Top Malware Trends of March Cofense Phishing Defense Center (PDC)

April 13, 2023

The Cofense Phishing Defense Center (PDC) analyzes emails on behalf of enterprise customers across the globe, in various industries, who are bombarded with phishing attacks delivering malware. To help keep up with evolving tactics and top ongoing threats affecting real customers, the PDC has created a breakdown of the top five malware families we have seen across the Managed Phishing Detection and Response (MPDR) customer base over the past thirty days.  

Top Malware Families in March: 

1. QakBot – QakBot is a modular banking trojan with worm-like features that enable it to propagate across a network. Once installed, it uses a man-in-the-browser technique to harvest credentials. The campaigns delivering QakBot re-use legitimate emails to deliver ZIP files containing a malicious Word document. 

  • Subject: Emails delivering QakBot this month were mostly replies or forwards of previous emails, so the subjects varied.  
  • Attachment: QakBot was delivered predominantly as an attached HTML file.  
  • Behavior: The HTML file pulls a .JS file, which launches PowerShell to pull DLLs and continue the attack.  
  • Brand: RE: / FWD: / Replies  
  • Infection Chain:  

QakBot Infection Chain

2. Emotet – Emotet is a banking trojan sharing some similarities with Dridex, Cridex and other derivatives of the same codebase. When the trojan is executed, it establishes a connection with its C&C server to obtain email addresses and message bodies, then starts sending out messages, further spreading the malware. The core functionality of the Emotet trojan lies in its ability to collect sensitive information from infected machines and their users. 

  • Subject: Subjects of emails delivering Emotet this month were mostly forwards of previous email threads, so their content varied. 
  • Attachment: Emotet was delivered almost exclusively inside a password-protected ZIP attached to the email.  
  • Behavior: The malicious Word document contains macros that download the DLL files needed to continue the attack.  
  • Brand: RE: / FWD: / Replies 
  • Infection Chain:  

Emotet Infection Chain

3. Remcos – Remcos was originally a remote desktop connection tool that has since been repurposed as a remote access trojan capable of taking control of a user's system. Its chief capabilities include keylogging, information stealing, and audio/visual monitoring. 

  • Subject: Emails delivering Remcos were mostly sent via website contact forms.  
  • Attachment: Remcos was delivered as a URL instead of an attachment this month.  
  • Behavior: A compressed file (.ZIP or .RAR) contains an EXE disguised as a legitimate program; when executed, it runs in the background like a typical RAT.  
  • Brand: German / Contact Form  
  • Infection Chain:  

Remcos Infection Chain

4. Mekotio – This trojan targets South American users and downloads its payload using various methods. The current campaign focuses on Spain. After running, it downloads a ZIP file containing a JS file, a DLL, and an AHK script. The JS uses AutoHotKey (AHK) to run the DLL, which is the main Mekotio payload. A new variant of Mekotio uses a DLL side-loading technique: DLLs belonging to legitimate applications are run, and these in turn load Mekotio. 

  • Subject: Typically, emails delivering Mekotio were made to look like electronic invoices for various goods.  
  • Attachment: Mekotio was delivered using a URL rather than an attachment this month.  
  • Behavior: An MSI file made to look like a legitimate software installer actually contains an EXE that, when run, fetches the supporting AHK scripts.   
  • Brand: Invoice / Brazil  
  • Infection Chain:  

Mekotio Infection Chain

5. Agent Tesla – This information stealer is known for monitoring browser activity to steal banking information and exfiltrates the data through various methods. The most recent variants use SMTP to send data through Tor, Telegram, and mail servers under the control of the threat actor. 

  • Subject: Subjects used in emails delivering Agent Tesla were made to look like POs or RFQs.   
  • Attachment: Agent Tesla's initial delivery is done using a URL instead of an attachment. 
  • Behavior: A compressed archive (7z or TAR/TGZ) contains an EXE that, when executed, functions as a RAT using Telegram or Tor server connections.  
  • Brand: PO / RFQ  
  • Infection Chain:  

Agent Tesla Infection Chain

Summary: 

This month saw a large increase in QakBot along with the return of Emotet. Looking at past trends, it is reasonable to expect that we will continue to see high volumes of QakBot and Emotet. The use of HTML attachments to deliver both malware and credential phishing exploded during the month of March; we recommend reviewing the security practices that allow HTML attachments to reach your users from external sources. While Ursnif was prominent in February, the PDC has seen a decrease this month, along with decreases in Agent Tesla and Mekotio. The PDC will continue to watch the evolution of these threats as they change and deal with situations as they arise. 
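The recommendation above, to review how HTML attachments from external senders are handled, and the delivery patterns listed for QakBot (HTML attachment, reply-chain subject) and Emotet (password-protected ZIP wrapping the payload) can be turned into a simple mail-gateway triage check. The following is an added example written for this page, not Cofense code or PDC tooling. It assumes `INTERNAL_DOMAINS` holds the defender's own mail domains, and every message and archive it inspects is constructed inline; because Python's `zipfile` cannot write encrypted archives, the password-protected fixture is produced by setting the encryption flag bit in an ordinary archive's central directory, which is the same bit a real password-protected ZIP carries and which can be read without a password.

```python
"""Triage inbound mail for the delivery patterns in this report (added example)."""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example.com"}  # assumption: your organisation's mail domains
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar", ".tgz")
EXEC_EXTS = (".exe", ".dll", ".js", ".msi", ".ahk")


def zip_info(data: bytes) -> tuple[bool, list[str]]:
    """Return (any member password-protected, member names) for a ZIP payload.

    Bit 0 of each member's general-purpose flag marks encryption; the central
    directory that carries it is readable without the password.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            return any(i.flag_bits & 0x1 for i in infos), [i.filename for i in infos]
    except zipfile.BadZipFile:
        return False, []


def triage(raw: bytes) -> list[str]:
    """Return sorted finding codes for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    external = sender.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    findings = set()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        is_html = name.endswith((".html", ".htm")) or part.get_content_type() == "text/html"
        if external and is_html:
            findings.add("external_html_attachment")
        if name.endswith(".zip"):
            encrypted, members = zip_info(data)
            if encrypted:
                findings.add("encrypted_zip")
            if any(m.lower().endswith(EXEC_EXTS) for m in members):
                findings.add("executable_in_zip")
        elif name.endswith(ARCHIVE_EXTS):
            findings.add("archive_attachment")
    subject = msg.get("Subject", "").strip().lower()
    # A reply-style subject is weak on its own; only record it next to a stronger finding.
    if findings and external and subject.startswith(("re:", "fw:", "fwd:")):
        findings.add("reply_chain_subject")
    return sorted(findings)


def make_zip(members: dict[str, bytes], encrypted: bool = False) -> bytes:
    """Constructed fixture. For encrypted=True the encryption flag bit is set in
    every central-directory header after writing; the data itself stays plain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    data = bytearray(buf.getvalue())
    if encrypted:
        pos = data.find(b"PK\x01\x02")          # central-directory header signature
        while pos != -1:
            data[pos + 8] |= 0x01               # general-purpose flag, bit 0
            pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


def build_message(sender: str, subject: str, attachments: dict[str, bytes]) -> bytes:
    """Constructed sample message with the given attachments."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    for name, body in attachments.items():
        maintype, subtype = ("text", "html") if name.endswith(".html") else ("application", "octet-stream")
        msg.add_attachment(body, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def sample_html_lure() -> bytes:
    """Constructed: external sender, reply-style subject, HTML attachment."""
    return build_message("someone@vendor.example", "RE: Document",
                         {"document.html": b"<html><body>placeholder</body></html>"})


def sample_protected_zip() -> bytes:
    """Constructed: external sender, password-protected ZIP holding an .exe name."""
    return build_message("someone@vendor.example", "FW: Invoice",
                         {"invoice.zip": make_zip({"invoice.exe": b"placeholder"}, encrypted=True)})


def sample_internal_report() -> bytes:
    """Constructed: internal sender, plain ZIP of a text file; should be clean."""
    return build_message("hr@example.com", "Monthly report",
                         {"report.zip": make_zip({"report.txt": b"ok"})})


if __name__ == "__main__":
    for build in (sample_html_lure, sample_protected_zip, sample_internal_report):
        print(build.__name__, triage(build()))
```

Run at a gateway or in a SOAR playbook, `triage()` would be fed the raw message and its findings mapped to a quarantine or user-warning action; the sender-domain check is deliberately simple and would normally be replaced by the gateway's own internal/external classification.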

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 
   
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.