Since this April, Cofense Intelligence™ has observed a sustained increase in the financially motivated targeting of United Kingdom-based users with phishing lures imitating brands like Her Majesty’s Revenue & Customs (HMRC), Lloyds Bank, and HSBC Bank. The most common final payloads delivered by these campaigns are designed to compromise victims’ financial accounts and provide illicit access to financial information. This surge in targeting almost certainly represents a stage in the “whack-a-mole” strategy long employed by threat actors: expand campaigns against a segment of the vast vulnerable attack surface until those users catch on to the threat, then move to the next target.
Cofense Intelligence™ uncovered a resurgent Sigma ransomware campaign on March 13, 2018 following a noted three-month hiatus of the malware. Although many aspects of this campaign—including its anti-analysis techniques—are consistent with previously analyzed Sigma samples, its return is in and of itself atypical.
In 2017, PhishMe® analyzed over 40 Italian-language phishing campaigns that targeted victims with Zeus Panda. This popular multipurpose banking trojan is primarily designed to steal banking and other credentials, but is capable of much more as it provides attackers with a great deal of flexibility. Although some variation was observed, many of these campaigns demonstrated a large degree of shared tactics, techniques and procedures (TTPs). Given the prolific nature of these campaigns, it is likely that Italian-language phish will continue to deliver Zeus Panda in 2018. Organizations should be alert to the indicators of compromise and phishing TTPs to prevent infection.
On 1 December 2017, PhishMe Intelligence™ identified a new delivery technique for Sigma ransomware, which was most likely employed to evade automated detection and mitigation by email and anti-malware defenses. Potential victims received phishing emails with an embedded image as the message body that also included an attached Microsoft Office document containing a malicious macro. The embedded image contained a password that could be used to open the Microsoft Office document.
In a recent Strategic Analysis, we outlined how malicious actors leveraged Microsoft Office’s Dynamic Data Exchange (DDE) protocol functionality to compromise victims with Chanitor malware within days of SensePost publicly disclosing the risks. PhishMe® has since observed the weaponization of this tactic to deliver other types of malware in several campaigns that support some of the most lucrative current online criminal operations.
Less than a week after a Sensepost blog highlighted how to abuse Microsoft Office functionality to deliver malware to systems via phishing messages, PhishMe® observed attackers abusing this feature of Microsoft Windows. This highlights how quickly malicious actors capitalize on such revelations, outpacing many organizations’ abilities to understand and respond to emerging threats.