This Employee Satisfaction Survey is Not so Satisfying… Except for the Credential Phishing Actors Behind It.

By Max Gannon, Dylan Duncan in Cofense Intelligence

Cofense Intelligence has tracked a complex credential phishing operation that evades Microsoft Office 365, Cisco Ironport and Mimecast Secure Email Gateways and has been active since at least December 2019—a very long time for an active credential phishing campaign. The use of a series of convincing tactics suggests that threat actors have taken great effort to create an air of authenticity for targeted recipients. Targeted users receive an email, supposedly from their HR departments, mandating that they complete a SurveyMonkey employee satisfaction survey. The convoluted attack chain uses trusted sources and eventually redirects to a real SurveyMonkey survey, allowing the threat actors to evade detection, and provides recipients with the end results that they expect – a real survey.

This credential phishing chain begins with an email (Figure 1) containing a link to a PDF hosted on the legitimate cloud service provider Hightail. The email itself contains multiple tactics, techniques, and procedures (TTPs) to deceive the end user. These TTPs consist of a seemingly legitimate Hightail spoofed email address ‘delivery @ spaces[.]hightailmail[.]com,’ fronting as a target’s HR department. The email creates a sense of urgency, indicating the survey is mandatory, requires action, only takes a few moments to complete, and will benefit the targeted employee.

Figure 1: Example of one original email sent to targeted recipients

After following the link to Hightail, a PDF is downloaded (Figure 2). Within the PDF, the from, subject, and message fields match the email line-for-line. The URLs for Hightail contain the recipient’s email address encoded in the URL path, and with the page hosted by the threat actor, these collected URLs could be decoded to gather the email address before they access the PDF. Hightail provides a preview of the PDF before downloading (Figure 3), which shows a faded survey and an icon that appears to lead into the survey.

Figure 2: The Hightail web page hosting a PDF that recipients are encouraged to download

Figure 3: A preview of the PDF hosted on Hightail, encouraging the user to participate in the “mandatory” survey

Once the PDF has been downloaded, a ‘Take Survey’ icon links to one of many credential phishing URLs used in this scheme. As displayed in Figure 4 below, the phishing URLs often change with each different PDF, but continue to remain consistent with the theme of an HR Department survey.

Examples include:

  • hxxps://hrsurveyportal[.]work/Start/
  • hxxps://my[.]hr-portalsurvey[.]work/

A complete list of identified URLs was used in different PDFs and is included at the end of this document in Table 2. This kind of differentiation allows the threat actors to maintain an appearance of legitimacy in their phishing URLs, while making it more difficult to defend against these attacks by shunning previously used or shared URLs.

Figure 4: PDF with an embedded link to a credential phishing website

This credential phishing campaign, and its variants, have been operating since at least December 5th, 2019. In most of these identified campaigns, the credential phishing pages were the same spoofed “Norton Secured” page, seen in Figure 5, regardless of the URL or the original target company. Older campaigns, primarily seen in December and January, mostly used appspot[.]com sub-domains rather than HR department themed domains and all led to pages like the one shown in Figure 6.

Figure 5: Spoofed login page where credentials are harvested

Figure 6: A less convincing example of a credential phishing page identified in this broader campaign.

When a recipient enters his or her information in any of the credential phishing websites, the data is sent via an HTTP POST to the URL shown in Figure 7. This is most commonly hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/. Much like the hrsurvey[.]work URL variants designed to provide an additional sense of legitimacy, this URL also spoofs “Norton Secured”. Recipients are then immediately sent to the SurveyMonkey survey shown in Figure 8.

Figure 7: Credential phishing page source with the highlighted URL where credentials are posted and recipients are redirected.

Figure 8: The final SurveyMonkey survey

The SurveyMonkey survey shown in Figure 8 is of particular importance. First, this survey link is either legitimate and has been repurposed by threat actors, or threat actors themselves went to the effort to create it. Either way, the detail and effort involved in the survey indicates the possible intent of the threat actors to use the survey as a long-term resource across multiple short-lived credential phishing pages. Secondly, this survey leads targeted recipients to a credible conclusion—ending the attack chain in a way that would not leave recipients suspecting that anything suspicious had happened. Many credential phishing campaigns end by redirecting a user to a generic page or displaying a login error message, which can cause users to stop and consider potentially harmful activity that had occurred, leading them to warn others or report the original email. By avoiding such suspicious signposts, the threat actors can further protect their infrastructure and avoid detection.

This campaign presented a convincing impersonation of an HR department delivering a mandatory survey to its employees. The final destination of the chain was a survey hosted on SurveyMonkey—leading recipients to believe that nothing was wrong. The choice of the campaign endpoint—a survey hosted on a well-known legitimate site, rather than an obvious error message or redirect—indicates a level of attention above and beyond what is usually exhibited by credential phishing adversaries. Additionally, custom domains were used to host the credential phishing infrastructure rather than compromised domains, as is often the case with simple credential phishing. Cofense Intelligence assesses that this campaign was carefully designed with long term capability and minimal detection in mind. This has no doubt allowed for the repeated success of this campaign—also quite unusual when it comes to credential phishing.

Hightail Hosted PDF URLs
hxxp://spaces[.]hightail[.]com/receive/gmaTEP8hhh/
hxxp://spaces[.]hightail[.]com/receive/GvXjcQjRac/
hxxp://spaces[.]hightail[.]com/receive/gWGl9E9QrM/
hxxp://spaces[.]hightail[.]com/receive/hiasiM3Bc4/
hxxp://spaces[.]hightail[.]com/receive/Huh5Kd9ngs/
hxxp://spaces[.]hightail[.]com/receive/N2hZnCrDRr/
hxxp://spaces[.]hightail[.]com/receive/NewA1DfvtL/
hxxp://spaces[.]hightail[.]com/receive/pvHwWmHUxB/
hxxp://spaces[.]hightail[.]com/receive/rlTbN1a1sV/
hxxp://spaces[.]hightail[.]com/receive/wgmOI2E6VF/
hxxp://spaces[.]hightail[.]com/receive/yGDAtZ2Cld/
Credential Phishing Pages URLs
hxxps://hrsurvey[.]work/Home/
hxxps://hrsurvey[.]work/hr/
hxxps://hrsurveyportal[.]work/begin/
hxxps://hrsurveyportal[.]work/secure/
hxxps://hrsurveyportal[.]work/Start/
hxxps://my[.]hr-portalsurvey[.]work/
hxxps://my[.]hrsurveyportal[.]work/
hxxps://my[.]worksurvey[.]work/
hxxps://secure[.]hrsurveyportal[.]work/
hxxps://mwz1552alry[.]appspot[.]com/
Redirect URLs
hxxps://csosun[.]org/administrator/manifests/login[.]php
hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/
Hosted Survey URL
hxxps://www[.]surveymonkey[.]com/r/2MHSTQ8
Downloaded PDF Files MD5 Hash
Employee Satisfaction Survey.pdf d61822e79a797356598b6296af360f3e
Employee Satisfaction Survey.pdf b760297ada010198d40f585206e2c769
Description Indicator
Cofense Intelligence ATR ID 36729
Cofense Triage Yara RULE PM_Intel_CredPhish_36729

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 36729.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Innovate to Exploit COVID-19, Delivering OpenOffice .ODP Attachments on a Shoestring Budget

By Tonia Dudley, Cofense Security Solutions

Have you ever paid an invoice delivered in PowerPoint file, similar to Figure 1 below? No? Me neither. An accounts reconciliation aging report? Don’t those typically get sent as a .PDF file so your auditor can ensure you haven’t “adjusted” the report?

Figure 1: Phishing email with fake invoice delivered via an .ODP file, appearing as a .PPT file

We recently uncovered a new, previously unseen tactic used by threat actors eager to capitalize on organizations’ concerns around COVID-19. The threat actors use an OpenOffice file format as an .ODP file, recognized by Microsoft as .PPT file, thus leading unsuspecting users to easily recognize the PowerPoint icon.

But let’s go back to the emails that included this file type. Would you receive an email to process an invoice that used a PowerPoint file for this transaction? It’s no wonder a well-trained user was able to spot this email as suspicious and reported the message to the Cofense Phishing Defense Center.

As we continue to monitor suspicious emails related to COVID-19, both seen in the wild and reported by our customers, we noticed a few interesting tactics used in the email (Figure 2 below) that leverages the OpenOffice format to trick unsuspecting employees into opening the document. The email message is fairly basic and contains some simple phishing indicators. The salutation is generic and an incomplete sentence – “Good morning.” Is this how you punctuate this salutation? Speaking of punctuation – they also used a period after “signing” their name “Donna.” at the end of the email.

