In the last month, Microsoft Office documents laden with malicious macros account have remained the malware loader-du-jour. Cofense IntelligenceTM has found they account for 45% of all delivery mechanisms analyzed.
Let’s take a look back at this summer’s malware trends as observed by Cofense IntelligenceTM. Summer 2018 has been marked by extremely inconsistent delivery of TrickBot and Geodo, though volumes of lower-impact malware families like Pony and Loki Bot remained consistently high. What’s more, improvements to the delivery and behavior of Geodo and TrickBot accompanied the resurgence of two updated malware families—Hermes ransomware and AZORult stealer—in reaffirming a preference by threat actors to update previous tools instead of developing new malware. Because threat actors will continue to improve their software to ensure a successful infection, it’s important to understand these potentially harmful attacks.
Part 3 of 3
As we mentioned in our previous overview of Geodo, the documents used to deliver Geodo are all quite similar. Each document comes weaponised with a hostile macro. The macros are always heavily obfuscated, with junk functions and string substitutions prevalent throughout the code. The obfuscation uses three languages or dialects as part of the obfuscation process: Visual Basic, PowerShell, and Batch.
Part 2 of 3
As discussed in our prior blog post, URL-based campaigns – that is, campaigns that deliver messages which contain URLs to download weaponised Office documents – are by far the most prevalent payload mechanism employed by Geodo. Indeed, analysis of ~612K messages shows just 7300 have attachments; a trifling 1.2% of the total. The structure of the URLs falls into two distinct classes. Cofense Intelligence™ analysed a corpus of 90,000 URLs and identified 165 unique URL paths. There are two distinct classes of URLs employed by Geodo. A detailed breakdown of these URL structures follows.
Last week, Cofense™ research uncovered and broke the news that the Necurs botnet began a highly-targeted campaign aggressively attacking more than 3,000+ banks worldwide with a malicious PUB file that drops the FlawedAmmyy malware. You can read the full analysis in last week’s research blog.
By Jason Meurer and Darrel Rendell
Cofense™ Research reports that the Necurs botnet began a new campaign at approximately 7:30 EST on Aug 15, one appearing to be highly targeted at the banking industry. So far, Cofense has seen over 3,701 bank domains targeted as recipients.
The Cofense IntelligenceTM team has wrapped up our analysis of mid-summer malware. To get this summary started, let’s look at a couple of charts.
Chart 1: Top 5 malware delivery methods, by campaign, identified in July
Chart 2: Top 5 malware families, by campaign, identified in July
In our Strategic Analysis released on Thursday, 26th July, it was noted that Geodo and TrickBot had been unusually active in recent weeks, following a lull in June and into early July. Charts 3 and 4 expand upon this observation via side-by-side comparisons and year-to-date trends.
Prior to July, both TrickBot and Geodo tended to have peaks of activity, followed by periods of inactivity, after which the malware underwent a code update. Although still true of TrickBot, Geodo has been incessant throughout July. Chart 2 shows that TrickBot is the 5th most prevalent malware family, and Geodo does not appear at all. This phenomenon occurs due to the way different actors distribute their malware. Geodo and TrickBot, for example, are distributed in campaigns comprising hundreds of thousands or even millions of messages. These campaigns tend to be long, and go through several permutations during the distribution, but are certainly all the same campaign. In comparison, other campaigns that use off-the-shelf type malware, such as Loki, Pony, and jRAT, are distributed in much, much lower volumes, but with significantly higher variance in the message structure and IoCs. Such variance defines the campaigns.
Chart 3: A side-by-side comparison of Geodo (black) and TrickBot (green) over 2018 YTD
Chart 4: July’s Geodo (black) and TrickBot (green) campaigns
Moving into August, Geodo is still extremely active, with persistent, daily campaigns, whereas TrickBot has been comparatively silent since the 31st of July. As noted above, this behavior is likely part of TrickBot’s normal cycle, and will certainly reappear extremely soon, possibly with a new update. Cofense Intelligence, being tapped directly into the Geodo botnet, has been able to compile a database of the most frequently used terms in Geodo campaign subjects. Table 1 details the top 10 subject lines across 7 days’ worth of campaigns, spanning hundreds of thousands of messages. Although appearing to end somewhat abruptly, the subject lines have been cleansed of any potential PII, because the actors behind these campaigns typically incorporate the [purported] name of the recipient into the subject line.
Table 1: Top 10 Geodo subject lines for August. The Occurrences column reflects a representative sample of the whole collection
Typically, Geodo has been seen using mainly payment notification narratives. But in July, there was a vastly more diverse range of finance-driven subject lines, as detailed in the word cloud in Figure 1.
Figure 1: A word cloud detailing the most frequently used Geodo campaign subject lines from July 1st to August 7th, 2018
Despite being an established, modular banker with a herculean pedigree, Geodo is finding its feet as a loader and distributor of other malware. Sporting several distinct iterations of the family, Geodo is mature code backed by sophisticated threat actors, themselves supported by a robust delivery infrastructure. It is prolific and, potentially, the greatest current threat offered by any mainstream malware family. Despite the volume-to-campaign ratio, as mentioned above, being heavily skewed towards volume, their sheer magnitude, and the virulence of the malware, leave no doubt it is a force with which to be reckoned.
Keep an eye on this blog for an in-depth examination of Geodo and its infrastructure. For a look back and a look ahead at major malware trends, see the 2018 Cofense™ Malware Review.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.
Over the past couple of weeks, the Cofense™ Phishing Defence Center (PDC) has observed a rise in PowerShell-based malware. PowerShell is a very powerful scripting language that is legitimately used in many organisations. PowerShell is packed with almost endless capabilities, most of which are particularly interesting to threat actors who wish to abuse PowerShell for malicious purposes.
Last year, Cofense Intelligence™ observed an increase in abuse of features built into platforms that are all but ubiquitous throughout the corporate world. An overview of these developments in 2017 was covered in our 2017 Malware Review, which highlighted the abuse of Microsoft features such as Object Linking and Embedding (OLE) and Dynamic Data Exchange (DDE) to deliver malware. Since last year, this trend has continued as threat actors are exploiting a greater variety of features as well as combining multiple techniques into one campaign.
For the first time ever, Cofense Intelligence™ recently observed a phishing campaign distributing the infamous Hermes ransomware. The low-volume campaign delivered .doc files, weaponized with heavily obfuscated macros. These macros reached out to an attacker-controlled server to download and execute a copy of Hermes.