When You Unsubscribe to these Emails, You ‘Subscribe’ to the Loda RAT

CISO Summary

It’s critical that anti-phishing programs reflect the latest threats. Cofense IntelligenceTM has recently observed a phishing campaign that illustrates why. It entices users to download a malicious document from a seemingly legitimate source, an insurance company whose roots go back to 1896. Through a complex chain of abuse, including the exploitation of a legit subdomain hosted by Microsoft, this threat is capable of tricking users unfamiliar with wrinkles like multiple links to the same source and malicious “unsubscribe” links. If successful, the attack activates the Loda Remote Access Trojan, underscoring the importance of educating users to stop phishing emails.

Full Details

Cofense Intelligence recently observed a campaign that used convincing emails to entice recipients into downloading a malicious document from a seemingly legitimate source. These attention-grabbing emails contained multiple links to the same source, which was hosted on a subdomain of the legitimate Microsoft-owned domain azurewebsites[.]net. This source URL downloaded a Microsoft Word document that abused an object relationship to then download and open an RTF document. The RTF document abused CVE-2017-11882 to download the multi-functional Loda Remote Access Trojan. By taking advantage of users’ assumption that unsubscribe links are legitimate, along with their trust in verification, threat actors were able to craft a campaign capable of fooling even users with basic security awareness training.

What a Deal…

The emails used in this campaign have several attributes that give the appearance of legitimacy. The first email, the top of which is shown in Figure 1, impersonates Fidelity Life and claims to offer a good deal on life insurance.

 Figure 1: Body of the email spoofing Fidelity

In this email, the only actual text present is the unsubscribe information at the bottom of the email shown in Figure 2.

Figure 2: Unsubscribe section of the email spoofing Fidelity

The top three paragraphs in Figure 2 are in fact an image, while the bottom paragraph (with a pointer hovering over it) is searchable text that appears to have been added by the threat actor. All of the image shown in Figure 1 is a clickable link leading to the same URL as the unsubscribe link, hxxps://onlinefinances[.]azurewebsites[.]net/mowgli/fidelity_insurance[.]docx.

Verification Passed

If users who have been trained to be suspicious of links were to first visit the website by typing the URL into an internet browser and looking at the webpage information, they would see the information shown in Figure 3.

If users are particularly security conscious, they might even look up the domain on a website with tools that check for legitimacy. However, this would likely give them the same information as what is shown in Figure 3, because most tools will check the root domain, in this case azurewebsites[.]net, which is a completely legitimate domain owned by Microsoft. The only easily recognized indicator of malicious content is the prompt when a file is downloaded from an unsubscribe link.

Double Interest

The second email, shown in Figure 4, pretends to be a relatively benign “news” email from the company Livenlonpro about a new Amazon policy.

Figure 4: Body of the email spoofing Livenlonpro

In this case all links and images download a file from hxxps://onlinefinances[.]azurewebsites[.]net/mowgli/Amazon_Cancelled_order[.]docx. With this approach, any user that attempts to unsubscribe from what appears to be a spam email will instead download malware. Although differently named, the downloaded file is the same for both emails.

Actual Goal

Once the file is downloaded and opened, it attempts to use an object relationship to download a document with CVE-2017-11882 which, in turn, downloads the multi-functional Loda malware. Loda is capable of acting stealthily to download additional malware or provide the threat actor with full remote access to the victim’s computer.

Direct Importance

Attacks such as this demonstrate threat actors ability to adapt to changing circumstances and training methods. Organizations often focus employee training on the philosophy “don’t click suspicious links or open attachments.” While usually effective, this method can fall prey to creative threat actors. Using a training method that encourages employees to think critically can help protect organizations by avoiding situations where employees make assumptions about the nature of a link and act accordingly.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense™ Threat Alerts.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

This ‘Broken’ File Hides Malware Designed to Break Its Targets

CISO Summary

Cofense IntelligenceTM has identified a phishing campaign with a malicious attachment containing a “broken” file that actually works, in all the wrong ways. Under certain conditions, the file weaponizes in the target environment after evading both automated and manual analysis.

