New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

The Cofense Phishing Defense CenterTM  has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality. Threat groups like TA505 have been known to leverage Amadey botnet as recently as July 2019 to deliver secondary malware like FlawedAmmy (RAT) and email stealers.

Here’s how a typical attack works:

Figure 1: Infection chain

Figure 2: Email Body

The email body reports to be from the Internal Revenue Service (IRS) and claims that the recipient is eligible for a tax refund. The recipient is presented with a “one time username and password” and urged to click the “Login Right Here” button. As seen above in figure 1, the login button is an embedded Hyperlink and redirects to hxxp://yosemitemanagement[.]com/fonts/page5/. Here the recipient is presented with an IRS login page to enter the one-time password.

Figure 3: Infection Page 

Once the recipient is logged into the fake IRS portal they are informed that they have “1 pending refund” and asked to download a document, print and sign, then either mail it back or upload a copy to the portal. When the recipient clicks to download the document, a zip file called “” is presented, which contains a Visual Basic script dropper.

Fig 4. Obfuscated vbs Script

The VBScript is highly obfuscated and encrypted. For more details on how this VBScript was decoded, please take a look at the Cofense™ Labs detailed write-up, which can be found here.

At a high level, once executed the script decrypts itself at run time and drops an executable file called “ZjOexiPr.exe” in C:\Users\Byte\AppData\Local\Temp\. Once dropped it then proceeds to install the executable kntd.exe in C:\ProgramData\0fa42aa593 and execute the process.

Figure 5: Persistence 

The Amadey process installs itself in C:\ProgramData\0fa42aa593 and to maintain persistence it uses Reg.exe, a command line tool for editing the registry. Next the script issues the command “REG ADD “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders” /f /v Startup /t REG_SZ /d C:\ProgramData\0fa42aa593”

Figure 6: C2 channels

Amadey instantly beacons out to its command and control (C2) channels sending system diagnostic information back to the C2 server and awaits further instructions. Amadey connects out via HTTP on port 80 to multiple C2 servers.

Figure 7: Network Traffic

If we take a closer look at the HTTP traffic we can see that Amadey sends system information back to its C2 server.

From the values given we can infer that:

ID – Unique identifier of the infected system

VS – Version of Amadey

OS – Operating system

AV – Antivirus

PC – System name

UN – Username

Additional Analysis:

Cofense Labs takes this analysis a bit deeper to deobfuscate the malware. To learn more, check out the Lab Notes on this analysis:

Indicators of Compromise (IOCs):

Malware Artifacts

File  MD5 Hash Value 7f9a3244d23baed3b67416e32eb949bd
a4-155QFYXY.vbs 79d24672fff4c771830b4c53a7079afe
kntd.exe a046030e2171ddf787f06a92941d37ca

 Network Connections

hxxp://yosemitemanagement[.]com/fonts/page5/ 160[.]153[.]138[.]163
hxxp://ledehaptal[.]ru/f5lkB/index[.]php 78[.]40[.]109[.]187
hxxp://nofawacat[.]com/f5lkB/index[.]php 179[.]43[.]139[.]222
hxxp://Ip[.]hoster[.]kz 192[.]4[.]58[.]78



Cofense Resources

Cofense PhishMeTM offers a phishing simulation, “Tax Refund Notice –Amadey Botnet,” to educate users on the attack described in today’s blog.

89% of phishing threats delivering malware payloads analysed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe.

Remove the blind spot with Cofense ReporterTM—give users a one-click tool to report suspicious messages, alerting security teams to potential threats.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand current threats, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Is It Time to Rethink Your Phishing Awareness Program?

Part 1 of 2

As seen in Cofense’sTM 2019 Phishing Threat & Malware Review, threat actors innovate relentlessly. Technologies like secure email gateways (SEGs) can’t keep up. In fact, the vast majority of phishing emails verified by the Cofense Phishing Defense CenterTM are found in environments using SEGs.

