Over the past weeks, the Phishing Defence Centre has observed several reports that pretend to come from an internal sender. While this impersonation tactic is not new, we have only recently observed an influx in emails used to deliver the Geodo botnet malware. Figure 1 demonstrates an example of an email we have received.
Emails in which the sender appears to be from someone you know and trust create some of the greatest threats to enterprise security. If they are familiar with the sender, victims are tricked into trusting a phishing email and are more likely to click on the link or open the attachment. Always verify the sender if things look suspicious. You should never click on links or open attachments from unknown senders. Remember: Things are not always as they seem.
Figure 1 – Example Impersonation Email
These phishing emails were crafted to make it appear as if they originate from an internal source to build rapport and trust with the recipient. However, after investigating the email header, it becomes obvious that the email address is spoofed and that the message actually originates from djaozan(at)plataran[.]com, as shown in Figure 2.
Figure 2 – Email Header of Example Impersonation Email
The link (hxxps://dieterprovoost[.]be/Change-of-Address), provided in the email above, downloads a Word document (Recent money transfer details.doc) that contains a macro. Allowing this macro to run in that Word document will facilitate the download an executable file (fcOihu.exe) from one of the five payload domains (guysfromandromeda[.]com, materialstestingequip[.]com, lctn[.]org, promacksfarm[.]com, fourchamberforge[.]com).
Analysing a memory dump that was captured while the malware was running revealed seven command and control servers supporting the Emotet/Geodo botnet malware. This malware is a banking trojan and botnet malware that shares a history with the same codebase spawning the Cridex and Dridex botnet malware.
One of the most interesting features of this malware is its worm functionality that leads it to generate new phishing emails to propagate additional infections. Once this malware is in place on infected computers, it will obtain email addresses from its command and control hosts that it uses for destinations to which new phishing email is sent to further spread this malware.
Presented as internal communication, these phishing emails attempt to convince users they were sent from a trustworthy source and pose no risk. This is another example of how a holistic phishing defense strategy built upon empowering and preparing users to respond critically to phishing narratives is a critical element in an enterprise’s security posture.
Don’t ever miss another cyber threat – sign up for PhishMe® Threat Alerts today and receive fresh updates on new and emerging phishing and malware threats delivered straight to your inbox, completely free.
Indicators of Compromise (IOCs)
Malicious Word document
File name: Recent money transfer details.doc
File size: 139.26KB
Macro Payload URLs
Malicious Geodo executable
File name: fcOihu.exe
File size: 98.3KB
Geodo Command and Control hosts