On July 13, 2017, the Phishing Defense Center reviewed a phishing campaign delivering Hawkeye, a stealthy keylogger, disguised as a quote from the Pakistani government’s employee housing society. Although actually a portable executable file , once downloaded, it masquerades its icon as a PDF.
A ransomware victim must have a compelling reason to go through the burdensome process of obtaining Bitcoin and paying the ransom. For many victims, the threat of permanently losing access to their files is enough. However, some ransomware authors and criminals seek to push victims harder by raising the stakes even further.
A key part of phishing threat actors’ mission is to create email narratives and leverage malware delivery techniques that reduce the likelihood of detection. By combining compelling social engineering with seemingly benign content, threat actors hope to bypass technical controls and to convince their human victims of a phishing email’s legitimacy. One method with a long history of use is the abuse of Google Docs file sharing URLs to deliver malware content to victims. Because Google Docs and other cloud services may be trusted within an enterprise, threat actors will continue to abuse file sharing services to possibly bypass firewalls and anti-virus technologies.
For the second time in as many months, networks around the world have been attacked using a worming ransomware that gains new infections by exploiting a recently-patched Windows SMB vulnerability among other proven techniques. What has been described a ransomware bearing significant similarities to the Petya encryption ransomware ravaged numerous companies and networks around the world with disproportionate impact in Ukraine and Eastern Europe but also inflicted harm to significant numbers of victims in Western Europe and North America.
The Zyklon HTTP Botnet malware is a tool that is readily accessible to threat actors in online criminal marketplaces and has been observed in use for various criminal activities. Among its features is the ability to log the keystrokes typed by a victim as well as to collect other private or sensitive information, and one of the most notable uses for Zyklon has been as a downloader and delivery tool for the Cerber encryption ransomware. Over a dozen unique campaigns to deliver this malware have been identified and reported by PhishMe Intelligence and it represents one of the most rapidly-growing constituents on the threat landscape. Each time the Zyklon malware is identified, it has followed a relatively-straightforward and mainstream method for infecting victims. With only one exception, Zyklon has been delivered using Microsoft Word documents with hostile macro scripting used to deliver the botnet malware payload.
The TrickBot financial crimes and botnet malware has seen mild usage since its introduction in late 2016. While it is able to emulate many of the features that made the Dyre trojan so successful, many aspects of its deployment left it rough around the edges. Examples of this roughness like persistence via a scheduled Windows task named “Bot” limited this malware’s evasion and anti-forensic capabilities. Furthermore, previous deliveries leveraged relatively simplistic techniques such as relying on executables in archives attached to phishing emails securing new infections. However, with some very minor refinements to both the malware resident and delivery processes, threat actors have evidenced a renewed drive to explore the possibilities this malware tool has to offer. The exploration of malware technologies and delivery processes are both trends that have been previously addressed in PhishMe® reporting and, as threat actors continue to turn to commoditized delivery methods, will continue to evolve.
TrickBot is a robust financial crimes and botnet trojan that shares a number of characteristics with the infamous Dyre banking trojan. Despite sharing similar functionality, TrickBot is an approximation of Dyre, not an exact copy. While this extends to the theft of online banking credentials, this botnet tool is flexible enough to provide threat actors with the ability to adapt and customize their intrusion based on information collected about machines infected by TrickBot.
One of the most tenacious and recurring delivery methodologies featured within the current threat landscape is the combination of PDF documents with an embedded Microsoft Word document. This document in turn contains macro scripting used to download and deobfuscate an XOR-ciphered executable payload. A number of current top-tier malware varieties have been deployed using this methodology. Criminals delivering the Jaff encryption ransomware and before it the Locky encryption ransomware both harnessed this technique as have the Dridex threat actors. This technique is popular because it provides some advantages over using a PDF or Word document with macros alone. The first and most obvious is the appearance it presents to its recipients. While awareness of Word documents with macros has proliferated in recent years due to its prolific use in phishing attacks, by adding just one step, unprepared users can be convinced to engage with the infection method.
Figure 1 – PDF reader requests permission to extract and open a Word document as seen with Jaff, Locky, and Dridex
This technique has now been employed as a means of delivering the TrickBot malware along with a renewed use of standalone Office documents with macro scripting. The phishing emails delivering these infection utilities featured no message content, no narrative, and in some cases, no subject line. This employs a different social engineering technique that, rather than relying on persuasive argumentation, appeals to the recipient’s curiosity.
|Attachment Filename||MD5 Hash|
Figure 2 – Example indicators from campaigns using this attack method
However, this renewed threat actor utilization also brings a very subtle refinement to the overall polish of the TrickBot deployment intended to improve its rate of successful infection as well as its likelihood to persist undetected on infected endpoints. The TrickBot malware relies on a Windows Task to ensure its persistence within infected environments. This task is defined by an XML file written to disk after TrickBot is initially run. Early examples of this persistence task were named “Bot” and would show up as such during audits of system tasks. However, this most recent iteration of task from “Bot” to the much less obvious “services update”. While this refinement may seem insignificant, it portends a much more serious approach on the part of the threat actor. One of these two filenames would look entirely out of place within an infected environment while the latter would be more reasonable–perhaps reasonable enough to escape detection.
Figure 3 – An excerpt from the “services update” Windows task
This renewed interest and exploration into distribution of the TrickBot malware comes with a handful of refinements in delivery and persistence. By harnessing a successful distribution methodology and refining their persistence mechanism, criminals using TrickBot are attempting to take their success using this botnet malware to another level. The challenge for security professionals is to develop a comprehensive defense against these improvements. The best approach is to combine tactical observations and atomic indicators with a strategic view of threat actors’ goals. Ultimately, defenders should not focus on just one attack vector or malware tool, but instead should anticipate the strategy threat actors use to accomplish their mission. In many cases, this mission is predicated upon the success of phishing emails.
