The Ryuk Threat: Why BazarBackdoor Matters Most

By The Cofense Intelligence Team

Ryuk Ransomware: From TrickBot to BazarBackdoor – What You Need to Know.

Listen in to the latest insights from the Cofense Intelligence experts on this threat and learn how you can defend your business

Watch On-Demand

Yesterday, the Cofense Intelligence team released the following guidance via a flash alert to Cofense Intelligence customers.

On October 28, media reports and U.S. government notifications emerged regarding an active “credible” Ryuk ransomware threat targeting the U.S. healthcare and public health sector, with plans of a coordinated attack October 29. This was reportedly based on chatter observed in an online forum that allegedly included members of the group behind Ryuk. Cofense Intelligence is conducting an ongoing investigation into this threat. While we can’t evaluate the government’s determination of this threat as credible, we are taking this very seriously and have observed increased activity against the healthcare sector. We assess with high confidence that BazarBackdoor is the primary delivery mechanism currently used for Ryuk operations. Moreover, we’ve identified that similar phishing campaigns used to establish a foothold for Ryuk infections have targeted other sectors, as well.

BazarBackdoor: Ryuk’s Inroad

Cofense Intelligence assesses that Ryuk operators typically wait until their preferred delivery mechanism is successfully deployed to an intended target prior to deploying Ryuk ransomware itself. Up until TrickBot’s disruption, Ryuk was most frequently delivered via TrickBot. However, our analysis indicates that the group behind Ryuk began leveraging BazarBackdoor to establish access to target systems in September. This aligns closely with announcements that U.S. Cyber Command had taken action to disrupt TrickBot operations. In recent weeks, we assess with high confidence that BazarBackdoor has been Ryuk’s most predominant loader. With lower confidence, we assess this wave of Ryuk activity may be, in part, in retaliation for September’s TrickBot disruptions.

BazarBackdoor is a stealthy malware downloader that we assess is used by the same group as TrickBot. Typically, emails designed to appear as internal business communications are sent to victims within an organization, often with relevant employee names or positions. These emails usually contain a link, most often to a Google Docs page, though other well-known file hosting platforms have also been used. The Google Docs page will then present a convincing image with another embedded link. This link is typically to a malicious executable hosted on a trusted platform such as Amazon AWS. This chain of legitimate services makes it difficult to detect and stop these campaigns.

Once in place on a victim’s computer, BazarBackdoor uses specialized network communications to avoid detection and to contact its command and control (C2) locations. Part of these communications involve DNS lookups for .bazar domains, which is the reason behind its Bazar name. These C2 locations also often serve as payload locations. After BazarBackdoor contacts its C2 center it will then collect additional information which the threat actors can use to deliver customized reconnaissance tools, such as Cobalt Strike payloads. The threat actors can also choose to deliver other payloads such as Ryuk ransomware. The deployment of Ryuk ransomware isn’t automated, and therefore won’t occur unless the threat actors decide the infected environment is a target.

All of us should pay special heed to any indications of BazarBackdoor compromise. Regardless of whether recent activity is in retaliation against TrickBot’s disruption, what is clear is that recent efforts by multiple parties to cripple TrickBot seem to have been effective in transitioning the Ryuk actors to leveraging BazarBackdoor. We must be mindful that there are past connections between TrickBot activity and Emotet. While there is no direct evidence of current Emotet involvement in these campaigns, we cannot rule out future delivery of Ryuk via Emotet, given historical relationships between TrickBot and Emotet. As the TrickBot infrastructure appears to be in the process of restructuring, we assess that it may find use again as a delivery mechanism. As a network defender, all three malware families should be prioritized when searching for possible compromises, with the highest priority placed on detections of BazarBackdoor in the near future.

Figure 1: Common Phishing Example Delivering BazarBackdoor

The Phish

Cofense Intelligence has directly identified several campaigns, targeting multiple sectors across our customer base, that share strong similarities to the phishing emails reportedly used as initial attack vectors in Ryuk campaigns, as outlined by FireEye. Two subject themes stand out across several industry verticals we’ve confirmed were targets of BazarBackdoor. These subjects relate A) to employment termination, almost always including the word “termination,” or B) to payroll, almost always including the word “debit,” as shown in Figure 1. While the subjects remain the same, we observed two separate download services: via Google Docs or Constant Contact. The following list highlights the different industries we have confirmed were targeted by such campaigns. However, we cannot assess whether Ryuk operators intended to further infect these targets with Ryuk ransomware. It appears very likely that Ryuk operators have cast a wide net for potential infection vectors, and choose which successful footholds to manually interact with and leverage.