When digging into the header information, it was, however, surprising that this email was flagged as “Received-SPF: Fail”. Organizations have spent a great deal of time setting up and configuring DMARC, DKIM and SPF, and the message is delivered to the inbox? We’ll give this organization the benefit of doubt and assume they’re still finetuning and configuring that control.

Yet the most interesting part of this phishing email is the attachment itself – we had never seen an .ODP file type in a phishing email before.

Figure 2: Phishing email delivering an .ODP file masquerading as a COVID-19 preparation guide

In an effort to ensure our customers can detect this new tactic, we wrote a YARA rule to look for any OpenOffice file type. This new search took us back to late January to find the use of the .ODP filetype. It also bubbled up another OpenOffice file type of .ODT, displaying the MS Word icon to the user. In each of these files, the use case for the threat actor was to merely deliver the link to direct to the malicious website.

HOW COFENSE CAN HELP

Yara Rule: PM_LABS_OpenOffice_ImpressFiles

For more information and resources about COVID-19 related phish and malware, visit our Infocenter: https://cofense.com/solutions/topic/coronavirus-infocenter/

Every day, the Cofense Phishing Defense Center analyzes phishing emails that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Going Phishing in the African Banking Sector

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has uncovered a phishing campaign aimed at customers of African financial services group ABSA. Mimicking ABSA’s online banking portal, the adversaries attempt to steal users’ online banking credentials to gain access to their bank accounts.

The phishing email presents the end user with a couple of lines of text informing him/her of pending transfers from another bank that need authorization. The user must download and open the htm attachment “IBPAYDOC.htm” in order to connect to the online portal. The email does not present any indication of an attempt to imitate a legitimate ABSA communication, completely relying instead on the user’s misplaced curiosity.

Figure 1 (Email Body)

Phishing Portal

Upon opening the htm file, the user is directed to a fake ABSA online banking portal at hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php, which is almost identical to the legitimate ABSA portal, as seen in Figures 2 and 3. The user is prompted to provide an “access account” number, PIN and user number that are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php.

Figure 2 – Legitimate ABSA Portal

Figure 3 – Copycat ABSA Portal

Adversaries have hijacked the ahmadnawaz[.]org domain on which the fraudulent ABSA portal is hosted, belonging to Pakistani education activist Ahmed Nawaz, and created the “/ched” directory to store their php files and subdirectories as seen in Figure 4.

Figure 4 – Index of /ched

Next, the recipient is asked to provide a password in hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php. This request should tip off users for three reasons. First, ABSA never asks for entire passwords. Second, and in contradictory fashion, instructions for ABSA’s usual password requirements can be found on the right-hand side of the page. Although the password guidelines only require specific characters, the adversaries seem to have kept these in an attempt to make their fake portal look as genuine as possible. Finally, the user’s SurePhrase, part of ABSA’s SureCheck service, is missing. Upon entering their password, it is posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php.

Figure 5 – Fake password login page

The user is then directed to hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php, where a 60- second timer is displayed. Once it reaches zero, the user is instructed to provide a phone number and a code from the ABSA app. Verification messages are normally sent to the ABSA banking app. In this case, however, no such code is sent because the user is not accessing ABSA’s legitimate portal. The threat actors likely rely on curious or frustrated users who decide, nonetheless, to proceed with the login process despite not receiving a verification request, allowing them to steal additional personal information from the end user. The phone number and app code are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php.

Figure 6 – Timer in profile .php

Figure 7 – Verification Request

Finally, when and if the user provides the last two pieces of information – the phone number and app passcode – the next stop is hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php, where the aforementioned timer will run out and restart indefinitely. Figure 8 shows the complete HTTPS traffic.

Figure 8 – HTTPS Traffic Overview

IOCs:

Malicious URLs

hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php

 

Associated IPs:

74[.]63[.]242[.]34

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Utilizing YouTube Redirects to Deliver Malicious Content

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) recently observed an increase in phishing attempts that deliver phishing pages via YouTube redirects.

Threat actors often use social media websites as redirectors to malicious pages. Most organizations allow the use of platforms such as YouTube, LinkedIn, and Facebook and whitelist the domains, allowing for potentially malicious redirects to open without any fuss. In this case, anyone who clicks on the phish is taken to a phony login page designed to steal credentials.

Figure 1: Email Header

The phishing email originates from a newly registered fraud domain sharepointonline-po.com. This domain was registered on February 19, 2020 through Namecheap.

The threat actor in this scenario has posed as SharePoint, indicating that a new file has been uploaded to the company’s SharePoint site. Although the email may appear illegitimate to a trained eye, a curious or unsuspecting end user may click the button expecting to see a legitimate file.

The link embedded in the email is: hXXps://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompanyname[.]sharepointonline-ert[.]pw

Users are redirected to YouTube that then redirects to companyname[.]sharepointonline-ert[.]pw, which in turn goes to the final landing page of the phish located at:

hXXps://firebasestorage[.]googleapis[.]com/v0/b/sharepointonline-fc311.appspot[.]com/o/Sharepoint2019427c31ba-0238-4747-bfd3-13369aa06b4d427c31ba-0238-4747-bfd3-13369aa06b4d427c31bb%2Findex[.]html

So far, all phishing links from this campaign utilize some variation on sharepointonline-ert[.]pw, specifically sharepointonline-xxx followed by a variation of 3 letters with the top-level domain always being .pw. Each of these fraud domains are quickly registered with Namecheap and used for this campaign, which suggests the possibility of bot automation. The SharePoint redirection domains collected so far include:

sharepointonline-eer[.]pw
sharepointonline-sed[.]pw
sharepointonline-ert[.]pw
sharepointonline-eyt[.]pw

With this trend of 3 letter variations in mind, the use of redirects means there’s at least 17,576 possible combinations of this domain. However, with some clever use of regular expressions, domains following this pattern can be blocked as well as the attack that follows.

Following both the YouTube and fraudulent SharePoint redirects, users are then taken to a Google Cloud page that is configured with the final page of this phish. Because the page is hosted on a legitimate Google site, googleapis.com, its certificate is verified by what appears to be Google itself, thus furthering the illusion of a legitimate page. Use of this legitimate website allows the threat actor to sneak by any Secure Email Gateways (SEGs) or other security controls.

Figure 3: Phishing Page

Once end users click on the link, they are presented with a typical Microsoft branded login page. Nothing appears amiss–in fact, it is almost a perfect replica. The main differences are: the box surrounding the login is black instead of white; the small detail of the banner at the bottom has different information than Microsoft’s actual login; and the copyright year is showing as 2019.

The recipient email address is appended within the URL, thus automatically populating the login box with the account name. Once users provide their password, it is sent to the threat actor.

Network IOCs
hXXps://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompany[.]sharepointonline-ert[.]pw%23john.smith@company.Com&=company=company&redir_token=-N5bmOAEmF36DCYcYY25tfVENgB8MTU4MjIwMTEyOEAxNTgyMTE0NzI4
hXXps://firebasestorage[.]googleapis[.]com/v0/b/sharepointonline-fc311.appspot[.]com/o/Sharepoint2019427c31ba-0238-4747-bfd3-13369aa06b4d427c31ba-0238-4747-bfd3-13369aa06b4d427c31bb%2Findex[.]html

 

HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe. To remove the blind spot, get visibility of attacks with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36586.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actor Uses OneNote to Learn Credential Phishing and Evade Microsoft and FireEye Detection

By Max Gannon

Cofense Intelligence recently uncovered a long-term phishing campaign wherein a threat actor experimented with a OneNote notebook hosted on OneDrive to deliver both malware and credential phishing. Thanks to the ease of use and accessibility of OneNote, the threat actor was able to update a “phishing notebook” multiple times a day, experiment with various intrusion methods, and improve the odds to successfully evade email security controls. Numerous Agent Tesla Keylogger payloads as well as links to different credential phishing websites were included in the campaign. By using a public repository, the threat actor left an easily trackable trail, giving crucial insight into the process and planning involved in abusing trusted cloud hosting sources.

We investigated the experiments housed in this OneNote notebook and found multiple sites and templates the threat actor tested. Figure 1 shows an example email delivered by this threat actor, which was found in an environment protected by Microsoft EOP and FireEye enterprise gateways.

