Telegram Utilized for Harvesting Credentials

By Jake Longden, Cofense Phishing Defense Center

Telegram is a popular messaging app. Its encrypted messages and optional self-destructing messages are attractive to legitimate users looking for more privacy and protection than standard or legacy messaging options. The same features, however, are also appealing to threat actors for illegitimate purposes.

In addition to the standard messaging application, Telegram also offers an API that allows users to create programs that use Telegram messages as an interface. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that posts harvested credentials using the Telegram API.

Figure 1: Email Header 

To add authenticity to the email, the threat actors have spoofed the sender so that it appears to be an internal address (support@internal.com). However, the actual address is an external one (support@industrydrill.com).

This, combined with the subject line and the heading of the email body, creates a sense of urgency and importance that better attracts the user’s interest.

Figure 2: Email Body 

The user is presented with a notice advising that they have messages to review. The bold and large title attracts attention, and is followed by further information to clarify the purpose of the email. Then there’s a button for the user to click to “Release All” the blocked emails to their inbox.  

This follows a common style of email sent by SEGs (secure email gateways) when they have blocked a message from reaching the user’s mailbox. It allows users to review the blocking policy, decide whether it was correct, and then opt to release the email to their inbox. Here, the threat actor has added the recipient’s email address to the body to provide a personal touch.

In taking this approach, the threat actor has exploited methods used in multiple phishing campaigns designed to gain users’ trust (by spoofing an internal source) and thereby reduce critical analysis.

Upon examination of the URL, we see that the recipient’s email address has been encoded into it so that the phishing page can prefill some data when it loads.

Figure 3: Phishing Page 

Once the button is clicked, the user is redirected to a page that appears to be a webmail login page. We can see that the page has pulled the email address from the initial URL and placed it both at the top of the page and in the email address field of the login form. The base domain from the user’s address has also been highlighted in bold above the login fields in the account webmail header. This construction makes the page look more legitimate and relevant to the user. However, the URL of the page gives indications that this is not the case. In an attempt to further the appearance of legitimacy, the subdomain contains both “account-web” and “office365,” two common names for login pages.

Once the password has been entered and the Continue button clicked, the credentials are posted to the Telegram API. The user is redirected with a message stating that their account has been updated successfully. Finally, the page pulls the domain from the email address and redirects to that website. In this way, the threat actor further heads off user suspicion.

Figure 4: Final Message 

It’s a simple matter to prevent users from posting credentials to an unauthorized webpage: once the malicious domain has been identified, it can be blocked. However, by utilizing the Telegram API, the threat actor is working to circumvent such interference. Removing credentials that have already been harvested becomes more complicated, and the actor can view and access them at their convenience on a page they control.
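A URL triage check for the three lure traits described above (redirector parameter, login keywords stacked in the landing host, victim address embedded for prefill), written as an added example rather than code from Cofense or the campaign. The sample URLs, hostnames and keyword list are constructed, and the address encoding is assumed to be plain or base64 since the post does not say which.

```python
"""URL triage for the lure pattern above (added example, not Cofense code).

Flags three traits of the observed lure: an open-redirect style parameter that
carries a second absolute URL, login-page keywords stacked in the landing host
("office365", "account-web"), and the victim's address embedded in the query or
fragment so the page can prefill it. The encoding of the address is assumed to
be plain or base64; sample URLs and hostnames are constructed."""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlparse

# Keywords commonly borrowed for fake login hostnames (assumed list).
LOGIN_KEYWORDS = ("office365", "account-web", "webmail", "login", "signin")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ABS_URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def extract_email(value):
    """Return an e-mail address found in value, plain or base64-encoded, else None."""
    value = unquote(value).strip()
    if EMAIL_RE.match(value):
        return value
    try:
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def triage_url(url):
    """Score a URL against the three lure traits; 2 or more is worth a look."""
    outer = urlparse(url)
    outer_qs = parse_qs(outer.query, keep_blank_values=True)
    result = {"redirect_target": None, "lookalike_host": [], "victim_email": None}

    # Trait 1: a query value that is itself an absolute URL (redirector hop).
    for values in outer_qs.values():
        for v in values:
            if ABS_URL_RE.match(unquote(v)):
                result["redirect_target"] = unquote(v)

    # Trait 2: login-page keywords in the host the user actually lands on.
    landing = urlparse(result["redirect_target"] or url)
    host = (landing.hostname or "").lower()
    result["lookalike_host"] = [k for k in LOGIN_KEYWORDS if k in host]

    # Trait 3: victim address carried in any query value or fragment.
    candidates = [v for vs in outer_qs.values() for v in vs]
    candidates += [v for vs in parse_qs(landing.query).values() for v in vs]
    candidates += [outer.fragment, landing.fragment]
    for c in candidates:
        email = extract_email(c)
        if email:
            result["victim_email"] = email
            break

    result["score"] = sum([
        result["redirect_target"] is not None,
        bool(result["lookalike_host"]),
        result["victim_email"] is not None,
    ])
    return result


# Constructed samples: a redirector wrapping a lookalike host with the base64
# address in the fragment, the same host with a plain address, and a benign URL.
_ENCODED = base64.b64encode(b"user@corp.example").decode()
SAMPLE_LURE = ("https://redirector.example/counter.php?url="
               "https://account-weboffice365config.firebaseapp.example/#" + _ENCODED)
SAMPLE_DIRECT = "https://account-weboffice365config.firebaseapp.example/?e=user%40corp.example"
SAMPLE_BENIGN = "https://www.example.com/docs?page=2"

if __name__ == "__main__":
    for u in (SAMPLE_LURE, SAMPLE_DIRECT, SAMPLE_BENIGN):
        print(u, "->", triage_url(u))
```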

Network IOC                                                                                                 IP
hXXps://www[.]epanorama[.]net/counter[.]php?url=hxxps://account-weboffice365config[.]firebaseapp[.]com/    104[.]27[.]147[.]211
                                                                                                            172[.]67[.]153[.]86
                                                                                                            104[.]27[.]146[.]211
hXXps://account-weboffice365config[.]firebaseapp[.]com/                                                    151[.]101[.]65[.]195

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. 
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 


Cofense PhishMe: Our FedRAMP Journey

By Andrew Ledford

What is FedRAMP?

FedRAMP is the Federal Risk and Authorization Management Program. It was developed following President Barack Obama’s policy, International Strategy for Cyberspace and Cloud First, which encourages federal adoption and use of information systems operated by cloud service providers. The development of FedRAMP was achieved collaboratively with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), the Department of Homeland Security (DHS), state and local government, and others.

Consistent with the Cloud First policy, federal agencies were encouraged to utilize cloud-based information systems operated by cloud service providers. NIST, which maintains the NIST SP 800 series of computer security publications, publishes NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This is the control catalog used for federal information systems and organizations; it contains the requirements for FedRAMP. 

The key goals of FedRAMP are to accelerate the government’s adoption of secure cloud solutions and reuse assessments and authorizations across agencies. These are accomplished through cloud service providers creating a single Authority to Operate (ATO) package, a single security assessment by an independent third-party assessment organization (3PAO), and a single set of Plan of Actions and Milestones (POA&Ms) which each agency can then access, review, and issue an ATO for on OMB Max. U.S. government agencies can request access to the Cofense FedRAMP ATO package using this form (Package ID #FR2013059515). 

For additional information on FedRAMP, refer to https://fedramp.gov/about

FedRAMP vs. FISMA 

Both FedRAMP and FISMA are based on the NIST SP 800-53 control catalog. This catalog includes hundreds of controls and control enhancements. The applicability of these controls is determined by the types of data the system is being used to store and process, as well as the criticality of that information system to accomplish the organization’s mission. FISMA applies to agency managed systems including on-premises systems, whereas FedRAMP applies to cloud systems managed by external cloud providers. The main differences between FedRAMP and FISMA requirements are detailed in the table below.  

Baseline                            NIST SP 800-53 Controls¹   Other Requirements
FISMA Low                           124                        N/A
FISMA Moderate                      261                        N/A
FISMA High                          343                        N/A
FedRAMP Low Impact SaaS (Li-SaaS)   36²                        Independent Assessor³ required to perform control assessment
FedRAMP Low                         125                        - Independent Assessor³ required to perform control assessment
                                                               - Independent Assessor³ required to perform infrastructure, database, and web application vulnerability scans
FedRAMP Moderate                    325                        - Independent Assessor³ required to perform control assessment
                                                               - Independent Assessor³ required to perform infrastructure, database, and web application vulnerability scans
                                                               - Independent Assessor³ required to perform penetration testing
FedRAMP High                        421                        - Independent Assessor³ required to perform control assessment
                                                               - Independent Assessor³ required to perform infrastructure, database, and web application vulnerability scans
                                                               - Independent Assessor³ required to perform penetration testing

FedRAMP requires independent assessments to ensure the integrity and consistency of the security assessments.  

Why did Cofense decide to pursue FedRAMP?

The federal government is experiencing an increase in phishing attacks which has been exacerbated by COVID-19 and teleworking. Agencies are looking for intelligent ways to defend against these attacks. In September 2020, NIST announced the development of Phish Scale  to “help organizations better train their employees to avoid a particularly dangerous form of cyberattack known as phishing.” Cofense provides phishing defense solutions created to address that particular attack threat. 

Cofense’s government agency customers using PhishMe were performing their own security assessments and ATOs. These assessments, and sometimes thousands of pages of ATO documentation based on agency requirements, increase the time and complexity of using Cofense PhishMe. Agencies were left without a key phishing detection capability. Our customers sought a way to implement our phishing defense solution quickly and securely. 

Based on our customers’ use cases for the Cofense PhishMe product, we determined that our system would be handling personally identifiable information (PII). It would serve as an essential protection to agencies; this resulted in Cofense PhishMe being categorized as a FedRAMP Moderate system based on Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and the accompanying NIST SP 800-60 Volume II, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. See Cofense’s blog on Why ‘Moderate’ Matters for details. 

How did Cofense approach FedRAMP?

Cofense evaluated our customers and the FedRAMP requirements, and determined that building out a dedicated FedRAMP environment for federal agencies would best meet these requirements. The Cofense PhishMe FedRAMP environment is deployed on AWS GovCloud and operated by U.S. citizens on U.S. soil.

Cofense’s FedRAMP environment is a government-community cloud with appropriate logical separations, authentication mechanisms meeting the NIST 800-63-3 Digital Identity Guidelines for FedRAMP Moderate systems, vulnerability management, continuous monitoring and more. 

When asked how Cofense went about the FedRAMP journey, Keith Ibarguan, Cofense Chief Product Officer, said, “On the surface, it might seem that you just take your code, run it through the gauntlet and, voila, out the other side, you have an ATO. That’s definitely not the case. We worked really hard to put the software in a position where we can manage and maintain the code in the most efficient manner. We refactored everything. We uplifted the software libraries and approaches to even deploying the code end to end, across the board.”

Cofense engaged the leading FedRAMP 3PAO to conduct the assessment of Cofense PhishMe, which included an independent evaluation of the following: 

  • Cofense’s implementation of the 325 FedRAMP Moderate NIST SP 800-53 Controls 
  • Cofense’s vulnerability management practices by conducting independent vulnerability scans 
  • Cofense’s web application security practices by performing independent penetration testing 

Conclusion 

Cofense PhishMe is now FedRAMP Moderate Authorized. We’re excited to offer our managed PhishMe FedRAMP product to support federal defense against phishing attacks. Agencies can request access to the Cofense FedRAMP ATO package using this form (Package ID #FR2013059515) or contact Cofense directly.

_____________________________________________________

¹ 36 testable controls. Other controls are required to be attested to. 

² JAB P-ATOs require that a 3PAO be used. Agencies are encouraged to use a Third-Party Assessment Organization.

³ 3PAO as the Independent Assessor to form the CSP’s assessment.

https://www.fedscoop.com/teleworking-zero-trust-in-dod-phishing-attacks-increase/
https://us-cert.cisa.gov/ncas/alerts/aa20-099a
https://www.pcmag.com/news/phishing-attacks-increase-350-percent-amid-covid-19-quarantine

Phish Found in SEG-Protected Environments Week ending February 19, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by secure email gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage.  

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.   

Are phishing emails evading your Proofpoint or other secure email gateways? The following are examples of phishing emails recently seen by the PDC in environments protected by SEGs. 

TYPE: Dridex 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and O365-ATP deliver a password-protected, macro-laden Office spreadsheet via an embedded link. The Office macro downloads Dridex.

TYPE: Credential Phish 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and O365-ATP deliver credential phishing embedded in an attached HTML file.

TYPE: TrickBot 

DESCRIPTION: Finance-themed emails found in environments protected by TrendMicro and O365-ATP deliver TrickBot via macro-laden Office spreadsheets. TrickBot then downloads and runs a reconnaissance tool.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week. 

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways. 

Interested in seeing more? Search our Real Phishing Threats Database. 


Phish Found in SEG-Protected Environments Week ending February 12, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage.  

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.  

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint. 

TYPE: Remcos RAT 

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Microsoft Defender O365 deliver an attached malware downloader that downloads Amadey and runs Remcos RAT.


TYPE: BazarBackdoor 

DESCRIPTION: Invoice-themed emails found in environments protected by Proofpoint, Microsoft Defender O365 and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers. Once the order number is entered, it redirects to a payload URL that downloads an Office macro. The Office macro downloads and runs BazarBackdoor. 

TYPE: Ave_Maria_Stealer

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver Ave_Maria stealer via embedded links. The embedded links download an Office macro that downloads an Ave_Maria executable. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week. 

Recommendations 

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways. 

Interested in seeing more? Search our Real Phishing Threats Database. 


Phish Found in Proofpoint-Protected Environments Week ending February 5, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by secure email gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.  

Are phishing emails evading your Proofpoint and other secure email gateways? The following are examples of phishing emails recently seen by the PDC in environments protected by SEGs. 

TYPE: Trojan 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver Quasar RAT via Microsoft Office macros downloaded from embedded URLs.

TYPE: Keylogger 

DESCRIPTION: DHL-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver the Agent Tesla keylogger via embedded links. The embedded links download a 7Z archive that contains an Agent Tesla executable.

TYPE: Trojan  

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver the NanoCore RAT via embedded URLs.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach and ransomware attack. The same patterns and techniques are used week after week.  

Recommendations 

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade secure email gateways.  

Interested in seeing more? Search our Real Phishing Threats Database. 


BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs

By Zachary Bailey, Cofense Phishing Defense Center

The Cofense PDC has been tracking a stealthy malware campaign that has recently become more active in compromising enterprise endpoints. The campaign, first observed in mid-December, carries pharmaceutical-themed invoices that reference a series of websites hosted on the “.shop” domain, but those sites were down at the time of initial analysis. The PDC classified the emails as malicious because of the phone numbers used on the invoices: these numbers were identical across invoices sent from different brands and senders, which meant the campaigns were likely coordinated. The main lure of the emails also revolved around calling the phone number rather than visiting the site.

Figure 1: Email Body 

New waves of the phishing emails are now being sent overnight with new brands ranging from office supplies, rose delivery and lingerie. After monitoring certain internet sources, PDC analysts were able to pull up the referenced sites while they were still live. Following an involved process of interacting with the site to request a cancellation form, a malicious Excel document was finally retrieved. This infection was the first stage of the BazarBackdoor malware. 

The invoice ruse bypassed various customer SEGs because the email had no malicious payload and could be seen as a simple phishing scam. Only a handful of recipients would think to browse to the invoice site and search for a way to cancel their order without calling the number provided.

Figure 2: Invoice Attachment

While the invoices use a basic template, they look just professional enough that an inquisitive recipient might check the site to see if it’s legitimate. Invoices for the older campaigns were named after the order number, but recent campaigns use an “invoice_*.pdf” format, where the asterisk (*) wildcard is the order number.

The next stage in this social engineering attack has been observed to alternate between the contact, FAQ and refund pages of the website.

Figure 3: Contact Form

If the order number is entered, the recipient is transferred to a new website on a “.us” domain version of the prior site. There are several variations, for instance using hyphens to break up the words or using only the first and third words of the fictitious brand. Examples of this are compact-ssd[.]us and compactstorage[.]us.

Figure 4: Download Page 

Once the site is loaded, a series of images walks the user through downloading a form to cancel their order. There is a link to the request form, and a link to an email where the form is to be sent. This furthers the ruse’s legitimacy. The downloaded form is an Excel document that appears to be encrypted by DocuSign.  

Figure 5: Excel Template 

This Excel template is themed similarly to a Trickbot template reported on Twitter by @ffforward, who has been tracking the campaign closely. This connection makes sense considering the agreement in many quarters that there is a connection between Trickbot operators and the group behind BazarBackdoor.

When the form is activated, an .EXE payload is immediately launched. This executable is a new variant of BazarBackdoor. It reloads itself into memory several times before the command-and-control (C2) servers can finally be extracted. Next, the executable queries the geographical location and IP address of the infected machine, a common tactic that usually ensures the threat actor does not infect machines in their own country of operation.

Figure 6: Bazar in Memory Strings 

After the .EXE finishes loading, we see BazarBackdoor domains in the memory strings. 

Figure 7: C2s for BazarBackdoor

We also can find this campaign’s C2 for dropping the next stage by searching for IP addresses in the strings. There is often a common word in the C2s, such as “cleaner” or “book” or “snow” that differentiates between campaigns. In the observed campaign for this article, that word is “round_table”. 

Figure 8: DNS traffic 

An analysis of the machine’s network traffic reveals that DNS requests are being sent by BazarBackdoor. This is a common technique the malware employs to mask the servers behind the “bazar” domains. The TCP connections to the three “round_table” servers will drop a data file that is likely part of the next stage. 
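Detection logic for the DNS behaviour just described, written as an added example rather than Cofense tooling. The log format, the approved resolver addresses, the internal client range and the sample lines are all constructed; the rule that a client sending port-53 traffic straight to an outside resolver is the signal worth alerting on is an assumption about how names under the “bazar” TLD get resolved, not something the post states.

```python
"""DNS detections for the BazarBackdoor behaviour above (added example, not Cofense code).

Two rules over a DNS log in a constructed 'key=value' format (assumed, not a
real product's format):
  1. direct-external-dns: an internal host talking to port 53 on a resolver
     that is not one of the organisation's approved resolvers, which is how a
     client reaches names that the corporate resolver cannot answer.
  2. bazar-tld-query: any query for a name under the ".bazar" alternative TLD
     that the backdoor's C2 names use.
Resolver addresses, the internal range and the sample lines are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

APPROVED_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}  # assumed corporate DNS
INTERNAL_RANGE = ip_network("10.0.0.0/8")  # assumed client range


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    rule: str
    detail: str


def parse_line(line):
    """Split '<ts> k=v k=v ...' into (timestamp, dict); values may contain '='."""
    ts, *tokens = line.split()
    return ts, dict(tok.split("=", 1) for tok in tokens if "=" in tok)


def check_line(line):
    """Return the findings a single log line triggers (possibly none)."""
    ts, f = parse_line(line)
    src, dst = ip_address(f["src"]), ip_address(f["dst"])
    findings = []
    if int(f.get("dport", 0)) == 53 and src in INTERNAL_RANGE and dst not in APPROVED_RESOLVERS:
        findings.append(Finding(ts, str(src), "direct-external-dns", f"resolver {dst}"))
    qname = f.get("qname", "").rstrip(".").lower()
    if qname == "bazar" or qname.endswith(".bazar"):
        findings.append(Finding(ts, str(src), "bazar-tld-query", qname))
    return findings


def scan_log(text):
    """Run check_line over every non-empty line of a log and collect findings."""
    return [fd for line in text.splitlines() if line.strip() for fd in check_line(line)]


# Constructed sample: a normal lookup via corporate DNS, a lookup of a .bazar
# name sent straight to an outside resolver, and an ordinary HTTPS connection.
SAMPLE_LOG = """\
2021-02-10T10:01:02Z src=10.0.5.21 dst=10.0.0.53 dport=53 proto=udp qname=www.example.com.
2021-02-10T10:01:05Z src=10.0.5.21 dst=203.0.113.7 dport=53 proto=udp qname=example-c2.bazar.
2021-02-10T10:01:09Z src=10.0.5.21 dst=198.51.100.20 dport=443 proto=tcp
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The second sample line trips both rules, which is the combination a responder would expect from a host where this backdoor has started resolving its C2 names.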

Recent invoice templates have shifted from using the “.shop” domain to “.net” domains. This campaign was also referred to as “BazarCall” by @ffforward. It is widely believed that this campaign, like prior BazarBackdoor campaigns, will distribute Ryuk ransomware across the network. An analysis by The DFIR Report found Cobalt Strike beacons in their environment, and PowerShell scripts that are seen in conjunction with Ryuk. However, no Ryuk was deployed during the analysis.

The Cofense PDC is still looking into the connection between Kontakt Kegtap and the Bazarloader/Bazarbackdoor campaigns being delivered from Google Docs and GetResponse.

Indicators of Compromise 



Emotet Disrupted but Likely to Return

By Brad Haas, Cofense Threat Intelligence 

Background 

Originally a banking Trojan, Emotet evolved to become more of a gateway for other malware families such as Ryuk, TrickBot, and QakBot. For the last few years, it has been among the top producers of malicious emails, using innovative and regularly updated techniques. For example, it recently harvested email reply chains from victims and used those to create effective lures to send to the victims’ contacts. It also uses several tactics to avoid detection, such as delivery via password-protected zip file attachments and hosting itself on a large collection of legitimate but compromised websites. Emotet’s authors have shown remarkable patience and willingness to experiment and innovate: the botnet regularly ceases spam activity for weeks or months, during which time the authors issue updates to existing installations.

Operation LadyBird 

On January 27, authorities from eight countries conducted a disruption operation against Emotet. According to the Europol press release, the action—named Operation LadyBird—targeted several hundred servers worldwide. Authorities took over Emotet’s primary servers, which give updates to infected computers. They issued an update that replaces the list of Emotet command-and-control (C2) servers with a list of C2 servers under law enforcement control. Ukrainian police also identified two Emotet operators, from whom they seized cash, computers and other associated equipment. Finally, Dutch authorities recovered a trove of data stolen from Emotet victims, including email addresses, user names and passwords. They published a website allowing users to check whether their email address was in the compromised data.

Figure 1: An Emotet email with an attached malicious Microsoft Office document, found in an environment protected by Microsoft Office 365 Advanced Threat Protection. 

What Happens Next 

Although Operation LadyBird had an immediate and substantial impact on Emotet operations, we assess that the botnet will likely return within the year. Despite the arrests in Europe, the threat actors ultimately in charge of Emotet remain at large. It is possible that they will simply retire, but even in that case the remnants of the botnet and the business relationships with other malware operators would likely be passed on to others. Emotet has been so effective that abandoning it entirely would very likely represent a lost opportunity for considerable profit. 

TrickBot survived a similar takedown in October 2020: it was built with a backup C2 configuration that allowed it to return to operation within a few weeks. Emotet has no such backup, but its operators can likely leverage their close relationship with the operators of TrickBot and other families to regain a broad base of installations on infected computers. Emotet’s operators also very likely have copies of the compromised data seized by the authorities, and there may be other data sets that were not seized. As we discussed above, they were already in the habit of taking long breaks in order to make improvements. We assess that they will likely withdraw again for at least a few months and improve their infrastructure to be more resilient against future law enforcement action, and then begin rebuilding their botnet. 

Note to Cofense Intelligence customers: You can refer to our July 2020 Flash Alert and our December 2020 Flash Alert for more details on previous Emotet lulls. 


Signature Deadline: The Creation of Panic by Phish

By Adam Martin, Cofense Phishing Defense Center

As threat actors phish for credentials, they continue to send emails in alignment with organizational business processes, such as demands for signatures or approvals for “sensitive” documents. A trend recently found by the Cofense Phishing Defense Center (PDC) team is a pre-set deadline for access to the given sensitive information. This represents a two-pronged approach to phishing. Element one is trust: suspicions are lowered because one would assume a threat actor would want the material accessible for as long as possible. Element two is urgency, given the deadline for viewing. Both aspects are illustrated in Figure 1.  

Figure 1 

Once the provided URL is accessed, the following page is displayed. The first stage of this credential phish is a sham SharePoint page. As can be seen from the address bar, the webpage is hosted by another vendor. 

Figure 2 

Further down on the same landing page, an image of an envelope labeled “proposal” is seen. Another confidence-inspiring message is also found; it bears some semblance of legal legitimacy.

Figure 3 

Upon accessing the link to the seemingly legally protected document, a common tactic is employed whereby the threat actor allows the recipient to choose their email provider. This is complemented by blurred content, possibly to heighten the temptation to access the obscured information. The base URL changes to one that has little to do with the sending company or any legitimate email provider.  

Figure 4 

Once the login credentials are entered, they are exfiltrated to an external server.  

Figure 5 

Indicators of Compromise 

Network IOC: hXXps://spark[.]adobe[.]com/page/6n0AwhsWKa3fw/ 
IPs: 13[.]32[.]204[.]55, 13[.]32[.]204[.]80, 13[.]32[.]204[.]53, 13[.]32[.]204[.]46 

Network IOC: hXXps://stickymoosestickers[.]com/austt/index.php 
IP: 199[.]250[.]201[.]182 
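One way to put the indicators above to work against proxy logs, as an added example that is not part of the original post: it refangs the published URLs and IPs, grades each record by how specific the match is, and deliberately refuses to flag the shared vendor platform on a host or IP hit alone, since those addresses also serve unrelated legitimate pages. The log format, the sample records and the shared-versus-dedicated labels are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# IoCs from the post (defanged). The bool is this example's assumption: True marks a
# shared platform, where a host or IP hit alone would also match legitimate pages.
IOCS = [
    ("hXXps://spark[.]adobe[.]com/page/6n0AwhsWKa3fw/", True,
     ["13[.]32[.]204[.]55", "13[.]32[.]204[.]80", "13[.]32[.]204[.]53", "13[.]32[.]204[.]46"]),
    ("hXXps://stickymoosestickers[.]com/austt/index.php", False, ["199[.]250[.]201[.]182"]),
]

def refang(value: str) -> str:
    """Turn a defanged indicator back into the form seen in real traffic."""
    return value.replace("hXXp", "http").replace("[.]", ".")

def classify(url: str, dst_ip: str) -> str:
    """'url': exact page; 'host': compromised site, other path; 'ip': dedicated IoC IP; 'none'."""
    seen = urlsplit(url)
    for ioc_url, shared, ioc_ips in IOCS:
        ioc = urlsplit(refang(ioc_url))
        same_host = seen.hostname == ioc.hostname
        if same_host and seen.path.startswith(ioc.path):
            return "url"
        if shared:
            continue  # never flag a shared platform on host or IP alone
        if same_host:
            return "host"
        if dst_ip in {refang(ip) for ip in ioc_ips}:
            return "ip"
    return "none"

# Constructed proxy records: timestamp, client, destination IP, method, URL, status.
LOG_LINES = [
    "2021-01-28T09:14:02Z 10.0.0.21 13.32.204.55 GET https://spark.adobe.com/page/6n0AwhsWKa3fw/ 200",
    "2021-01-28T09:14:05Z 10.0.0.21 13.32.204.80 GET https://spark.adobe.com/page/unrelated/ 200",
    "2021-01-28T09:14:40Z 10.0.0.21 199.250.201.182 POST https://stickymoosestickers.com/austt/index.php 302",
    "2021-01-28T09:15:01Z 10.0.0.33 199.250.201.182 GET https://stickymoosestickers.com/ 200",
    "2021-01-28T09:15:30Z 10.0.0.33 199.250.201.182 GET https://other-vhost.example/login 200",
]

def scan_log(lines):
    """Return (line_number, verdict, url) for each record matching an IoC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed records instead of crashing on them
        verdict = classify(fields[4], fields[2])
        if verdict != "none":
            hits.append((number, verdict, fields[4]))
    return hits
```

The POST to the index.php endpoint is the record worth escalating first, since that is the step at which the entered credentials leave the victim's browser.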

Phish Found in Proofpoint-Protected Environments Week ending January 29, 2021

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.  

Are phishing emails evading your secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint and other SEGs. 

TYPE: ZLoader 

DESCRIPTION:  Finance-themed emails found in environments protected by Proofpoint deliver ZLoader via malicious Microsoft Office macros. 

TYPE: Credential Phish 

DESCRIPTION: IRS-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver credential phishing via an embedded URL. 

TYPE: Credential Phish 

DESCRIPTION: LAN Associates-spoofing emails found in environments protected by O365-ATP deliver credential phishing via an embedded URL. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade secure email gateways.

Interested in seeing more? Search our Real Phishing Threats Database.