Figure 2: Termination List Phishing Example Delivering BazarBackdoor

It is worth noting that these campaigns began in mid-September, which corresponds with the timing of coordinated offensive operations to disrupt TrickBot. The sectors we have directly observed targeted in these campaigns include:

  • Consumer Goods
  • Healthcare
  • Mining
  • Energy
  • Insurance
  • Professional Services
  • Financial Services
  • Manufacturing
  • Retail

Assessing the Threat

As of early this morning, on October 30, there are reports of some ransomware attacks against U.S. healthcare organizations yesterday. It is possible more reports will emerge in the coming days, though initial indications suggest a healthcare sector doomsday was avoided. In recent weeks, there was an abundance of ransomware activity against the healthcare sector, and we identified an increase in BazarBackdoor targeting. It’s not for us to say whether the stated time or scope of the threat was off base, if there have been active successful countermeasures, or that the flurry of reporting has deterred some ransomware activity for now. It is possible they did/do not want to face such a well-guarded and prepared target base. Still, we are confident that Ryuk operations have recently increased, and that other sectors have come into the crosshairs of potential future Ryuk operations. It’s our assessment that the threat should be taken seriously.

Cofense Intelligence customers have received relevant indicators of compromise (IOCs) and Active Threat Reports (ATRs) as these campaigns are identified and analyzed, and some of these ATRs were first sent in September. Customers can find these ATRs and IOCs in ThreatHQ and via our API, and can access the most up to date list of all relevant Cofense Intelligence IOCs and ATRs tied to BazarBackdoor, TrickBot and Emotet via our API and on ThreatHQ.

For all readers, below is a table of relevant IOCs and Yara Rules associated with BazarBackdoor that can help your organization identify related emails should you be targeted. Gain free access to our intel here.

Register now for our live 30 minute briefing on Ryuk Ransomware & What you need to know on Thursday, November 12 at 11:00 am EST.  Listen is as our Cofense Intelligence team provides the latest insights on this threat and learn how you can protect your organization.

Active Threat Reports: BazarBackdoor 


Embedded URLs 
BazarBackdoor File  MD5 Hash 
Document3-90.exe  3826f8176445cc4291287f8aad28bb53 
Report10-9.exe  240bf9b477fe3d977acbb2726f0f12b5 
1.exe  b9e7cdd63db7ff765efeaabd0a85ca59 
2.exe  d3965ca520a87fc3ad3a874bb0bf118c 
AnnualReport.exe  ff9976d675cc1679b0b6e15323010dbf 
AnnualReport.exe  49c3639ad3cd29473e0bd047bcef8a64 
Document_Print.exe  925d730ddb4304a4bde4dfaeabb5c7b9 
Document-Preview.exe  40b17d4ca83f079cf6b2b09d7a7fd839 
t99.exe  df249304643531adb536eba89691ec91 
PreviewDoc.exe  a41429f7dbecfb76e6b7534afbeb4f74 
Preview.exe  9f00d78f2e8e4523773a264f85be1c02 
Preview.exe  5f64cc672ea13388797599b40a62d9be 
putty.exe  006f8bd0cd7e820705dec7bb3a7a7cf5 
XColorPickerXPTest.exe  cd6b9af8db078afe074b12a4fd0a5869 
PDOKGLWEER.exe  135f68e708cc04e362703ad71be5f620 
v152.exe  d55ec134a3046f289d9ebfdba1e98775 
BazarBackdoor Command 

Yara Rules for Campaign Detection 

Rule 1: 

rule PM_Intel_Ryuk_Payload_1029201 {
  description = “EDR rule for detecting Ryuk ransomware main payload”
  $ = “.RYK” wide nocase
$ = “RyukReadMe.html” wide nocase
$ = “UNIQUE_ID_DO_NOT_REMOVE” wide nocase
$ = “\\users\\Public\\finish” wide nocase
$ = “\\users\\Public\\sys” wide nocase
$ = “\\Documents and Settings\\Default User\\finish” wide nocase
$ = “\\Documents and Settings\\Default User\\sys” wide nocase
  uint16(0) == 0x5a4d and uint32(uint32(0x3c)) == 0x00004550 and all of