The “break” is the lack of a file header, engineered to fool analysts into thinking the attachment is harmless, the work of threat actors too clumsy to be taken seriously. The headless file only appears when you open the attachment or use special programs in attempting to extract it.

The campaign tries to exploit a common problem: information overload. As they process and prioritize mountains of information, analysts and automated defenses sometimes ignore faulty files because they seem to be benign. In this campaign, the file downloads a script to fix the missing header and then run the full file, if the target environment permits it.

While multi-stage evasive techniques are the exception not the rule, they can lead to devastating results. To protect against campaigns like this, it’s smart to invest in solutions that leverage both human intuition and threat automation.

Full Details

Cofense Intelligence recently observed a campaign that delivered what appeared to be a broken executable—almost certain to evade detection as malicious—only to be fully weaponized once within  the target’s environment. By delivering an apparently broken executable, threat actors were able to disguise their intentions from several different kinds of automated and manual analyses. Cursory analysis showed that the executable was missing a proper “file header.” Because of the missing file header, it was more likely that an analyst would simply dismiss the threat actors as being incompetent and ignore the campaign. In reality, the campaign was designed so that the document would download a script to fix the “file header” and run the now complete executable, if the desired conditions within the hosting environment were met.

What’s in a Header

Essentially, a file header helps the operating system determine how to interpret the contents of the file. Header information can indicate several factors, such as whether a file is an archive or an executable. In the case of most Windows executables, the file starts with the characters MZ. This MZ header is almost always present, even when executables are packed, obfuscated, or embedded. The hexadecimal content of an executable, including the MZ header, can be seen in Figure 1.

Figure 1: Hexadecimal view of an MZ file header of an executable

If this header is not present, then the executable will simply fail to run. Some analysts as well as automated analysis systems and executable extraction programs will ignore any files without an appropriate header, under the assumption that they are broken. An example of the same executable from Figure 1, but with a missing MZ header, can be seen in Figure 2.

Figure 2: The same file as Figure 1 without an MZ header

The executable from Figure 1 no longer runs without the MZ header. Conversely, all that is needed to make the executable in Figure 2 run is the addition of “MZ” to the top of the binary.

What Happened Here

In the campaign observed by Cofense Intelligence, the malicious document drops an embedded object as a partial executable—the header of this file can be seen in Figure 2. Because this executable does not have an MZ header, it is only detected by 2/58* antivirus engines on VirusTotal. It also means that analysts who see the binary and attempt to run it as an executable will be unsuccessful and may assume that the binary is broken—and be technically correct in so doing. Once the partial executable has been dropped, the malicious document then makes use of CVE-2017-11882 to download and execute the contents of an .hta file. An example is shown in Figure 3.

Figure 3: Contents of downloaded .hta file

There are four steps of interest in this script. The first step creates a file “~F9.TMP” with the contents “MZ”:

Figure 4: First step in “creating” an executable

The second step adds the contents of the new file (“MZ”) to the start of a file named “~AFER125419.TMP”. The file “~AFER125419.TMP” is actually the name of the object embedded in the original executable:

Figure 5: Second step in creating an executable

After the “MZ” header is added, the new file is the same as the one shown in Figure 1. Although the file retains the .TMP extension it can still be run as an executable from the command line:

Figure 6: Third step in creating an executable

In the final step, the binary is copied to the Windows “Startup” folder, renaming it as an executable and ensuring that it will run on the next computer startup. This provides persistence for the malware on the targeted machine.

Figure 7: Fourth step in creating an executable

How It Helps Them and Hurts Us

The malicious document used in this instance was in fact detected by antivirus companies, largely due to its use of an equation editor exploit with minimal obfuscation and an embedded object. However, when dropped to disk the embedded object is only detected by 2/58* of the antivirus companies on VirusTotal. When the object is completed by adding the “MZ header,” this detection ratio jumps to 40/71*, demonstrating that the lack of an MZ header confuses automated systems and analysts alike. The fact that the binary can run as an executable only after being modified by a downloaded script provides several layers of distraction from the actual threat.

