DARKSIDE Ransomware Operations Abuse Trusted Platforms

By Dylan Duncan

DARKSIDE Ransomware Operations

DARKSIDE Ransomware first emerged in August 2020 and is used as a Ransomware-as-a-Service. The ransomware has been confirmed by the FBI as responsible for the compromise of the Colonial Pipeline networks. Traditionally, the goal of ransomware is to infect an organization that can pay the ransom. This attack certainly shows the financial impact a successful ransomware infection can have in terms of operational and economic disruption.

Since the malware release, DARKSIDE ransomware operators, and affiliates that use the service, have been seen targeting a variety of major organizations across most sectors. A report from FireEye sheds light on the ransomware by diving into the infrastructure, and shows that the initial compromise vectors are password attacks on perimeter infrastructure, the CVE-2021-20016 vulnerability, and malicious email with embedded links.

One of the ways threat actors abuse cloud platforms is by using them to host malicious content. In a quarterly trend review for Q4 2020, Cofense Intelligence predicted an increase in ransomware campaigns, along with the abuse of trusted platforms and software. We noted an expectation that it would continue to grow into the first two quarters of 2021. The DARKSIDE ransomware campaigns using malicious emails with embedded links have been reported to use Google Drive URLs to deliver .NET backdoors like SMOKEDHAM. As seen in other ransomware campaigns like Ryuk, the use of a backdoor allows threat actors to drop the ransomware manually, often long after the initial infection. We see no data indicating a decline in this trend if trusted platforms continue to represent a straightforward way for threat actors to host their malicious content while avoiding detection.

Cofense Intelligence reports on and provides actionable intelligence on phishing emails with embedded links that abuse trusted platforms every day. As organizations continue to move business processes to these trusted platforms, threat actors have also migrated their tactics to these platforms to bypass the secure email gateway (SEG). As seen in Figure 1, this year approximately 27% of the phishing emails with embedded links used for malware delivery abused Google Drive. Emerging technologies continue to create new opportunities for similar abuse by threat actors. Cloud solution providers have to maintain balance between offering services to the public and policing the abuse of the same services. While organizations often gain great value from using cloud services, they must also address the accompanying risk.

Figure 1: Phishing Emails with embedded links compared to Google Drive links.


Campaigns like this remain a key example of how crucial phishing education can be for an organization. A phishing simulation program allows users to practice in the same environment where they will experience a real phish. Also critical to your phishing defense program is providing a method for the user to quickly report the suspicious message using a tool such as Cofense Reporter. Additional infosec program essentials include steps to prepare in case of a ransomware infection, along with regular backup and tabletop exercises to practice your incident response plan. Having secure file backups with regular backup procedures helps if an infection occurs. Also key is software maintenance and performing regular updates to protect against vulnerabilities and exploits. Blocking trusted platforms often is not feasible for organizations, but a security operations team should understand the business goals and procedures relative to baseline usage. This will allow for hunting and alerting more effectively against anomalous activity. Although mitigation of a cloud-sourced threat vector is difficult, it is possible with layered defenses, auditing and training.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

HTML Phishing Email Opens the Door for Threat Actors

By Nathaniel Sagibanda, Cofense Phishing Defence Center

The Cofense Phishing Defense Center (PDC) has observed a credential phishing trend whereby threat actors are sending out several emails to employees with nothing more than an HTML attachment and the subject line “OfficeDoc – Important Business/Work Guide.” As organizations are planning for return-to-work procedures, threat actors are leveraging this theme to increase the likelihood of user interaction with the attachment.

Security protocols such as secure email gateways (SEGs) have a tough time stopping such malicious emails because the HTML attachment discreetly hides the malicious URL. The threat actor uses a popular and trusted cloud-based SMTP relay, SendGrid, to send out their campaign.

Figure 1 – Email Body  

Once the attachment has been opened, it redirects the user to a Microsoft SharePoint webpage with a OneDrive banner, as shown below in Figure 2.

Figure 2 – Initial Redirect (Phishing landing page) 

The URL is not evident within the address bar of the web application. The webpage contains a convincing-looking PDF file named “New Era in Customer Engagement.pdf,” with options to either view or download. Upon further inspection, we note that both options lead to the same outcome: a pop-up sign-in page appears. The threat actor has even gone to the effort of including a security message, “Data Encryption Enabled,” in a bid to socially engineer the user into thinking they are being authenticated legitimately.


Figure 3 – Second Redirect (Phishing landing page) 

Furthermore, additional security phrases, such as “Required for end-to-end encryption,” are displayed. Once the user has entered a password, a loading page appears that acts as though a secure connection is being established, as shown in Figure 4. Should the user log in with their actual credentials, their data is exfiltrated to the threat actor.

Figure 4 – Loading Page  

Finally, the last stage of this campaign redirects the user to a random PDF document, shown in Figure 5. A common tactic used by threat actors to divert attention and suspicion from malicious activity is to provide the document referenced in an earlier step. Here, the content of the document does not correspond to the attachment name, which is “Productivity Enhancing Guidance.”

Figure 5 – Redirect   

This campaign showcases the fact that threat actors are constantly innovating and trying to improve on their techniques to trick users while bypassing existing security protocols to steal credentials. These attachment emails are hard for security protocols such as SEGs to stop, and they force the user to click on the attachment to learn more. A well-conditioned user alerted us to this campaign upon recognizing suspicious elements of the phishing email. They used Cofense Reporter to quickly send it to us for evaluation and remediation.
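Because the email body carries no link, the place to look is inside the HTML attachment itself. The following is an added example (not Cofense's code) showing how a mail-security pipeline can open an .eml, pull every navigation target out of its HTML attachments (meta refresh, script-driven redirects, anchors, form actions) and flag hosts that are not on an allowlist. The message and all domains in it are constructed placeholders; the `suspicious_targets` allowlist is an assumption about what an organization would maintain.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample .eml mirroring the campaign: a harmless body and a single
# HTML attachment that immediately redirects the browser. Domains are placeholders.
SAMPLE_EML = b"""\
From: no-reply@relay.example.invalid
To: employee@corp.example
Subject: OfficeDoc - Important Business/Work Guide
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="us-ascii"

Please open the attached guide.

--B1
Content-Type: text/html; charset="us-ascii"; name="OfficeDoc.html"
Content-Disposition: attachment; filename="OfficeDoc.html"

<html><head>
<meta http-equiv="refresh" content="0; url=https://landing.phish.example.invalid/secure/">
</head><body>
<script>window.location.replace("https://landing.phish.example.invalid/secure/?step=1");</script>
<a href="https://landing.phish.example.invalid/view">Open document</a>
</body></html>
--B1--
"""

# "0; url=https://..." inside a meta refresh tag
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
# location = "...", location.href = "...", location.replace("..."), window.open("...")
SCRIPT_URL = re.compile(
    r"""(?:location(?:\.href|\.replace|\.assign)?\s*[=(]\s*|window\.open\(\s*)['"]([^'"]+)['"]""",
    re.I)


class RedirectExtractor(HTMLParser):
    """Collects every navigation target an HTML attachment could trigger on open."""

    def __init__(self):
        super().__init__()
        self.targets = []          # list of (kind, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)            # HTMLParser lowercases attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "a" and a.get("href"):
            self.targets.append(("anchor", a["href"]))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form-action", a["action"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; scan them for redirect calls.
        if self._in_script:
            for url in SCRIPT_URL.findall(data):
                self.targets.append(("script", url))


def html_attachment_targets(eml_bytes):
    """Return [(attachment filename, kind, url)] for every HTML attachment."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        extractor = RedirectExtractor()
        extractor.feed(part.get_content())
        found.extend((part.get_filename(), kind, url) for kind, url in extractor.targets)
    return found


def suspicious_targets(eml_bytes, allowed_hosts):
    """Targets whose host is not on the allowlist (allowlist is a constructed assumption)."""
    return [t for t in html_attachment_targets(eml_bytes)
            if urlparse(t[2]).hostname not in allowed_hosts]


if __name__ == "__main__":
    for fname, kind, url in suspicious_targets(SAMPLE_EML, {"corp.example"}):
        print(f"{fname}: {kind} -> {url}")
```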

Indicators of Compromise

Network IOC                                                IP
hxxps[:]//winsoftsolutions[.]xyz/369065cp065cps036ess/     104[.]168[.]145[.]194

Pipeline Phishing: Colonial Pipeline Ransomware Attack

By Rohyt Belani, CEO

We keep saying it. It almost always starts with a phish.

The latest news of the Colonial Pipeline ransomware attack is not surprising, but it is alarming. The incident is one of the most disruptive digital ransom operations ever reported and has drawn attention to how vulnerable U.S. energy infrastructure is to hackers, according to Reuters. What’s disconcerting to me as a security professional who has spent two decades in this industry is that no one ever talks about the root cause of these major breaches.

Instead, media and pundits talk about the symptoms and how those can be managed. It reminds me of when my now 10-year-old was a toddler suffering from eczema. Every doctor we met prescribed steroids and harsh medication; not one of them took a step back to understand what was causing the condition. And though incident response is only in the beginning stages, chances are this attack began with an email. And thus a phish, as is the case 90% of the time, and yet the average security department spends only 8% of its IT security budget on email security.

As we mentioned in the Cofense 2021 Annual State of Phishing Report, “we expect this trend of ransomware attackers leaking corporate data to force accelerated payment to continue, as it increases the pain for ransomware victims who may otherwise not pay. Organizations may be reputationally damaged by a data leak and, depending on laws and regulations, may be subject to fines and penalties.”

We weren’t wrong.

No matter how much automation drives a phishing campaign execution, behind every phishing attack is a threat actor. In this case: DarkSide. These adversaries understand what motivates and moves humans to action. They understand the power of social engineering, and how to outwit defense technologies and uneducated users. DarkSide, like many other attackers, finds or develops new malware and delivery tactics to stay ahead. Groups like this demand payment to decrypt the files and increasingly ask for additional money not to publish stolen content.

Phishing attacks are the single most common technique attackers use to compromise an organization. These attacks lead to ransomware, Business Email Compromise (BEC), credential theft and various other situations that increase risk to organizations. Reuters reported that in the Colonial attack, the hackers took more than 100 gigabytes of data.

Cofense believes there is a better approach. With a global network of 27 million people actively reporting suspicious emails, Cofense has the largest collection of phishing intelligence in the world. This intelligence is used to power our Computer Vision and Artificial Intelligence to stop phishing attacks fast. In fact, when configured to feed our auto quarantine capability, attacks seen in one Cofense customer environment, or for that matter anywhere by our Intelligence operations, can be searched for and removed in all other Cofense customer environments in close to real-time – a true network effect! Think Waze® for phishing detection.

At the end of the day, shifting left on the kill chain is what matters in ensuring that a cyber infection doesn’t turn into a full-blown data breach or disruption of service.

OneDrive’s Cloud Service Abused to Slip Malicious Links Past SEG

By Kian Mahdavi, Cofense Phishing Defense Center

The ever-increasing need to both access and store documents via the cloud has fueled the increased risk for Microsoft OneDrive credential-phishing attacks. Threat actors have subsequently used this to their advantage to socially engineer people to click on a link that results in harvested credentials. However, well-conditioned users quickly identify these suspicious emails and use Cofense Reporter to alert the security team.

The first stage of this attack utilized OneDrive’s legitimate cloud services and managed to slip past both Microsoft and Proofpoint secure email gateways (SEGs). Why? The current detection controls for both SEGs can’t detect the malicious site hosted in the second-stage URL redirects that had been wrapped into a hosted PDF document, as we’ll later learn.

The URL in Figure 1 had been shortened so, if the user were to hover over “bekijken,” (which translates to “view”), they would not be able to see the entire content. This might spark the user’s curiosity.

Figure 1 – Email body

Figure 1 showcases text that had been kept short, sweet and to the point. Once translated from Dutch, the email body read: “[redacted] shared a file via OneDrive”, followed by “Kind Regards.”

When users click the hyperlinked part of the text, they’re taken to the initial-stage phishing landing page. As previously mentioned, the PDF document was hosted within OneDrive’s cloud services.

Figure 2 – First-stage phishing landing page

Once the user clicks “Access Document” as noted in Figure 2, the user is automatically redirected to a phishing page showcasing various login options. This is a common tactic used by threat actors to harvest as many credentials as possible.

Figure 3 – Second-stage phishing landing page

There’s a diverse set of mentioned services for user authentication. We clicked on “Office365” and “Outlook” and the following login webpages appeared.

Figure 4 – Phishing landing page

Figure 5 – Phishing landing page

Both URLs within Figures 4 and 5 were hosted on the identical domain, apart from a slight change in the subdirectory toward the end. We noted from Figure 5 that the user was shown a “Box” login page as opposed to an “Outlook” webpage. We assume that this may have been a mistake by the threat actor.

Figure 6 – Research article

Once credentials had been entered, the user was immediately taken to a well-known business’s research article to allay suspicions regarding the transaction’s legitimacy. If users entered their true credentials, their data would unfortunately be in the hands of the threat actor.

This credential-phishing scheme illustrates once again that threat actors will always find ways to gain a user’s trust and then use that trust to malicious ends. With Cofense, enterprises benefit from our complete view of real phish. We help businesses cut through the noise to catch and contain phish. Contact us today to find out how. We’re here to help.

Indicators of Compromise

Network IOC                                                                                                                              IP
hxxps[:]//1drv[.]ms/b/s!AqiKtGK7_q5BhnXo7zkxqgHVPLWk                                                                                     13[.]107[.]42[.]12
hxxps[:]//onedrive[.]live[.]com/?authkey=%21AOjvOTGqAdU8taQ&cid=41AEFEBB62B48AA8&id=41AEFEBB62B48AA8%21885&parId=41AEFEBB62B48AA8%21107   13[.]107[.]42[.]13
hxxps[:]//f000[.]backblazeb2[.]com/file/cpu-softmodem-9b005b11/                                                                           104[.]153[.]233[.]177
hxxps[:]//jupitersmt[.]com/email-list/onedrive25/finish[.]php                                                                             104[.]21[.]3[.]132
hxxps[:]//valvadi101[.]com/email-list/finish-unv2[.]php                                                                                   172[.]67[.]130[.]186

Phishing Victims’ Initiative Exploited by BazarBackdoor Campaigns in Attempts to Avoid Detection

By Dylan Duncan

Threat actors using BazarBackdoor have brought an unusual set of lures, techniques and infrastructure to enterprise users, exemplified in two recent campaigns. In these campaigns, threat actors exploit the victims’ own initiative in order to evade security controls and achieve a compromise. These tactics may also be an attempt to counter phishing awareness training.

In this case, we analyzed two campaigns that added a twist to the first stage of the infection chain: one with order-confirmation-themed emails that require a specific invoice number to be entered to reach the payload, and another with subscription-themed emails that mandate a phone call to receive the payload. Emails for the first campaign were disseminated in February and emails for the second in March, which may indicate that threat actors evolved their tactics from one campaign to the other. Alternatively, these actors may be experimenting with several pre-determined sets of tactics to determine which is the most successful.

The lack of embedded clickable links or malicious attachments makes it difficult for secure email gateways (SEGs) and sandbox rules to detect and block the emails. More and more, corporate network users are being conditioned to recognize malicious links and attachments. The absence of apparently malicious links and attachments may lull potential recipients into complacency: “If threat actors wanted to compromise me, wouldn’t they provide me with a means to engage with their malware, or send them my personal information?” Failure to recognize the roundabout engagement tactics at play here could result in a compromise going unnoticed. As seen in Ryuk ransomware campaigns during October 2020, BazarBackdoor remained undetected on infected machines, which allowed threat actors to deliver payloads remotely at a later date.

Sample Campaign 1: Order Confirmation

Figure 1: Order-themed email that delivers BazarBackdoor through shop domains.

Process of Compromise

The first of two BazarBackdoor campaign examples (observed and reported by Cofense Intelligence in early February), used order-confirmation-themed lures. The lures, however, contained no malicious payload. Instead, the threat actors intended for users to be compromised through the following process:

  1. The order-confirmation-themed campaign disseminates phishing emails similar to Figure 1. The order confirmations are from fake companies—mostly pharmaceutical, office supply, flower delivery and lingerie companies. This sample from the campaign uses the fabricated company “Fierce Pharma.”
  2. The email contains an order number, a phone number that is unavailable, and an attached fake invoice in PDF format (as shown in Figure 2). Neither the email nor the invoice contains malware or a link directly to malware, which complicates detection. Threat actors count on additional effort from potential victims who must, unbidden, open a browser and manually enter a domain displayed in the invoice.
  3. Threat actors intend that victims perceive the domain as a legitimate website for Fierce Pharma. Users must navigate around the site to find a “Cancel Order” page, where they are prompted to enter the order number from the campaign.
  4. After entering the number (which likely serves as a victim ID used by the threat actors), intended victims are redirected to a different site with a similar domain scheme. The new site displays instructions on how to enable macro content and delivers a Microsoft Excel spreadsheet that contains malicious Office macros. These then download and run BazarBackdoor.

Figure 2: Invoice from Fierce Pharma attached to order confirmation phishing email.

Campaign Infrastructure

In this case, BazarBackdoor threat actors registered hundreds or more domains such as fiercepharma[.]net (shown in the invoice in Figure 2). Some interesting aspects of these domain registrations include the following:

  • Most domains used in the campaign were registered anonymously, using privacy protection services.
  • Anonymous registration, however, is not allowed for .us domains. Instead, threat actors used bogus contact details, but they used the same email address to register the .us domains. This allowed researchers to connect at least 245 .us domains registered to this campaign.
  • Many of the domains are registered in groups of two or three, using the same domain name with three separate TLDs (for example, .net, .us. and .shop). Thus, for every .us domain, there are likely two other connected domains.

We suspect that the threat actors’ reason for duplicating and/or triplicating infrastructure is to evade early detection, as well as to conserve resources and effort. Minimal effort is spent on payload delivery sites with a shorter shelf life, while the more developed landing pages have a lower likelihood of removal because they appear benign. Other factors of note include the following:

  • One of each domain pair (or triad) mentioned above is used as the first stage of the campaign. It is made to appear as legitimate as possible, serving as the landing page for target users. It does not host any malware; rather it serves only to redirect users to the second-stage site when they enter an order number and complete the compromise. Cloaking the more directly malicious domains from email security controls by an extra step may allow the threat actors to avoid detection.
  • The use of separate domains is also likely intended to conserve resources. The first-stage domain, most commonly hosted on .net or .com, is more developed and does not directly serve a malicious payload, meaning it should have a longer shelf life for threat actors. The second-stage domains (often .us or .shop), are likely to be taken down faster because they deliver the malicious payload. The second-stage site is just a single-page PHP form where users again enter their order number and receive the malicious Office document.

The detail and effort put into this campaign goes beyond those of most phishing threat activity, and these unusual tactics were swiftly changed, as the subscription-themed campaign was delivered just over a month later.
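The registration pattern described above (the same name under .net, .us and .shop, with the .us registrations sharing one contact email) is something a defender can turn into a watchlist-expansion routine. The following is an added example, not Cofense's code: given WHOIS-style observations, it clusters domains by their label across TLDs, pivots on the shared .us registrant email, and separates likely first-stage (.net/.com) from second-stage (.us/.shop) domains the way the post describes. Only fiercepharma[.]net comes from the post; every other domain and the registrant address are constructed placeholders, and the single-level-TLD assumption in `split_label` is mine.

```python
from collections import defaultdict

# Constructed WHOIS-style observations: (domain, registrant email).
# None stands for a privacy-protected registration; .us domains cannot use that,
# so they carry the (placeholder) contact address the threat actors reused.
OBSERVED = [
    ("fiercepharma.net", None),
    ("fiercepharma.us", "registrant-placeholder@example.invalid"),
    ("fiercepharma.shop", None),
    ("bloomdelivery.net", None),
    ("bloomdelivery.us", "registrant-placeholder@example.invalid"),
    ("officesupplyhub.com", None),
    ("officesupplyhub.us", "registrant-placeholder@example.invalid"),
    ("officesupplyhub.shop", None),
    ("unrelatedvendor.com", None),          # no shared label or registrant: must stay out
]

FIRST_STAGE_TLDS = {"net", "com"}          # developed, benign-looking landing pages
SECOND_STAGE_TLDS = {"us", "shop"}         # single-page PHP form serving the payload


def split_label(domain):
    """'fiercepharma.us' -> ('fiercepharma', 'us'). Assumes single-level TLDs."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def cluster_by_label(observed):
    """Map each registrable label to the set of TLDs it was registered under."""
    clusters = defaultdict(set)
    for domain, _ in observed:
        label, tld = split_label(domain)
        clusters[label].add(tld)
    return clusters


def stage_roles(observed):
    """For every label seen under two or more TLDs, list its likely stage-1 and stage-2 domains."""
    roles = {}
    for label, tlds in cluster_by_label(observed).items():
        if len(tlds) < 2:
            continue
        roles[label] = {
            "first_stage": sorted(f"{label}.{t}" for t in tlds & FIRST_STAGE_TLDS),
            "second_stage": sorted(f"{label}.{t}" for t in tlds & SECOND_STAGE_TLDS),
        }
    return roles


def expand_watchlist(observed, seed_domain):
    """Grow a watchlist from one known-bad domain.

    Two pivots are applied until no new domains appear: siblings of the same label
    under other TLDs, and every domain registered with the same contact email.
    """
    clusters = cluster_by_label(observed)
    by_email = defaultdict(set)
    email_of = {}
    for domain, mail in observed:
        if mail:
            by_email[mail].add(domain.lower())
            email_of[domain.lower()] = mail

    seen, queue = set(), [seed_domain.lower()]
    while queue:
        domain = queue.pop()
        if domain in seen:
            continue
        seen.add(domain)
        label, _ = split_label(domain)
        queue.extend(f"{label}.{tld}" for tld in clusters.get(label, ()))   # TLD-sibling pivot
        if domain in email_of:
            queue.extend(by_email[email_of[domain]])                         # registrant pivot
    return sorted(seen)


if __name__ == "__main__":
    for d in expand_watchlist(OBSERVED, "fiercepharma.net"):
        print(d)
```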

Sample Campaign 2: Subscription

Figure 3: Free trial-themed email that delivers BazarBackdoor via phone number.

Process of Compromise

The second BazarBackdoor campaign was originally observed and reported by Cofense Intelligence in March; it used subscription-themed lures. Like the first campaign, the email contains no malicious content. Instead, the threat actors intended for users to be compromised through the following process:

  1. The second campaign was changed to be subscription-themed; the disseminated phishing emails were similar to Figure 3.
  2. Each email contained some content regarding a free trial ending, a subscription cancellation, or some subscription fee to be charged. Like the first campaign, no traditional IOCs are associated, since no embedded links or attachments were included in the email. Instead, a phone number was included. Threat actors intend for users to call the number to cancel or make changes to the subscription.
  3. Upon calling the phone number, users are met with a fake representative of the fabricated company or subscription service. The first step of the phone conversation is to provide the user ID found in the email subject and body. This allows the threat actor to acquire the email address and information of the recipient.
  4. At this point, threat actors walk users through steps almost identical to the first campaign over the phone. The representative provides what is usually a .us domain, directs users to that website and tells them to find the unsubscribe button.
  5. Once the unsubscribe button is used, the website requests the user ID from the email. This could be a way for the threat actor to track the infected individual. Once the ID has been entered, users are prompted to download a Microsoft Excel spreadsheet that contains malicious macros.
  6. Threat actors then proceed to talk the user through enabling the macros which download and run BazarBackdoor. A video demonstrating a full walkthrough of a phone conversation with the threat actors can be found here.


The addition of what seems to be a fully functional BazarBackdoor call center shows just how far threat actors are willing to go for a successful infection. The threat actors are also constantly changing the campaign’s infrastructure by adding new phone numbers, email addresses and domains. This makes it very difficult to create effective rules and security controls for blocking the campaign. Other campaigns using methods similar to this have recently arisen, using call centers with malicious intent. While not necessarily a new tactic, other threat actors have been reported using AnyDesk (a remote desktop application) to infect users via call center. This tactic has been previously used in consumer phishing but is not usual in campaigns targeting businesses.

The analysis of these campaigns led to insight on threat actors’ ability to adapt and use atypical methods to reach end users. Like previous BazarBackdoor campaigns, the final payload is delivered later, and is usually dependent on the infected machine and network. This makes it difficult to see the campaign in its entirety. Because both campaigns assign a unique order ID to each email, it is possible that the ID will be used later to determine the final payload, tailored to the organization/location/role of the victim.

Both campaigns were reported directly to the Cofense Phishing Defense Center (PDC) by enterprise users with the PhishMe Reporter button. With further analysis by Cofense Intelligence, customers have received relevant IOCs and Active Threat Reports (ATRs) for these campaigns. Customers can access the most up-to-date list of all relevant Cofense Intelligence IOCs and ATRs tied to BazarBackdoor via our Threat Intelligence API and the ThreatHQ intelligence portal. Learn more here.

ATR IDs for the BazarBackdoor campaigns:

Active Threat Report    Date Published
142393                  2021-02-12
164206                  2022-03-25

Phishing Detection and Response: Speed and Automation with Cofense Triage and ServiceNow SIR

By Mike Saurbaugh

How quickly can your security team produce information about the success of phishing incident response capabilities?

What if company leadership asks the CISO for data about the number of malicious phish that bypassed the secure email gateway and that employees caught and reported? Is this information available? More importantly, how rapidly does the team remedy employee-reported phishing threats?

With an integration between Cofense Triage™ and ServiceNow Security Incident Response (SIR), security teams reap great benefits. These include:

  • Bi-directional APIs to integrate and enrich platforms
  • Accelerated phishing email identification and mitigation
  • Improved analyst efficiency to investigate and respond without switching screens
  • Centralized visibility into enterprise incident management and response

Cofense and ServiceNow have long been technology partners and created an integration with Cofense Intelligence for phishing threat lookups and an earlier interoperability with Cofense Triage, both of which are in the suite of products that make up the Cofense phishing detection and response platform. As products evolved, Cofense and ServiceNow boosted security teams’ ability to manage phishing threats.

Think of Cofense Triage as a source of truth that highlights for analysts which emails in the company were reported as malicious, while removing the noise from benign reported emails. Now, take these highly credible reported phish and populate ServiceNow SIR with phishing incidents for analysts to remediate through next-step automation actions across the enterprise. The result is a streamlined process to investigate, prioritize and resolve phishing attacks.

The APIs That More Than GET It

With the advent of a new set of Cofense Triage APIs (version 2), customers benefit from capabilities they had been asking for. Among them:

  • Bidirectional support between platforms – GET, POST, PUT, DELETE
  • Cofense Triage data ingestion and updating outside of the user interface
  • Filtering, and sorting improvements using sparse fieldsets, for better performance
  • To-One (many reports to one category), and To-Many (one category to many reports) relationships
  • Expanding pagination parameters

Optimizing Your Phishing Incident Response

  • Ingest employee-reported phishing emails from Cofense Triage based on severity, category, threat indicators and reporter reputation.
  • Create security incidents in ServiceNow Security Incident Response (SIR) from events in Cofense Triage’s inbox, reconnaissance and processed queues.
  • Ingest phishing threat indicators from Cofense Triage into ServiceNow SIR to enrich and operationalize incident response.
  • Update and process/categorize phishing emails in Cofense Triage from ServiceNow SIR.
  • Bidirectionally manage phishing threat indicators and observables between Cofense Triage and ServiceNow SIR.

Go Configure…

1. First, configure ServiceNow SIR to create an incident based on the desired criteria.

Ingest email artifacts from Cofense Triage from the Inbox, Recon or Processed locations. The example below creates a security incident in SIR when a search of Cofense Triage matches all of the following conditions:

  • Location = Processed
  • Report Category = Crimeware
  • VIP Reporter = True

Figure 1. ServiceNow SIR Security Incident Creation Criteria Querying Cofense Triage

2. Review the security incident in ServiceNow SIR after the polling interval has collected data matching the criteria.

Figure 2. ServiceNow SIR Incident Locations Obtained from Cofense Triage

Figure 3. Security Incident Matching Creation Criteria (Processed location, Report Category, VIP)

3. The incident details shown below in Figures 4-6 are from reported phish received by Cofense Triage and ingested into SIR. The populated fields were retrieved by polling the APIs.