Rule 2:¹ 

rule crime_win64_backdoor_bazarbackdoor1 {
description = “Detects BazarBackdoor injected 64-bit malware”
author = “@VK_Intel
reference = “
tlp = “white”
date = “2020-04-24”
$str1 = “%id%”
$str2 = “%d”
$start = { 48 ?? ?? ?? ?? 57 48 83 ec 30 b9 01 00 00 00 e8 ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 40 32 ff 40 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8a d8 8b ?? ?? ?? ?? ?? 83 f9 01 0f ?? ?? ?? ?? ?? 85 c9 75 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? b8 ff 00 00 00 e9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? 40 b7 01 40 ?? ?? ?? ?? 8a cb e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b d8 48 ?? ?? ?? 74 ??}
$server = {40 53 48 83 ec 20 48 8b d9 e8 ?? ?? ?? ?? 85 c0 75 ?? 0f ?? ?? ?? ?? ?? ?? 66 83 f8 50 74 ?? b9 bb 01 00 00 66 3b c1 74 ?? a8 01 74 ?? 48 8b cb e8 ?? ?? ?? ?? 84 c0 75 ?? 48 8b cb e8 ?? ?? ?? ?? b8 f6 ff ff ff eb ?? 33 c0 48 83 c4 20 5b c3}
( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )

¹Sourced from and evaluated by Cofense Intelligence analysts. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

You’ve Been Served: UK Scammers Deliver ‘Predator the Thief’ Malware Via Subpoena

By Aaron Riley

Not even the halls of justice are immune from scammers. A new phishing campaign spoofing the UK Ministry of Justice has successfully targeted users with a subpoena-themed email delivering Predator the Thief, a publicly available information-stealing malware.

Cofense IntelligenceTM has observed employees in insurance and retail companies receiving these emails. The phishing email states that the recipient has been subpoenaed and is asked to click on a link to see more details about the case. The enclosed link uses trusted sources—namely Google Docs and Microsoft OneDrive—for the infection chain. The initial Google Docs link contains a redirect chain that eventually leads to a malicious macro-laden Microsoft Word file. The macro, upon execution, downloads the malware via PowerShell, which is a sample of the Predator the Thief information stealer.

The email body, shown in Figure 1 below, contains a warning that the recipient has 14 days to comply with the subpoena notice, a scare tactic designed to panic users into clicking. The link within the email leads to a Google Docs page and is benign, unlike the embedded URL within the Docs page that features a tailored redirection link pointing to a direct Microsoft OneDrive download. The Google Docs page is themed to fool a user into thinking the service is conducting security checks.

Figure 1: Sample Phishing Campaign Delivering Predator the Thief

Organizations defending against this multi-faceted threat have four options.

  • While a basic email security stack would likely misread the Google Docs URL as legitimate and allow the email to pass inspection—in fact, this campaign has passed through FireEye’s Secure Email Gateway (SEG) solution and may be overlooked by others—scanning the ensuing links at the network security level should reveal nefarious intent, at which point the security solutions should block further traversal.
  • Disabling Microsoft macros by default and monitoring PowerShell execution alongside educating users on the dangers of enabling macros is a safeguard against this threat.
  • Employing endpoint protection solutions that conduct memory analysis can spot the payload execution, thwarting an intrusion at the last step of the infection chain.
  • Having a highly tuned network security stack that monitors for exfiltrated data and suspicious HTTP POST packets can help spot an intrusion or block its exfiltration route.

Technical Findings

The email contains a link that leads to a trusted source, in which another link leads to yet another trusted source through a tailored redirecting URL in the middle. A macro-laden document is retrieved and used as a first stage downloader to execute a sample of Predator the Thief. The malware then infects the endpoint and attempts to exfiltrate sensitive data. At each step of this infection chain (outlined in Figure 2), correctly configured technology could have prevented successful execution, and a properly educated end user could have negated the entire scenario.

Figure 2: Infection Chain

Predator the Thief has all the basic capabilities of most information stealers. One of the unique things about this malware is its range of web browsers targeted, meaning a less popular web browser may still be affected. The authors disseminate their product via a Telegram channel that is also used as a customer support channel. Although Predator the Thief claims to have Anti-VM capabilities, older versions can be easily detected by automated AV scanning. A newer version can be quickly spotted in a sandbox once the binary has unpacked itself into memory. The execution of the binary on the endpoint is an additional focal point for defense within the endpoint protection program or product.

Predator the Thief targets cryptocurrency wallets, browser information, FTP, and email credentials. It can also take a screenshot of the infected machine. The information is stored in a file named “information.log” and sent to the Command and Control (C2) server via an HTTP POST to a network endpoint “gate.get” by default. The data in this file contains machine and user fingerprint data, stolen credentials, and network configurations. Once the information is gathered and the sample has successfully exfiltrated the data to the C2, the binary then cleans up parts of the infection and self-terminates. This infection clean-up process makes it much harder for endpoint forensic investigations that do not leverage verbose event logs and an endpoint detection system.