Figure 1: Original email with link to OneNote, leading to a tiny[.]cc link

Cybercriminals can leverage a wide array of trusted cloud hosting sources for credential phishing. Most commonly, a convincing page contains a link to a malicious external website that houses the actual forms used to harvest information. This kind of page can be an image or document hosted on Microsoft Sway, Microsoft SharePoint, Google Docs, or even Zoho Docs. An example from the OneNote was hosted on Zoho Docs, as shown in Figure 2. Note that when looking to download the invoice, the threat actor used the SmartURL link shortening service to circumvent security scanners and trick end users.

Figure 2: Document hosted on Zoho Leads to credential phishing website

The OneNote also housed an example demonstrating how threat actors take direct advantage of a trusted service. In Figure 3, Office 365 credentials are phished through Google Forms, which threat actors can access in their Google accounts. Having a readily accessible service that requires no maintenance and effectively acts as a free database significantly lowers the upkeep needed for the credential phish. A downside is that these services have evolved to look for nefarious activity, and Google displays a warning at the bottom of the form that warns the user to “never submit passwords through Google Forms.” Other services such as Microsoft Forms and survey sites can also enable this type of attack.

Figure 3: Google forms credential phish

Another less common, yet noteworthy, technique is to host a document on a file-sharing site and entice end users to download and open the file. Files housed on DropBox, OneDrive, Google Drive, Box, and other popular services lure email recipients into clicking a link or entering credentials into a form that exfiltrates back to the threat actor. Ultimately, users face some spoof or bait that exploits innate trust for nefarious purposes.

On one end, legitimate cloud hosting services continue to improve their defenses against some of these attacks. Even if only used as an intermediary, takedown requests and scanning solutions aim to remove malicious content as quickly as possible. This response is usually in the case of malware or well-defined phishing portals, which do account for the bulk of the abuse. However, multiple exceptions exist, such as the use of Microsoft OneNote. Given that an operator can update OneNote notebooks at any time, takedowns become more difficult as the threat is harder to track. In this particular case we investigated, OneNote was updated ten or more times a day, consisting not only of changes to the links leading to external credential phishing pages but also to the makeup and “template” of the page itself. OneNote has a version history tool that enables some limited forensics for investigators, but it is relatively easy for a threat actor to remove prior versions. In this instance, the actor did not remove the version history until later in the experimentation process.

Cofense Intelligence tracked content updates by this threat actor over the span of two weeks. Examining the “version history” of these pages over time revealed numerous progressions in the layout, malware, and credential phishing pages. The threat actor went through four templates that delivered a credential phishing portal and unique malware samples. Figure 4 highlights the evolution cycle, as each template underwent several revisions and variations.

  1. In the first template, the operator chose to send two URLs: one with an Office 365 credential phishing site, and another that downloaded malware. Both links were later changed to download malware samples instead of the lure portal.
  2. The second template offered a single link, directly straight to the same Office 365 credential phishing site but on a different URL path.
  3. No credential phishing link was found in the third template, offering a link to different malware versions that the threat actor updated several times.
  4. The fourth template features a phish-only link yet again that alternated between providing one of several different Office 365 credential harvesting portals.

Figure 4: OneNote template progression

In all cases where malware was delivered, the malware was a “first stage” downloader, attempting to download an encrypted binary that then decrypted and ran in memory. This binary proved to be the Agent Tesla Keylogger, tasked with collecting and exfiltrating stored logins and keystrokes. Initially, the two “first stage” malware downloaders had their encrypted payloads stored on Google Drive. Newer loaders attempted to fetch payloads from a compromised host, the same host that provided the malware downloaders. The newer loaders did, however, fail to accomplish their tasks due to improper customization by the threat actor. Such error is indicative of a less-capable operator who leverages premade kits but falls short on modifying them.

Like many other phishing sites hosted on OneNote, this threat actor’s primary objective was to steal credentials. A short experiment of delivering Agent Tesla Keylogger proved lackluster, leading the operator to shun malware use in the long-term. This particular threat actor likely decided against using Agent Tesla due to a lack of experience, indicated by the several improperly configured versions of the malware. However, if threat actors continue to use a source typically exploited for credential phishing to deliver malware, this could quickly become problematic. Based on the inherent risk posed by trusted sources, traditional protections trained against OneNote and similar services may prove ineffective. If not properly addressed, this could pave the way to a prolific infection vector for malware.

Table 1: Indicators of Compromise

Description Indicator
Cofense Intelligence™ ATR ID 35838
Cofense Triage™ YARA Rule PM_Intel_AgentTesla_35838
URLs Embedded in Email hxxp://tiny[.]cc/5n9wiz
hxxp://tiny[.]cc/fo9wiz
Destination URL Hosting OneNote Notebook hxxps://1drv[.]ms/o/s!Ap0JWbG5JDSSgQhsghgIsxdnVKZi
Phishing URLs hxxps://correlimmigration[.]com/wp-content/plugins/office_support
hxxps://relife-neiro[.]org/wp-content/Office_Mail/
hxxps://theloghomeshows[.]com/wp-content/Office_Support
hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/Office/
Malware Download URLs hxxps://www[.]farcastbio[.]com/wp-content/invoice%20file[.]pif
hxxps://www[.]hbyygb[.]cn/wp-content/file[.]ace
hxxps://www[.]hbyygb[.]cn/wp-content/File[.]iso
hxxps://www[.]hbyygb[.]cn/wp-content/invoice[.]ace
Malware Payload URLs (From Malware Downloader) hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/file1_encrypted_9099BFF[.]bin
hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/file1_encrypted_B73A83F[.]bin
hxxps://drive[.]google[.]com/uc?export=download&id=1esad4jMAIdWBj8XwsKCpjULr_9WHLURU
hxxps://drive[.]google[.]com/uc?export=download&id=1FwNTU5RN6QOQzvolLFC5ipjsf1a88457
Malware C2 (From Agent Tesla Keylogger) mail[@]winwinmax[.]xyz

HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and the “Order Invoice-Agent Tesla Keylogger” template based on this threat, and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

Update March 5, 2020: FireEye provided the following statement after reviewing our blog post: “As a member of the research community, FireEye extensively tracks campaigns targeting SaaS providers and end users in order to keep up with new adversary techniques. The company first saw this OneNote campaign on January 20th, 2020 and quickly deployed temporary protections. By February 7th, FireEye had added a new OneNote detection capability to FireEye Email Security, a service that is capable of preventing the attacks referenced in this blog post, in addition to new OneNote-based campaigns.”

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Organization of Post-Soviet States Spoofed in Phishing Email

By Julie Hall and Dylan Duncan,

Cofense IntelligenceTM has detected a Russian language credential phishing campaign, spoofing a well-known financial organization, that delivers a malicious PDF to end users. The phishing campaign spoofs the Commonwealth of Independent States (CIS), a legitimate post-Soviet nations organization portal, and claims to offer ruble compensation. The is delivered with a blank phishing email containing a PDF file that includes a redirect link to a Russian language phishing site. Cofense has observed the phish making its way through Microsoft’s EOP Secure Email Gateway and it may have bypassed others.

Notably, all domains that Cofense Intelligence has recorded in this campaign contain valid certificates and were recently registered between November 19th and December 1st, 2019. Figure 1 presents the phishing email that contains no context, just a PDF attachment.

Figure 1: Phishing Email

Using a simplistic and blank email generally results in only curious, unsuspecting recipients being automatically directed to the phishing portal. However, in this phishing scenario, once the PDF is opened, the recipient is presented with an image and a link, as shown in Figure 2.

Figure 2: PDF File

Clicking the hyperlink, which requests the end user to review a document, redirects to a phishing site, as shown in Figure 3. The phishing attack consists of multiple steps. The spoofed financial service claims to offer eligible citizens monetary compensation; however, they are only given a limited time frame to register their claim. To claim the compensation, visitors must submit a bank card number and a Voila (cryptocurrency token). After providing the information, users are prompted to pay a randomly generated fee before receiving the compensation.

Figure 3: Landing Page of Phishing Attack

As a false sense of authenticity, every 30 to 60 seconds the site generates one of 10 pop-ups claiming that a user has received compensation (see Figure 4). Also, the site accepts all inputs and does not conduct any validation; therefore, all visitors are at risk of navigating their way through all of the steps. This combination of techniques—the limited time frame, spoofing of a legitimate organization, a large compensation offer, and the registered domains with valid certifications—create a sense of legitimacy and builds excitement and urgency for recipients. These Tactics, Techniques, and Procedures (TTPs) cloud judgment and lower the victim’s guard.