  • First, the computer must have access to the internet; this prevents the binary from running in some sandboxes and analysis environments which by default do not have internet access. It also ensures that any manual static analysis done on the binary will determine the binary to be “broken,” increasing the likelihood that it will be ignored.
  • In order for further analyses to take place, the script must still be available. If the script is unavailable due to the threat actor taking it down or any other reason, the binary never becomes an executable and is unlikely to be detected.
  • Finally, if the script is downloaded separately and run, it will create two 2-byte files and display an error message, further reinforcing its appearance as a poorly put together malware campaign.

Why It Matters

Information overload is a serious problem for any enterprise. To quickly process and prioritize information, both analysts and technical defenses will sometimes ignore “broken” files that do not run. If these files are recognized as a threat, analysts are often still forced to prioritize more obviously damaging malware instead of fixing a “broken” sample. Even if these steps are taken, the binary delivered in this campaign was only functional if a very specific set of criteria were met. This type of multi-stage execution designed to avoid detection is infrequent yet no less dangerous. To protect themselves from similar threats, organizations need to invest in both preventative programs and training as well as resources that use human experience in addition to automated malware analysis to uncover threats.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.


Table 1: File IoCs

File Name MD5 Hash
9t3R1Ng5(.hta) c0266ac68a5de7c08fee0e7bd4b3b4aa
Enerson Energy_2018&2019_quotation.doc fa447b70e2550d66f0ebfa704a4c9552
~AFER125419.tmp 32c4c5186c0affa8c5f630253bbf5acc
~191AEF9.tmp 135dedc1e10a7d78f906cb485b328145


Table 2: Network IoCs**




All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


* These statistics were from a sample analysis done on 2019-03-25.

** pastebin[.]com is not inherently malicious

A Closer Look at Why the QakBot Malware Is So Dangerous

CISO Summary

Cofense Intelligence ™ recently reported a phishing campaign distributing the QakBot malware. QakBot infestation is a significant threat, so be sure to share today’s follow-up post with your SOC analysts.

We’ll drill down into the novel techniques QakBot uses to stymie detection and manual analysis. This sophisticated banking trojan, which Cofense™ has seen distributed via the Geodo/Emotet botnet, uses multiple tools to cover its tracks and steal credentials. The threat actors who have developed it are creative and aggressive.

With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat

CISO Summary

The Revenge RAT malware is getting stealthier, thanks to unusually advanced delivery techniques and support infrastructure. Cofense IntelligenceTM has recently seen this basic and widely available Remote Access Trojan benefit from these upgrades, which help it to access webcams, microphones, and other utilities as Revenge RAT does recon and tries to gain a foothold in targeted computers. When they succeed, RATs enable threat actors to wreak havoc, including monitoring user behavior through keyloggers or other spyware, filching personal information, and distributing other malware.

Exploiting an Unpatched Vulnerability, the Ave_Maria Malware Is Not Full of Grace

CISO Summary

CofenseTM has seen a rise in phishing campaigns designed to deliver a type of stealer malware called Ave_Maria. It contains a capability, DLL hijacking, that uses a vulnerability with no forthcoming fix. With origins in a publicly available utility, DLL lets Ave_Maria gain greater admin privileges and avoid detection, then steal information so it can download additional plugins and potentially other payloads. This malware can bypass detection and privilege restrictions on many endpoints.

“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan

Threat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense Phishing Defense Center and known to target South American users.

Potential Misuse of Legitimate Websites to Avoid Malware Detection

Sometimes, common malware will attempt to gather information about its environment, such as public IP address, language, and location. System queries and identifier websites like whatismyipaddress.com are often used for these purposes, but are easily identified by modern network monitors and antivirus. It’s important to know, however, that everyday interactions with legitimate websites provide much of the same information and are not monitored because the interactions are legitimate. In other words, threat actors can bypass automated defenses by abusing legitimate websites that often cannot be blocked for business purposes.

First, cookies—easily accessible records of a user’s interactions with a webpage—are often stored on the local machine and can be accessed by malware.  Second, some servers include additional information about the local machine in the response header. Though this is not as easily accessible to the average computer user, it could be leveraged by malicious actors to gain information related to the local machine’s settings, location, operating system, public IP address, language, region, and unique identifiers.

