Cofense Intelligence™ recently analyzed a phishing campaign that distributed Microsoft Excel Query files in an infection chain to deliver the AmmyyAdmin remote access trojan (RAT). But analysts noted that this latest campaign bore a striking resemblance to another campaign in March 2018 in which phishing emails were used to distribute .URL internet shortcut files.
Calling it “one of the most advanced defenses against phishing,” CSO has included Cofense TriageTM in its Best Security Software for 2018. Our incident response and phishing defense platform helps to stop attacks in progress and minimize the risk of breach—in minutes, compared to the average detection time of 100+ days.
On Monday May 28, 2018, during routine operations, Cofense Intelligence™ identified traits across several campaigns that indicated they were linked. In fact, this discovery helped to reveal a sprawling criminal enterprise that uses linked infrastructure to host nearly 100 domains, along with corresponding malware campaigns.
At Cofense™, we’ve known for some time that phishing attacks using MS Office attachments were a big problem. That’s why our solutions help you combat these attacks in important ways.
On May 22, 2018, the Cofense Phishing Defense Center observed a Microsoft credential phishing attack that was received by one of our Managed Service customers. The Phishing Defense Center’s goal is to provide our customers all the relevant information on an attack against their employees, within an hour of an email being reported, so customers can take the necessary steps to prevent further attacks. By doing a deep dive investigation into this attack we were able to find multiple other phishing attacks listed on the site, the kits used to create the phishing pages, and several other domains created by...
Recently, Cofense IntelligenceTM reported on a new mechanism used to distribute Dreambot malware, where a malicious page impersonating Microsoft Office Online entices victims to download the banking trojan. We have noted a similar delivery technique in the distribution of a TrickBot sample where targets are required to download a “plugin” to interact with a PDF, adding to the iteration of purported “plugin” downloads for malware delivery. The detailed campaign leverages social engineering techniques to gain access to victims’ sensitive information and also contains code obfuscation to evade detection by security technologies.
Regular followers of Cofense™ know that phishing threats evolve. For detailed evidence, read the Cofense Malware Review 2018 and see the techniques threat actors employ to keep security teams on their toes.
Cofense Intelligence has observed several recent Sigma ransomware campaigns that demonstrate either a new iteration or a fork of this malware. Prior to these new campaigns, the actors behind Sigma stuck rigidly to two very distinct phishing narratives, as detailed in Cofense’s recent blog post, and relied on the same infection process. With these newly observed changes, Sigma’s operators have eliminated various infrastructure concerns and improved the UX (User eXperience) of the whole ransom process, representing the first major shifts in Sigma tactics, techniques and procedures (TTPs).
An employee goes on Facebook and makes a snarky comment about his boss. Or posts a picture of a co-worker that includes a confidential document open on her laptop. Or simply mentions your company name when sharing something online. All of these are examples of potential trouble.
Cofense Intelligence recently identified a large Sigma ransomware campaign that contained significant deviations from the established TTPs employed by the actors behind this prolific piece of extortionware. These changes improve Sigma’s A/V detection-evasion and demonstrate new social engineering tactics intended to increase the likelihood that a targeted user would open the phishing email and its malicious attachment.