Babylon RAT Raises the Bar in Malware Multi-tasking
May 15, 2019 by Aaron Riley in Threat Intelligence
CISO Summary
Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense Intelligence™ has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DoS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud.
Full Details
Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is...
The Cofense Phishing Defense Center Sees Threats That Most Don’t
May 8, 2019 by Marcel Feller in Cyber Incident Response, SEG Misses
The Cofense™ Phishing Defense Center™ analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see.
Here’s a Real Example Involving Compromised Email Accounts
A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization. In fact, they utilized a technique known...
Flash Update: Emotet Gang Distributes First Japanese Campaign
April 15, 2019 by Cofense in Threat Intelligence
Cofense Intelligence™ has identified yet another change in Emotet’s behavior, this time distributing a campaign targeting Japanese-speaking recipients. The messages, which reference potentially overdue invoices and the payments thereof, deliver a macro-laden document, as per Emotet’s modus operandi. Figure one shows an example email from this campaign. Diversifying their target base is the latest link in an ever-lengthening chain of updates and refinements being pushed by the actors behind Emotet. The targets in this campaign include Japanese academic institutions, demonstrating a keen interest in Emotet securing a presence in such networks worldwide.
Appendix: Subject Lines
特別請求書 (“Special invoice”)
三月發票 (“March invoice”)
確認して承認してください。 (“Please confirm and approve.”)
請查看和 批准。 謝謝。 (“Please review and approve. Thank you.”)
...
Emotet Gang Switches to Highly Customized Templates Utilizing Stolen Email Content from Victims
April 9, 2019 by Jason Meurer in Threat Intelligence
Beginning the morning of April 9th, the Emotet gang began utilizing what appears to be the stolen emails of their victims. It was noted back in October of 2018 that a new module was added that could steal the email content on a victim’s machine. Up until now, no evidence of real widespread use was seen. This marks a major evolution in the way Emotet works.
This ‘Broken’ File Hides Malware Designed to Break Its Targets
April 2, 2019 by Max Gannon in Threat Intelligence
CISO Summary
Cofense Intelligence™ has identified a phishing campaign with a malicious attachment containing a “broken” file that actually works, in all the wrong ways. Under certain conditions, the file weaponizes in the target environment after evading both automated and manual analysis. The “break” is the lack of a file header, engineered to fool analysts into thinking the attachment is harmless, the work of threat actors too clumsy to be taken seriously. The headless file only appears when you open the attachment or use special programs in attempting to extract it. The campaign tries to exploit a common problem: information...
Emotet Update: New C2 Communication Followed by New Infection Chain
March 26, 2019 by Cofense in Threat Intelligence
CISO Summary
On March 15, Cofense™ Research reported that the Emotet botnet is changing the way it communicates, in a likely attempt to evade malware detection. Since then, Cofense Intelligence™ has seen the same trend: Geodo-Emotet isn’t relying on cookies to make certain requests, instead performing HTTP POSTs to what seems to be the C2. Baking requests into cookies is a time-honored and easily detected pattern of behavior. Switching this up makes it harder to see when the malware is calling home. Moreover, Geodo-Emotet is now using a new infection chain, utilizing JavaScript files as droppers instead of macro-packed Office...
This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware
March 20, 2019 by Cofense in Threat Intelligence
CISO Summary
Cofense Intelligence™ reports that threat actors have spoofed a CDC email—this one warns of a flu epidemic—to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections of recent GandCrab versions, through version 5.1. The fake CDC email contained version 5.2, which renders the decryptor tool ineffective. Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates. GandCrab is the last of the infamous “ransomware as a service” threats....
Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication
March 15, 2019 by Cofense in Threat Intelligence
We are currently noticing a change in the way that the Emotet botnet, specifically the epoch 1 variant, is communicating with the C2. In past versions, the client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s. The URIs contacted contain variable words in the paths. We are seeing form data passed with a name variable and data. This change will break researchers as well as certain detection technologies while they...
‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future
March 12, 2019 by Aaron Riley in Threat Intelligence
CISO Summary
Cofense Intelligence™ has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan. Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns. Technical controls can help combat this threat,...
Phish Found in Proofpoint-Protected Environments – Week Ending August 23, 2020
August 27, 2020 by Cofense in Phishing, Proofpoint, SEG Misses
Avaddon Ransomware Joins Data Exfiltration Trend
August 25, 2020 by Cofense in Phishing
Humans and Machines – Phishing Mitigation Automation SOARing to New Heights
August 25, 2020 by Cofense in Phishing
Phish Found in Proofpoint-Protected Environments – Week Ending August 16, 2020
August 19, 2020 by Cofense in Phishing, Proofpoint, SEG Misses
Phish Found in Proofpoint-Protected Environments – Week Ending August 9, 2020
August 12, 2020 by Cofense in Phishing, Proofpoint, SEG Misses
Phish Found in Proofpoint-Protected Environments – Week Ending August 2, 2020
August 7, 2020 by Cofense in Phishing, Proofpoint, SEG Misses
Twitter Announces Hackers Gained Access via Phishing Attack
July 31, 2020 by Cofense in Internet Security Awareness, Phishing
GuLoader Rises as a Top Malware Delivery Mechanism in Phishing
July 31, 2020 by Cofense in Phishing, Threat Intelligence
Does your Incident Response Plan include Phishing?
April 20, 2017 by Cofense in Phishing Defense Center, Cyber Incident Response, Phishing
It’s no secret that 90% of breaches start with a phishing attack. The question is: are you prepared to recognize phishing and respond to it? Many organizations are concerned with how much spam they receive and implement controls specific to spam. But you shouldn’t confuse preventing spam with responding to phishing attacks.
Wide-Spread Ursnif Campaign Goes Live
April 11, 2017 by Cofense in Phishing Defense Center
On April 5th, our Phishing Defense Center received a flurry of emails with subject lines following the pattern “Lastname, Firstname”. Attached to each email was a password-protected .docx Word document with an embedded OLE package. In all cases the attachments were password protected to decrease the likelihood of detection by automated analysis tools. The password was provided to the victim in the body of the email, which attempts to lure the victim into opening the malicious attachment and to increase the apparent legitimacy of the message.
W-2 Fraud – Tax Season and All Year Long
April 4, 2017 by Cofense in Phishing Defense Center
It’s the time of year when taxes are on everyone’s mind – especially phishers’! The stress of filing. The stress of gathering all the documents. The stress of reporting. The stress of the deadline. All of that on top of everything else you have to do this time of year makes tax time a favorite and highly successful annual event for phishing scams. However, once the filing is completed, it doesn’t mean the campaigns will stop. W-2 and CEO fraud are timeless phishing campaigns that run all year long.
Tales from the Trenches: Loki Bot Malware
March 23, 2017 by Cofense in Phishing Defense Center
On March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. As an added bonus unknown to the receiver, the emails also contained a malicious attachment designed to siphon data from its targets. Included is an example of one of these emails along with basic Triage header information. Each email analyzed contained instructions...