Figure 4: Received Compensation Pop-Up

The domains contain an open directory with an accessible phishing kit, FKG.zip. The kit contains multiple HTML, JavaScript, and JavaScript Object Notation files. The .html files link to the web pages of the phishing attack while the JS and JSON files control the functionality of the phish.

In the file upssels.js, the domain clickpay24[.]tv is used as an API to accept the direct payments from the users. After completing each step of the phish, recipients are redirected to a payment site generated by clickpay24. The generated URLs follow the path az-payout.com[.]com/buy/<16 Integers> with random integers.

Preventing certain email-borne intrusions involves security awareness as the first line of defense. Alongside automated anti-phishing tools, educating company personnel on new phishing trends is the best way of countering a campaign such as this.

Table 1: Domains associated with the campaign

Domain Registration Date
h-formpay-a[.]top November 19, 2019
x-a[.]top December 1, 2019
Luckyclick[.]best November 24, 2019
m-f1[.]top December 1, 2019
c3p-cl[.]club November 29, 2019
o-k-f.aadfk[.]top November 28, 2019
m-go[.]top November 11, 2019

 

Every day, the Cofense Phishing Defense Center analyzes phishing emails that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34008.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Emotet Modifies Command & Control URI Structure and Brings Back Link-based Emails

By Noah Mizell, Cofense Phishing Defense Center

Emotet has been busy wrapping up the year with some minor tweaks to their client code and the reintroduction of some tactics that have worked well for them in the past. The botnet that began its life as a banking trojan in 2014 has proven to be a formidable threat to organizations around the world and shows no signs of stopping. Before we look at their recent changes, let’s begin with a quick review of some of the notable updates we have observed this year:

  • January 13, 2019 – The Emotet botnet reemerges from vacation to begin its first campaign of the year.
  • January 28, 2019 – Experimentation with Qakbot as a payload.
  • March 14, 2019 – The client code is changed to utilize a wordlist to generate random paths when checking into the Command & Control (C2) and now uses the POST method instead of GET. The use of JavaScript attachments is noted as well.
  • April 9, 2019 – The botnet operators begin using the emails that were stolen starting in the last part of their 2018 campaign. The use of stolen content provides the ability to create spear-phishing like emails on a scale never seen before.
  • May 31, 2019 – Emotet goes on summer vacation shutting down a large part of its infrastructure.
  • Sep 3, 2019 – C2 begins to come back online.
  • Sep 16, 2019 – Spamming operations resume. Link and PDF attachment based emails are very limited. The vast majority of their campaigns are macro document-based. Heavy use of the reply-chain (stolen email) tactic is observed.
  • Large deployments of TrickBot and Dreambot are used as secondary infections throughout the year.
  • The term “Triple Threat” is created to note the high incidence of Emotet -> TrickBot -> Ryuk infections seen in the wild, leading to massive ransomware payments and a great deal of lost time and money for many government and private organizations.

Starting on November 27th, we noticed a change in the way the Emotet client code was checking into the C2 servers. Gone are the random paths utilizing the word list (figure 1) that was seen in the past.

Figure 1: URI structure introduced in early 2019

Figure 2: The new URI structure seen as of Nov. 27

The clients are now adding a path that, at first glance, appears to be a random string with a minimum length of four characters.  A slightly deeper investigation into this traffic shows the path is actually the key from the key/value pair in the posted form data.  This change is odd, as it does not actually alter the check-in data in any meaningful way and appears instead to be more cosmetic in nature. This leads us to believe that it may have been a rudimentary attempt at identifying researchers who are running emulation code alone, as their check-in structure would not have dynamically changed when the code base was updated.

Figure 3: Example Emotet delivery email

Another noted change was the reintroduction of link-based email templates. We have seen Emotet emails use links with great success in the past. For unknown reasons, the threat actors did not seem to use them when coming back from summer vacation. In all likelihood, they are using them now to maximize their victim count before breaking again for the winter holidays.

We have included a listing of some of the URLs seen on the first day back further below.  Heavy distribution of TrickBot has also been seen in recent campaigns as a secondary infection and may be a money grab to fund their holidays.

Figure 4: Example Emotet delivery email

As with past campaigns, we have also seen an uptick in the use of shipping company themed emails to coincide with the holiday season, a recurring theme for the actors around this time of year. One change to the email templates that appears to be a new lure is an “Open Enrollment 2020” theme to entice users who have not yet decided on their insurance program for the upcoming calendar year.

The Emotet actors are masters at creating email templates that exploit a user’s emotional response, and this is a prime example.

Cofense’s research teams – Cofense Labs, Cofense Intelligence and the Cofense Phishing Defense Center – actively monitor the Emotet botnet to identify phishing threats that may impact customers and to provide security operations with the latest campaign data.

 

HOW COFENSE CAN HELP

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center are reported by end users and bypassed technical controls that were in place to protect them.

Cofense PhishMe offers a simulation template, “Order Confirmation – Emotet/Geodo,” to educate users on the phishing tactic described in this blog. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34580.

Quickly turn user reported emails into actionable intelligence with Cofense Triage and reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

hXXp://3mbapparel[.]com/ce8p4mw/Scan/23sr2r3h-227136449-4100-o7f3aukln-5ek9w7yx/

hXXp://abbasghanbari[.]com/cgi-bin/m2gx-j9l-2674/

hXXp://abis[.]abis-dom[.]ru/wp-content/multifunctional-zone/external-portal/XKnI9c95VXtO-2koeL1odjG8e45/

hXXp://adrianoogushi[.]com[.]br/blogs/available-resource/test-forum/CO37HIcUG-4KiqqruHlj9/

hXXp://agramarket[.]com/wp-admin/554841538461/9igxpru22w-3404-624501945-dtenc-cvona7/

hXXp://agramarket[.]com/wp-admin/images/Document/

hXXp://aijiuli[.]com/wp-content/common-3644746801311-F61eGi6VrRfSERpV/guarded-722116w-9jx99j5uyog/2b51q65tivz3f97-3vw70xy142675/

hXXp://alfaem[.]by/wp-includes/wcevu12a6j/ui13miem-1842496-647941-b1maguvyl7-0wm1/

hXXp://allgamers[.]ir/wp-content/6270900376591-TrHEgUBtm-sector/verified-portal/3rw-x42z0/

hXXp://aminulnakla[.]com/test/5mpub-u9jdh-1356/

hXXp://amoutleather[.]com/a/multifunctional_9313571_Y9mwVe/additional_forum/EAvHHxYA2_z07m8sM36w72/

hXXp://anantasquare[.]com/wp-content/Documentation/1yzenuu55v/zdx0oqd5mp-79785-92241-lqk84aode-i65yma2m1/

hXXp://andishkademedia[.]com/wp-includes/8vcppv-4l1-885316/

hXXp://anhjenda[.]net/wp-content/vmpyh5c3pi/

hXXp://anjumpackages[.]com/nrri/private_44709616882_WQZDa1KAyj/corporate_V6tkmPmj_jRcx2PfQ/on3_1v7649ys6t1/

hXXp://aquimero[.]net/wp-includes/8gdm6-y4kj-461/

hXXp://archinnovatedesigns[.]com/wp-includes/464728-V0rjOQkXZi4SSiW-disk/580333-3VP9JZcfWI6-cloud/028eeth-vu553tyw/

hXXp://arielcarter[.]com/j7foqo2/DOC/iqrh6hczo0cw/

hXXp://arttoliveby[.]com/yyrye/private_86192_eZoBMjbfcDvuPq/test_cloud/ws3uh67ha1tup_5128t108/

hXXp://auliskicamp[.]in/wp-admin/common_resource/verified_vZUVdO8ppY_CWfMSl2yMCEH/bgJEju1jvH_3iNK6o4Ii4G/

hXXp://awooddashacabka[.]com/yt46/open-box/individual-area/yNmy5HQif-8o8tG738h2/

hXXp://babdigital[.]com[.]br/wp-content/esp/6v5nej75l/

hXXp://bakeacake[.]com/wp-admin/available-disk/security-warehouse/z1XGaZ-NemjMNrc3a/

hXXp://bassigarments[.]com/wp-content/personal-592742204-WBrGGz/4469690-7SOBhN7gbB7s-area/b90h417-wtxsw/

hXXp://batdongsanhathanh[.]net/wp-admin/open-resource/568A8V-ILYyxINK-profile/jdux7bsdp-twyu179678t1/

hXXp://beiramarsushi[.]com[.]br/1g3ld9f/closed_n941_aUn1fAfrvX8Bhu/test_warehouse/6N1JhlV_M8oi1aM9Gyw/

