On March 22nd, Cofense came across a rather unique malware sample that had a very low detection rate. At the time of analysis, the file was only detected by 5/61 AV engines. The detection rate did not reach 30% until at least a week later, as per VirusTotal: 38015eb1699b7596e8c95fed7f0bc32d1492b371bd4d7953019f69dcf40ff1fd.
New additions to the TrickBot malware’s capabilities, observed by the Phishing Defence Centre, indicate that this malware tool is undergoing active development. The designers of this malware are still working hard to introduce new functionality including a network worm functionality and a screen-lock module. The worm component utilises the leaked “EternalBlue” exploit for CVE-2017-0144 to propagate itself across networks that have yet to patch or discontinue the use of SMBv1. The deployment of the screen-lock module (which appears to be still in the early phases of development) gives the threat actors the ability to change the functionality of the malware from robust banking trojan to a rudimentary ransomware.
Many gamers are unaware that they are either potential targets for mining botnets or that they may already be mining cryptocurrencies for cybercriminals.
Why are gamers targets? Think about it. Mining requires a large graphics card (GPU), a dedicated Internet connection and an uninterrupted power source. Gamers use powerful and immersive, high-performing GPU’s to stay online and play networked games without interruption. It’s the perfect recipe for crypto mining.
Adding to a growing trend of phishing attacks wherein Windows and Office functionalities are abused to compromise victim systems, Cofense Intelligence™ has analyzed a recent campaign that uses the URL file type to deliver subsequent malware payloads. This file type is similar to a Windows LNK shortcut file (both file types share the same global object identifier within Windows) and can be used as a shortcut to online locations or network file shares. These files may abuse built-in functionality in Windows to enhance the ability of an attacker to deliver malware to endpoints.
By abusing these built-in functionalities, threat actors can complicate detection and mitigation in these scenarios, because the software is behaving exactly as it was designed to. The proliferation of abuse techniques indicates that threat actors may be increasingly prioritizing the use of such methodologies due to detection difficulties.
The emails analyzed by Cofense Intelligence include a nondescript phishing campaign that informs recipients of an attached bill, receipt, or invoice. The analysis performed for Threat ID 10993 focused on emails that deliver attached URL shortcut files with their target resource identified using the “file://” scheme. Windows environments use this scheme to denote a file resource that is on the hard drive or hosted on a network file share.
However, the target for these Uniform Resource Identifiers (URIs) can also be a remote resource. When a URL shortcut file is written to disk, Windows will attempt to validate the target denoted by the “file://” scheme. If validated, the remote resource can be downloaded to the local machine. The use of this file format and URI scheme may indicate that threat actors seek to abuse the resource resolution functionality associated with these shortcut files to deliver malware onto victims’ machines at the time the URL file is extracted from a Zip archive.
Figure 1 – URL shortcut files can reference remote file shares to deliver malware
Figure 2 – Downloading a payload over SMB is a less-common method for malware delivery
This technique showcases yet another method in which commonplace Windows features are abused by threat actors, adding to the expanding set of delivery applications crafted to distribute malware.
The nature of these files reveals the risk involved with applications that obtain files simply by issuing connection requests without user interaction. Incident responders and network defenders must devise a response plan to address this scenario, especially if enterprises and organizations operate on a Windows environment. This campaign also demonstrates that as threat actors develop new attack methodologies, more emails are likely to reach user inboxes. Therefore, it is crucial that those users can identify and report such campaigns, because they are the final line of defense at that point.
Sign up for free threat alerts. Get phishing and malware trends delivered to your inbox: https://cofense.com/threat-alerts/
Cofense Intelligence™ uncovered a resurgent Sigma ransomware campaign on March 13, 2018 following a noted three-month hiatus of the malware. Although many aspects of this campaign—including its anti-analysis techniques—are consistent with previously analyzed Sigma samples, its return is in and of itself atypical.
Rohyt Belani, CEO & Co-founder, Cofense
So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products.
After introducing Cofense PhishMeTM and Cofense ReporterTM, a financial services company had reduced susceptibility to 10% or lower across its 10,000+ employees. At the same time, reporting had climbed to almost 50% for data-entry simulated phishes and just under 25% for click-only.
In other words, employees had learned to identify basic phishing attacks.
Sometimes you need to “turn up the heat.”
The company’s CISO realized it was time to use more complex scenarios to further harden resiliency. The CISO pointed out that attackers don’t ask permission to launch sophisticated attacks, so the company had to be ready for anything.
To make scenarios tougher, the company added its branding to simulated phishes, plus mirrored complex phishing attacks it had seen in the wild. By upping the difficulty, the company figured susceptibility would increase, at least temporarily.
That’s exactly what happened. A phishing email pretending to be about manager evaluations, a scenario common to most organizations, fooled nearly 37% of recipients. But a month later, another office-communication phish, relating to time-off requests, elicited a click rate of just 12%—evidence the company did a good job of educating employees, especially those who had clicked the month before.
Not only that, reporting levels held steady during the same period, remaining higher than rates of user susceptibility. In fact, in a recent simulation the first email was reported before anyone mistakenly clicked. In a real phishing attack, the reported email would have been actionable information incident responders could use.
Smart next steps.
The company anticipates that employees will keep getting better at spotting advanced phishes. As susceptibility rates level out, employees should expect to see even tougher scenarios.
Again, these will likely include emails based on active threats, in particular emails purporting to come from internal sources. According to Cofense’s 2017 Phishing Defense and Resiliency Report, these kinds of “business process” scenarios are among the most effective.
One great source of complex scenarios: Cofense IntelligenceTM, our phishing-specific threat intelligence which helps organizations stay in front of attacks. You can use this service’s insights to keep your scenarios relevant.
Important note: it’s wise to mix in complex scenarios vs. abandoning basic phishing scenarios altogether. Users need to prepare for both, since attacks come in all degrees of complexity. Also, you don’t want users to be afraid to open legitimate emails from HR or other teams. If you’re not sure about the right mix, Cofense’s Professional Service Team can help.
When it comes to battling phishing, you can never say “mission accomplished.” But refining your defenses like this client did is an accomplishment in itself.
Learn more about phishing defense in Cofense’s 2017 Phishing Resiliency and Defense Report.
Over the past couple of days, the Cofense™ Phishing Defence Centre has observed multiple campaigns that prompt the user to download what appears to be a life insurance invoice. The “invoice” gets delivered in the form of a zip file that contains a LNK file with content crafted to create an effective malware downloader tool. The malware it delivers: Ursnif.