Re: The Zombie Phish
October 31, 2018 by Cofense in Phishing Defense CenterMalware AnalysisThreat IntelligenceBy: Lucas Ashbaugh, Nick Guarino, Max Gannon Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message. This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish. Not Your Average Phish The Cofense™ Phishing...
“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan
October 31, 2018 by Max Gannon in Threat IntelligenceMalware AnalysisThreat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense™Phishing Defense Center and known to target South American users.
Threat Actors Seek Your Credentials Before You Even Reach the URL
October 30, 2018 by Cofense in Threat IntelligenceCofense Intelligence™ has observed a phishing technique that takes a unique approach to illicitly obtain a target’s sensitive information. In a recent campaign, threat actors harvested victims’ credentials through a PDF window prompt rather than via a webpage—the more traditional credential phishing technique. Cofense Intelligence obtained a phishing email that allegedly informs the recipient of an Amazon.de bill of sale. The German language email lure claims to deliver a tax invoice and requests the recipient to view the attached PDF. The PDF, also presented in German, specifies that the document cannot be opened in a browser and must be opened...
H-Worm and jRAT Malware: Two RATs are Better than One
October 23, 2018 by Cofense in Malware AnalysisThreat IntelligenceWhen threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself on removable devices like a USB. Using a generic phishing lure pertaining to an invoice, the email below contains two attached .zip archives: one with a VBScript application and the other a...
America’s First: US Leads in Global Malware C2 Distribution
October 19, 2018 by Cofense in Threat IntelligenceMalware AnalysisBy Mollie MacDougall and Darrel Rendell Cofense Intelligence™ has found that 27% of network Indicators of Compromise (IoC) from phishing-borne malware analysed during 2018 used C2 infrastructure located in, or proxied through, the United States—making the US the leader in global malware C2 distribution. Map 1 details these observations. This does not indicate that US-based users are getting hit disproportionately, as threat actors are incentivised to host C2 infrastructure outside of their own country or countries with extradition agreements with their host nations to avoid arrest and/or extradition. However, C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence...
Email Security Gateway (to Your Next Breach)
October 16, 2018 by Cofense in Phishing Defense CenterBY THE COFENSE PHISHING DEFENSE CENTER Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface. Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous...
Phishing Enables Domestic Violence. Education Can Help Stop It.
October 8, 2018 by Cofense in Internet Security AwarenessAccording to estimates, approximately 760 people, or more than two per day, are killed by their partners. Most of the victims are women.1 Making matters worse, abusers use “stalkerware” to track their victims online, cutting off sources of income, isolating them from friends and family, and otherwise trying to control every aspect of their lives.
Building a Security Awareness Program? Start with Strategy and Goals
October 8, 2018 by Tonia Dudley in Internet Security AwarenessPart 1 of a 4-part series on building and maintaining a security awareness program, in support of National Cybersecurity Awareness Month. In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent 5 years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director that owned the role, “Compliance focus is wrong –you have to market to the users.”
Threat Actors Customize URLs to Avoid Detection
October 4, 2018 by Max Gannon in Threat IntelligenceThreat actors have many ways to avoid being detected. Today, let’s look at how they tweak URLs to bypass firewall rules—and what you can do to stop them from succeeding.