hXXp://best-fences[.]ru/css/4ey-6v7y0-5856/

hXXp://betaoptimexfreze[.]com/bebkat/Reporting/9zooeodt/x827ofzp-289202990-87262-q99cri9-xr06/

hXXp://bgctexas[.]com/quietnightcompany/xb1k2g9/personal_zone/test_WlYEqat2Ie_OgiyQ9W40qCyP/bw54a4lhlrx_9636w4uu0xsxt1/

hXXp://bilgigazetesi[.]net/a6lwm1m/open_sector/special_forum/Ej4oMEQf3AN_Gudt5tx97J/

hXXp://bimattien[.]com/wp-admin/eTrac/ld6u234c3/ga438o-5744266-474284-eejhd-5ctewz/

hXXp://blicher[.]info/wp-includes/KPrV/

hXXp://blog[.]inkentikaburlu[.]com/70jjm53klo/sites/2yd7bvuh-505209-64670737-fr4vs-t7zp3cjl0/

hXXp://blog[.]sawanadruki[.]pl/wp-content/uilb8dz6_hwpeyvx_sector/security_warehouse/0gKrzfjYpvFO_3yLM891Meliz/

hXXp://blogkolorsillas[.]kolorsillas[.]com/wordpress/xnq1k-rkkl-803/

hXXp://bluemedgroup[.]com/wp-admin/mnfd8_nbij_436575782_UQEO1IVCs4LqadTV/security_profile/XODmvThQGR7_H7vrzccMec5/

hXXp://bmrvengineering[.]com/wp-admin/FILE/

hXXp://bookitcarrental[.]com/wordpress/INC/iddp2ggtm/eccvup8c-3843-818470-69yg4b28wh-w1kxriyo/

hXXp://bupaari[.]com[.]pk/RoyalAdventureClub[.]com/eTrac/ncevpoamvlp0/

hXXp://buyrealdocumentonline[.]com/wp/Documentation/d7mz-688402499-7314933257-fkwggnu-t4ybrvaf7/

hXXp://cabosanlorenzo[.]com/wp-load/protected-resource/verifiable-tk2c-3kfk3g9iz/ebub24rmzo8-9u88717yx935/

hXXp://cacimbanoronha[.]com[.]br/wp-content/Scan/

hXXp://caotruongthanh[.]com/wp-admin/qeku-4ys4-83891/

hXXp://carolscloud[.]com/media/public/

hXXp://carolzerbini[.]com[.]br/6ttp7t0/Overview/qoawf12j0jbp/

hXXp://carvalhopagnoncelli[.]com[.]br/lvqhz/Overview/0rrnguk8z/lg4qyh7-338411-43458560-pp7dts1ba-3msz/

hXXp://cas[.]biscast[.]edu[.]ph/updates/personal_sector/verifiable_warehouse/D3buvGg_1yyMJGrM6gp/

hXXp://casaquintaletcetal[.]com[.]br/e6viur/04383245_xZw1ZKxX_41063_29gQlRhcVl5eGs/additional_area/4004h_s035tt6461/

hXXp://casinovegas[.]in/cgi-bin/protected_module/additional_warehouse/NzQU7EbxmY_mLobpJqHn8Lh8/

hXXp://catchraccoons[.]com/wp-admin/open_9135304_x3VG052S9vjEZN/external_warehouse/AgnasV_o0M4JIrNt67j/

hXXp://caughtonthestreet[.]com/sh5bne/available_sector/test_mhc3xk01u_if5a3isqhztj4/fwpqcd9admvnur_yuu17s15/

hXXp://cetpro[.]harvar[.]edu[.]pe/dup-installer/2i5i_r76gl3x5v6vge_disk/individual_profile/NrWPp5_3Hj0zszymw/

hXXp://championretrievers[.]com/wp-admin/paclm/mdjx-81327-4043-zujiz-uoi7hp59w4/

hXXp://charger-battery[.]co[.]uk/chargerimages/Reporting/

hXXp://chatnwax[.]com/dir/RRETX2MC9ZE7/syc01o4x/

hXXp://cheappigeontraps[.]com/wp-admin/personal-resource/guarded-gueidxaiga-544/a4hko1sshe-6530yx62/

hXXp://cheapraccoontraps[.]com/wp-admin/parts_service/zn6iszxroew/0vqf-97169-6342681145-z9iyge-xws5/

hXXp://cherrypointanimalhospital[.]com/new/parts_service/po53iyxo22m/

hXXp://chintamuktwelfare[.]com/wuvke31kdk/open-array/open-space/j2hg7S-Mseglc5d/

hXXp://chongthamhoanglinh[.]com/cgi-bin/Reporting/

hXXp://chooseyourtable[.]sapian[.]co[.]in/wp-includes/x3qc-azmz9-340871/

hXXp://clurit[.]com/matematika/images/content/open-array/additional-portal/open-array/additional-portal/3qZqx-tb7HH2KcNhHi82/

hXXp://collegebolo[.]in/wp-content/OCT/i91smxgw72t/iayid-933690-003423-pxhqzu7z4-e9fxqjnvn/

hXXp://collegiatevideoscout[.]com/piq88y/multifunctional-zone/verifiable-portal/vzwsusvfoq2kbmt-y496uwt7xz68uy/

hXXp://compworldinc[.]com/browse/4ni6zf2fq/

hXXp://contestshub[.]xyz/wp-content/evfch-p40-368725/

hXXp://cosmeticsurgeoninkolkata[.]in/wp-content/multifunctional-zone/security-space/oG7v7CkLAl-jz0rugqbjvi73/

hXXp://cosmicconsultancy[.]in/custom-icons/Reporting/

hXXp://cp[.]3rdeyehosting[.]com/wp-includes/esp/

hXXp://crazyroger[.]com/cgi-bin/1710496674006_01bd6Zeef0mCJ_disk/external_forum/4dwy_zxz36x4/

hXXp://creatitif[.]com/wp-admin/Reporting/

hXXp://croptool[.]com/theblackjackmob/Documentation/

hXXp://crownedbynature[.]com/jtaa6jtb/LLC/

hXXp://csa[.]cries[.]ro/ckjca7/11206-JdwhXBh41Cj8irAC-resource/individual-warehouse/ay7fc9ll3dnke7e-4yw99s2t6w/

hXXp://csrngo[.]in/alfacgiapi/15vu8s-c85u1-9139/

hXXp://daisybucketdesigns[.]com/pocketframes/images/aci32rk/eTrac/5w4kiwqito3r/

hXXp://dalao5188[.]top/wp-content/open-sector/test-forum/f0pqn-5328/

hXXp://dastsaz[.]shop/wordpress/private_array/verifiable_forum/BpajlMaeH_297iwG6jj7pGc/

hXXp://datrienterprise[.]com/wp-content/eTrac/7qzoqzrkjyuc/

hXXp://demo[.]bragma[.]com/site/pt48-pk3089b-682065491-ZkL2pS9yz/open-warehouse/LXWiJKrI-62Hui1o9a/

hXXp://demo[.]podamibenepal[.]com/superior/t2c-jpip6-22/

hXXp://demo[.]tanralili[.]com/apehhpf/INC/

hXXp://designers-platform[.]com/binzbc/FILE/a69zlr8/

hXXp://dev[.]consolidationexpress[.]co[.]uk/wp-admin/closed_sector/924553_1wSxAW2z_portal/2EI6ej9js5j_15M1p7xI9Gov/

hXXp://diamondbreeze[.]com/wp-content/docs/ig220w-64348062-050708-0o2ix-nk0skuh0/

hXXp://diecinuevebn[.]com/cgi-bin/protected-disk/verified-forum/ah7hwmjvvuuy84mx-t467s/

hXXp://diegojmachado[.]com/cgi-bin/open_sector/CLp2Etz_eUR1Q6uDDBgHkI_area/bDuOHXDda_cgI6sNcjl1gK/

hXXp://dishekimieroluzun[.]com/wp-content/DOC/

hXXp://dreammotokolkata[.]com/cqye/iaft92-6lplx-826/

hXXp://drsudhirhebbar[.]com/minds/private-sector/open-portal/rb2vj1kuwjbb-swuys/

hXXp://dubit[.]pl/site2/pxre-ns-297/

hXXp://dumann[.]com[.]br/z3gy5lb/sites/7bg1i8n2/jvsjhn3j-868085891-343651-sgosfko-20u4kmz2cb/