Indicators of Compromise

IOC Appendix Description
PM_Intel_PredatorThief_31571 Cofense Intelligence YARA Rule
hxxp://comrade696[.]xyz/api/gate[.]get C2 Network Endpoint
hxxp://bit[.]do/fcMEx “Legitimate” URL Shortener Service For Payload
hxxp://193[.]0[.]178[.]46/m2Dj5W Tailored Redirector
31[.]184[.]196[.]176 Macro Payload Host
comrade696[.]xyz C2 Address
hxxp://comrade696[.]xyz/api/check[.]get C2 Network Endpoint
hxxp://31[.]184[.]196[.]176/file8[.]exe Predator the Thief Payload
193[.]0[.]178[.]46 Tailored Redirector
hxxps://de5qqw[.]sn[.]files[.]1drv[.]com/details[.]doc Microsoft OneDrive Direct Word Document Download
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vR2ShicgBwEhJsMeJF-ho3xmeGvs4h3lpp33DGuVYXa0J7nDHSayHNnUqAuy8RgE1V6DN3rgEamM_l6/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vTJwmMgl4cycKB1H3DLqE6hO7hBtIZV_R8vetvNk2hoHNvQrOQu6guqESe4ongHOe2qeuZl_hcwtpFi/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vSC7TE8Jw2rj5mFmdo7SNhhVhYI5_chETx0Um8phyExpH2ok1_BYqbFBCmvu5SNE8USRHFQxAAdSUbe/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vRHdNziiJLKswksr50gCvUFKGZPoB7aJ2X_u09dUvpXauv5zqPi6BRxmNlhpdQ3VoJnyDd-7UWe0eq4/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vTDBKHYpJMHsTmAPu8Q3q41G3Sfq0398Mwe1bUth_4gbi9Q9X1uvjJ8Qpt1jfiDjkOvlrV3EGbn4pIH/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vQYPpaggmpXxbXvzYbcuCFnVbVGFiprq8WT3U0cackWI9z6ECOKGQ75Zxi38IIAcR6U2mWRN-I91RJs/pub Google Docs Lure
hxxps://www[.]google[.]com/url?q=hxxp://193[.]0[.]178[.]46/m2Dj5W&sa=D&ust=1572032929507000 Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vSpWb2Y8awd5BhJGCiiscMOhddh3Pf53q_E76aMV-H4L1Sy50O8V7wXJG8lLILi_woj35v22P2o0GZo/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vSw-6rt5QaRo630a6nWVkraLUHH1HLP23pfkdYYxe3NS73ITrhzme_r_K0h67RQjrUjYgrVPDDNt9Yn/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vTMEq8o1xfYAGRQqTnV_YP4IpoYFLRV0x3yagV4J8TC2vPAevx5y6UobCv9Oa9d1W-KzWbintL_fj2w/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vRJh78bDJcfBuwt_yV7nhNRuboEHUyfET1yhta2B-_toyEPBl7OwADQHm9t28gfVQymkltq69smXgYw/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vRZG0aGBmvWRzXhT-a68tBJcy1PSPA4blZ51daX_-OqtXwj-GeuEp-0RBbhazOBKi_Z2bE1AO8ejfTP/pub Google Docs Lure



The Cofense Phishing Defense CenterTM finds that 89% of phishing threats that deliver malware have bypassed email gateways. Condition users to be resilient to phishing with Cofense PhishMeTM and remove the blind spot with Cofense Reporter TM. Cofense PhishMe offers a simulation template, “UK Ministry of Justice Subpoena – Office Macro”,” to educate users on the campaign described in today’s blog.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Agent Tesla Keylogger Is Now a Top Phishing Threat

By Aaron Riley, Cofense IntelligenceTM

The Agent Tesla keylogger is an increasingly widespread piece of malware in the phishing threat landscape, targeting multiple industries and using multiple stages within its infection chain. Currently, threat actors prefer archived files or weaponized Microsoft Office productivity documents to deliver this malicious software to the endpoint. Agent Tesla is sold as a commercial subscription license and offers a 24/7 support team. With an easy to use and abundant feature set—like a document exploit builder embedded into the malware management web panel—this keylogger lends itself to all levels of threat actors.

A typical theme for these campaigns revolves around finances, orders, and shipments. The most common way for this keylogger to make it to the endpoint is by archiving the executable and attaching it to a phishing email. This delivery vector can be successful if the email security stack does not have a standard in place for allowed archival types, does not conduct archive file analysis, or determines the file to be an unknown archive type.

