Figure 6: Global heatmap of C2 sources. Darker shades reflect more IP addresses.

Finished Intelligence: Topics and Trends

Throughout Q3 2022, Cofense Intelligence performed in-depth analysis on various threats to provide you with a strategic understanding of the phishing threat landscape and notify you of sudden or upcoming developments. Below, we summarize finished intelligence reports and flash alerts that Cofense Intelligence produced on notable topics and trends identified during this period. Along with these, Cofense Intelligence customers will also find a brief overview of the highlights among Cofense Intelligence product updates for the first half of 2022!

The Tactics of a Prolific Phishing Campaign Abusing Dropbox

During August and September of 2022, Cofense observed an effective credential phishing campaign abusing Dropbox and reaching end users across many industries. The threat actor(s) behind the campaign have put in a considerable amount of effort to increase the chances of successfully stealing the email login credentials of enterprise users. By utilizing various tactics, techniques, and procedures (TTPs), the phishing emails have been very successful at reaching inboxes. These phishing emails reached inboxes in August at a volume far exceeding that of any other campaign Cofense has seen effectively abuse Dropbox this year. However, monthly volume from this phishing campaign has been inconsistent, dropping drastically from August to September.

Credential Phishing Targeting Government Contractors Evolves Over Time

Threat actors are running a series of campaigns spoofing several departments of the United States government. The emails claim to request bids for government projects but lead victims to credential phishing pages instead. These campaigns have been ongoing since at least mid-2019 and were first covered in our Flash Alert in July 2019. These advanced campaigns are well crafted, have been seen in environments protected by secure email gateways (SEGs), are very convincing, and appear to be targeted. They have evolved over time by improving the email contents, the PDF contents, and the appearance and behavior of the credential phishing pages.

Snake Keylogger – Phishing Malware Baseline

Snake Keylogger, a staple in the phishing threat landscape throughout 2021 and 2022, is a keylogger written in .NET. It can monitor a user’s keystrokes, scan applications to steal saved credentials, and exfiltrate this data through a variety of protocols. Although it is not as popular as other malware families such as FormBook or Agent Tesla, it does maintain a significant presence, and its usage is increasing. In this report, we take an in-depth look at Snake Keylogger, including background information, Snake Keylogger’s capabilities, its behavior observed in the wild, and some characteristics that can help with mitigation.

Top Domain Names in Evasive Credential Phishing Attacks

A domain name is an essential part of a malicious URL used in a credential phishing attack. Following on our research into the most-used top-level domains (TLDs) in credential phishing threats, we analyzed recent data to look for trends in full domain names. We found that no single domain name appeared in more than a relative handful of campaigns. The only domain names that are both consistently reused by threat actors and consistently reach inboxes are those that belong to legitimate, implicitly trusted services.

DocuSign-Spoofing Campaign Heavily Targets Executives

Cofense Intelligence has identified an ongoing credential phishing campaign that spoofs DocuSign and has bypassed secure email gateways. Through initial collaboration with Cofense Intelligence customers and subsequently with the Cofense Phishing Defense Center (PDC), we determined that the campaign was almost exclusively targeting executive-level employees, primarily CFOs.

An Introduction to Phishing Malware Types

This Cofense Intelligence report is part of a small group of reports that are intended to provide introductory understanding of the phishing threat landscape. With very few exceptions, the malware that Cofense Intelligence finds being delivered through phishing campaigns generally falls into one of the following malware types: Banker, Information Stealer, Keylogger, Loader, Ransomware, and Remote Access Trojan (RAT). These malware types are important to track because they can provide valuable insight into the landscape. For example, Information Stealers becoming more common than Keyloggers in 2021 could provide some indication of a shift in focus on the part of the threat actors. In this report, we explain each of the types, some of the challenges they present, how they apply, and why using them is valuable.

Projections for Q4 2022 and Beyond

QakBot Still the Malware Family to Watch, with Version 5 and New Tricks.

QakBot continues to be the top malware family seen in phishing emails reported to the Cofense Phishing Defense Center from users in environments protected by SEGs. The success rate of the phishing emails reaching enterprise inboxes can be attributed to the use of hijacked email threads and embedded URLs, among other TTPs that are known to aid in bypassing security. In late Q3, threat actors using the new version 5 of QakBot have been seen making several changes to their phishing tactics. The most notable new tactic employs attached malicious HTML files to deliver the payload. This new tactic does not utilize an embedded payload URL or redirect URL, as is typical of most malicious emails delivering via HTML file attachments. Instead, the malicious payload is hardcoded into the HTML file and dropped when the HTML is executed inside the browser. This makes the delivery mechanism versatile (since every browser can read and execute HTML files) and stealthy (since the HTML file drops the payload locally without having to reach out to an external resource). QakBot continues to evolve defensive mechanisms against malware analysis, and phishing emails delivering QakBot continue to successfully reach inboxes. This makes QakBot the malware family to continue to watch as we enter Q4 2022, especially since a successful QakBot infection can lead to more costly threats like ransomware.

Other Malware Delivery Campaigns Copycatting Successful Tactics of QakBot.

Threat actors are known for collaborating, sharing, or even just taking successful ideas from others in their practice. One way this is apparent is that successful TTPs used in phishing campaigns entering the wild tend to emerge in other campaigns later on. During Q2 and continuing into Q3, phishing campaigns delivering QakBot started using malicious HTML attachments as the first step of the infection chain in their highly successful and prolific phishing emails. Since this tactic emerged at such a large scale and had success reaching end users, other malware campaigns have been seen utilizing this tactic. Campaigns using malicious HTML files to download archives have emerged, delivering a variety of information stealers and RATs, most notably including a large NetSupport Manager RAT campaign. We anticipate that this type of TTP will continue to be adopted by other malware delivery campaigns due to its versatility, stealth, and success in reaching inboxes protected by SEGs.
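The two sections above describe the same delivery trait from a defender's point of view: the payload is hardcoded inside the HTML attachment, decoded by script in the browser, and written to disk as an archive without any outbound fetch. The following triage script is an added example (not Cofense tooling and not code from any of the campaigns described) that flags HTML attachments showing that combination. It is heuristic: it looks for large inline base64 literals, the browser idioms that turn such a literal into a local file download, and the absence of external URLs. The 1 KiB blob threshold, the "two dropper idioms" verdict rule, and the sample attachments are assumptions constructed for the example; the smuggling sample embeds a harmless placeholder ZIP built in memory.

```python
"""Heuristic triage of HTML email attachments for inline (smuggled) payloads.

Added example for illustration. Flags the traits described in the report: a
payload hardcoded into the HTML, decoded and dropped by script in the browser,
with no external resource fetched. Thresholds and samples are assumptions.
"""
import base64
import io
import re
import zipfile
from dataclasses import dataclass, field

# Browser idioms that turn an inline string into a locally written file.
DROPPER_PATTERNS = {
    "atob_decode": re.compile(r"\batob\s*\("),
    "blob_object": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*="),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "char_unescape": re.compile(r"\b(?:unescape|String\.fromCharCode)\s*\("),
}

# Inline base64 runs of at least 1024 characters (assumed triage threshold).
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Magic bytes of containers commonly dropped this way; extend as needed.
KNOWN_MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\x1f\x8b": "gzip"}


@dataclass
class TriageResult:
    indicators: list[str] = field(default_factory=list)
    embedded_blobs: list[tuple[int, str]] = field(default_factory=list)  # (size, type)
    external_urls: int = 0

    @property
    def suspicious(self) -> bool:
        # Verdict rule (assumed): a sizeable inline blob plus two or more dropper idioms.
        return bool(self.embedded_blobs) and len(self.indicators) >= 2


def guess_type(data: bytes) -> str:
    """Identify the decoded blob by its leading magic bytes."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_html(html: str) -> TriageResult:
    """Score one HTML attachment; nothing is executed, only pattern-matched."""
    result = TriageResult()
    for name, pattern in DROPPER_PATTERNS.items():
        if pattern.search(html):
            result.indicators.append(name)
    for match in B64_LITERAL.finditer(html):
        literal = match.group(0)
        try:
            # Re-pad so a literal cut short by surrounding markup still decodes.
            decoded = base64.b64decode(literal + "=" * (-len(literal) % 4), validate=True)
        except ValueError:
            continue  # not real base64 (e.g. a long hex or token string)
        result.embedded_blobs.append((len(decoded), guess_type(decoded)))
    result.external_urls = len(URL_PATTERN.findall(html))
    return result


def build_sample_archive() -> bytes:
    """Constructed, harmless ZIP standing in for a smuggled archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed placeholder payload\n" * 64)
    return buf.getvalue()


SAMPLE_ZIP = build_sample_archive()
SAMPLE_B64 = base64.b64encode(SAMPLE_ZIP).decode()

# Constructed attachment resembling the inline-drop pattern (benign payload).
SMUGGLING_SAMPLE = f"""<html><body>
<p>Your document is being prepared...</p>
<script>
var data = "{SAMPLE_B64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "document.zip";
link.click();
</script>
</body></html>"""

# Constructed ordinary HTML attachment: links out, carries no inline blob.
BENIGN_SAMPLE = """<html><body>
<h1>Monthly newsletter</h1>
<p>Read the full issue at <a href="https://example.com/newsletter">our site</a>.</p>
<img src="https://example.com/banner.png" alt="banner">
</body></html>"""


if __name__ == "__main__":
    for label, sample in (("smuggling sample", SMUGGLING_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        r = triage_html(sample)
        print(f"{label}: suspicious={r.suspicious} indicators={r.indicators} "
              f"blobs={r.embedded_blobs} external_urls={r.external_urls}")
```

The script reports the decoded blob's size and container type so an analyst can tell an inline archive drop (the QakBot and NetSupport cases above) from an HTML attachment that merely links to a remote page, and `external_urls == 0` alongside a large blob is the "no outbound fetch" signature the report highlights. It is a triage aid, not a verdict engine: obfuscated scripts that assemble the payload from chunks or hex will not match the base64 regex, so in production the same checks belong beside a sandbox that observes the actual file write.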

Emotet is Missing, What’s Next?

At the beginning of Q3, we continued to see large volumes of Emotet emails, until about mid-July, when Emotet phishing activity ceased. Following a spike in Emotet C2 traffic observed by Cofense on Oct. 10, 2022, it is plausible that Emotet itself will recommence sending malicious emails at some point in the coming quarter. However, for as long as this lull lasts, other malware families have an opportunity to step in and fill the void. With the high-volume return of QakBot in late Q3, along with its continual evolution of analysis evasion and TTPs, we may see a significant increase in QakBot volumes across Q4 to make up for the current lack of Emotet distribution.