Cofense Blog

New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

The Cofense Phishing Defense CenterTM  has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality.Threat groups like TA505 have been known to leverage the Amadey botnet as recently as July 2019 to deliver secondary malware like FlawedAmmy (RAT) and email stealers. Here’s how a typical attack works: Figure 1: Infection chain Figure 2: Email Body The email body reports...

Healthcare’s Getting Smacked by Phishing. These Resources Can Help.

This summer, phishing attacks continued to hammer healthcare. Florida: Compromised email accounts, at last count 73, were used to send a phish which led to a breach at NCH Healthcare.1 Ohio: Eye Care Associates was hit with ransomware. The regional eye care provider’s systems were locked for several weeks. 2 New York: In the biggest healthcare breach so far in 2019, American Medical Collection Agency was breached to the tune of 25 million patient records. While phishing hasn’t been positively identified as the culprit, it’s high on the suspect list.3 Need Phishing Defense Resources? Start Here. To help healthcare companies...

Astaroth Uses Facebook and YouTube within Infection Chain

New Phishing Campaign Uses Captcha to Bypass Email Gateway

By Fabio Rodrigues Phishing threat actors are using Captcha methods to bypass automated URL analysis. By using Captcha techniques to prove human presence, the phish prevents the secure email gateway (SEG), in this case Mimecast’s gateway, from scanning the URL thereby enabling the threat to get through. Here’s how it works. Email Body The phishing email is sent from a compromised account at @avis.ne.jp as if it originated from a voip2mail service. The email alerts the recipient to a new voicemail message. The message is crafted in a simple format, with a preview of the voicemail to entice the recipient...

Is It Time to Rethink Your Phishing Awareness Program?

Part 1 of 2 As seen in Cofense’sTM 2019 Phishing Threat & Malware Review, threat actors innovate relentlessly. Technologies like secure email gateways (SEGs) can’t keep up. In fact, the vast majority of phishing emails verified by the Cofense Phishing Defense CenterTM are found in environments using SEGs. With so many malicious emails making it past security controls, the human factor becomes decisive. This means your phishing awareness program needs to stay in fighting trim. In particular, it’s important to educate users on attacks that breach your perimeter, working with your SOC to focus on the most frequent threats. If...

Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks

Hiding in plain sight by using trusted enterprise technologies almost guarantees delivery of a phishing URL. Case in point: a phishing campaign that delivered a legitimate Sharepoint URL to bypass the email gateway, in this case Symantec’s. Here’s how this increasingly popular phishing tactic works. Email Body The phishing email is sent from a compromised account at a third-party vendor asking the recipient to review a proposal document. The recipient is urged to click on an embedded URL. As seen below in figure 1, the URL has been wrapped by Symantec’s Click-time URL Protection and redirects the recipient to a...

Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway

By Tej Tulachan The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link. Trickbot has been making the rounds for a long time now and is still considered one of the biggest malware threats targeting business today. Threat actors frequently utilize legitimate applications or trusted file sharing sites like Google Docs to bypass the email gateway and lure users to click on the link to deliver malware. In this case, the email made it through Proofpoint’s gateway utilized by our PDC customer. Email Body The email attempts to lure curious...

Advanced Phishing Campaign Delivers Quasar RAT

Cofense IntelligenceTM has uncovered an advanced campaign that uses multiple anti-analysis methods to deliver Quasar Remote Access Tool (RAT). A phishing email poses as a job seeker and uses the unsophisticated ploy of an attached resume to deliver the malware. Quasar RAT is freely available as an open-source tool on public repositories and provides a number of capabilities. Organizations find a higher degree of difficulty with the ‘.doc’ file attachment distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection. Such methods include password protection—which is a built-in feature of Microsoft Word—and encoded macros. Along...

Why Join Us at Cofense Submerge? Here’s What Attendees Say

Next month in Orlando we’ll be hosting CofenseTM Submerge 2019, our fourth annual user conference and phishing defense summit. As we wrap up each event, we ask attendees for feedback. What did they like best? Networking and hearing other customers’ experiences are always the top responses. As a former customer who now works at Cofense, I totally agree.    Here are some of the answers we heard last year when we asked, “Why attend Submerge?”  “Sharing ideas was tremendously helpful to me—having the opportunity to meet other people from a variety of industries doing the same thing that I do.”  We’re all on this journey...

New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry

The CofenseTM Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee. The malware boasts the following features: Takes screen shots Harvests credentials from Chrome, IE and Edge Accesses the webcam, record video and take photos Records audio from the microphone Transfers files Collects general system and user information Steals VPN certificates Serves as a Key Logger Email Body Fig1. Email Body...

New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

The Cofense Phishing Defense CenterTM  has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality.Threat groups like TA505 have been known to leverage the Amadey botnet as recently as July 2019 to deliver secondary malware like FlawedAmmy (RAT) and email stealers. Here’s how a typical attack works: Figure 1: Infection chain Figure 2: Email Body The email body reports...