With so many malicious emails making it past security controls, the human factor becomes decisive. This means your phishing awareness program needs to stay in fighting trim. In particular, it’s important to educate users on attacks that breach your perimeter, working with your SOC to focus on the most frequent threats.

If your program has been up and running for a few years, it may be time to rethink what you’re doing. Let’s start by looking at your threat profile and your program’s approach to communications.

Rethinking Your Threat Profile

If you conducted a risk profile in the past, consider revisiting your findings to see if they reflect both your internal environment and external threats. If your business has never done a risk profile, you should probably set a cadence to review your company’s risks.

Threat actors look at a lot of factors before targeting an attack, so your phishing awareness program should do the same. Privileged access users and high-risk business functions, geography, technical environment, adherence to compliance standards, and corporate communications and email style can all be used to launch a phishing attack.

One smart way to identify risks: review all Software as a Service (SaaS) applications. Because these applications use email to send, receive, and log communications, threat actors can easily leverage them to design attacks. Cofense CloudSeekerTM is a free tool that can help. It allows you to report on SaaS applications configured in your environment, including any provisioned without IT’s knowledge. CloudSeeker starts with a catalog of popular SaaS applications and checks each to see if a domain has been configured for use.

If your organization uses any well-known hosted services, remind your staff of the dangers of credential phishing and spoofed websites. Credential simulations are a good idea. You might also use newsletters or announcements to spread the good word. Speaking of which…

Rethinking Your Communications Approach

One of the keys to a successful phishing awareness program is a communications plan. You need to communicate regularly, including before and after each simulation.

Cofense PhishMeTM offers content to help you communicate better. You can use it to remind employees why they’re receiving email training in the first place, plus arm them with the information they need to be successful.

You can use a newsletter, for example, to educate employees on phishing emails that spoof brands like LinkedIn. For legal reasons, you shouldn’t spoof a brand in a simulation, but a newsletter post can warn users that some branded emails are fakes.

Also, embrace the power of “Thank you!” When users report an email and get an immediate response with a thanks, they’re more likely to report again. Users want to know what happens after they act. They also want to know what next steps, if any, they should take. Should they process that invoice? Can they post that purchase order or send it on for signature? Don’t keep them in the dark—communicate and pass out kudos.

In part 2 of this blog, we’ll look at rethinking your simulations. How can you make sure they’re helping to guard against real threats? Stay tuned.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Why Join Us at Cofense Submerge? Here’s What Attendees Say

Next month in Orlando we’ll be hosting CofenseTM Submerge 2019, our fourth annual user conference and phishing defense summit. As we wrap up each event, we ask attendees for feedback. What did they like best? Networking and hearing other customers’ experiences are always the top responses. As a former customer who now works at Cofense, I totally agree.   

Here are some of the answers we heard last year when we asked, “Why attend Submerge?” 

“Sharing ideas was tremendously helpful to me—having the opportunity to meet other people from a variety of industries doing the same thing that I do.” 

We’re all on this journey together, so the opportunity to meet industry peers is invaluable. If you’re new to getting your phishing defense program started, networking with peers can go a long way. If you’ve been running your program for a while and want to recharge it or find out about the latest in the phishing threat landscape, this is the place to get all that! You’ll be amazed how folks in different industries deal with the very same challenges. 

“I’ve taken tons of notes that will help me justify budget and take our program to the next level.” 

When you can take tidbits back to your boss, tips and tricks you can use immediately, that’s a good return on investment. Submerge 2019 offers nearly 30 sessions packed with practical information. Besides getting inspired about the future, you can apply what you learn right away. 

 “Substantive case studies provided by clients who had good program maturity.” 

Each year we hear from our attendees that they prefer sessions that are led by other customers. And when customers speak, we listen. This year, 80% of our sessions will be led by customers. The topics of our sessions this year range from phishing programs to technical incident response and threat intelligence. In most cases, the session leaders will be your peers, people that manage mature phishing defense programs. 