hXXp://elitexpressdiplomats[.]com/cgi-bin/available-array/guarded-5UJi7-pIM1v1g3Q6k6/whf6zxh-txsts2/

hXXp://empowerlearning[.]online/wp-admin/ruh006-rgkj-590/

hXXp://especialistassm[.]com[.]mx/inoxl28kgldf/docs/l5rbj6g/iibea-032709148-341719111-6r6auusna-6j9m/

hXXp://euonymus[.]info/twxppk/Document/7uo0t4osm95p/

hXXp://evokativit[.]com/TEST777/YHErlTl/

hXXp://evolvedself[.]com/dir/azpdj41_sugzd3yhwwsy_3709679_Rvta29FrYib/special_QDPYSSWZ1L_PJAv0ICNK1P/2Edulb_98mGeuzy3ty2Lz/

hXXp://extend[.]stijlgenoten-interactief[.]nl/test/Pages/w6014u-84395-6469-hthslxcbne-8vj2et4/

hXXp://finndonfinance[.]com/wp-content/Document/wjswrn1s/qgltg-85747767-49820504-2gz892-ydp6o4o4e/

hXXp://fooladshahr[.]simamanzar[.]ir/dup-installer/closed_box/interior_portal/0f6j5b5bga_06zs0/

hXXp://fozet[.]in/wp-content/eTrac/hb6yb86ei36/yrqsf32-172576671-4195092231-c97ty6f-5cu2q8hj8/

hXXp://freestyle[.]hk/picture_library/eTrac/s9shv2eo/

hXXp://frezydermusa[.]com/wp-content/parts_service/fisq814goap0/fhyl68-5565-326796-rr55j9spg-ug9mfyg/

hXXp://galeriariera[.]cat/assets/lm/g9zkvryjwq-0524005005-0333576-k58dqx5-326yx/

hXXp://gameonline11[.]com/wordpress/pqOAPS/

hXXp://gargchaat[.]com/phpmailo/lm/538skcfoe/7vps0iy-66657310-44075-q2gbc4-2vhp2c/

hXXp://gayweddingsarasota[.]com/cgi-bin/esp/68f6yd4ehwdr/

hXXp://gayweddingtampabay[.]com/cgi-bin/private-2828581710383-rNH3ETP8sT2ggXrt/additional-forum/DEsne0OE5vz-KmmglLMf/

hXXp://geekmonks[.]com/cgi-bin/common_sector/special_forum/9cfuf_ts9y4twzx0709/

hXXp://germxit[.]mu/calendar/4rxl-2932-78/

hXXp://gestto[.]com[.]br/wp-lindge/Scan/

hXXp://getabat[.]in/wp-content/closed_module/test_88i6oai_sjwnuscqjjl/abgyQKwZhv6i_inKjGl8hG98/

hXXp://globalstudymaterial[.]com/pdf/available-zone/individual-warehouse/vWOq8gdCRu0-ra1nf24iHayat/

hXXp://goldinnaija[.]com/wp-admin/sites/xaz6-030261-0911995608-sm9u-99rd1/

hXXp://gomaui[.]co/wp-includes/personal-resource/test-area/a9kj-wsuyvw59t/

hXXp://grace2hk[.]com/b6vg89hb/common_sector/security_forum/4tx_uu501xxxs/

hXXp://grahaksatria[.]com/towed/private_box/additional_forum/x1T0kdo_q89uLjatbqJ8/

hXXp://greatercanaan[.]org/wp-admin/Document/kqfz63hy/

hXXp://grocery2door[.]com/nkpk/97_dwi59_03276182_sJsjrqR/corporate_warehouse/13wrnaGqqET_lIy0l5eJsNdIc/

hXXp://groovy-server[.]com/masjid/backend/web/assets/rhhl/

hXXp://group8[.]metropolitanculture[.]net/wp-admin/multifunctional-sector/verifiable-cloud/l0q-4vww/

hXXp://haoyun33[.]com/wordpress/browse/9kmt2hi/

hXXp://hasung[.]vn/wp-includes/1bvxk7fvre5_lnci6bcnim_resource/special_forum/5BZ0CZ_p4052N871e/

hXXp://hfn-inc[.]com/mail/available-box/security-PgUqz6ktI-GY00tgjAgbFSr5/zy5escaf56fzw5y-y78s2tzu60v7z4/

hXXp://homecarehvac[.]com/wp-includes/open_resource/guarded_profile/eshftvv0ht_61x297v2/

hXXp://indusautotec[.]com/n8l7suy/open-xNFfQ20VO-FjqtokyzbQ6HGF/security-jdEM-dDzAJO2Ccnx/G3P8qq-MmI2GLf3JdK/

hXXp://jgx[.]xhk[.]mybluehost[.]me/scarcelli/multifunctional_098152347732_CYNEZ9DFQ/guarded_space/2qq1r_29xuz/

hXXp://jurness2shop[.]com/cgi-bin/private_disk/individual_ufyGUNB_QRlHjxmYMMbuaY/30lpuw22llwzm_vx60vx4s/

hXXp://kallinsgate[.]com/cw6vmaj/common-2561851-hLdPAOsBNVrNeE/open-space/5irmsa8-8x82zv7t2zw2x/

hXXp://kanntours[.]com/wp-security/Overview/yprr0k8-808004671-920995225-dc1d7q7-trbbwtd/

hXXp://kayzer[.]yenfikir[.]com/quadra[.]goldeyestheme[.]com/lm/

hXXp://kelurahanraya[.]ulvitravel[.]com/tmp/eTrac/wpag9c-3294986-0565941971-rbtkv0yr0p-rs604o/

hXXp://kpu[.]dinkeskabminsel[.]com/wp-admin/available_229278636_TO7LG1kXBWax3/847166_Zm9B3oXaP_portal/ZcAtrKAnB_nJGzswNc/

hXXp://kyrmedia[.]com/whnh/closed_zone/test_warehouse/o1yvycunyw222_tz6z71svs35/

hXXp://lalletera[.]cat/bootstrap/closed-array/test-warehouse/9y3rm68-7251/

hXXp://lastminuteminicab[.]com/l56mcv/Scan/qrg67fldazss/cd38ot-8952552-5429276851-63g720il-z2uwrr/

hXXp://lindamarstontherapy[.]com/psqlud/common_1810413_gc4qCpSFYbBM/additional_forum/4kmyjjijspz85_tt20x6w/

hXXp://liveleshow[.]com/cgi-bin/open-sEVbZ-kyyyJcjMY/verified-area/n7tk0nygk2up7j-7824vz2y/

hXXp://lsperennial[.]com/tnnfxu/545533028378/ofzt2ll4a-4754801-8569215-64d2t-rbtsi5ylgq/

hXXp://masspaths[.]org/transcyclist/open-array/69537295-LwrlRuR-portal/riy-u5984475/

hXXp://mistyvillage[.]com/inoxl28kgldf/open-sector/individual-forum/TC1AThq8D-H4iKcw9erMc8a7/

hXXp://monoclepetes[.]com/disneyworldclassroom/browse/

hXXp://mosaiclabel[.]com/4f9xnykaf/common-box/corporate-a30njr6-34dhllfehbjex6/14rm3hr6k358-x32zy5/

hXXp://myclarkcounty[.]com/wp-includes/open-resource/open-forum/o6a3exwvzfo-4wwxx8uts7/

hXXp://myfamilyresearch[.]org/dir/paclm/

hXXp://nisanurkayseri[.]com/fhiq04sgna7/a683w-an3x-4946/

hXXp://norikkon[.]com/administrator/16542-fBTLcdbEyJr-sector/VFCLsV-bAwgBBBeBqaJ-forum/fft2z7gdyzqee-8z80w6z68vs/

hXXp://nunes[.]ca/s59nlj/DOC/

hXXp://pascalterjanian[.]com/logs/multifunctional-2519534-Fs87CEgtQY82H6/verifiable-forum/2iFKNGyl-Ksmyn3gyI/

hXXp://plaestudio[.]com/wp-admin/multifunctional-zone/verified-space/zftkjoaw-xzuwtu1228/

hXXp://pmnmusic[.]com/backup-1540795171-wp-includes/Document/

hXXp://productorad10[.]cl/cdn-cgi/lm/6bwolkvw/

hXXp://radigio[.]com/qcloid/Pages/aveebb8ri/

hXXp://rememberingcelia[.]com/cgi-bin/private-box/additional-cloud/WoMAYyGYPic-ejGtLw5zKk9132/

