Beginning the morning of April 9th, the Emotet gang began using what appear to be emails stolen from its victims. Back in October 2018 it was noted that a new module had been added that could steal email content from a victim’s machine, but until now no evidence of real widespread use had been seen. This marks a major evolution in how Emotet operates.
Last week, Cofense™ research uncovered and broke the news that the Necurs botnet had begun a highly targeted campaign aggressively attacking more than 3,000 banks worldwide with a malicious PUB file that drops the FlawedAmmyy malware. You can read the full analysis in last week’s research blog.
Recently, an older email security detection bypass method was seen successfully evading Microsoft’s spam and phishing filters. The technique, dubbed “ZeroFont Phishing” by Avanan, combines two methods. Attackers insert random strings inside the keywords or phrases that many artificially intelligent systems rely on to identify malicious or suspicious content; when those strings are wrapped in HTML span tags with font-size set to zero, they are invisible to the end user but still present in the plaintext of the email, which appears to neuter the ability of existing Natural Language Processing (NLP), Machine Learning (ML), and Artificial Intelligence (AI) systems to understand what the message says. In most implementations, NLP attempts to understand the meaning of email text to determine the context and patterns that assist in overall classification. These methods are not new, so we decided to take a deeper look at these older techniques and explore potential variants that could have similar results.
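To make the gap between what the user sees and what a text classifier sees concrete, here is an added defender-side example (not Cofense’s or Avanan’s code). It parses an email body with the standard-library `html.parser`, treats any element whose inline style sets `font-size` to zero as invisible, and separates the rendered text from the hidden filler so a filter can classify the text the recipient actually reads and flag the presence of zero-font elements. The sample HTML is constructed for the example; the regular expression, class and function names are the example’s own.

```python
import re
from html.parser import HTMLParser

# Matches a font-size declaration whose value is zero (0, 0px, 0.0pt, 0em ...),
# including "!important", but not 0.9em or 10px.
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:!important)?\s*(?:;|$)",
    re.IGNORECASE,
)

# Elements that never carry an end tag; they must not be pushed on the stack,
# otherwise an unclosed <br> would leave the parent's visibility state stuck.
VOID_ELEMENTS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr", "source"}


class ZeroFontStripper(HTMLParser):
    """Split an HTML mail body into text the client renders and text hidden via font-size:0."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._hidden_stack = []      # one bool per open element: inside a zero-font subtree?
        self.visible = []            # text fragments a human recipient would see
        self.hidden = []             # text fragments only a machine would "read"
        self.zero_font_elements = 0  # how many elements declared font-size:0

    @staticmethod
    def _is_zero_font(attrs):
        style = dict(attrs).get("style") or ""
        return bool(ZERO_FONT_RE.search(style))

    def handle_starttag(self, tag, attrs):
        if tag in VOID_ELEMENTS:
            return
        parent_hidden = self._hidden_stack[-1] if self._hidden_stack else False
        zero = self._is_zero_font(attrs)
        if zero:
            self.zero_font_elements += 1
        # Nested content inherits invisibility from any zero-font ancestor.
        self._hidden_stack.append(parent_hidden or zero)

    def handle_endtag(self, tag):
        if tag in VOID_ELEMENTS:
            return
        if self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        hidden = self._hidden_stack[-1] if self._hidden_stack else False
        (self.hidden if hidden else self.visible).append(data)


def naive_text_extraction(html):
    """What a tag-stripping preprocessor hands to an NLP model: hidden filler included."""
    return re.sub(r"<[^>]+>", "", html)


def analyze_email_html(html):
    """Return (rendered_text, hidden_text, zero_font_count) for an HTML mail body.

    A filter can run its keyword/NLP logic on rendered_text and treat a non-zero
    zero_font_count with non-empty hidden_text as a strong suspicion signal.
    """
    parser = ZeroFontStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.visible), "".join(parser.hidden), parser.zero_font_elements


# Constructed sample: three zero-font spans break up the words "account",
# "suspended" and "verify" while leaving the visible message intact.
SAMPLE_HTML = (
    "<html><body>"
    '<p>Your acc<span style="font-size:0">xq7</span>ount has been '
    'susp<span style="FONT-SIZE: 0px !important;">lorem</span>ended.</p>'
    '<p style="font-size:0.9em">Please '
    '<a href="https://example.invalid/login">ver<span style="font-size:0.0pt">zz</span>ify</a> now.<br/>'
    "Support</p>"
    "</body></html>"
)

if __name__ == "__main__":
    rendered, hidden, count = analyze_email_html(SAMPLE_HTML)
    print("naive    :", naive_text_extraction(SAMPLE_HTML))
    print("rendered :", rendered)
    print("hidden   :", hidden, "| zero-font elements:", count)
```

The naive extraction yields fragments such as `accxq7ount` and `susploremended`, which defeat keyword and phrase matching, while the stripped output restores `account has been suspended` for classification and reports three zero-font elements as a detection signal. Mail gateways that already render HTML for link rewriting can apply the same pass before scoring content.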