“Submerge is knowledge, security, and innovation.” 

This year’s sessions cover the gamut: trends in security awareness and incident response, a glimpse at our product road map, deep dives on topics like dealing with repeat clickers, and lots more. Not only do we have great sessions, but we have Kevin Mandia, FireEye CEO, providing insights into the incident response landscape.  

So, don’t just take our word for it—ask around and you’ll hear many more reasons to attend Cofense Submerge. Join us in Orlando, September 23-24!  


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. 

This Phishing Attacker Takes American Express—and Victims’ Credentials

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

Efficient Phishing Programs: 3 Common Problems and 1 Awesome Solution

By Kaustubh Jagtap

You hear it all the time. Teams tasked with improving phishing defense aren’t sure how many employees see, or even receive, the simulations they send.

It’s why CofenseTM has introduced the Cofense PhishMe Responsive Delivery™ capability in Cofense PhishMe™ Enterprise edition. This capability allows operators to send a phishing simulation only when targeted employees are actively using email. It also delivers the phishing simulation directly to the employee inbox, thereby bypassing any technical issues including gateway configuration changes and whitelisting complications. Additionally, having this capability adds another layer of automation to your phishing program, making it more effective and efficient to manage.

Following are 3 of the problems this new feature addresses. If you manage an anti-phishing program, these will surely sound familiar.

“Whitelisting really complicates delivery and reporting.”

Sometimes your email gateway is a blessing and a curse. Though it doesn’t catch every real phishing email, it’s configured to stop the majority—and in doing so occasionally also catches some of your simulations.

That’s a two-fold problem. Too often employees miss out on the chance to test their ability to catch a phish, which hurts your organization’s overall resiliency to phishing attacks.

Also, your anti-phishing program’s metrics get thrown off. Say you phish 500 employees. If 250 report the email and 250 fall susceptible, you wind up with a 1:1 ratio, which is pretty decent. But what if, thanks to whitelisting, 75 employees never got the email? Mathematically, your reporting is fine, but your employees’ true readiness will remain unclear.

 “We’re global, so scheduling is tough.”

We hear this one a lot. Eastern Time, Pacific Time, London, Tokyo, and Sydney times—when you want simulations to arrive when global employees are at work, scheduling can get complicated.

It’s one more thing to worry about, one more drain on your time. Running simulations across multiple time zones, cultures, and languages is daunting enough. Having to untangle time zones only adds to the headaches.

“If people aren’t on email when we send, we might miss them.”

Everyone is snowed under by emails these days. So when somebody isn’t on email for even a couple of hours, he or she may have 20 or 30 messages stacked up.

It’s easy for that person to miss the simulation you sent—the one you carefully crafted and scheduled, the one whose results you were eager to see. The teachable moment may have passed. If there’s no “evidence of life” on the email account, a simulation could be dead on arrival. Can you say “inefficient?”

The new Cofense PhishMe Responsive Delivery in Cofense PhishMe addresses these common delivery hassles. Give it a try! Don’t have it and interested? Learn more. 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites

Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example, Google Docs or Sharepoint. In this post, I’ll examine why and how threat actors are doubling down on this tactic.

First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh:

“The majority of phish seen in the wild in 2019 will live in historically ‘trusted’ sharing services like Google Docs, Sharepoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It’s difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be really slow about staying on top of this stuff. Traditional security tools (firewalls, anti-virus) have no insight into the files housed on these services. As a result, it is incredibly difficult to protect users against these phish hiding in plain sight.”

Why is file-sharing a target? Because users trust these services.

In a recent post on credential phishing threats, we referenced the cloud as an attack surface. One of the emotional triggers that a threat attacker will pull is trust. When users get an email pointing them to, say,  Dropbox, there’s a greater likelihood they will engage with the message. These services have become trusted brands, so it’s only natural for a threat actor to leverage them.