hXXp://richardciccarone[.]com/watixl/Pages/iwq2bcuhtc/fpl5dh7-1085-7485017905-7upoox-mmwh5rr/

hXXp://rkpd[.]ulvitravel[.]com/cgi-bin/s0pgy-yg3-606/

hXXp://rozziebikes[.]com/tshirts/7XOEME6DSPI/l6bpob8m-8104-0278018-y6o222jln-fsxji7gy9l/

hXXp://safiryapi[.]net/mainto/private-zone/9977527-TGAtxV-space/noliIDq-ffuwzjN5H8zj/

hXXp://sakuralabs[.]com/4gubn/personal-zone/interior-forum/rye8idbdwx6uiw9-vtw0y35413/

hXXp://scottproink[.]com/wp-includes/LLC/3nm06yz1og/

hXXp://sigepromo[.]com/fonts/multifunctional-sector/security-kojbhnhsfxht47-4qgj/xznv8-35sz95t0t7/

hXXp://sofiarebecca[.]com/ybfm/multifunctional-XhmwQuIS-uBXA6FSMcoaXT2/7427993-1AJW4cmy-profile/P0jkvy-gwgs3qvm/

hXXp://southeasternamateurchampionships[.]com/0ng1en8p/common-57GaJ-JU2y57Cw9wWp/test-area/1CP3gWMySaac-iixIpxfJ216/

hXXp://southernlights[.]org/wp-includes/attachments/13iqe8n/

hXXp://stlaurentpro[.]com/25bd/Overview/qnrlmvj/

hXXp://stluketupelo[.]net/sermon/Document/

hXXp://technosolarenergy[.]com/wpk0/esp/xcggf7f/l41sd6-372903-111521309-pe7nqblm-rnbcyph7/

hXXp://thebeaversinstitute[.]org/m6zxne/open_sector/verifiable_grIwVfcE_JNkyS1ABG7O/JOr8Y2_c0N5pfizn8tqv/

hXXp://thecityglobal[.]com/creative/DOC/tmi48tldo/8fcpm52kxc-1823-224157721-0k5g3-2ntwz3u/

hXXp://theconsciouslivingguide[.]com/w63gh/NQOOE7ZE6E/

hXXp://theordeal[.]org/2hqr15/71028031_i0jDg_array/verified_profile/M17xNfJi_afcjbJ9y2/

hXXp://tinystudiocollective[.]com/tvtepc/parts_service/c5hlpnbm/04yte-92982998-989677-xuln504d-wj8wr99a0r/

hXXp://trinituscollective[.]com/wp-admin/DOC/3k2yxczqa-017872-15130767-6fcy299dtf-5p8y1zk/

hXXp://turbinetoyz[.]com/inc/available_sector/open_cloud/7gDaxLdZntQO_f54w1mdqt/

hXXp://vektra-grude[.]com/components/sites/xyj3oy2f/

hXXp://wolvesinstitute[.]org/wp-admin/INC/muosryq6917p/uozxo9-82202-738575-fbm4hisdv-0q5dy3ciz/

hXXp://www[.]africanswoo[.]com/wp-includes/IOG/

hXXp://www[.]bonfireholidays[.]in/efqog/Documentation/

hXXp://www[.]demarplus[.]com/19sn7/Overview/

hXXp://www[.]southwayhomes[.]co[.]uk/wp-admin/lm/5x8c1xywx2h/

hXXp://xhd[.]qhv[.]mybluehost[.]me/Maidentiffany/a4wnq/INC/be5oryde748n/877iw8k2-5677720-10188-kjqm-al3ax20hth/

hXXp://xn--3jsp48bswaq48h[.]com/binzbc/protected_disk/WsgEuoVh6_GLg1uIsNZxocly_tdagf_sb0hy87m9gi/jWdMxTd9_a73ophNx/

hXXp://yourdirectory[.]website/Mccracken/eTrac/rpiglgay-1418052884-1524951880-uuys-0fxj/

hXXps://bipinvideolab[.]com/wp-admin/51917864823222027/b0n0hcp4sl83/

hXXps://crossworldltd[.]com/wp-includes/48p5-o3ih-71/

hXXps://flexwebsolution[.]com/assets/multifunctional_disk/external_forum/7aa8z9os32iqygd_3gp4h/

hXXps://gurukool[.]tech/assets/t85vawx7s2xbi3q-1mvazihmr-module/interior-forum/gEwMX8-s0pLx8jJMLhGN/

hXXps://keshavalur[.]com/css/WRssOm/

hXXps://makmursuksesmandiri[.]com/wp-content/e3tpt3cph1wncut-ika4etq8sml6-sector/interior-htMCj-UR5CVYGd/bnb5oaopu0ptx-0wyytzw7u5/

hXXps://misterglobe[.]org/generall/Overview/i9y202-334800485-67760472-jj04w2e19-xppp1/

hXXps://mountainstory[.]pk/qoaij52hfs1d/common_FOQqDSi_Q50ORC3MzecY/guarded_9ode8j8xa3q9fa_3a14tqqj/x1e_418t92/

hXXps://murraysautoworks[.]com/contact/6VE37Q01O/50v2q5af8tv/y27daizl9-678276-439755027-2i7xojwpjd-ryyu/

hXXps://nhakhoachoban[.]vn/wp-includes/paclm/

hXXps://power-charger[.]co[.]uk/faq/Reporting/g30g4b8wvh/0w5c-2857976-135390-1dg1e-bjus2/

hXXps://risefoundations[.]in/rise/8448397_cee81q_jftx3_eseQqSx/corporate_pfmWWf_7uk8kfJTJvUrTR/OvdwZPUQy_ntycKI1ipM2/

hXXps://sharefoundation[.]in/wp-admin/multifunctional_module/test_cloud/oJuKHM3ik_Mee0ttbGc/

hXXps://summit2018[.]techsauce[.]co/startup/sYHAteT/

hXXps://timestampindia[.]com/citech/Document/

hXXps://twincitiesfrugalmom[.]com/wp-admin/eTrac/9porgmi/ul99a0-5568735694-75056-vt6wk395a-yymz6f/

hXXps://www[.]jadegardenmm[.]com/engl/docs/h85me2-45331562-6525577-0c62dwu3hl-mk47l/

hXXps://www[.]u4web[.]com/bnkddo/open_disk/guarded_kzfciuyy_v4gqdp/1dOq8z5_ILk0gJmw/

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways

By Max Gannon and Alan Rainer, Cofense IntelligenceTM

Threat actors continue to exploit legitimate services to trick users, as seen in the latest campaign using Raccoon Stealer malware, aimed at a financial organization and delivered by a Dropbox-hosted .IMG file. A rather unsophisticated malware, Raccoon Stealer came to light around April 2019, bypassing Symantec Email Security and Microsoft EOP gateways. The malware is sold on underground forums in both Russian and English, features an easy-to-use interface, around-the-clock customer support, and highly active development. Users of the malware can distribute it in any way they deem fit. In this campaign, the actors chose to host the malicious .IMG file on a Dropbox share, which upon execution, drops Raccoon Stealer onto the victim machine.

The email used in this campaign was delivered to the inbox of an employee of a financial institution. Figure 1 shows the email signature and originator address which probably belong to a compromised user. Using the familiar theme of a wire transfer—closely akin to those often seen in Business Email Compromise (BEC) scams—the threat actors look to trick users into opening the Dropbox URL and downloading the malicious file.

Educating users on spotting these types of scams and carefully scrutinizing emails that originate outside the organization are great ways to thwart this threat. Cofense IntelligenceTM Indicators of Compromise (IOCs) provided via our feed and noted in the appendix below can be used to fortify network defense and endpoint protection solutions.

Technical Findings

In the past, CofenseTM has seen Raccoon Stealer delivered by direct attachments and via RTF documents leveraging CVE-2017-8570 that targeted sectors such as utilities. In this most recent campaign, a potentially compromised email account was used to send the email shown in Figure 1, which managed to make its way past Symantec Email Security and Microsoft EOP gateways without the URL being removed or tampered with to the extent that it would prevent victims from clicking on it and downloading the payload.

Figure 1: Email delivering Dropbox URL

Raccoon Stealer is a relatively new malware that first appeared on the market around April 2019. Due to Raccoon Stealer’s ease of use and range of capabilities that allow for quick monetization of infected users, it is becoming increasingly popular. Although not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads.

Initial contact with the command and control center (C2) is made when the malware does an HTTP POST that includes the “bot ID” and “configuration ID”. The C2 location responds with a JSON object explicitly including C2 data and payload locations for libraries and additional files, as shown in Figure 2.