Astaroth Uses Facebook and YouTube within Infection Chain

New Phishing Campaign Uses Captcha to Bypass Email Gateway

By Fabio Rodrigues Phishing threat actors are using Captcha methods to bypass automated URL analysis. By using Captcha techniques to prove human presence, the phish prevents the secure email gateway (SEG), in this case Mimecast’s gateway, from scanning the URL thereby enabling the threat to get through. Here’s how it works. Email Body The phishing email is sent from a compromised account at @avis.ne.jp as if it originated from a voip2mail service. The email alerts the recipient to a new voicemail message. The message is crafted in a simple format, with a preview of the voicemail to entice the recipient...

Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks

Hiding in plain sight by using trusted enterprise technologies almost guarantees delivery of a phishing URL. Case in point: a phishing campaign that delivered a legitimate Sharepoint URL to bypass the email gateway, in this case Symantec’s. Here’s how this increasingly popular phishing tactic works. Email Body The phishing email is sent from a compromised account at a third-party vendor asking the recipient to review a proposal document. The recipient is urged to click on an embedded URL. As seen below in figure 1, the URL has been wrapped by Symantec’s Click-time URL Protection and redirects the recipient to a...

Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway

By Tej Tulachan The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link. Trickbot has been making the rounds for a long time now and is still considered one of the biggest malware threats targeting business today. Threat actors frequently utilize legitimate applications or trusted file sharing sites like Google Docs to bypass the email gateway and lure users to click on the link to deliver malware. In this case, the email made it through Proofpoint’s gateway utilized by our PDC customer. Email Body The email attempts to lure curious...

Advanced Phishing Campaign Delivers Quasar RAT

Cofense IntelligenceTM has uncovered an advanced campaign that uses multiple anti-analysis methods to deliver Quasar Remote Access Tool (RAT). A phishing email poses as a job seeker and uses the unsophisticated ploy of an attached resume to deliver the malware. Quasar RAT is freely available as an open-source tool on public repositories and provides a number of capabilities. Organizations find a higher degree of difficulty with the ‘.doc’ file attachment distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection. Such methods include password protection—which is a built-in feature of Microsoft Word—and encoded macros. Along...

New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry

The CofenseTM Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee. The malware boasts the following features: Takes screen shots Harvests credentials from Chrome, IE and Edge Accesses the webcam, record video and take photos Records audio from the microphone Transfers files Collects general system and user information Steals VPN certificates Serves as a Key Logger Email Body Fig1. Email Body...

Remote Access Trojan Uses Sendgrid to Slip through Proofpoint

The CofenseTM Phishing Defense CenterTM observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works:

Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

Cofense Intelligence™ has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular...

TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host. TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting...

New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

The Cofense Phishing Defense CenterTM  has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality.Threat groups like TA505 have been known to leverage the Amadey botnet as recently as July 2019 to deliver secondary malware like FlawedAmmy (RAT) and email stealers. Here’s how a typical attack works: Figure 1: Infection chain Figure 2: Email Body The email body reports...

Healthcare’s Getting Smacked by Phishing. These Resources Can Help.

This summer, phishing attacks continued to hammer healthcare. Florida: Compromised email accounts, at last count 73, were used to send a phish which led to a breach at NCH Healthcare.1 Ohio: Eye Care Associates was hit with ransomware. The regional eye care provider’s systems were locked for several weeks. 2 New York: In the biggest healthcare breach so far in 2019, American Medical Collection Agency was breached to the tune of 25 million patient records. While phishing hasn’t been positively identified as the culprit, it’s high on the suspect list.3 Need Phishing Defense Resources? Start Here. To help healthcare companies...

Is It Time to Rethink Your Phishing Awareness Program?

Part 1 of 2 As seen in Cofense’sTM 2019 Phishing Threat & Malware Review, threat actors innovate relentlessly. Technologies like secure email gateways (SEGs) can’t keep up. In fact, the vast majority of phishing emails verified by the Cofense Phishing Defense CenterTM are found in environments using SEGs. With so many malicious emails making it past security controls, the human factor becomes decisive. This means your phishing awareness program needs to stay in fighting trim. In particular, it’s important to educate users on attacks that breach your perimeter, working with your SOC to focus on the most frequent threats. If...

Why Join Us at Cofense Submerge? Here’s What Attendees Say

Next month in Orlando we’ll be hosting CofenseTM Submerge 2019, our fourth annual user conference and phishing defense summit. As we wrap up each event, we ask attendees for feedback. What did they like best? Networking and hearing other customers’ experiences are always the top responses. As a former customer who now works at Cofense, I totally agree.    Here are some of the answers we heard last year when we asked, “Why attend Submerge?”  “Sharing ideas was tremendously helpful to me—having the opportunity to meet other people from a variety of industries doing the same thing that I do.”  We’re all on this journey...

New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry

The CofenseTM Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee. The malware boasts the following features: Takes screen shots Harvests credentials from Chrome, IE and Edge Accesses the webcam, record video and take photos Records audio from the microphone Transfers files Collects general system and user information Steals VPN certificates Serves as a Key Logger Email Body Fig1. Email Body...

Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

Cofense Intelligence™ has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular...

TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host. TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting...

This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

By Tej Tulachan The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works. Email Body At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the...

Threat Actors Subscribe To Patches

Cofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld....

Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

By Karen Kokiko The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response. Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here. Fast and Flexible Searching Traditional email search and quarantine tools are...