It’s difficult for email gateway controls to block messages that link to these cloud-based services. Because the file is hosted outside the organization’s perimeter, traditional security solutions such as firewalls or anti-virus don’t have visibility. Threat actors are well aware of this fact, which is why they’ve been so successful with these types of campaigns.

User interaction is related to the business process.

We often see threat actors use generic messages as shown in the example below. In it, you won’t find any brands that would make the user more likely to interact with the message. The likelihood of user interaction is related to the business process presented—easily shared files.

This particular organization has URL defense protections enabled. It has also added tags to the message to alert the user that it is potentially harmful, since it originated outside the organization. These additional defenses can be helpful, but they make it difficult for the user to assess if the URL is legitimate.

One thing you can do: focus your phishing defense program on current threats, like attacks that abuse file-sharing. Teach users to identify phishing emails that link to file-sharing sites and condition them to ask questions before replying, for example:

  • “Am I expecting to receive an invoice from the sender?”
  • “Does my job normally require me to process invoices from unknown sources?”
  • If yes, “Does our business process require the finance teams to validate that an invoice or purchase order is expected or legitimate?” This might be possible in a smaller organization where teams interact with each other more frequently, however, it’s most likely not the case in larger, more diverse organizations.

To repeat, as long as these types of attacks are successful, we will continue to see them near the top of the phishing charts.

View all 6 Cofense phishing predictions for 2019.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Here’s Proof that Corporate Board Members Want Stronger Phishing Defense

By Susan Mo

More and more, boards of directors are security decision-makers. One example: Cofense just published a case study on a company whose board lit a fire for a stronger phishing defense—and it’s paying dividends. 

This board took the lead in launching phishing simulations. 

A leading aviation company in my part of the world, Australia, has a highly public presence. Translation: any security issues would likely make headlines. So the board mandated an anti-phishing program. Using Cofense PhishMeTM, the company now runs phishing simulations to condition its employees to recognize and report phishing emails. 

The program is still in the early stages, but already the results are encouraging. User susceptibility to phishing emails has dropped by 10%. Moreover, the rate of users clicking on embedded links in emails has dropped by 9%. Further proof the program is not just effective but necessary: even members of the company’s security teams have fallen for simulations. 

And the best proof of all: “Our security teams are stopping attacks reported by employees,” said the General Manager of Technology and Innovation. Real users are helping to stop real phishing threats. 

For further details, view the full case study.

Cofense board reports show results and ROI. 

To make sure that boards and other leadership teams see results, Cofense provides free board reports to our customers. Cofense PhishMe customers can request a report from their dashboards or in Cofense Community. They’ll get an easy-to-read two-page summary of their program’s progress.

At a glance, each report shows susceptibility rates, rates of users reporting phishing, and the resiliency rate—that is, the ratio of users reporting emails to those that take the bait. A ratio of 1 reporter to 1 susceptible user is a good start. A rate of 5:1, for instance, would be very good. 

The reports also benchmark progress within a customer’s industry. If you’re in financial services, you can see how your anti-phishing compares to other Cofense financial customers. You can even zoom out to see a comparison covering over 20 major industries. 

One customer said their report gave them “the high-level ROI analysis our leadership needed.” It’s the kind of information security-minded boards require—and that security and awareness teams can use to justify budget. 

For a broader view of the role boards play in cyber-security, view this article in Forbes. 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  


Expect Credential Phishing to Continue Surging in 2019

“Hackers don’t need to break in, they only need to log in.” This was a quote mentioned at a conference I attended last December and which I repeated in an e-book Cofense™ recently published, 6 Phishing Predictions for 2019. My prediction was that hackers will continue to go full bore with credential phishing, emails that specifically ask for username and password.  

October may be over – but phishing attacks never stop. Here’s how to make security awareness successful all year round.

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here.

As October comes to a close, so too does National Cybersecurity Awareness month. But not so fast – Security Awareness isn’t just about October. It’s all year long and it never stops, it’s ever evolving.

