About Cofense

Cofense Phishing Prevention & Email Security Blog


Updated Dyre, Dropped by Office Macros

May 4, 2015 by Cofense in Internet Security Awareness, Malware Analysis

Whenever attackers make a shift in tactics, techniques, and protocol (TTP), we like to make note of it to help both customers and the rest of the Internet community. We recently analyzed a sample that started out appearing to be Dridex, but quickly turned into a headache leading to Dyre that featured some notable differences to past Dyre samples. One PhishMe user was targeted to their personal account, and here’s a copy of the phishing email: Once opened, we’re presented with the very familiar story of “please enable this macro so you can get infected”. This time, they do give...


Detecting a Dridex Variant that Evades Anti-virus

March 25, 2015 by Cofense in Internet Security Awareness, Malware Analysis

Attackers constantly tweak their malware to avoid detection. The latest iteration of Dridex we’ve analyzed provides a great example of malware designed to evade anti-virus, sandboxing, and other detection technologies. How did we get our hands on malware that went undetected by A/V? Since this malware (like the majority of malware) was delivered via a phishing email, we received the sample from a user reporting the phishing email using Reporter.


The Return of NJRat

March 19, 2015 by Cofense in Internet Security Awareness

NJRat is a remote-access Trojan that has been in use for the last few years. We haven’t heard much about NJRat since April 2014, but some samples we’ve recently received show that this malware is making a comeback. (For some background on NJRat, a 2013 report from Fidelis Cybersecurity Solutions at General Dynamics detailed indicators, domains, and TTPs in conjunction with cyber-attacks using NJRat.)


Dridex Code Breaking – Modify the Malware to Bypass the VM Bypass

March 18, 2015 by Cofense in Malware Analysis

Post updated on March 25. The arrival of spring brings many good things, but it’s also prime season for tax-themed phishing emails. A partner of ours recently reported an email with the subject “Your Tax rebate” that contained an attachment with Dridex and password-protected macros to hinder analysis. If you read this blog, this story should sound familiar, but this particular strain took new precautions, such as adding a longer password and using VM detection inside of the code.


Decoding ZeuS Disguised as an .RTF File

March 4, 2015 by Cofense in Malware Analysis

While going through emails that were reported by our internal users using Reporter, I came across a particularly nasty looking phishing email that had a .doc attachment. At first when I detonated the sample in my VM, it seemed that the attackers weaponized the attachment incorrectly. After extracting and decoding the shellcode, I discovered a familiar piece of malware that has been used for some time.


Dridex – Password Bypass, Extracting Macros, and Rot13

February 27, 2015 by Cofense in Malware Analysis

When attackers decide to password protect something, it can be very frustrating as an analyst, because we are often left with few options to find out what they are protecting. If this happens, we can always try to straight up brute force the password, but unless the attackers use something like 1q2w3e4r, we’re up a creek without an oar. If it’s an MD5 hash of a password, we have many more options to crack it. In the case of xls files, we have the option to essentially “wipe out” the password and give it our own password. In a recent...


Dyre Trojan Expands to Career Website Targets

February 18, 2015 by Cofense in Malware Analysis

The MAAWG conference in San Francisco provides an opportunity for the leading hosting companies, Internet Service Providers, and Internet and email security companies to collaborate, develop best practices, and share information. We took the opportunity to speak to attendees about Dyre malware, and how the Trojan is now a serious concern. In recent days, we have seen an aggressive expansion in the targets that Dyre is configured to steal credentials from. Dyre malware is currently being spread via spam email and the Upatre downloader. We have already reached out to many of the newly impacted brands, several of which had a...

Forbes, Adobe Flash Player, and Your Email

February 13, 2015 by Cofense in Internet Security Awareness

What do the three topics in today’s title have in common? Quite a bit if you are in the malware business! Near the top of the tech news today is the story that Forbes, the 61st most popular website in the United States, has been distributing malware through its “Thought Of The Day” advertisements application. When first visiting Forbes, regardless of which article link you have clicked on from your web search, newsreader, Facebook/Twitter link, or email recommendation, you don’t go directly to the article. Instead you are taken to a “Thought Of The Day” page, where Forbes is able to...


Anthem and Post-breach phishing awareness

February 9, 2015 by Cofense in Internet Security Awareness

The Anthem data breach on February 5, 2015 raised the high-water mark on healthcare data breaches. The Anthem breach smashed all previous records, exposing close to 80 million members’ records. It was the largest healthcare data breach ever discovered by a considerable distance. Only a very small number of healthcare data breaches have been reported that have exceeded 2 million records. In the United States, data breaches impacting the protected health information of patients and health plan members are required to be reported to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). OCR maintains a searchable...