and packaged into the SIR for additional analysis and research.

Download Attachment Capability for Additional Analysis

5. Relationships: Links between security incident and other reports

In addition to getting all reports, SIR will link and show the relationship between a cluster and reports.

Fetched Reports Linking to SIR

6. Execute Playbooks to: Categorize reports

Execute a playbook to categorize reports, single or multiple, from a cluster within ServiceNow SIR.

Categorize Reports as Malicious or Non-Malicious

7. Execute Playbooks to: Respond to Reporters and teams/groups

It’s important to keep reporters informed so that they continue to report suspicious emails that evade SEGs. Choose from various notification templates ingested from Cofense Triage into SIR so that specific responses can be sent to reporters and cybersecurity and IT team members.

Response to Reporters and Team Members

8. Execute Playbooks to: Apply tags to reports

When executing a playbook, tag reports in Triage to help security analysts keep track of various reports and workflow being conducted.

Add Tags When Processing and Executing Playbooks

9. Comments: Get comments from reports

Cofense’s Managed Phishing Detection and Response service uses report comments to provide clients with other threat indicators associated with a reported email. These are typically indicators not visible in the email itself, such as links that, if clicked, redirect to other nefarious sites or lead to more malware.

Sample Comments with Other Indicators From Reported Email

10. Threat Indicators: Get more threat indicators from reports

Analysts designating threat indicators across URLs, domains, and attachments in Cofense Triage can set them to Malicious, Suspicious, or Benign. ServiceNow will ingest these indicators for use in additional operational workflows. Additionally, other observables in Cofense Triage, such as headers, populate SIR’s observable table, too.

Suspicious Hash Threat Indicator Finding


Benign Domain Threat Indicator Finding


Malicious URL Threat Indicator Finding

Cofense Triage and ServiceNow SIR are more tightly integrated to allow security teams to create a unified workflow that leverages the power of both platforms. By determining criteria to create an incident, security teams can ingest, prioritize, and close security incidents without flipping back and forth between screens.

Phishing Takeaways from the Conti Ransomware Leaks – Part 2

Author: Brad Haas

Conti is one of the most prolific ransomware operations in the threat landscape today. In a recent act of retaliation against Conti’s leaders for their support of Russia, an anonymous person leaked documentation and internal chat logs from the group. This blog post series covers important phishing-related takeaways Cofense Intelligence analysts discovered in the leaks. In Part 2, we discuss Conti’s collaboration with other malware groups, as well as their reaction to scrutiny from security researchers.

Conti-Emotet Link Cemented

When Emotet resurfaced in November 2021, some cybersecurity researchers reported that it was at the behest of Conti leadership. The leaked Conti logs confirm the collaboration, as Emotet’s primary operator was present in Conti chats using the alias “Veron” and in TrickBot forum chats as “Aron.” An exchange from the TrickBot forum chat establishes his identity:

[14.01.22 10:08:50] angelo: who is Veron ?

[14.01.22 10:09:07] manuel: veron )) Well, he’s [Emotet]


[14.01.22 10:09:58] angelo: but [Emotet]

[14.01.22 10:10:11] angelo: I thought it was aron


[14.01.22 10:11:33] manuel: yes in our [chat] it is

On February 24, 2021—less than a month after the law enforcement takedown of Emotet—Conti members discussed his joining them:

stern: Is veron up and running?

bentley: He starts in March.

Veron was active in the chat starting in early March 2021, with many messages corroborating cybersecurity reporting on Emotet activity and its cooperation with Conti. For example, on November 23 he discussed the use of Windows App Installer packages as a delivery mechanism. Within a week, Emotet emails started to include links to those packages.

Starting in December, Emotet occasionally installed Cobalt Strike payloads, which matches Conti’s tactics. This represents a combination of two very significant phishing threats: Emotet’s massive installation base and email sending power could give Conti operators access to more victims than ever.

TrickBot is Virtually Defunct, Superseded by BazarBackdoor and Emotet

Like Emotet, TrickBot started as a banking trojan, but evolved to a more general-purpose malware family serving other groups. Conti operators used it heavily, but found that it had unnecessary features that increased risk of detection by target organizations. In May 2021, high-ranking Conti member “Stern” suggested trimming away the extra functionality:

stern: let’s modify the trick, remove the excess

stern: we don’t really need the admin logpost etc.

In the same conversation, he highlighted that its role was to enable Conti operators to explore a target network using Cobalt Strike:

stern: he says that bots don’t connect, and if they do, it’s hard to bring them to cobalt later

In a later exchange, “Mango” expressed difficulty getting a prospective team member to work with it.

mango: they’re ready. i offered them a job on trick.

mango: they said that trick is dirty s*** that no one supports

mango: I justified myself as best I could, but it’s hard to argue, of course

TrickBot has been virtually absent from the phishing threat landscape since Emotet started sending email again in November 2021. Based on frequent mentions in the chat logs, Conti operators favored BazarBackdoor as an alternative. Emotet’s major growth in February 2022 also likely provides Conti with ample opportunities to replace the functionality provided by TrickBot.

Conti Actors Stick With Effective TTPs Despite Public Scrutiny

One of the leaked internal documents is a “Hacker’s Quick Start” guide, with basic guidance concerning all aspects of Conti operations. It ends with a note instructing new employees to pay attention to the work of cybersecurity researchers, but not to let it discourage them:

Analyzing open sources about your activities is important: you will know the part of the tricks that have already been uncovered, and therefore they have become ineffective.

However, you do not know the part of the tricks that have not been disclosed. For the sake of this, the adversary may launch disinformation, concealment, and deception.

Chat logs and real-world Conti activity show that the group takes this advice seriously. In April 2021, Cofense reported on new BazarBackdoor campaigns (also called “BazarCall”) that used unique tactics, including the use of a telephone call center. Other cybersecurity researchers picked up the story as well, including one who recorded his phone conversation and published it on YouTube. Conti members noticed the attention, but didn’t believe it would impact their operations:

derek: here’s more interesting stuff – [researcher] called us, it shows all how the infection looks

stern: hi, great

derek: but I think it won’t affect the job much as the invoice theme is still alive and guys are still just spamming and making bots

Later in the year, they did proceed with using BazarCall to deploy their ransomware, despite the published research. DFIR Report researchers showed how a BazarCall campaign followed the Conti playbook: it installed TrickBot, which collected information and then executed Cobalt Strike. Within three days, the threat actors had gained sufficient access to execute Conti’s ransomware across the domain.

Similarly, despite the leaks’ exposure of a massive amount of internal chats and information, Conti is still moving forward with ransom operations. On March 15, 2022, they announced another victim on their public website.

Up Next

This blog series will conclude with Part 3, which will cover more of Conti’s phishing strategy and tactics. If you missed the first blog in this series, we discussed the background of the leaks, Conti’s segmentation of the attack chain, and how Conti operators use OSINT to select and harass their targets.