For the infection chain, there are numerous methods a threat actor can choose. Most notably, Agent Tesla leverages a document exploiting an equation editor vulnerability documented in CVE-2017-11882 as the first stage loader. Exploiting this vulnerability allows for the attached document to download and execute a binary on the victim’s endpoint once opened. Although a patch has been out for this vulnerability, threat actors continue to utilize it for exploits.

An Office macro-laden document is the second most popular ‘stage one’ loader for this keylogger. This is somewhat surprising, given the fact that the macro builder is embedded into the Agent Tesla web panel as a feature, thus making it easier than the CVE-2017-11882 exploit to capitalize on. As such, this keylogger demonstrates features that fit closer in line with a Remote Access Trojan (RAT), including the capability to take screenshots or control the webcam. Agent Tesla adds to its robustness with the ‘File Binder’ option which links a selected file on the endpoint to the Agent Tesla executable and executes the keylogger at the same time as the selected file. This is done to keep the keylogger up and running without interaction needed from the victim.

Unlike most RAT suites, Agent Tesla’s preferred exfiltration method for the stolen data is the use of email. The web panel allows for a threat actor to set an email address as the recipient or the sender and has the ability for the email traffic to be SSL encrypted. This exfiltration technique can be avoided by blocking all traffic using SMTP that does not match organizational or enterprise standards. Agent Tesla, however, can also exfiltrate the stolen information via FTP or an HTTP POST. Each of these exfiltration methods can be defended against with proper firewall, content filtering, and alerting rules in place.

Figure 1: An example phishing email with Agent Tesla keylogger attached.

Agent Tesla’s recent rise to the top of the phishing threat landscape shouldn’t be a surprise, given the ease of use, options, and technical support from the creators. Network safeguards can help stop the exfiltration of data from a successful infection. Patching and updating user endpoints can combat at least one of the delivery mechanisms used within these phishing campaigns. Educating users on company standards for file extensions and Office macro use can combat the other two delivery mechanisms.


89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon

Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message.

This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish.

Not Your Average Phish
The Cofense™ Phishing Defense Center (PDC) has recently been defending against an extensive Zombie Phishing campaign against multiple clients. Fraudsters hijack a compromised email account, and using that account’s inbox, reply to long dead conversations with a phishing link or malicious attachment. Due to the subject of the email being directly relevant to the victim, a curious click is highly likely to occur.

These Zombie Phish appear to use automatically generated infection URLs to evade detection. No two links are the same. These links are hidden behind unassuming “error” messages in the body of the email, providing an appealing scheme for users to fall victim to. Thus far, the PDC has observed two common Zombie Phishing templates that lead to malicious links. These email campaigns can be seen in Figures 1 and 2.

Figure 1

Figure 2

Another common hallmark of this campaign is the use of the .icu top-level domain (TLD), however this could change in the future. Example domains identified during this campaign, which abuse the .icu TLD, can be seen in Figure 3.

Figure 3 shows .icu domains associated with these campaigns.

Already, many of these domains have been shut down by their domain registrar after receiving reports of domain abuse. Figure 4 shows a domain associated with this campaign and the data that is collected and displayed by the registrar.

Figure 4, Courtesy of

Additionally, the PDC has observed these phish using official organizational logos to add legitimacy to fake login pages – an example of such can be seen in figure 5. The pages are designed to impersonate an online portal of the target, including the company’s logo, and even its favicon. The end goal is credential theft of the victim.

Figure 5

Finally, any victim that visits the malicious website is “fingerprinted” using the host’s IP address as an identifier and upon entering credentials is immediately redirected to the same spam website seen by other victims. This is often via links obfuscated using URL shorteners (such as hxxps://href[.]li/). If the same host attempts to visit the phishing link again the spoofed login page is skipped and instead you are forwarded directly to the spam page. This finger-printing and the URL shortener obfuscation helps the attackers keep a low profile and continue their campaign unabated.

Conversation Hijacking
The tactic of “conversation hijacking” itself is by no means new, fraudsters have been hijacking compromised email accounts to dish out malware and phish as replies to prior conversations for years now. This technique is still popular because it makes victims much more likely to click on links and download or open files because their guard is down when these are within conversations already in their inbox. An ongoing and currently in the wild example of this is the Geodo botnet which has a history of inserting itself into existing email threads to deliver malicious documents that in turn download a sample of Geodo or other malware like Ursnif. However, the effectiveness of this tactic can depend greatly on the content of the conversations, a response to an automated advertising email is less likely to result in an infection than a response to a help desk support thread such as the one seen in Figure 6. Cofense IntelligenceTM has seen several Geodo campaigns consisting of responses to automated advertising emails indicating that, in some cases, the campaigns consist of indiscriminate responses to all emails in an inbox. Given that the volume of these “conversation hijacking” campaigns is still comparatively low, the smaller scope of these emails is likely limited by the number of ongoing conversations. Certain types of accounts therefore are more likely to draw threat actors direct attention and to induce them to invest additional effort and time into developing unique phishing campaigns for those accounts.

