Products
Products
Response
Intelligence
About Cofense
About Cofense
Leadership

Cofense Phishing Prevention & Email Security Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

Dyre Configuration Dumper

June 11, 2015 by Cofense in Internet Security Awareness

It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre.

READ MORE

Forget About IOCs… Start Thinking About IOPs!

June 9, 2015 by Aaron Higbee in Internet Security Awareness

For those who may have lost track of time, it’s 2015, and phishing is still a thing. Hackers are breaking into networks, stealing millions of dollars, and the current state of the Internet is pretty grim. We are surrounded with large-scale attacks, and as incident responders, we are often overwhelmed, which creates the perception that the attackers are one step ahead of us. This is how most folks see the attackers, as being a super villain who only knows evil, breathes evil, and only does new evil things to trump the last evil thing. This perception leads to us receiving...

READ MORE

Disrupting an Adware-serving Skype Botnet

June 3, 2015 by Cofense in Internet Security Awareness

In the early days of malware, we all remember analyzing samples of IRC botnets that were relatively simple, where the malware would connect to a random port running IRC, joining the botnet and waiting for commands from their leader. In this day and age, it’s slightly different. Whereas botnets previously had to run on systems that attackers owned or had compromised, now bots can run on Skype and other cloud-based chat programs, providing an even lower-cost alternative for attackers.

READ MORE

Surfing the Dark Web: How Attackers Piece Together Partial Data

June 2, 2015 by Aaron Higbee in Internet Security Awareness

The recent Carefirst breach is just the latest in a rash of large-scale healthcare breaches, but the prevailing notion in the aftermath of this breach is that it isn’t as severe as the Anthem or Premera breaches that preceded it. The thinking is that the victims of this breach dodged a bullet here, since attackers only accessed personal information such as member names and email addresses, not more sensitive information like medical information, social security numbers, and passwords. However, attackers may still be able to use this partial information in a variety of ways, and a partial breach should not...

READ MORE

Has Your Yahoo Password Been Stolen?

May 14, 2015 by Cofense in Phishing

Has your Yahoo password been stolen? Would you be aware if that was the case? Many people who have fallen for the latest Yahoo password stealing scam will be unaware that their account is no longer secure. PhishMe researchers are always finding new tactics used by the top phishers to steal login credentials for popular on-line services, and attacks on Yahoo users are incredibly common. We recently found a very clever phisher using the idea of strengthening your password against you. Let’s explore this phishing scenario in detail. Since the beginning of May, the URL: hxxp://markspikes.com/2/us-mg5.mail.yahoo.com/ has loaded a page...

READ MORE

Updated Dyre, Dropped by Office Macros

May 4, 2015 by Cofense in Internet Security AwarenessMalware Analysis

Whenever attackers make a shift in tactics, techniques, and protocol (TTP), we like to make note of it to help both customers and the rest of the Internet community. We recently analyzed a sample that started out appearing to be Dridex, but quickly turned into a headache leading to Dyre that featured some notable differences to past Dyre samples. One PhishMe user was targeted to their personal account, and here’s a copy of the phishing email: Once opened, we’re presented with the very familiar story of “please enable this macro so you can get infected”. This time, they do give...

READ MORE

Detecting a Dridex Variant that Evades Anti-virus

March 25, 2015 by Cofense in Internet Security AwarenessMalware Analysis

Attackers constantly tweak their malware to avoid detection. The latest iteration of Dridex we’ve analyzed provides a great example of malware designed to evade anti-virus, sandboxing, and other detection technologies. How did we get our hands on malware that went undetected by A/V? Since this malware (like the majority of malware) was delivered via a phishing email, we received the sample from a user reporting the phishing email using Reporter.

READ MORE

The Return of NJRat

March 19, 2015 by Cofense in Internet Security Awareness

NJRat is a remote-access Trojan that has been used for the last few years. We haven’t heard much about NJRat since April 2014, but some samples we’ve recently received show that this malware is making a comeback. ( For some background on NJRat,  a 2013 report from Fidelis Cybersecurity Solutions at General Dynamics detailed indicators, domains, and TTP’s in conjunction with cyber-attacks using NJRat.)

READ MORE

Dridex Code Breaking – Modify the Malware to Bypass the VM Bypass

March 18, 2015 by Cofense in Malware Analysis

Post Updated on March 25 The arrival of spring brings many good things, but it’s also prime season for tax-themed phishing emails. A partner of ours recently reported an email with the subject “Your Tax rebate” that contained an attachment with Dridex and password-protected macros to hinder analysis. If you read this blog, this story should sound familiar, but this particular strain took new precautions, such as adding a longer password and using VM detection inside of the code.

READ MORE