This information about the local environment could be used to avoid directly querying the local machine, avoiding techniques that trigger automated defenses. For example, a malicious document could determine the region of an infected computer from wikipedia.org to bypass network monitoring systems looking for web traffic to identifier websites like whatismyipaddress.com and then download region specific malware that is tailored to combat the antivirus software used in that region.

What Information Can Be Derived

Wikipedia’s response headers highlight the wealth of valuable information available to a malicious actor (Figure 1). Here, the “set-cookie” field contains the cookie value, which includes the GeoIP of the browser, consisting of the country, city, and GPS coordinates. The “x-client-ip” in the header records the public IP address of the local machine (redacted).

Figure 1: A response header from Wikipedia

Google has a useful cookie to track if a user has accepted their terms of service. As seen in Figure 2, this small cookie contains the state of agreement, the country where the computer is located, and the language of the browser used.

Figure 2: Matching contents of Google’s CONSENT cookie

How This Information Is Used

Some of this information, such as the IP address, can be leveraged by threat actors to determine if the infected computer is within a certain IP range of particular interest, such as Amazon Web Services or Microsoft Azure. Other malware families will not run unless the infected machine is located in a specific country. Malware that downloads additional files uses many different sources to obtain a variety of information about the local environment including:

  • Using the location and language to determine what to deliver (as discussed in a prior blog)
  • Noting the operating system to determine what kind of malware to deliver
  • Determining the use of a VPN based on the IP address to decide whether to run

What Actions Look Suspicious

Automated systems and malware sandboxes often monitor a list of events that are rarely made by legitimate software. These events include system queries for information such as the system language, generating cryptographic key, or the operating system version, as well as network traffic. Certain language checks or domains appearing in network traffic will trigger alerts, as seen in Figure 3.

Figure 3: A moderate event alert from a Cuckoo sandbox execution

Avoiding Alerts When Seeking Valuable Information

By making web requests to legitimate websites, malware can obtain additional information about its environment while avoiding detection. Suspicious system calls or network traffic that might alert automated systems can be avoided by deriving information from these web requests. There is nothing inherently malicious about contacting legitimate websites, and no suspicions would be raised simply based on such contact.  Many of these checks can be done unobtrusively. This leads researchers to assume the malware is not functional rather than that it is detecting an analysis environment. For example, the same cookie shown in Figure 2 can also be used to detect a mismatch between the browser language and endpoint country (shown in Figure 4).

Figure 4: The endpoint is recorded as Germany (DE,) but the browser language is French(fr)

Potential Impact

This technique is not currently widely used, but offers several benefits to attackers and would be difficult for organizations to defend against. Websites such as Wikipedia and Google cannot simply be blocked, and current local and network defenses may not be able to distinguish traffic that is not inherently malicious. Although this does not disguise the connections that malware makes to its command and control hosts or payload servers, it does hinder analysis and allows an infection to progress further before it is detected.

Given the ease with which threat actors are able to bypass automated defenses by abusing legitimate websites and tools that often cannot be blocked for business purposes, it is imperative that individuals be trained to recognize the initial threat and to report it. Combining this training with human verified intelligence helps to ensure a successful defense strategy.

Learn how Cofense PhishMe™ helps thousands of organizations train users to spot and report phishing emails.

For more information on the abuse of legitimate websites for data exfiltration and malware delivery, as well as the abuse of Microsoft Utilities to avoid detection, see these previous Cofense™ blogs:  “Threat Actors Abusing Google Docs” and “Abusing Microsoft Windows Utilities.”


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Abusing Microsoft Windows Utilities to Deliver Malware for Fun and Profit

Last year, Cofense Intelligence™ observed an increase in abuse of features built into platforms that are all but ubiquitous throughout the corporate world. An overview of these developments in 2017 was covered in our 2017 Malware Review, which highlighted the abuse of Microsoft features such as Object Linking and Embedding (OLE) and Dynamic Data Exchange (DDE) to deliver malware. Since last year, this trend has continued as threat actors are exploiting a greater variety of features as well as combining multiple techniques into one campaign.