Figure 2: Configuration Data From C2

The payload URLs currently deliver a set of DLLs, as specified by the “attachment url” and “libraries” parameters, but future development could easily allow threat actors to use Racoon Stealer as a loader for other malware to generate additional income.

The use of several distinct delivery methods in a relatively short time, including via the Fallout Exploit Kit, may indicate increased usage by numerous threat actors as predicted in prior Cofense research. Given the variety of delivery options, Racoon Stealer could be a problem for organizations that focus too much on one infection vector.

Table 1: Indicators of Compromise

Description

Indicator

Dropbox URL

hXXp://www[.]dropbox[.]com/s/g6pz8dm4051rs0o/SCAN%20DOC[.]IMG?dl=1

Raccoon Stealer C2 Locations

34[.]89[.]185[.]248

hXXp://34[.]89[.]185[.]248/file_handler/file[.]php hXXp://34[.]89[.]185[.]248/gate/libs[.]zip hXXp://34[.]89[.]185[.]248/gate/log[.]php hXXp://34[.]89[.]185[.]248/gate/sqlite3[.]dll

Raccoon Stealer Hashes

SCAN DOC.exe             f7bcb18e5814db9fd51d0ab05f2d7ee9

SCAN DOC.IMG            0c8158e2a4267eea51e12b6890e68da8

HOW COFENSE CAN HELP

Cofense PhishMeTM Offers a simulation template, “Dropbox Wire Transfer – Raccoon Stealer,” to educate users on the phishing tactic described in today’s blog.

Cofense IntelligenceTM: ATR IDs 32407, 31881, 31977

Cofense TriageTM: PM_Intel_Raccoon_31881, PM_Intel_Raccoon_31977

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense CenterTM were reported by end users. 0% were stopped by technology. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence TM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Are URL Scanning Services Accurate for Phishing Analysis?

By Chris Hall, Professional Services

There are plenty of websites offering URL scanning for malicious links. Their tools are a quick and easy way to analyze a URL without visiting the site in a sandboxed environment. Widely used, these tools are accurate to a point.

But in today’s phishing landscape, where attacks are increasingly sophisticated, such tools are becoming less and less reliable. We in the Cofense Phishing Defense CenterTM (PDC) believe they are ineffective against more advanced phishing websites.

Phishing Sites Are Using Redirect Methods to Avoid Detection

Let start with this example:

An attacker can easily set up a new domain and host a phishing site with a legit SSL certificate from most established certificate authorities for free. The attacker then can configure the server or webpage to redirect all connections that are not from the organization’s IP to an external safe site such as google.com.

If a security analyst then submits the URL to a third-party lookup tool, for example VirusTotal, the tool will only detect the site google.com and not the actual phishing site. At this point, the analyst can submit the URL to another URL scanning tool, but the results will all come back the same.

In the Cofense PDC, we are seeing an increase of phishing sites that are using redirect methods to avoid detection from URL scanners and unaware security analysts.

Here is another example with browser detection phishing websites:

This phishing link below redirected users depending on which browser they used.  If users use Firefox as their default browser, they will get the actual payload, while a Chrome default browser will get a redirect to MSN.

Figure 1: Original Phishing Email

When recipients click the ‘Open Notification’ link in the email message above, they are directed to the website below.

URL: hxxp://web-mobile-mail.inboxinboxqjua[.]host/midspaces/pseudo-canadian.html?minor=nailer-[recipient’s Email Address]

When someone clicks the URL, the experience can vary depending on the default browser, Firefox vs. Chrome.

The real phish site using Firefox:

Figure 2: Actual Phishing Site

Using Chrome:

Figure 3: Redirected Site

Regardless of the user’s geolocation, the URL redirect will go to the UK page. URL: https://www.msn.com/en-gb/news/uknews

Now let’s put the same URL in a popular URL scanner and see the results:

Figure 4: Virus Total Results of the Reported URL

The search results show that one of the vendors has detected the phishing site as malware. However, this is not the case.  Let’s look at the Details tab.

Figure 5: VirusTotal Details of the Reported URL

In the results it states that the final URL is to msn.com. We still do not know what the actual phishing site looks like, what the site is doing, or even if the phishing site is active at all.

There’s a Better Way to Check for Malicious Links

Organizations must ask if these URL scanners are providing enough information to analysts so they can complete their investigations.  Is the scanner testing the suspicious link with multiple user agents or querying the site with different source IP addresses?  While the URL scanning services are useful, they lack the basic dynamic analysis that most analysts will perform on a malicious website.

What if I told you that it is quick, easy, and more accurate by far to analyze URL based phishing attacks manually, using various tools such as User-agent switcher or with a VPN and proxy servers while in a dedicated virtual machine? Remember that if a phishing email bypassed those same scanners to reach your users’ inboxes, it’s an undiscovered phishing attack and will require human analysis.

To better equip your analysts, we came up with a list that your security team can use to detect these types of attacks.

  1. Create an isolated proxy server that can reach out to the phishing site without restrictions.

– If your company has locations in different countries, use additional proxy servers in those countries or use proxy services like Tor or a third-party VPN service.

– Acquiring a VPN service with multiple locations is another option.

– Create a “dirty” network to browse malicious sites that can also be used to analyze malware samples.

 

  1. Create a VM for URL analysis.

– This VM should be isolated from the organization’s network.

– VMs such as Remnux will have tools built-in to assist in URL and file analysis.

 

  1. Use Firefox for visiting the site

– Based on the vast amounts of customization, Firefox may be the best browser suited to URL analysis

– Add-ons such as User-agent switcher, FoxyProxy, and HTTP Header Live are essential.

– You can also use the browser’s developer tools to track requests, detect redirects, and alter elements on the page.

URL scanning services are useful to a point. These tools will alert you to some suspicious URLs, but often lack the details need for escalations and blocking the threat. More often than not, the tools will be a point of failure for your organization’s security due to the high amount of risk they introduce. So take a couple of minutes to look at that suspicious URL in a safe environment and see what it really does. It may save you lots of money and time cleaning up an incident.

 

HOW COFENSE SOLUTIONS CAN HELP

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM

90% of phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection

By Hunter Johnson, Cofense Professional Services 

Cofense has observed threat actors employing a modified version of a sextortion scam using alternative crypto currencies to bitcoin.

Typical sextortion scams claim to have installed malware on recipients’ systems and recorded their browsing history of adult websites and webcam footage. Ransom is demanded in bitcoin, upon threat of releasing damaging information to family, friends, and co-workers. Because threat actors often get recipients’ emails from password breach lists, they sometimes include passwords to lend authenticity.

Early sextortion scams started with a plain text extortion email threating the recipient and asking for payment. As enterprises began writing detection rules to block those emails, threat actors modified the text by replacing it with an image, which prevented key words from being identified by Secure Email Gateways (SEGs). The bitcoin address was left as a plain text string in the email, so it could be easily copied. As enterprises began checking for bitcoin addresses, threat actors removed text and images and switched to attaching PDF documents containing the threats. Most recently, threat actors began encrypting PDF attachments and including the password in the email body to foil any further SEG detection rules.

This latest sextortion version is using a Litecoin wallet address instead of bitcoin to evade detection. Previous iterations showed a gradual shift away from identifiable patterns and to alternative crypto currencies, in an attempt to foil SEG bitcoin-detection rules. The current emails appear to be crafted to contain very few searchable word patterns. While we could publish the contents of those emails, let’s just say the emails contained adult language admonishing the recipient to be more careful about their browsing and webcam habits.

As this latest twist shows, threat actors can switch to the next crypto currency and attempt to iterate through all the scam’s previous versions. While there are thousands of crypto currencies, only a dozen or so are easily attainable from large exchanges. For the scam to work, the recipient needs an easy way to acquire the requested payment method.

Avoiding this scam is simple. Your users can safely ignore the emails—if threat actors actually had such access and data, they would include stronger proof. Also educate users about sites such as haveibeenpwned.com, so they can know if their email address is likely to become a target.

Cofense will also be publishing a rule to detect attacks we’ve seen so far using this new method.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a phishing simulation template, “Fear Driven Phishing Scams Involving Embarrassing Situations,” to educate users on sextortion and similar scams.

Cofense Labs has published a database of 300 million compromised email accounts for use in sextortion campaigns. Find out if your organization’s accounts are at risk.

Reports of sextortion and other ransom scams to the Cofense Phishing Defense CenterTM are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeeker TM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.