The Cofense Phishing Defense Center Sees Threats That Most Don’t

The Cofense™ Phishing Defense Center™ analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see.

Here’s a Real Example Involving Compromised Email Accounts

A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization.

In fact, they used a technique known as the Zombie Phish, so called because it revives a dormant email conversation the user had previously taken part in; the familiar thread lowers the user’s guard and lures them into clicking. We provided the indicators of compromise to the customer’s point of contact and included a link to a Cofense blog post about the Zombie Phish.

We Found Over 2000 Malicious Emails—in Just 3 Days

A couple of weeks passed uneventfully. Then, we saw a new batch of reported emails from compromised accounts, followed the next day by a spike in similar messages. In a 3-day period, we found 2053 malicious emails sent through 77 internal accounts. Subject lines varied, but every one of these emails contained a link to “Display Message,” which redirected to a login page spoofing the customer’s actual page. It asked users to enter the password for their company account.

The techniques in these emails seemed to be part of a global phishing campaign targeting UK organizations. The target’s email address was encoded in the link. When someone clicked, the login page displayed the organization’s logo. The links’ behavior varied, sometimes redirecting to a fake site instead of the spoofed login page, other times displaying a message that the URL was unavailable.

The team in the Cofense Phishing Defense Center was glad to be of assistance. Learn more about our phishing defense services.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

An Analyst’s View of Surging PowerShell-based Malware

Over the past couple of weeks, the Cofense™ Phishing Defence Center (PDC) has observed a rise in PowerShell-based malware. PowerShell is a powerful scripting language used legitimately in many organisations, and the same near-endless capabilities that make it useful to administrators make it attractive to threat actors who want to abuse it for malicious purposes.

Customer Satisfaction Survey Leads to Credential Phishing

The Cofense™ Phishing Defense Center (PDC) has observed a phishing campaign masquerading as a Customer Satisfaction Survey from Cathay Pacific. Fake surveys are an old tactic, but the PDC has recently seen an increase in their use. Examining the following email will show you what to look out for.

At first glance, the email looks like a legitimate satisfaction survey. It is not uncommon to receive a reward for completing a survey, so that alone is not an Indicator of Phishing (IoP). However, as shown in Figure 1, the “Click here – Participate and Win” link feels out of place, which is a hint that something may be off and warrants closer investigation.

Figure 1 – Received “Customer Satisfaction Survey” Report

As shown in Figure 2, the From field shows the email as coming from Cathay Pacific, using the address cathay[.]pacific[@]email[.]cathaypacific[.]com. The SMTP relay in the header (Figure 3) also presents itself as cathaypacific.com, but the relay’s IP address resolves to hostserv.eu, a European hosting provider. This is another indicator that the email could be suspicious, as it is highly unlikely that Cathay Pacific would send customer mail through a low-cost European hosting provider.

Figure 2 – Email Details

Figure 3 – Email Header
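The relay check described above can be automated. The following Python is an added example written for this page, not Cofense tooling: it parses a constructed message modelled on the headers in Figure 3 (the message text, the relay IP 192.0.2.45 and the reverse-DNS table are made up for the example; the table stands in for a real PTR lookup so the code runs offline), pulls each Received hop apart, and flags a hop whose HELO name claims the sender’s domain while the relay IP reverse-resolves somewhere else, or has no reverse DNS at all.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message modelled on the post's description; not the real phish.
SAMPLE = """Return-Path: <cathay.pacific@email.cathaypacific.com>
Received: from email.cathaypacific.com (unknown [192.0.2.45])
    by mx.example.net (Postfix) with ESMTP id 4F3A2C1
    for <victim@example.net>; Tue, 5 Jun 2018 09:12:44 +0000 (UTC)
From: Cathay Pacific <cathay.pacific@email.cathaypacific.com>
To: victim@example.net
Subject: Customer Satisfaction Survey

Click here - Participate and Win
"""

# Stand-in for a PTR lookup so the example runs offline (assumed value, not real data).
REVERSE_DNS = {"192.0.2.45": "vps123.hostserv.eu"}

# Postfix/Sendmail style hop: "from HELO (rdns [ip])"; the rdns part may read "unknown".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[\w.-]+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)",
    re.IGNORECASE,
)


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels). Fine for this check,
    wrong for ccSLDs such as co.uk; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_relay(raw: str, reverse_dns: dict) -> list:
    """Return a list of findings; an empty list means the visible relay chain is consistent."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    findings = []
    # Received headers are prepended by each MTA, so the last one in the list
    # is the hop closest to the originator. Folded lines are collapsed first.
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hop.split()))
        if not m:
            continue
        helo, ip = m.group("helo"), m.group("ip")
        rdns = reverse_dns.get(ip) or m.group("rdns") or "unknown"
        if rdns == "unknown":
            findings.append(f"relay {ip} (HELO {helo}) has no reverse DNS record")
        elif registrable(helo) == from_dom and registrable(rdns) != from_dom:
            findings.append(
                f"HELO {helo} claims {from_dom} but relay {ip} reverse-resolves to {rdns}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_relay(SAMPLE, REVERSE_DNS):
        print("SUSPICIOUS:", finding)
```

The HELO name is chosen by the connecting client and proves nothing; the reverse DNS of the connecting IP is set by whoever controls that address space, which is why the two disagreeing is the signal. A legitimate bulk sender will normally have a PTR record inside its own domain.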

Opening the “Click here – Participate and Win” link directs the user to hxxp://syconst[.]com/ebv/[.]uk/CathayP/. The threat actors have done a good job in making the survey look like the legitimate website of Cathay Pacific. Figure 4 shows a comparison of the fake and genuine website.

Figure 4 – Website comparison

On closer inspection of the fake website, its header turns out to be an image, so none of the apparent navigation links can be clicked (Figure 5).

Figure 5 – HTML View of Fake Survey Page

Figure 6 – Credit/Debit Card Details Page

The victim is also required to select the credit card issuer. With this specific phishing campaign, the threat actors target the following banks:

  • Hang Seng Bank
  • Citibank
  • Hongkong and Shanghai Banking
  • HSBC UK
  • Standard Chartered Bank
  • DBS Bank
  • Dah Sing Bank
  • UnionPay Card

After submitting the credit/debit card details, the victim is redirected to a fake “Verified by Visa – MasterCard SecureCode” page that tricks the user into thinking the details submitted are processed by Visa and MasterCard (Figure 7).

Figure 7 – Fake Visa/MasterCard Verification Page

Based on the selected credit card issuer, the victim is automatically redirected to another fake site that appears to be from the bank they chose. If the card issuer is not listed and the field is left blank, an error message appears, and the victim is redirected to the start of the survey.

Figure 8 shows the landing page for UnionPay which asks the victim to provide additional details such as email address and mobile number.

Figure 8 – UnionPay Landing Page

In Summary: Nothing New, But Still Effective

While customer survey phishes are nothing new and have been around for years, we have recently observed an increase in such reports. Today’s campaigns often do not look malicious at first: they carry the formatting and logos of the impersonated company, and the email and survey pages may be customised to resemble the organisation’s genuine website. However sophisticated the presentation, they all follow the same old tactic:

The victim is first presented with a form of “bogus” questions, often not even requiring a response. The victim is then prompted to supply credit/debit card details, supposedly to receive the reward for completing the survey. The reward is entirely imaginary; everything entered is collected and used by the threat actors.

Users should be very cautious of any message that promises a payment or reward for completing a survey. Companies do run surveys and sometimes offer a reward to participants, but it is extremely unlikely that anyone would receive a substantial amount for completing a short, trivial survey.

Tips to spot suspicious emails:

  • Check the email for grammatical errors—if there are any, there is a high probability that the survey is not genuine
  • Don’t open attachments! Even a genuine looking PDF can contain malware
  • Hover over a link to see where it really takes you and be cautious as there may be subtle differences between the fake URL and the genuine URL
  • Organisations won’t ask for your bank details, credit card information, or other personal information in exchange for money or free gifts

To stay on top of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.

Indicators of Compromise (IOCs):

Malicious URLs:
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv1[.]htm
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv2[.]htm
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv3[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv4[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/Table[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HENG/SENG[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HENG/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/CITI/CITIBANK[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/CITI/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HK/DNA[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HK/dna[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/SC[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/OCB[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DBS/DBS[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DBS/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DAH/DAH[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DAH/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/UnionPaym[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/uws[.]php

Associated IP:
211[.]43[.]203[.]23
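To hunt for these indicators in web proxy logs they first need refanging. The script below is an added example, not part of the original post: it refangs a subset of the URLs and the IP listed above (copied as published) and matches them against constructed proxy log lines (the log layout, client addresses, timestamps and the extra hostnames are assumptions). Exact URL hits are reported separately from host-only and IP-only hits, because the campaign’s per-bank pages all sit on one host and one IP, so a path not yet in the list should still surface.

```python
import re
from urllib.parse import urlsplit

# Subset of the defanged IOCs published above; the full list works the same way.
IOC_URLS = [
    "hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv1[.]htm",
    "hxxp://syconst[.]com/ebv/[.]uk/CathayP/Table[.]html",
    "hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/uws[.]php",
]
IOC_IPS = ["211[.]43[.]203[.]23"]

# Constructed proxy log lines (not real customer data):
# timestamp  client  method  url  status  destination-ip
PROXY_LOG = """\
2018-06-05T09:15:02Z 10.1.2.3 GET http://syconst.com/ebv/.uk/CathayP/surv1.htm 200 211.43.203.23
2018-06-05T09:15:40Z 10.1.2.3 POST http://syconst.com/ebv/.uk/CathayP/VB/HENG/go.php 302 211.43.203.23
2018-06-05T09:16:11Z 10.1.2.9 GET https://www.cathaypacific.com/cx/en_HK.html 200 203.0.113.7
2018-06-05T09:17:55Z 10.1.2.5 GET https://SYCONST.com/ebv/.uk/CathayP/surv9.html 200 211.43.203.23
2018-06-05T09:18:30Z 10.1.2.7 GET http://other-host.example/landing 200 211.43.203.23
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging so the value can be compared with live log data."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")


def url_key(url: str) -> tuple:
    """Normalise to (host, path): scheme and host case do not matter for matching."""
    parts = urlsplit(url)
    return parts.hostname or "", parts.path or "/"


def hunt(log_text: str, ioc_urls, ioc_ips) -> list:
    """Return (client, match_type, value) for every log line that touches an IOC."""
    url_keys = {url_key(refang(u)) for u in ioc_urls}
    ioc_hosts = {host for host, _ in url_keys}
    ip_set = {refang(ip) for ip in ioc_ips}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, _status, dest_ip = line.split()
        key = url_key(url)
        if key in url_keys:
            hits.append((client, "ioc-url", url))      # strongest: exact published URL
        elif key[0] in ioc_hosts:
            hits.append((client, "ioc-host", url))     # same host, path not in the list
        elif dest_ip in ip_set:
            hits.append((client, "ioc-ip", dest_ip))   # another name on the same server
    return hits


if __name__ == "__main__":
    for client, kind, value in hunt(PROXY_LOG, IOC_URLS, IOC_IPS):
        print(f"{client}\t{kind}\t{value}")
```

Clients with an “ioc-url” hit on a go.php or uws.php path submitted the form, so they warrant a card-compromise response, not just a password reset; host-only hits on surv pages may be users who clicked and left.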

 


Another Global Phishing Campaign Distributes Malware Via Fake Invoices

On Thursday June 14th, the Cofense™ Phishing Defense Center (PDC) noted a campaign targeting UK customers with several emails sharing the subject “Invoice INV-03056” and prompting the user to view a supposed invoice. The next day, we saw a very similar campaign delivering French-language phishing emails. After analysing the emails, the PDC notified the customers that received them so they could respond as needed, and notified all our UK customers of the IOCs.

Careful: This “life insurance invoice” contains the Ursnif malware

Over the past couple of days, the Cofense™ Phishing Defence Centre has observed multiple campaigns that prompt the user to download what appears to be a life insurance invoice. The “invoice” is delivered as a zip file containing a LNK file whose content has been crafted to act as a malware downloader. The malware it delivers: Ursnif.

Be Careful Who You Trust: Impersonation Emails Deliver Geodo Malware

Over the past weeks, the Phishing Defence Centre has observed several reported emails that pretend to come from an internal sender. While this impersonation tactic is not new, we have only recently observed an influx of such emails delivering the Geodo botnet malware. Figure 1 shows an example of an email we have received.

Fake Swiss Tax Administration Office Emails Deliver Retefe Banking Trojan

PhishMe®’s Phishing Defence Centre has observed multiple emails whose subject line refers to tax declarations in Switzerland (original subject in German: “Fragen zu der Einkommensteuerklaerung”, i.e. “Questions about the income tax declaration”), as shown in Figure 1. The sender pretends to be a tax officer working for the Swiss Federal Tax Administration (Eidgenoessische Steuerverwaltung, ESTV) and asks the victim to open the attached file to answer questions about the tax declaration.

NanoCore Variant Delivered Through UUE Files

Over the past few weeks, our Phishing Defense Center has observed several emails with malicious PDF attachments that prompt the user to download a .UUE file from Dropbox. UUE files are uuencoded data (Unix-to-Unix encoding): uuencode converts a binary file into printable text so that it survives text-only transports, and archive tools such as WinZip treat a .uue file like any other archive and extract the embedded file from it. When Windows hides file extensions, the downloaded file shows up with the archiver’s icon like any other compressed file (Figure 1), which makes it harder to recognise as malicious.

Figure 1 – Ordy Compressed File Icon
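Because a .uue file is plain text, an analyst can see what it would extract without handing it to an archiver. The Python below is an added example, not the post’s own tooling: it builds a uuencode container in memory around a constructed payload that carries only the “MZ” executable magic (it is not Ordy.exe, and the member name Ordy.exe is taken from the post purely as a label), then decodes it with the standard library’s binascii and reports the member name, mode, size, hash and whether the bytes look like a Windows executable or use a misleading double extension.

```python
import binascii
import hashlib

RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta")
DECOY_EXT = (".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt")

# Constructed payload: just enough of a DOS/PE header to carry the "MZ" magic.
PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 56
           + b"This program cannot be run in DOS mode.\r\n$" + bytes(range(200)))


def uuencode(name: str, data: bytes, mode: int = 0o755) -> str:
    """Write a uuencode container the way uuencode(1) or WinZip would (45 raw bytes per line)."""
    out = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        out.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    out += ["`", "end", ""]
    return "\n".join(out)


SAMPLE_UUE = uuencode("Ordy.exe", PAYLOAD)


def decode_uue(text: str):
    """Return (member name, mode, raw bytes) from the first begin..end block."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("begin ")), None)
    if start is None:
        raise ValueError("no 'begin' line: not a uuencode container")
    _, mode, name = lines[start].split(" ", 2)   # name may contain spaces
    data = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            break
        if line.strip() in ("", "`"):            # zero-length line before 'end'
            continue
        data += binascii.a2b_uu(line)
    else:
        raise ValueError("truncated: no 'end' line")
    return name, int(mode, 8), bytes(data)


def inspect_uue(text: str) -> dict:
    """Triage summary: what the archive would drop and whether it looks like an executable."""
    name, mode, data = decode_uue(text)
    parts = name.lower().split(".")
    return {
        "name": name,
        "mode": mode,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "magic": data[:2].decode("latin-1"),
        "pe_header": data[:2] == b"MZ",
        "risky_extension": name.lower().endswith(RISKY_EXT),
        # e.g. "Invoice.pdf.exe": a decoy extension hidden in front of the real one
        "double_extension": len(parts) > 2 and "." + parts[-2] in DECOY_EXT,
    }


if __name__ == "__main__":
    for key, value in inspect_uue(SAMPLE_UUE).items():
        print(f"{key}: {value}")
```

The sha256 field is there so the decoded member can be compared with the hashes in the analysis; a mail gateway rule that decodes .uue attachments this way and rejects any member with an MZ header or a risky extension closes the gap described further down, where only .zip and .rar are inspected.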

All emails contain the same message body shown in Figure 2, asking users to confirm the payment and customer details as outlined in the attached copy of the Swift advice.

Figure 2 – Email body

The messages had a PDF attachment named “MensajeSWIFTMT103.pdf” (MD5: 8b9a5e36cd1e1ec7dfd7801bfa5afa86, SHA256: 743c9ffe67a80ac84385efc8dc78c84f7b38805285dda49ac6459d17008daa17). The PDF is a single page with no text, only a “View File” link (Figure 3), a layout typical of lure documents that exist solely to carry a link.

Figure 3 – PDF Document – View File

The link takes the user to the Dropbox URL hxxps://www[.]dropbox.com/s/2dwqt0x2s0l0rr6/Ordy[.]uue?dl=1 to download Ordy.uue (MD5: 673d3a374900a23ecec3acc092fe8dba, SHA256: d476a35f392a1c616f045418ce9c3c6645ac6886a6195ef1ec578e6bbe15a48b). Once downloaded, the file looks like an ordinary compressed archive, as discussed above. Unpacking it extracts the executable Ordy.exe (MD5: 1A9E533E870C4B0B5D6126A3E7609601, SHA256: F76A8BED84ED4177626A4B7B3ECED4AEABE93BE8CB500A1B2D5F3A662539C98D), which carries an Acrobat PDF icon (Figure 4) to trick the user into thinking it is a genuine PDF file.

When executed, Ordy.exe copies itself to \AppData\Roaming\taskprocess.exe, hides the original, and registers taskprocess.exe as a scheduled task (Figure 5).

Figure 5 – Scheduled Tasks

Additionally, it creates a Registry entry to start itself automatically when Windows starts (as shown in Figure 6).

Figure 6 – Registry Key Entry

The malware reads the machine GUID and creates a directory in \AppData\Roaming named after that GUID, with two subfolders: \DPI Subsystem and \Logs. The \DPI Subsystem directory contains a copy of Ordy.exe called dpiss.exe, which is executed after reboot.

The logs directory contains a .dat file with the naming convention of KB_XXXXXXX.dat. Opening the .dat file reveals some hexadecimal values (as shown in Figure 7).

Figure 7 – Hex contents in .dat file

After converting the hexadecimal values from the .dat file to ASCII, it becomes apparent that the malware captures keystrokes and stores them in the .dat file (as shown in Figure 8).

Figure 8 – Ascii decoded hex from .dat file

Analysing the malicious network traffic reveals active communication with IP 154.16.63.108 over TCP port 6777 (Figure 9). After the three-way handshake, the host and server exchange a PSH, ACK / ACK sequence a few times per second for the life of the session. Keylogger and remote access trojan malware often communicate through HTTP requests to a web server; this raw TCP channel on a non-standard port bypasses web proxies and HTTP-aware inspection entirely, which makes the exfiltration harder to see and to stop.

Figure 9 – Wireshark Capture

Figure 10 – TCPView Outbound Connection to malicious IP
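The session in Figures 9 and 10 is easy to describe in flow terms: one long-lived outbound TCP connection to an uncommon port on a public host, with packets flowing both ways several times a second. The Python below is an added example, not Cofense code, that applies that description to constructed Zeek-style flow records (the uids, client addresses, durations and packet counts are made up; only the destination 154.16.63.108:6777 comes from the analysis above). The thresholds and the “common ports” set are assumptions to tune per environment.

```python
import ipaddress
from dataclasses import dataclass

# Ports on which a long, chatty session is unremarkable; everything else counts as uncommon.
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 587, 993, 995, 3389}

# Constructed flow records in a Zeek conn.log-like layout (tab separated):
# ts  uid  src  sport  dst  dport  proto  duration  orig_pkts  resp_pkts
# C1 mirrors the traffic described above; C2 is normal HTTPS, C3 an idle long session,
# C4 a short probe, C5 internal-to-internal and therefore out of scope.
FLOWS = """\
1528190100.000\tC1\t10.1.2.3\t49152\t154.16.63.108\t6777\ttcp\t600.0\t2400\t2380
1528190105.000\tC2\t10.1.2.3\t49160\t93.184.216.34\t443\ttcp\t1.2\t12\t10
1528190110.000\tC3\t10.1.2.9\t49170\t203.0.113.7\t8080\ttcp\t900.0\t30\t28
1528190120.000\tC4\t10.1.2.5\t49180\t198.51.100.9\t6777\ttcp\t0.3\t3\t2
1528190130.000\tC5\t10.1.2.5\t49190\t10.1.2.20\t6777\ttcp\t700.0\t3000\t2990
"""


@dataclass
class Flow:
    ts: float
    uid: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    duration: float
    orig_pkts: int
    resp_pkts: int


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        flows.append(Flow(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]), f[6],
                          float(f[7]), int(f[8]), int(f[9])))
    return flows


def is_beacon_like(f: Flow, min_duration: float = 60.0, min_pkts_per_sec: float = 1.0) -> bool:
    """Outbound TCP session from an internal host to a public one on an uncommon port
    that stays up and keeps exchanging packets: the shape of the PSH/ACK loop in Figure 9."""
    if f.proto != "tcp" or f.dport in COMMON_PORTS:
        return False
    if not ipaddress.ip_address(f.src).is_private or ipaddress.ip_address(f.dst).is_private:
        return False
    if f.duration < min_duration:
        return False
    return (f.orig_pkts + f.resp_pkts) / f.duration >= min_pkts_per_sec


def find_beacons(text: str, **thresholds) -> list:
    """Return the uids of flows that match is_beacon_like."""
    return [f.uid for f in parse_flows(text) if is_beacon_like(f, **thresholds)]


if __name__ == "__main__":
    print("beacon-like sessions:", find_beacons(FLOWS))
```

Egress filtering is the stronger control: if internal hosts may only reach the Internet through the web proxy, a direct session to TCP 6777 is refused at the firewall and the attempt itself becomes the alert, which is also why the sandbox-evasion behaviour described further down checks for real connectivity first.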

After reboot, dpiss.exe is executed instead of Ordy.exe and a new .dat file is created in \AppData\Roaming\{machineID}\Logs.

The malware also shows analysis and sandbox-evasion behaviour: it verifies that it has a working Internet connection and makes no outbound connection attempts when run in a sandbox with restricted Internet access. It still copies itself, adds the registry entry and scheduled task, and captures keystrokes, but it only tries to contact the server once a valid Internet connection is available.

This malware contains a keylogger that captures keystrokes and sends them to the server in the hope of harvesting login details and other valuable information. Delivery via .UUE files has been possible for a long time but is not commonly used today, and to end users these files look like genuine compressed archives. Controls that filter attachments by archive extension typically look for .zip or .rar and may overlook .uue, which makes it easier for attackers to get the file past them.

During analysis, we have observed this malware behaving like NanoCore. NanoCore is a remote access trojan (RAT) that is used to steal sensitive information such as passwords from victim computers.

However, Ordy.exe does not contain any of the hardcoded “NanoCore” strings, which is why YARA rules that key on those strings will not detect this variant. Figure 11 shows the strings typically found in NanoCore samples, while Figure 12 shows those found in Ordy.exe.

Figure 11 – Identifiable NanoCore strings

Figure 12 – Ordy.exe strings

NanoCore first appeared in 2013 and has since gained popularity thanks to its modularity, which lets attackers extend its functionality. Several cracked versions of NanoCore circulate in the wild, allowing attackers to reuse and modify the core functions to create new variants, and Ordy.exe is no exception. Our analysis suggests Ordy closely resembles NanoCore, while its delivery through .UUE files remains rare and can be read as an attempt to slip past malware defences. Attackers will keep creating new malware and modifying existing malware to pass through security perimeters, so always err on the side of caution and only open links and attachments you trust.

Don’t miss another threat – stay on top of emerging phishing and malware threats and attacks, all delivered straight to your inbox completely free. Subscribe to PhishMe® Threat Alerts today.