Preventing Your Personal Zombie Apocalypse
The PDC has compiled these quick tips to avoid losing your credentials (or your brains) to a Zombie Phish:

  • Be alert for email subjects that may appear relevant but are from old conversations.
  • Watch out for the hallmark green “error” button (pictured above in figure 1).
  • Don’t trust attached documents simply because they are replying to a conversation.
  • Mouse over buttons or links in suspicious messages to check them for the “.icu” top-level domain.

Cofense’s Phishing Defense CenterTM has observed that these campaigns have become increasingly clever, to combat this, training employees to be able to spot these types of emails is key. You can put down your nail-bats and pitchforks – a properly trained workforce is what is needed to defend your organization against the Zombie Phish hordes.

Cofense offers comprehensive phishing training to arm your employees with the weapons they need to protect your organization. And if you need reinforcements to help against the hordes, the Cofense Phishing Defense Center is happy to do battle with you.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Indicators of Compromise:

Observed Domains
































Observed IPs



“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan

Threat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense Phishing Defense Center and known to target South American users.

H-Worm and jRAT Malware: Two RATs are Better than One

When threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself on removable devices like a USB.

Using a generic phishing lure pertaining to an invoice, the email below contains two attached .zip archives: one with a VBScript application and the other a .jar Java application.

Figure 1: Phishing lure delivering jRAT and H-Worm

While the .jar file is a sample of jRAT, it also drops a copy of H-Worm on the infected machine. The VBScript file is tasked with downloading a Java Runtime Environment (JRE), if it is not already on the machine, which allows the .jar file to run. This VBScript file is a sample of H-Worm. The delivery is unusual compared to older analyses of H-Worm with jRAT, which typically consists of a single payload used to facilitate the infection of both H-Worm and jRAT (and sometimes H-Worm with other malware families).

Two RATs, One Infection

Disseminating two similarly functioning malware families in a single infection is not a new tactic. Threat actors do this to exfiltrate more valuable information and to carry out additional tasks that support further infection or monetization. Some of the functions and capabilities of H-Worm and jRAT are shown below.

Figure 2: Distinct functions and similarities of H-Worm and jRAT

Each remote access trojan serves a specific purpose, such as keylogging, monitoring audio or video, or modifying the registry. At the end of the day, the specific malware or number of malware families used in a single infection cycle does not matter to the threat actor as long as there is a better chance for a successful infection. In the end, all that matters to the threat actors is if they were able to exfiltrate the information they seek.

However, for many attackers, the outcome of a successful infection also relies upon the successful delivery of a phishing email. Threat actors will continue to develop new tactics, techniques, and procedures (TTPs) to lure their intended targets. The first step to avoid an infection like the one above is to recognize and report suspicious messages. Educating computer users to identify suspicious emails can help your organization stop an attack on your infrastructure.

Learn how Cofense PhishMeTM conditions users to recognize active phishing threats.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


America’s First: US Leads in Global Malware C2 Distribution

By Mollie MacDougall and Darrel Rendell

Cofense Intelligence™ has found that 27% of network Indicators of Compromise (IoC) from phishing-borne malware analysed during 2018 used C2 infrastructure located in, or proxied through, the United States—making the US the leader in global malware C2 distribution.

Map 1 details these observations. This does not indicate that US-based users are getting hit disproportionately, as threat actors are incentivised to host C2 infrastructure outside of their own country or countries with extradition agreements with their host nations to avoid arrest and/or extradition. However, C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence of host compromises within the United States.

Map 1: All IPs, both resolved from domain and names and direct-connects, observed during 2018

Chart 1 reflects the top 5 data points observed in Map 1, calculated relative to one another.

Chart 1: Top 5 C2 location points across the globe, year-to-date 2018.

Maps 2 and 3 detail the juxtaposition in C2 locations between TrickBot and Geodo Tier 1 proxy nodes.