Understanding how attackers craft and deploy these emails allows an organization to prepare and empower the email users within their organization. These users can then engage critically with those messages and, when a suspicious email is detected, report it to the security and incident responders defending the enterprise. These internal reports can then be compared to and combined with external sources to help network defenders overcome threats at a tactical level and apply those tactics as part of a greater strategy to overcome any phishing threat.
Learn about emerging trends and evolving threats in phishing malware with PhishMe’s Q1 Malware report, click here to download.
Beginning today, we’re offering a complimentary, computer-based training module covering the European Union’s recent General Data Protection Regulation (GDPR) as part of our PhishMe CBFree™ package to help support companies throughout the UK and Europe that are required to comply.
One important task for threat actors is the pursuit of new and innovative techniques for infiltrating their victims’ networks. A major aspect of this pursuit is the selection of a malware that can accomplish the mission at hand. For example, a ransomware threat actor may seek out the ransomware tool that guarantees the highest rate of ransom payment. However, threat actors with different missions might seek out tools using different success criteria. Threat actors can experiment and transition between these tools because, in many ways, these malware varieties represent interchangeable parts in an attack life cycle.
The WannaCry ransomware incident has galvanized global media coverage and dominated discussion among information security professionals since Friday, May 12. The speed with which this malware was able to spread within enterprise networks and how rapidly so many large organizations were impacted is unsettling. Yet, as the dust begins to settle, it is clear that this episode has left a number of lessons in its wake–lessons to be harnessed by defenders and their adversaries.
While this attack is an expansive topic that will continue to evolve as more discoveries are made about the impact, origin, and spread of the WannaCry ransomware, it is also important to keep in mind that WannaCry is one of three major incidents to arise in the past month. Lessons provided by WannaCry are only deepened by the additional context of the fake Google Docs malicious cloud application incident of May 4, 2017 and the introduction of the Jaff encryption ransomware on May 11, 2017. First and most obvious, both Jaff and WannaCry show that the ransomware business model is far from obsolete. There is still a great deal of value to threat actors in holding data for ransom. Second, the novel attack vectors for WannaCry and the fake Google Docs cloud application show that innovation in leveraging new attack surfaces is happening among threat actors. The challenge for defenders is to internalize these revelations and develop an agile security posture that incorporates defense against existing risks and emergent attack vectors.
The explosive growth of ransomware in 2016 marked a dramatic shift in how many threat actors monetize phishing attacks. While certain ransomware tools were delivered using other mechanisms, tools like Locky and Cerber set the tone for the ransomware business model. These ransomware tools were delivered by massive numbers of phishing email to reach the largest number of victims. This business model has been once again put into action by the Jaff encryption ransomware following its debut just one week ago on May 11, 2017. However, the worm functionality demonstrated by WannaCry puts a unique spin on that model by reducing the infrastructure and resource expenditure necessary for the threat actor to maximize their ability to infect new hosts. The goal for both Jaff and WannaCry threat actors is still to reach as many victims as possible to maximize the number of potential ransom payments, lending credence to the notion that ransomware is far from obsolete as an avenue for online crime.
While the propagation mechanisms of the fake “Google Docs” application that made headlines on May 4, 2017 and the WannaCry ransomware worm differ dramatically, both show that virulence is an important aspect of their overall strategy. Furthermore, each of these incidents shows a significant level of innovation by harnessing relatively new attack vectors. The fake “Google Docs” incident took advantage of users’ reliance on cloud services to propagate while WannaCry leveraged a vulnerability only recently disclosed and made public. However effective these attacks were in their own right, the long-term impact will be the future attacks inspired by these innovations. Whether the payload is a ransomware or some other category of malware, threat actors are watching and learning from these attacks. Furthermore, neither innovation is exclusive of the use phishing email as a means for making a “first contact” with a victim as was the case with the fake “Google Docs” application. By combining these promising innovations with a tried-and-trusted attack vector, threat actors will continue to gain access to enterprise data and hold it for ransom.
The high profile events of the past month have provided some indication that threat actors are quickening the pace of innovation and looking to combine these innovations with existing attack models. Both phishing and the ransomware tools delivered via phishing emails have proven very successful for threat actors and continued use of both can be expected. However, as threat actors learn from events like those from the past month it can be expected that they will attempt to implement their own versions using creative re-combinations of these techniques to launch attacks of their own.
To anticipate and mitigate these new attack vectors, those tasked with defending enterprises must adapt their security posture to changing paradigms. It is important to ensure there are agile defense and response processes that incorporate protections for multiple attack surfaces and at various stages of the attack life cycle. This effort begins with the basics of regular patching and network hygiene. It also requires the anticipatory education and empowerment of email users to engage with messages critically and act on suspicions, reporting potentially-malicious emails to the enterprise’s defenders. These internal reports can then be compared to external observations and intelligence reporting to identify the most immediate risks to an organization. The threat landscape is evolving, but in the face of robust, holistic, and human-centered defense strategies, attackers can be overcome.
Learn why more than half of the Fortune 100 trusts PhishMe® for end-to-end phishing mitigation. Request a free demo today, no obligations, no software to install.
Over the past several days, the Phishing Defense Center identified and responded to several messages related to an ongoing phishing email campaign spoofing DocuSign to carry out an attack. These messages appear to be official DocuSign emails including links to review the document. Upon clicking the link, various malicious files are downloaded to the victim’s computer including the DELoader financial crimes malware.