I developed this four-part blog series during National Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2. Last week with focused on the alignment of the security awareness function with the organization. This week we’ll wrap up the series with some key findings published in the ISC2 Workforce Study. According to the report, lack of focus on security awareness is the top challenge for ensuring long-term security awareness program success.1

Figure 1, left and 2, right – Image source:

5 Ways to Bring Focus to Security Awareness Programs

As noted in the charts above, there are several reasons, all with fairly equal representation, as to why security awareness programs lack focus. I’m going to break down each of these reasons and explain how you can overcome that hurdle to bring more focus to your awareness programs.

  • Low security awareness among end users. This is a no-brainer. It’s important that security awareness programs are rolled out to everyone in the organization, not just select groups. While some programs start with training a few key groups to benchmark results, it’s important to get buy in to enroll the entirety of the organization to build resilience to attacks across all teams with on-going training.
  • Not enough skilled cybersecurity professionals available. This report cited end users – people – can lead to more security vulnerabilities*, so it’s no surprise to see that the security awareness function sits at the top of the chart as a much-needed area of expertise. Many organizations still assign this as a part time job function along with other security hats to wear, preventing focus. Instead, have a dedicated security awareness lead running the programs while working alongside other internal security professionals to ensure the programs remain well-rounded and effective.
  • Inadequate funding. Security awareness is a necessary and essential component to larger threat defense strategy and needs to be a budget priority in order to begin reducing your organization’s cybersecurity risk and building resiliency to today’s top threats. At some point, perimeter technologies will fail to stop a phishing attempt and it’s up to resilient, trained humans to recognize and report suspicious emails – thinking of this as a last line of defense is an area worth investing in.
  • Too much data to analyze. As more and more humans are enrolled and participating in security awareness program, that also means more data points to digest and analyze on the state of threat susceptibility, resilience, program participation and success. Identify and prioritize the key data sets needed to demonstrate the security posture of the organization and collaborate with security teams to report and analyze program trends to reflect changes in that security posture. This may include your organization’s phishing resilience and reporting rates, for example, compared with inflated metrics such as click rates or susceptibility rates.
  • Lack of management support/awareness. This is often one of the biggest hurdles in preventing a security awareness program from reaching its full potential and scope. Having management understand the necessity of security awareness as a foundational component of a strong threat defense strategy is key. An idea is to run a phishing simulation trial with key management members to understand how susceptible the organization is from the top down. Once management realizes how easy it is for a phishing email to replicate a real one, there might be more awareness and inclination to engage in security awareness practices than before.

You’ve Launched a Successful Security Awareness Program – How Do You Keep it Successful?

Every day is a new beginning when it comes to cybersecurity. Threats and vulnerabilities are always changing – so your security awareness program needs to be able to nimble and fluid to mitigate those evolving threat vectors. Behavior improvements are ongoing and so should your security awareness programs. Organizations are constantly under attack as the threat actors continue to find ways to get past technical defenses of an organization, such as perimeter technologies and email gateways.

How do you keep your program aligned with the current threats? Reach out to your cyber threat intelligence or incident response teams. These teams are constantly researching the current threat landscape and identifying if and what impact it has on the organization. Download the latest white paper on cybersecurity or threat landscape. Read technical blogs from trusted cybersecurity solution providers to stay abreast of current news and threat trends. Another great resource is setting up Google Alerts for key words: phish email, data breach, malware, cyberattack, cybersecurity, Cofense™, awareness training, threat intelligence.

Jumpstart Your Efforts Today with Free Security Awareness Resources

Remember that building a program takes time to evolve and mature. Recognize small wins for the organization and continue to move forward to mature the program. Just as the threats are never ending, so too is the security awareness function.

As you set your priorities for the program, don’t forget that Cofense provides a wealth of training modules for free, which includes specific topics and compliance modules to meet your regulation requirements. If you’re just getting started on building your security awareness program, there are plenty of free security awareness resources available to you when you’re on a shoestring budget, including a turn-key security awareness program kit, posters, presentations and other resources to get you started.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


1Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018

*Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018