Map 2: TrickBot C2 distribution year-to-date 2018

Map 3: Geodo C2 distribution year-to-date 2018

At first glance, the contrast between Geodo and TrickBot may seem odd; Geodo overwhelmingly favors US hosts whereas TrickBot has a propensity toward Russian devices. However, Geodo uses networks of compromised web servers, running Nginx to serve as Tier 1 proxy nodes. More specifically, Geodo uses legitimate web servers as a reverse proxy, tunnelling traffic through these legitimate web servers to hosts on the true hidden C2 infrastructure. TrickBot, on the other hand, almost exclusively uses for-purpose Virtual Private Servers (VPSs) to host its nefarious infrastructure.

TrickBot’s C2 distribution trends significantly more eastward—with a greater number of C2 locations in Eastern Europe and Russia. TrickBot campaigns almost always target Western victims. In June, Cofense Intelligence released a report detailing sustained, pernicious attacks against UK targets. TrickBot’s targeting of Western victims from Eastern-hosted C2 could be due to the lack of extradition agreements amongst those countries (Figure 1). Still, TrickBot does rely on some C2 locations in North America and Western Europe. This could alternatively be a strategic move wherein TrickBot uses regionally diverse C2 locations to make it more difficult to profile its infrastructure, to introduce uncertainty and help keep the hosts viable for the longest possible time. Chart 2 is a companion of Map 2, detailing TrickBot’s favored demographics.

Figure 1: Countries with which the US has extradition agreements.1

Chart 2: A breakdown of TrickBot’s C2 locations. Note: In the ‘Other’ category, 64% are Eastern (including Eastern European).

Looking Ahead

The scattering of C2 locations for Geodo and TrickBot demonstrates the vast infrastructure of two of the most pernicious malware currently distributed via phishing. This suggests that these malware families will almost certainly remain on the scene in the months to come. An avid network defender should take note that using geolocation to help differentiate legitimate traffic from potentially malicious traffic may not be as effective as it seems. In light of the case study above, it would be prudent to actively monitor the threat landscape from a reliable source and stay vigilant.

To learn more about 2018 Geodo and TrickBot activity, view the Cofense™ analysis.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.



A Staggering Amount of Stolen Data is Heading to Zoho Domains

After last month’s brief domain suspension of Zoho—which resulted from an insufficient response to reported phishing abuse— Cofense Intelligence™ has uncovered Zoho’s connection to an extremely high number of keylogger phishing campaigns designed to harvest data from infected machines. Of all Keyloggers analysed by Cofense, 40% used a or email address to exfiltrate data from victim machines.

Staying King Krab: GandCrab Malware Keeps a Step Ahead of Network Defenses

GandCrab ransomware is being rapidly developed to evade the cyber security community’s defense efforts, aid proliferation, and secure revenue for those driving the malware. Cofense Intelligence TM has identified a new campaign that is delivering GandCrab version 4.4, the newest iteration of this prolific ransomware. The developers of GandCrab are aware of the research analysis done on its past versions, and release new versions rapidly to negate the solutions. These malicious developers also release versions in direct correlation to specific security companies’ findings. In the last two months, the authors of GandCrab have released version 4, and subsequent 4.x releases to improve the ransomware’s capabilities.

The email-borne campaign bearing GandCrab v4.4 (analyzed by Cofense Intelligence) did not follow the usual trends of being delivered via Microsoft Office Macro attachment. The lures employed during these previous campaigns were typically enticing recipients to download an infected resume or subpoena. The emails were written in German and had an attached .zip archive that contained an executable sample of GandCrab v4.4. The email body follows previous campaign narratives and is depicted in Figures 1 & 2.

Figure 1: The email body written in German.

Figure 2: The email body translated to English.

Once executed, the GandCrab sample will then collect information about the machine and determine if it is a viable candidate for encryption. If the machine has been deemed acceptable, files that meet specific criteria are then encrypted. After encryption, GandCrab then drops the ransom note in each directory via a .txt file. Figure 3 is a ransom note example.

Figure 3: A GandCrab ransom note example.

The fourth version of GandCrab was released in July, only six months after the first sighting of GandCrab in the wild. This latest version is a drastic change from its predecessors. Focusing on speed of encryption, this version switches from using RSA-2048 to the Salsa20 encryption algorithm. Prior to the fourth version of GandCrab the sample would need to successfully check in with its Command and Control (C2) structure before beginning the encryption process. Figure 4 documents strings found in GandCrab. referencing the developer of the Salsa20 algorithm.

Figure 4: The creator of Salsa20 algorithm is shown in the memory strings.

Versions 4 and 4.1 saw the introduction of a mechanism designed to prevent GandCrab running on undesirable machines. These specific versions would create a hex string .lock file based on specific information being present on the machine and place it in the C:\ProgramData directory. The .lock file would be queried and, if it found the binary, would terminate itself without encrypting the endpoint. Another GandCrab kill-switch is triggered when the sample looks at the language packs installed on the machine. If GandCrab finds a Russian language pack or former Soviet Union language packs, it will terminate itself without encrypting the endpoint.

