New Phishing Attacks Use PDF Docs to Slither Past the Gateway
May 30, 2019 by Cofense in Cyber Incident ResponseMimecastSEG MissesBy Deron Dasilva and Milo Salvia Last week, the CofenseTM Phishing Defense CenterTM saw a new barrage of phishing attacks hiding in legitimate PDF documents, a ruse to bypass the email gateway and reach a victim’s mailbox. The attacks masquerade as a trusted entity, duping victims into opening what appears to be a trusted link, which in turn leads to a fake Microsoft login page. Once there, victims are tricked into providing their corporate login credentials.
Patch or Pass? CVE-2017-11882 Is a Security Conundrum
May 29, 2019 by Max Gannon in Threat IntelligenceCISO Summary Since the latter part of 2018, threat actors have increasingly exploited two Microsoft vulnerabilities: CVE-2017-11882 and CVE-2018-0802. The first of these is especially popular. Cofense IntelligenceTM has seen it surge ahead of Microsoft macros as a favorite malware delivery method. CVE-2017-11882 is an older vulnerability that in fact has a patch. However, it presents a conundrum for security teams that haven’t addressed the problem. They can choose to skip the patching, live with the risks, and keep on using the legacy program. Or they can update, patch, and lose the application entirely to gain much better security. In...
Pretty Pictures Sometimes Disguise Ugly Executables
May 15, 2019 by Max Gannon in Threat IntelligenceCISO Summary Reaching deep into their bag of tricks to avoid detection, phishing emails and threat actors are using an oldie but goodie— packing image files (think tropical beach scenes) with malicious executables, usually a .jpg. The technique allows attackers to avoid detection by some anti-virus programs that merely recognize a file as an image, but don’t check its full contents. This vintage tactic works—threat actors still use it a lot. Anti-virus systems rely on file headers to detect malware. Tuning systems to rely less on file headers is difficult and sometimes impossible. One counter-measure that does work: educate employees...
Babylon RAT Raises the Bar in Malware Multi-tasking
May 15, 2019 by Cofense in Threat IntelligenceCISO SUMMARY Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense IntelligenceTM has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DOS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud. Full Details Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is...
The Cofense Phishing Defense Center Sees Threats That Most Don’t
May 8, 2019 by Cofense in Cyber Incident ResponseSEG MissesThe CofenseTM Phishing Defense CenterTM analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see. Here’s a Real Example Involving Compromised Email Accounts A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization. In fact, they utilized a technique known...
Flash Update: Emotet Gang Distributes First Japanese Campaign
April 15, 2019 by Cofense in Threat IntelligenceCofense Intelligence™ has identified yet another change in Emotet’s behavior, this time distributing a campaign targeting Japanese-speaking recipients. The messages, which reference potentially overdue invoices and the payments thereof, deliver a macro-laden document, as per Emotet’s modus operandi. Figure one shows an example email from this campaign. Diversifying their target-base is the latest link in an ever-lengthening chain of updates and refinements being pushed by the actors behind Emotet. The targets in this campaign include Japanese academic institutions, demonstrating a keen interest in Emotet securing a presence in such networks worldwide. Appendix Subject Lines 特別請求書 三月發票 確認して承認してください。 請查看和 批准。 謝謝。...
Emotet Gang Switches to Highly Customized Templates Utilizing Stolen Email Content from Victims
April 9, 2019 by Cofense in Threat IntelligenceBeginning the morning of April 9th, the Emotet gang began utilizing what appears to be the stolen emails of their victims. It was noted back in October of 2018 that a new module was added that could steal the email content on a victim’s machine. Up until now, no evidence of real widespread use was seen. This marks a major evolution in the way Emotet works.
This ‘Broken’ File Hides Malware Designed to Break Its Targets
April 2, 2019 by Max Gannon in Threat IntelligenceCISO Summary Cofense IntelligenceTM has identified a phishing campaign with a malicious attachment containing a “broken” file that actually works, in all the wrong ways. Under certain conditions, the file weaponizes in the target environment after evading both automated and manual analysis. The “break” is the lack of a file header, engineered to fool analysts into thinking the attachment is harmless, the work of threat actors too clumsy to be taken seriously. The headless file only appears when you open the attachment or use special programs in attempting to extract it. The campaign tries to exploit a common problem: information...
Be Cyber Smart: Four Steps to Protecting Your Business or Home
October 5, 2021 by Tonia Dudley in Internet Security AwarenessPhishingTools & Team Together — How Tetra Defense and Cofense Fight Phishing
September 30, 2021 by Cofense in Internet Security AwarenessPhishingThree is the Magic Number
September 23, 2021 by Cofense in Internet Security AwarenessPhishingPhishing as a Ransomware Precursor
September 21, 2021 by Cofense in Internet Security AwarenessPhishingIT Support Lures Users into Mimecast Phish
September 16, 2021 by Cofense in Internet Security AwarenessPhishingMobile Messaging Service Abused for Phishing
August 26, 2021 by Cofense in Internet Security AwarenessPhishingDoes your Incident Response Plan include Phishing?
April 20, 2017 by Cofense in Phishing Defense CenterCyber Incident ResponsePhishingIt’s no secret that 90% of breaches start with a phishing attack. The question is: are you prepared to recognize phishing and respond to it? Many organizations are concerned with how much spam they receive and implement controls specific to spam. But you shouldn’t confuse preventing spam with responding to phishing attacks.
Wide-Spread Ursnif Campaign Goes Live
April 11, 2017 by Cofense in Phishing Defense CenterOn April 5th, our Phishing Defense Center received a flurry of emails with subject line following a pattern of Lastname, firstname. Attached to each email was a password-protected .docx Word document with an embedded OLE package. In all cases the attachments were password protected to decrease the likelihood of detection by automated analysis tools. A password was provided to the victim in the body of the email which attempts to lure the victim into opening the malicious attachment and to increase the apparent legitimacy of the message.
W-2 Fraud – Tax Season and All Year Long
April 4, 2017 by Cofense in Phishing Defense CenterIt’s the time of year when Taxes are on everyone’s mind – especially Phishers! The stress of filing. The stress of gathering all the documents. The stress of reporting. The stress of the deadline. All of that on top of everything else you have to do this time of year makes tax time phishing a favorite and highly successful annual event for phishing scams. However, once the filing is completed, it doesn’t mean the campaigns will stop. W2 and CEO fraud are timeless phishing campaigns that run all year long.
Tales from the Trenches: Loki Bot Malware
March 23, 2017 by Cofense in Phishing Defense CenterOn March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. And, an added bonus unknown to the receiver, the emails also contained a malicious attachment designed to siphon data from its targets. Included is an example of one of these emails along with basic Triage header information. Each email analyzed contained instructions...