July Malware Review: Geodo and TrickBot Flex Their Muscles

The Cofense IntelligenceTM team has wrapped up our analysis of mid-summer malware. To get this summary started, let’s look at a couple of charts. 

Chart 1: Top 5 malware delivery methods, by campaign, identified in July

Chart 2: Top 5 malware families, by campaign, identified in July

In our Strategic Analysis released on Thursday, 26th July, it was noted that Geodo and TrickBot had been unusually active in recent weeks, following a lull in June and into early July. Charts 3 and 4 expand upon this observation via side-by-side comparisons and year-to-date trends.

Prior to July, both TrickBot and Geodo tended to have peaks of activity, followed by periods of inactivity, after which the malware underwent a code update. Although still true of TrickBot, Geodo has been incessant throughout July. Chart 2 shows that TrickBot is the 5th most prevalent malware family, and Geodo does not appear at all. This phenomenon occurs due to the way different actors distribute their malware. Geodo and TrickBot, for example, are distributed in campaigns comprising hundreds of thousands or even millions of messages. These campaigns tend to be long, and go through several permutations during the distribution, but are certainly all the same campaign. In comparison, other campaigns that use off-the-shelf type malware, such as Loki, Pony, and jRAT, are distributed in much, much lower volumes, but with significantly higher variance in the message structure and IoCs. Such variance defines the campaigns.

Chart 3: A side-by-side comparison of Geodo (black) and TrickBot (green) over 2018 YTD

Chart 4: July’s Geodo (black) and TrickBot (green) campaigns

Moving into August, Geodo is still extremely active, with persistent, daily campaigns, whereas TrickBot has been comparatively silent since the 31st of July. As noted above, this behavior is likely part of TrickBot’s normal cycle, and will certainly reappear extremely soon, possibly with a new update. Cofense Intelligence, being tapped directly into the Geodo botnet, has been able to compile a database of the most frequently used terms in Geodo campaign subjects. Table 1 details the top 10 subject lines across 7 days’ worth of campaigns, spanning hundreds of thousands of messages. Although appearing to end somewhat abruptly, the subject lines have been cleansed of any potential PII, because the actors behind these campaigns typically incorporate the [purported] name of the recipient into the subject line.

Table 1: Top 10 Geodo subject lines for August. The Occurrences column reflects a representative sample of the whole collection

Typically, Geodo has been seen using mainly payment notification narratives. But in July, there was a vastly more diverse range of finance-driven subject lines, as detailed in the word cloud in Figure 1.

Figure 1: A word cloud detailing the most frequently used Geodo campaign subject lines from July 1st to August 7th, 2018

Despite being an established, modular banker with a herculean pedigree, Geodo is finding its feet as a loader and distributor of other malware. Sporting several distinct iterations of the family, Geodo is mature code backed by sophisticated threat actors, themselves supported by a robust delivery infrastructure. It is prolific and, potentially, the greatest current threat offered by any mainstream malware family. Despite the volume-to-campaign ratio, as mentioned above, being heavily skewed towards volume, their sheer magnitude, and the virulence of the malware, leave no doubt it is a force with which to be reckoned.

Keep an eye on this blog for an in-depth examination of Geodo and its infrastructure. For a look back and a look ahead at major malware trends, see the 2018 Cofense™ Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

New Month; New Sigma

Cofense Intelligence has observed several recent Sigma ransomware campaigns that demonstrate either a new iteration or a fork of this malware. Prior to these new campaigns, the actors behind Sigma stuck rigidly to two very distinct phishing narratives, as detailed in Cofense’s recent blog post, and relied on the same infection process. With these newly observed changes, Sigma’s operators have eliminated various infrastructure concerns and improved the UX (User eXperience) of the whole ransom process, representing the first major shifts in Sigma tactics, techniques and procedures (TTPs).

Sigma Operators Craft New Techniques to Deliver Phish to Your Inbox

Cofense Intelligence recently identified a large Sigma ransomware campaign that contained significant deviations from the established TTPs employed by the actors behind this prolific piece of extortionware. These changes improve Sigma’s A/V detection-evasion and demonstrate new social engineering tactics intended to increase the likelihood that a targeted user would open the phishing email and its malicious attachment.

Italian DHL-Themed Phishing leads to Ursnif, Spambot

PhishMe Intelligence™ recently intercepted a subtle, DHL-spoofing campaign delivering a heavily-obfuscated JavaScript file. When executed, this JavaScript file downloads and runs a variant of the Ursnif/Gozi-ISFB trojan. Ursnif, in addition to its banker and stealer pedigree, acts as a downloader to serve a nasty surprise to the infected system. This is the first time PhishMe Intelligence has observed Ursnif actively delivering a spambot onto an infected system. Given Ursnif’s usually stealthy tendencies, it is somewhat unusual to see such a pairing.