Another upgrade that came with versions 4 and 4.1 was the ability to encrypt file shares and attached devices. This is done through interaction with the System Volume Manager to detect these resources. This is a big update in weaponry because it gives this ransomware the ability to engulf a network with encrypted files. This version’s ability to encrypt file shares puts a greater emphasis on the mitigation and response techniques needed within a network. The encrypted files also get a new extension and are then appended with .KRAB, as well as the ransom notes being renamed to KRAB-DECRYPT.txt. Figure 5 shows the encrypted file system, as well as the ransom note placed on the Desktop.

Figure 5: The GandCrab ransom note placement and the .KRAB extensions.

GandCrab v4.1 had also shown new network traffic not previously seen with the older versions. This version will use a custom Domain Generation Algorithm (DGA) to create URLs and POST the information collected from the machine to the DGA created URL. These POSTs are not to a GandCrab C2 infrastructure, rather they are legitimate domains. However, some researchers have theorized that these POSTs might be the Proof-of-Concept (PoC) for a future feature yet to be fully utilized. Other researchers believe that these POSTs are meant to fill the network with false positive C2s. Figure 6 shows the multiple POSTs to DGA created URLs.

Figure 6: The network POSTs to the DGA created URLs.

Version 4.1.2 was created out of necessity because of the work done by AhnLab, Inc. and their vaccine software. AhnLab found that the .lock file could be impersonated and placed on the machine beforehand. By doing this, the GandCrab sample would find the .lock file and terminate itself, thus preventing it from successfully encrypting the machine. The vaccine provided by AhnLab was negated within four days by the ransomware developers by utilizing the Salsa20 encryption algorithm to create the .lock file. Less than one day later, AhnLab provided v2.0 of the vaccine. Two days later, a new variant of GandCrab was spotted which checked for a mutex instead. GandCrab v4.1.2 also added anti-sandbox techniques, such as checking the allocated memory and registry for indicators of a virtual environment.

The updated version 4.1.2 became the basis for v4.2+ and brought about a PoC weapon aimed at AhnLab. This PoC is source code that claims it can cause a Denial of Service (DoS) attack on the AhnLab anti-virus solution used on endpoints. The PoC claims that this can cause a Blue Screen of Death (BSOD) on the targeted system. GandCrab’s anti-sandbox techniques, as discussed above, were also removed in v4.2.1. Figure 7 shows the link to the PoC within the running memory.

Figure 7: The BSOD PoC link in the memory strings.

Version 4.3 was simply a re-compile and re-organization of the code as well as adding anti-disassembly techniques. Version 4.4, the latest version, was built upon previous versions with a few new features of its own. The latest version comes with a stealth mode which, when enabled, queries the information gathered. It then determines if any processes on the endpoint need to be terminated before GandCrab starts its infection. Most of the processes targeted for termination are anti-virus products and those which may hold handles to important files (such as database files) which GandCrab intends to encrypt. This allows for the sample to have a non-disruptive and stealth-like file encryption process. The latest version also comes with a self-kill switch. This version can create the .lock file and place it in the %ProgramData% directory before infection as a nod to AhnLab’s vaccine. If the .lock file is found, the sample then sleeps in the background indefinitely. Figure 8 shows the stealth mode strings in memory.

Figure 8: Stealth mode in the memory strings.

What You Can Do

As with any ransomware, especially GandCrab v4.4, you need to have the proper mitigation in place in case an endpoint on the network becomes encrypted. Proper mitigation involves having up-to-date software from the manufacturer; network segmentation from resources that are considered critical; re-occurring and tested backups of all business-critical data; an email security stack that can sanitize emails as they arrive to the end user; and a response plan that has been practiced and refined. Having these things in place can help you withstand a ransomware incident.

GandCrab blasted onto the scene in early 2018, and since then has made great strides in staying relevant in the shifting landscape. The latest rendition employs tactics, like offline encryption, that had not yet been seen by prior iterations. GandCrab v4 has been able to change and adapt to the mitigation tactics of the cyber security community within the span of two months. The developers of GandCrab have been able to quickly evolve their malware based on anti-virus research analysis, which allows for more effective and lasting infections for the ransomware operators. This rapid development cycle of ransomware is a new trend that could likely lead to more malware developers taking research analysis as constructive criticism, then making their samples more robust in the future.

To stay abreast of developments in malware and phishing attacks, sign up for free Cofense Threat Alerts.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.