Summer Reruns: Threat Actors Are Sticking with Malware that Works
September 5, 2018 by Neera Desai in Malware AnalysisLet’s take a look back at this summer’s malware trends as observed by Cofense IntelligenceTM. Summer 2018 has been marked by extremely inconsistent delivery of TrickBot and Geodo, though volumes of lower-impact malware families like Pony and Loki Bot remained consistently high. What’s more, improvements to the delivery and behavior of Geodo and TrickBot accompanied the resurgence of two updated malware families—Hermes ransomware and AZORult stealer—in reaffirming a preference by threat actors to update previous tools instead of developing new malware. Because threat actors will continue to improve their software to ensure a successful infection, it’s important to understand these...
Recent Geodo Malware Campaigns Feature Heavily Obfuscated Macros
August 30, 2018 by Darrel Rendell in Malware AnalysisPart 3 of 3 As we mentioned in our previous overview of Geodo, the documents used to deliver Geodo are all quite similar. Each document comes weaponised with a hostile macro. The macros are always heavily obfuscated, with junk functions and string substitutions prevalent throughout the code. The obfuscation uses three languages or dialects as part of the obfuscation process: Visual Basic, PowerShell, and Batch.
Twin Trouble: Geodo Malware URL-Based Campaigns Use Two URL Classes
August 29, 2018 by Darrel Rendell in Malware AnalysisPart 2 of 3 As discussed in our prior blog post, URL-based campaigns – that is, campaigns that deliver messages which contain URLs to download weaponised Office documents – are by far the most prevalent payload mechanism employed by Geodo. Indeed, analysis of ~612K messages shows just 7300 have attachments; a trifling 1.2% of the total. The structure of the URLs falls into two distinct classes. Cofense Intelligence™ analysed a corpus of 90,000 URLs and identified 165 unique URL paths. There are two distinct classes of URLs employed by Geodo. A detailed breakdown of these URL structures follows.
Phishing-Specific SOAR Gets You to Mitigation Faster
August 28, 2018 by John Fitzgerald in Cyber Incident ResponseWhen a malicious email slips past perimeter tech defenses, you need to find it and respond in minutes, not two or three months. But no one has unlimited budget or staffing to sift through phishing alerts, verify threats, and help stop attacks in progress.
Into a Dark Realm: The Shifting Ways of Geodo Malware
August 27, 2018 by Darrel Rendell in Threat IntelligenceThe Geodo malware is a banking trojan that presents significant challenges. For starters, it conducts financial theft on a vast scale and enables other financially driven trojans. Also known as Emotet, Geodo has a rich history, with five distinct variants, three of which are currently active according to Feodo Tracker. Geodo’s lineage is incredibly convoluted and intertwined with malware such as Cridex as well as the later iterations known as Dridex. This blog is the first of a CofenseTM three-part series on Geodo. Our analysis of Geodo focuses not on code analysis, rather on observed behaviours, infrastructure choices and proliferation....
Ask the DNC: #fakephishing Phishing Pen-Tests Are Still a Bad Idea.
August 24, 2018 by Aaron Higbee in Internet Security AwarenessCliff notes: Phishing “tests” at best are a waste of time, and at worst, disruptive and weaken your ability to defend against real phishing.
Another Holiday-Themed Phish: Eid al-Adha is the Pretext for an Agent Tesla Campaign
August 23, 2018 by Neera Desai in Threat IntelligenceHolidays and global events provide timely material for threat actors to use as phishing lures. This technique is a common practice, and can sometimes be convincing to targets, especially just before a major holiday. On Sunday, August 19, 2018, Cofense Intelligence™ received an Eid-themed phishing email. Eid al-Adha, the Islamic festival/holiday, began this week.
UPDATE: Necurs Botnet Banks on a Second Bite of the Apple with New Malware Delivery Method
August 22, 2018 by Jason Meurer in Malware AnalysisThreat IntelligenceLast week, Cofense™ research uncovered and broke the news that the Necurs botnet began a highly-targeted campaign aggressively attacking more than 3,000+ banks worldwide with a malicious PUB file that drops the FlawedAmmyy malware. You can read the full analysis in last week’s research blog.
5 Steps to Targeting Newbies with Phishing Awareness Training
August 21, 2018 by Alexandra Wenisch in Internet Security AwarenessWhen it comes to phishing awareness training, new hires need special attention. While most may know what phishing is, many won’t have received formal training in recognizing and reporting a phish. This chart shows sample data from a CofenseTM customer whose newbies struggled to spot phishing emails during simulation training. Before they develop bad inbox habits, it’s important to welcome your brand-new users to your training program, especially if your company has fairly high turnover. Following are 5 tips to make the transition smoother and, ultimately, help your security teams stop phishing attacks. Step 1: Announce and Set the Stage...
The Lazy Man’s Guide to Phishing
August 16, 2018 by Cofense in Phishing Defense CenterBy Lucas Ashbaugh Laziness and sloppy work are the twenty first century’s newest business model, and for phishing actors it’s a gold rush. The real winners from modern phishing have taken a chapter out of the entrepreneur’s handbook: The Lean Startup. For them, phishing isn’t about artisanal fraud and refined skills, it’s about starting cheap, failing quickly, and getting their head back in the game. It’s horrendously brilliant. In a world where SOCs are constantly grinding to block that IP, scan for that hash, disable macros, etc., automated solutions just can’t keep up. When it comes to phishing, speed is king....