Phish Found in Proofpoint-Protected Environments – Week Ending September 13, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Attackers continue to find ways to hide their intentions from technical controls using encrypted attachments and malware hosted on trusted platforms.

sample phish uses a quote theme to deliver a pdf attachment with a link to azorult stealer

TYPE: Malware – AZORult Stealer

DESCRIPTION: This quotation-themed phish has all the pressure of a high-stakes auction. It’s a lot of words – many of them impactful – in a short amount of space. Rather than raising their hand for an unintended bid, the recipient of this email clicked the Cofense Reporter button so our PDC could identify a malicious link in the attached PDF that led to the AZORult Stealer malware. Going once. Going twice. Gone!

sample phish uses a document theme to deliver a password-protected zip to install iced-id

TYPE: Malware – Iced-ID

DESCRIPTION: This phishing threat isn’t just cryptic, it’s encrypted! This response-themed attack delivers a password-protected .zip archive containing a macro-laden Microsoft Office document with a .hta downloader for Iced-ID. Opening this chilly attachment would have been a grave mistake.

sample phish uses an invoice-theme to deliver a malicious link leading to the wsh remote access trojan

TYPE: Malware – WSH Remote Access Trojan

DESCRIPTION: Many of us long for the days of unfettered travel, and this email spoofs an aviation company with an invoice for a booked flight. It actually delivers a link to Google Drive that downloads a VBS Loader to install the WSH Remote Access Trojan. Be careful what you wish for!

sample phish uses a response theme to deliver ursnif via embedded link on google docs

TYPE: Malware – Ursnif

DESCRIPTION: Skipping the friendly skies, there’s always the open road. And any decent road trip requires a sound insurance policy. This response-themed phish goes into considerable detail to convince the recipient to click the embedded links that will lead to a password-protected .zip archive containing VBS Droppers to run Ursnif. Our recipient appraised the offer and reported it to the security team.

sample phish uses a document theme to deliver a link to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: Another phish! Using a document theme, this simple attack uses Microsoft OneDrive links to host credential-stealing web pages. Incredible!

example phish with a bonus theme uses a .html attachment to install a reconnaissance tool

TYPE: Malware – Reconnaissance

DESCRIPTION: Just like the attackers, we’re throwing in this last phish as a bonus. A promise of money is often enough to lure a recipient into clicking. Had they opened the attached .html file, they would have been led to a macro-laden Microsoft Office document delivering a reconnaissance tool.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Spoofed Training Email from Phishing Simulator Company

By Max Gannon and Brad Haas, Cofense Intelligence

Cofense Intelligence has analyzed a security awareness training-themed campaign that spoofs a training reminder email from KnowBe4. Embedded links in the email direct victims to a credential phishing page targeting both Microsoft Outlook credentials and personal information. The phishing kit is hosted on compromised sites and has been used on at least 30 domains since mid-April 2020, as detailed below.

The emails used in this campaign attempt to pressure recipients into clicking the link by warning that the user only has one day left to complete a required training. They also discourage recipients from browsing directly to legitimate company training pages with the following statement: “Please note this training is not available on the employee training Portal. You need to use the link below to complete the training[.]”

Figure 1: Phishing email spoofing a KnowBe4 notification

The phishing kit used in this attack first collects Outlook credentials, then loads another page soliciting several pieces of personal information.

Figure 2: First page of the credential phishing kit

Figure 3: Second page of the credential phishing kit

As noted, the campaign’s credential phishing kit has been hosted on at least 30 other sites since mid-April 2020. The kits all used the same exfiltration methods and files as the spoofed KnowBe4 campaign, targeting Outlook credentials. Previous campaigns using this kit had a sexual harassment training theme rather than a security training theme. Those campaigns redirected to a legitimate page related to sexual harassment, shown in Figure 4, after the credentials requested in Figure 2 and Figure 3 were entered. The credential phishing kit linked in the spoofed KnowBe4 campaign has already been taken down, but it is very likely that the threat actors redirected from it to a security training-related page instead.

Figure 4: The credential phishing kit from previous campaigns redirected to this page

After additional analysis, we discovered that several of the compromised sites, many of which run WordPress, had recently been used to host a specific web shell, “CHips L MINI SHELL.” The shell has a relatively small feature set, allowing attackers to upload and edit files on a compromised site. It has already been removed from the sites in most instances. However, it was installed on some of them in a way that made it publicly visible, so cached Google search results show that it had been present, as shown in Figure 5.

Figure 5: Web shell on compromised site hosting the credential phishing kit
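Because the kit in this campaign was dropped as login.php under directories such as wp-includes/bid/ and .well-known/acme-challenge/bid/ on compromised WordPress sites, a site owner's first defensive check is an inventory of PHP files that do not belong. The following is an added example written for this post, not Cofense tooling: it diffs a PHP inventory against a baseline manifest and flags PHP under static-only directories; the directory rules, the kit filenames, the baseline and the sample listing are all constructed assumptions.

```python
"""Find PHP files that a WordPress web root should not contain.

Added example for this post, not Cofense tooling.  Two checks are combined:
a baseline manifest diff (any PHP file not in the known-good list) and a rule
that static-only directories must never hold PHP.  The directory rules, the
kit filenames, the baseline and the sample listing are constructed.
"""
import os
import posixpath
from dataclasses import dataclass, field

PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")

# Directories that hold only static content in a stock install (assumption).
STATIC_ONLY_DIRS = (
    ".well-known/",          # ACME / PKI validation tokens are plain text
    "wp-content/uploads/",   # media library
    "wp-content/cache/",     # generated cache output
    "wp-includes/css/",
    "wp-includes/js/",
    "wp-includes/images/",
    "wp-includes/fonts/",
)

# WordPress's real login page is wp-login.php at the web root; these names
# are typical of dropped credential-phishing kits (assumption).
KIT_LOGIN_NAMES = {"login.php", "signin.php", "verify.php", "next.php"}


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def suspicious_php(paths, baseline):
    """Return a Finding for every PHP file in `paths` (web-root-relative,
    '/'-separated) that fails at least one check against `baseline`."""
    findings = []
    for rel in paths:
        rel = rel.lstrip("/")
        if not rel.lower().endswith(PHP_SUFFIXES):
            continue
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline manifest")
        for static_dir in STATIC_ONLY_DIRS:
            if rel.startswith(static_dir):
                reasons.append(f"PHP under static-only directory {static_dir}")
        if posixpath.basename(rel).lower() in KIT_LOGIN_NAMES:
            reasons.append("login-page filename outside wp-login.php")
        if reasons:
            findings.append(Finding(rel, reasons))
    return findings


def scan_webroot(root, baseline):
    """Walk a real web root and apply the same checks to what is on disk."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            paths.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return suspicious_php(paths, baseline)


# Constructed baseline: the site's own PHP inventory before compromise.
BASELINE = {
    "index.php",
    "wp-login.php",
    "wp-admin/post.php",
    "wp-includes/functions.php",
    "wp-includes/IXR/class-IXR-server.php",
}

# Constructed listing mixing legitimate files with kit paths shaped like the
# ones reported in this post.
SAMPLE_LISTING = [
    "index.php",
    "wp-login.php",
    "wp-admin/post.php",
    "wp-includes/functions.php",
    "wp-includes/IXR/class-IXR-server.php",
    "wp-includes/css/dashicons.min.css",
    "wp-content/uploads/2016/08/photo.jpg",
    ".well-known/acme-challenge/token-abc123",
    "wp-includes/bid/login.php",
    "wp-includes/IXR/bid/login.php",
    "wp-includes/css/bid/login.php",
    "wp-content/uploads/2016/08/bid/login.php",
    "wp-content/cache/all/bid/login.php",
    ".well-known/acme-challenge/bid/login.php",
]

if __name__ == "__main__":
    for f in suspicious_php(SAMPLE_LISTING, BASELINE):
        print(f.path, "->", "; ".join(f.reasons))
```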

The indicator of compromise (IOC) table below includes the phishing kit URLs mentioned above.

Table 1: IOCs

Associated Credential Phishing URLs

Recommendations

Educating your workforce to identify these threats is key. Organizations can also stay on top of today’s dynamic threat landscape using Cofense Intelligence. Phishing causes nine out of ten data breaches. With Cofense Intelligence, you’ll get access to preemptive phishing alerts you can act on before you’re attacked.


Phish Found in Proofpoint-Protected Environments – Week Ending September 6, 2020

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Phishing attackers like saving money as much as they like making money, and they’re continuing to leverage trusted cloud providers to host their kits cheaply.

sample phish uses a proposal theme to deliver links to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: This RFP is Ripe For Phishing, with an attack chain that starts with embedded Microsoft OneDrive links leading to a Googleapis domain designed to perform credential harvesting. Request For Password, anyone?

sample phish uses quote theme to deliver a linked image that leads to an install of agent tesla keylogger

TYPE: Malware – Agent Tesla

DESCRIPTION: Another phish that uses those oh-so-trustworthy Microsoft OneDrive links. These links lead to a .iso file that Microsoft Windows will dutifully mount to deliver the Agent Tesla keylogger. Cofense has examined the use of .iso files in phishing attacks before.

sample phish uses a document theme to deliver a linked image to an installer for nanocore remote access trojan

TYPE: Malware – NanoCore RAT

DESCRIPTION: They say third time’s a charm. This phish is less than charming as it too uses Microsoft OneDrive links behind a finance-themed image to deliver a .ace archive containing the NanoCore Remote Access Trojan. If this had been a simulation, our well-trained human would have aced the test.

sample phish uses wetransfer to deliver links to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: Would you believe that a phishing attack could spoof a popular file transfer service and yet deliver Microsoft OneDrive links? Well, seeing is believing as this attack links to hosted .htm files that harvest email login credentials.

sample phish with a finance theme delivers a linked image to the pyrogenic stealer malware

TYPE: Malware – Pyrogenic Stealer

DESCRIPTION: Are you ready for a change? This phish uses an image of a PDF document to hide a link to a Pyrogenic Stealer download. I bet you thought I was going to mention Microsoft OneDrive.

sample phish uses invoice theme to deliver a linked image to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: Here’s another example of a PDF image being used to mask a link to something bad. In this case, the recipient will be taken to a credential harvesting site.

Message Quarantine Campaign with Overlying Potential

By Dylan Main, Cofense Phishing Defense Center 

Message quarantine phish are back, this time with a new tactic that uses the targeted company’s homepage as part of the attack. The Cofense Phishing Defense Center (PDC) has identified this campaign, which attempts to steal employee credentials by posing as a message quarantine email. Using an overlay tactic to disguise itself, this attack is an example of how threat actors are using more advanced techniques to make malicious emails appear to come from a trusted source.

Figure 1: Phishing Email

This campaign imitates the technical support team of the employee’s company and makes it appear as though the company’s email security service has quarantined three messages, blocking them from entering the inbox. It claims these messages failed to process and need to be reviewed to confirm their validity. It even states that two of them were considered valid and are being held for deletion. This could lead the employee to believe that the messages are important to the company and entice them to review the held emails. Another social engineering technique the threat actor uses is urgency: the recipient is asked to review the messages or they will be deleted after three days. The potential loss of important documents or emails makes the employee more inclined to interact with this email.

Figure 2: Phishing Email 

As seen in Figure 2, hovering over “Review Messages Now” shows the malicious URL. Upon clicking the link, the user is directed to a phishing page unique to the employee’s company. Here is where this campaign uses advanced mechanics to make it appear even more legitimate.

Figure 3: Cofense Phishing Page 

After interacting with the email, the employee is redirected to what appears to be a login screen on the company website (Figure 3). However, further analysis determined that the page shown is actually the company’s website home page with a fake login panel covering it. This gives the employee a greater comfort level by displaying a familiar page. It is also possible to interact with this page by moving outside of the overlay, showing that it is the actual page they have seen and used before. The overlay itself prompts the user to sign in to access the company account. The entered credentials are then sent to the threat actor, giving them access to the target’s company account.

Figure 4: Microsoft Phishing Page

Based on the analysis performed by the PDC, it was determined that each link, while still going to the same base domain, uses specific parameters to determine which web page to pull, then overlays the fake login panel on top. Depending on what company the threat actor is targeting, the link is populated with the address of the original recipient of the email. Figures 3 and 4 are examples produced by entering an address, in this case a Cofense or Microsoft one. After the equal sign, the link takes the domain of that address and pulls its homepage. This campaign shows that threat actors can and will use any resource available to compromise business accounts.
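The two network IOCs listed in the table below show the tricks worth automating a check for: a trusted brand placed in the URL’s userinfo before “@” so the real host is overlooked, a victim-specific “email=” parameter, and digit-for-letter path segments such as 1ogin. This added example (not Cofense code) parses a defanged URL and reports each; the brand list, the digit map and the login-word list are the author’s assumptions, and the URLs are this post’s IOCs.

```python
"""Triage the URL tricks seen in the message-quarantine campaign.

Added example for this post, not Cofense tooling.  It checks a defanged URL
for (1) userinfo spoofing, where a trusted brand is placed before '@' so the
real host is easy to miss, (2) a victim-specific 'email=' parameter that the
kit used to choose which company homepage to render behind the fake login
overlay, and (3) digit-for-letter lookalike path segments such as '1ogin'.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Brands an analyst would expect to see abused in the userinfo part (assumption).
TRUSTED_BRANDS = {"google.com", "microsoft.com", "office.com", "outlook.com"}

# Digits commonly substituted for letters in lookalike path segments (assumption).
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
LOGIN_WORDS = {"login", "mail", "webmail", "signin", "office", "outlook"}


def refang(defanged: str) -> str:
    """Turn 'hxxp://evil[.]com' back into a parseable URL."""
    return defanged.replace("hxxp", "http", 1).replace("[.]", ".")


def lookalike_segments(path: str) -> list:
    """Return path tokens that become a login-related word once digits are
    mapped back to letters, e.g. '1ogin' -> 'login', 'mai1' -> 'mail'."""
    hits = []
    for token in re.split(r"[/._\-]", path):
        normalised = token.lower().translate(LOOKALIKE_MAP)
        if normalised in LOGIN_WORDS and normalised != token.lower():
            hits.append(token)
    return hits


def analyze(defanged_url: str) -> dict:
    """Return structured findings for one defanged URL."""
    parts = urlsplit(refang(defanged_url))
    findings = []

    # (1) RFC 3986 allows user[:password]@host; the browser connects to the
    # host, but the brand before '@' is what a hurried reader notices.
    if parts.username is not None:
        msg = f"userinfo '{parts.username}' hides real host '{parts.hostname}'"
        if parts.username.lower() in TRUSTED_BRANDS:
            msg += " (trusted brand spoofed)"
        findings.append(msg)

    # (2) The kit keyed its overlay page on the recipient's address, so an
    # 'email' parameter, even an empty one, is worth flagging.
    query = parse_qs(parts.query, keep_blank_values=True)
    has_email_param = "email" in query
    if has_email_param:
        findings.append("'email' parameter selects the homepage to overlay")

    # (3) Lookalike path segments built from digits.
    lookalikes = lookalike_segments(parts.path)
    if lookalikes:
        findings.append("lookalike path segments: " + ", ".join(lookalikes))

    return {
        "host": parts.hostname,
        "userinfo": parts.username,
        "email_parameter": has_email_param,
        "lookalike_segments": lookalikes,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # The two defanged network IOCs from this post.
    for ioc in (
        "hxxp://google[.]com@ashousingcompany[.]com/www/?email=",
        "hxxp://traximgarage[.]com/www/webmail-std/appsuite/1ogin/mai1/",
    ):
        result = analyze(ioc)
        print(ioc)
        for finding in result["findings"]:
            print("  -", finding)
```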

HOW COFENSE CAN HELP 

Cofense Resources 

Cofense PhishMe™ offers a simulation template named Email Quarantine Report – Alternate.

Network IOC                                                             IP
hxxp://google[.]com@ashousingcompany[.]com/www/?email=                  104[.]27[.]158[.]208
hxxp://traximgarage[.]com/www/webmail-std/appsuite/1ogin/mai1/          185[.]68[.]16[.]137

Phish Found in Proofpoint-Protected Environments – Week Ending August 30, 2020

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s sampling focuses on our finances, with payments, invoices, and taxes luring recipients to click. Organizations with solid awareness and reporting programs reap the benefits of human intelligence that technology can’t match.

phishing example uses a finance theme to perform credential theft using a .html attachment

TYPE: Credential Theft

DESCRIPTION: Everybody wants to get paid. And when an email arrives with a confirmation request, how can you resist? Fortunately, the recipient of this phish did resist. They reported it and protected their credentials, as the attached HTML file was spoofing a Microsoft login page.
Humans – 1
Technology – 0

phishing example uses a shipment theme to deliver loki bot with a linked image

TYPE: Malware – Loki Bot

DESCRIPTION: Looks like an invoice. Sounds like an invoice. It’s not an invoice. This phish embeds an image that only looks like an invoice, but actually links to GuLoader, which will install Loki Bot. Cofense has been seeing Loki Bot for over 3 years.

phishing example uses an invoice theme to deliver a link to the bazarbackdoor malware

TYPE: Malware – BazarBackdoor

DESCRIPTION: Talk about bizarre. Or, in this case, Bazar. This phishing attack tells us we’re tardy on our payments and sends us to a macro-enabled Microsoft Office document hosted on Google Docs. From there, the macros install the recently discovered BazarBackdoor, believed to be the work of the same developers as TrickBot. Once again, human intelligence delivers where technology falls short.

phishing example uses a linked image to deliver async remote access trojan

TYPE: Malware – Async RAT

DESCRIPTION: And still the payments flow. In this case, a simple banking confirmation uses a linked image in a GuLoader-to-Async Remote Access Trojan attack chain. The creator of this malware – NYANxCAT – is a threat actor Cofense has discussed in the past.

phishing example uses a tax theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: They say nothing is certain but death and taxes. We’d still rather receive an email notification of the latter over the former. In this case, though, our relief is short-lived, thanks to a credential harvesting attack hosted on Microsoft OneDrive.

phishing example uses an accident report theme to perform credential theft with a .html attachment

TYPE: Credential Theft

DESCRIPTION: Accidents happen, and when they do, lawyers can be of great assistance. This phishing attack posing as an accident report from a lawyer is an accident waiting to happen, however. The attached HTML file is designed to steal Office 365 credentials. Another near miss, thanks to an attentive human.

phishing example uses a finance theme to deliver a malicious ppsx attachment with an embedded url

TYPE: Malware – URL

DESCRIPTION: Here’s an excellent example of a reply chain that really makes the attack look like a legitimate email thread. We may not even notice the attachment is a Microsoft PowerPoint Show – an odd way of requesting payment. Again, technology didn’t pick this up, but an astute human did. Better luck next time, Skynet!

Phish Found in Proofpoint-Protected Environments – Week Ending August 23, 2020

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. With a preponderance of XXE attachments being used to reach inboxes, organizations would be best served by restricting these attachments manually as well as inventorying their archive management tools, such as WinRAR, to assess their risk.

sample phish uses an embedded image linked to agent tesla

TYPE: Malware – Agent Tesla

DESCRIPTION: This German-language, quote-themed phish uses a linked image that looks like a quote but leads to the Agent Tesla Keylogger. Cofense has written about the commercialization of Agent Tesla, bringing malware to the masses.

Sample phish uses a shipping theme to deliver a credential stealing link

TYPE: Credential Theft

DESCRIPTION: Delivery-themed phish are a global phenomenon, as this French-language email delivers embedded links to lure a recipient into clicking and giving up their credentials. Just report as phish and delete, please.

sample phish uses a banking theme to deliver the remcos rat with a .xxe attachment

TYPE: Malware – Remcos

DESCRIPTION: This finance-themed attack continues the recent surge in the use of .xxe archives to get malware into inboxes. This phish delivers the Smoke Loader that will then install both the Remcos and NetWire Remote Access Trojans. Talk about a double-whammy!

sample phish with a billing theme delivers remcos rat via .xxe attachment

TYPE: Malware – Remcos

DESCRIPTION: Another .xxe example with a look and feel similar to the previous one, but using a shipping theme. In this case the Remcos Remote Access Trojan is delivered by the GuLoader malware held within the delivered archive.

sample phish with a finance theme uses a .xxe attachment to deliver the smoke loader

TYPE: Malware – Smoke Loader

DESCRIPTION: Another finance-themed phish. This one spoofs a bank to deliver… you guessed it… another .xxe archive. This one installs the Smoke Loader malware, which Cofense used to see delivered via Microsoft Office exploits. It seems you can teach an old dog new tricks.

sample phish uses a shipping theme to deliver a .xxe attachment to install remcos rat

TYPE: Malware – Remcos

DESCRIPTION: While it normally only takes 3 examples to indicate a pattern, we have a 4th XXE archive delivery this week. Another finance-themed phish that delivers a GuLoader to download and activate the Remcos Remote Access Trojan.

Avaddon Ransomware Joins Data Exfiltration Trend

By Aaron Riley, Cofense Intelligence

Summary 

A new attack pattern indicates that another ransomware family is expanding into data exfiltration. Ransomware traditionally forces victims to send a payment to recover their encrypted data. However, a growing number of ransomware operations are adding pressure using data exfiltration – victims who do not pay the ransom will have their data exposed publicly. Avaddon, a ransomware as a service (RaaS) that emerged this summer, is the latest family to join this trend, and its operators are almost certainly gearing up to leak the sensitive data of victims who do not quickly pay.

Avaddon caught our attention in June when the Trik botnet started sending it to a broad set of targets, signaling threat actors’ willingness to cast a wider net in search of ransom payments. More recently, security researchers indicated that the operators of Avaddon set up a data leak website to publish stolen data if victims fail to pay the ransom. Cofense Intelligence is now seeing a campaign that combines Avaddon with an information stealer, indicating that threat actors are preparing to make use of this new extortion feature. The campaign has successfully evaded secure email gateways (SEGs) and targets several different industries, as discussed in detail below. 

Figure 1: Avaddon ransomware data dump webpage.

Smoke Loader Delivers Avaddon and Raccoon Stealer 

The email in Figure 2 is part of a campaign that attempts to encrypt the victim’s computer with Avaddon ransomware. Spoofing the FedEx brand and using a shipping theme, this phishing campaign starts with a malicious embedded link that has evaded some SEGs. When a user clicks the link, it downloads a malicious program, Smoke Loader, which in turn delivers a two-part attack to the victim’s machine. The attack combines Avaddon with Raccoon Stealer, which performs the data exfiltration portion of the campaign.

Figure 2: Phishing email with an embedded link leading to a sample of Smoke Loader.

Data Exfiltration Increases Pressure, Adds Risk 

The exfiltration of sensitive data can be damaging to an organization and carry heavy legal, financial and reputational consequences, which is why threat actors use it as leverage for extortion payments. In this instance, Raccoon Stealer provided the data theft and exfiltration feature that is not inherent in the Avaddon ransomware. Considering that Avaddon is a RaaS, it is consistent for it to employ a malware as a service (MaaS), Raccoon Stealer, to add features. Using a MaaS sample as the data exfiltration component also allows the threat actors to swap in other MaaS families as needed. Combining these two services with a successful delivery mechanism such as Smoke Loader creates an attack that is both more lucrative for threat actors and more harmful to victims.

With these most recent developments, Avaddon has joined a few other ransomware families in adding data exfiltration to use as leverage for extortion payments. The campaign shown in Figure 2 continued the trend of broad targeting—it was sent to a wide range of industries including energy, healthcare, insurance, manufacturing, mining and retail. As Avaddon sees increasing success from these efforts, we can expect more ransomware operators to follow suit. 

Diligent backups will no longer suffice to save an organization from a ransomware incident if sensitive or confidential data has been exfiltrated. Not only can the organization be reputationally damaged by a data leak but, depending on the laws and regulations surrounding the data, it may also be subject to fines and penalties. Data owners or regulators can potentially hold the organization liable and pursue legal recourse, exacerbating the cost of the ransomware incident.

In conclusion, we predict that data exfiltration will soon be the most dangerous element of ransomware for organizations.

Not a Cofense Intelligence customer? Learn how our phishing alerts help mitigate today’s dynamic threats. 

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 

Humans and Machines – Phishing Mitigation Automation SOARing to New Heights

By Mike Saurbaugh

Cofense and Palo Alto Networks Cortex XSOAR integrate to counter phishing threats that evade secure email gateways (SEGs). Human-verified phishing indicators and automation squelch attackers. Cofense Intelligence, Cofense Triage and Cortex XSOAR combine to support SOCs in the fight against phish.

Conditioning employees to detect and report suspicious email is a strategy security leaders have adopted to protect the business and empower employees to become a defensive asset. As phishing emails evade secure email gateways (SEGs), employees are the last line of defense and can be the difference between detection and response or an incident that leads to a breach. Cofense Triage ingests employee-reported suspicious email, allowing security teams to quickly assess and respond to threats. Cofense Intelligence is human-verified phishing intelligence that enables security teams to respond to credible phishing threats.

Cofense Intelligence: What is Human-Verified Phishing Intelligence and Why Should I Care?

Cofense Intelligence is phishing-specific threat intelligence. Human-verified means that the Cofense intelligence and labs teams have vetted the indicators prior to consumption by customers. This ensures high fidelity upon ingestion. Domains, URLs, IPs and hashes all have a corresponding impact rating that follows STIX. Major, Moderate, Minor and None ratings are applied to phishing indicators. This means that each indicator provided carries an impact rating, so security teams can make educated decisions on what action to take.

A URL with a Major impact rating, vetted by a seasoned security professional, tells the customer that the URL is indeed malicious and should not be accessed. Knowing this allows the security team to implement a block rule in the firewall to prevent employees from accessing the harmful link. Likewise, a suspicious domain may warrant an alert event. The point is that, given the rigor of human vetting, security professionals can implement rules through automation more quickly.

Machine-Readable and Human-Readable Phishing Intelligence

Cofense Intelligence provides context for analysts. Not just what’s bad, but what’s bad and why.

Cofense Intelligence is delivered as JSON, STIX or CEF, so SOARs, threat intelligence platforms (TIPs) and SIEMs can poll for updates at regular intervals; Cofense publishes indicators as soon as they have been vetted.

The end result is a cadence of polling machine-readable indicators that can be used in security solutions, with the context needed to understand the phishing threat and its potential impact on the business.

Actionable Machine-Readable Intelligence

The following provides key fields to use in threat lookup validation, security solution integrations and threat hunting.

```json
{
  "success" : true,
  "data" : {
    "id" : 39377,
    "relatedSearchTags" : [ ],
    "feeds" : [ {
      "id" : 23,
      "permissions" : {
        "WRITE" : false,
        "READ" : true,
        "OWNER" : false
      },
      "displayName" : "Cofense"
    } ],
    "blockSet" : [ {
      "malwareFamily" : {
        "familyName" : "NetWire Remote Access Trojan",
        "description" : "The Netwire RAT is used to take control of a user's system, it has many capabilities including the ability to use a victim\u0027s computer as a proxy and keylogging functionality that extends to peripheral devices such as USB card readers."
      },
      "impact" : "Major",
      "blockType" : "URL",
      "role" : "C2",
      "roleDescription" : "Command and control location used by malware",
      "data" : "hxxp://ddns[.]whsthings[.]xyz:4598",
      "data_1" : {
        "url" : "hxxp://ddns[.]whsthings[.]xyz:4598",
        "domain" : "whsthings[.]xyz",
        "path" : "",
        "protocol" : "http",
        "host" : "ddns[.]whsthings[.]xyz"
      }
    }, {
      "deliveryMechanism" : {
        "mechanismName" : "CVE-2017-11882",
        "description" : "Microsoft Office exploit taking advantage of flaw in Microsoft Equation Editor allowing for arbitrary code execution"
      },
      "impact" : "Major",
      "blockType" : "URL",
      "role" : "InfURL",
      "roleDescription" : "URL provided in email as means for infection",
      "data" : "hxxp://price2day[.]pk/CREDIT_NOTE_592609225.xlsx",
      "data_1" : {
        "url" : "hxxp://price2day[.]pk/CREDIT_NOTE_592609225.xlsx",
        "domain" : "price2day.pk",
        "path" : "/CREDIT_NOTE_592609225.xlsx",
        "protocol" : "http",
        "host" : "price2day[.]pk"
      }
    }, {
      "malwareFamily" : {
        "familyName" : "NetWire Remote Access Trojan",
        "description" : "The Netwire RAT is used to take control of a user's system, it has many capabilities including the ability to use a victim\u0027s computer as a proxy and keylogging functionality that extends to peripheral devices such as USB card readers."
      },
      "impact" : "Major",
      "blockType" : "Domain Name",
      "role" : "C2",
      "roleDescription" : "Command and control location used by malware",
      "data" : "ddns[.]whsthings[.]xyz",
      "data_1" : "ddns[.]whsthings[.]xyz"
    } ]
  }
}
```

Figure 1: Machine-readable JSON output
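As an added example (not Cofense code), the script below parses a trimmed copy of the Figure 1 JSON, maps each blockSet entry's impact rating to an action along the lines described above (Major blocks, Moderate alerts; that mapping is an assumption), and hunts for the URL and domain indicators in a few constructed proxy log lines.

```python
"""Triage a Cofense Intelligence blockSet and hunt for hits in proxy logs.

Added example, not Cofense code. The JSON below is a trimmed copy of the
page's Figure 1 output; the log lines and the action mapping are constructed.
"""
import json
import re

# Constructed sample, trimmed from the machine-readable output in Figure 1.
SAMPLE = json.loads(r'''
{
  "success": true,
  "data": {
    "id": 39377,
    "blockSet": [
      {"malwareFamily": {"familyName": "NetWire Remote Access Trojan"},
       "impact": "Major", "blockType": "URL", "role": "C2",
       "data": "hxxp://ddns[.]whsthings[.]xyz:4598"},
      {"deliveryMechanism": {"mechanismName": "CVE-2017-11882"},
       "impact": "Major", "blockType": "URL", "role": "InfURL",
       "data": "hxxp://price2day[.]pk/CREDIT_NOTE_592609225.xlsx"},
      {"malwareFamily": {"familyName": "NetWire Remote Access Trojan"},
       "impact": "Major", "blockType": "Domain Name", "role": "C2",
       "data": "ddns[.]whsthings[.]xyz"}
    ]
  }
}
''')

# Assumed policy following the text: a Major-rated indicator is blocked, a
# Moderate one raises an alert, Minor is only logged, None is ignored.
ACTIONS = {"Major": "block", "Moderate": "alert", "Minor": "log", "None": "ignore"}

def refang(ioc):
    """Turn the defanged feed value back into a string that matches log data."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."))

def plan_actions(payload):
    """Return (indicator, blockType, role, action, context) for each blockSet entry."""
    plan = []
    for entry in payload["data"]["blockSet"]:
        context = (entry.get("malwareFamily", {}).get("familyName")
                   or entry.get("deliveryMechanism", {}).get("mechanismName")
                   or "unknown")
        plan.append((refang(entry["data"]), entry["blockType"], entry["role"],
                     ACTIONS.get(entry["impact"], "review"), context))
    return plan

def hunt(payload, log_lines):
    """Match proxy log lines against URL and domain indicators; return the hits."""
    hits = []
    for ioc, btype, role, action, context in plan_actions(payload):
        for line in log_lines:
            url = line.split()[-1]  # constructed format: timestamp client url
            host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
            matched = url.startswith(ioc) if btype == "URL" else host == ioc
            if matched:
                hits.append({"line": line, "indicator": ioc, "role": role,
                             "action": action, "context": context})
    return hits

# Constructed proxy log lines: timestamp, client address, requested URL.
LOGS = [
    "2020-09-01T10:01:02Z 10.0.0.12 http://ddns.whsthings.xyz:4598/gate",
    "2020-09-01T10:03:09Z 10.0.0.31 https://www.example.com/index.html",
    "2020-09-01T10:05:44Z 10.0.0.40 http://price2day.pk/CREDIT_NOTE_592609225.xlsx",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE, LOGS):
        print(hit["action"], hit["indicator"], hit["role"], hit["context"])
```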

Contextual Human-Readable Intelligence

When understanding the phishing threat and its severity are critical, Cofense’s portal and reports provide insight.

Figure 2: Executive Summary from Cofense Intelligence Active Threat Report

Figure 3: One of Many URLs Involved in the Threat Report

Figure 4: Description of Command and Control Malware with a Link to WebUI 

Cortex XSOAR Threat Intel Management Supercharges SOCs

Cortex XSOAR takes a new approach with native threat intelligence management, unifying aggregation, scoring, and sharing of threat intelligence with playbook-driven automation. With Cortex XSOAR, analysts eliminate manual tasks with automated playbooks to aggregate, parse, deduplicate, and manage millions of daily indicators across dozens of supported sources. From here, analysts take charge of their threat intelligence with playbook-based indicator lifecycle management and transparent scoring that can be extended and customized with ease.

With analysts potentially spread across the globe, Cortex XSOAR boosts collaboration to reveal critical threats by layering third-party threat intelligence with internal incidents to prioritize alerts for smarter response decisions.

Reputable sources of intelligence enable automated action to shut down threats across more than 450 third-party products with purpose-built playbooks based on proven SOAR capabilities.

Additionally, analysts can save time by executing intel-based playbooks to expedite threat hunting across disparate security tools. In this way, security teams can identify, gain context for, and prioritize alerts to advanced and relevant threats.

Leveraging Cofense Intelligence in Cortex XSOAR

Human-verified Cofense Intelligence complements Cortex XSOAR’s threat intelligence management module. Analysts can automatically block phishing threats by aggregating, deduplicating and syndicating protection from indicators sourced from Cofense Intelligence and other feeds.

From the JSON output shown earlier, analysts in Cortex XSOAR can enable the Cofense feed, provided they have a valid Cofense Intelligence license.

Figure 5: Cofense Feed Integration Application Available in Cortex XSOAR

Within the configuration settings, and because the intelligence feed is human-verified by Cofense, analysts can opt to set the source reliability to “completely reliable” and the indicator reputation to “bad.”

Figure 6: Cofense Intelligence Feed Configuration Settings

Cortex XSOAR’s dashboard is a quick and easy way to visualize Cofense Intelligence indicators.

Figure 7: Cortex XSOAR Threat Intelligence Management Dashboard – Cofense Intelligence Indicators

The URLs in this case can be assigned to an incident and attached to a playbook. For example, one or more URLs can then be blocked on the Palo Alto Networks Next-Generation Firewall.

Figure 8: URL Incident Remediation

Cofense Triage: Automating Analysis of Employee-Reported Phish

Security teams do their best to keep phish from making it to the employee’s mailbox. However, attackers are skilled at evading secure email gateways and other defenses. Cofense Triage ingests employee-reported phish to automatically uncover the latest attacks plaguing the enterprise.

Cofense pioneered phishing simulation to help organizations educate and condition employees to spot phish. Phishing simulation has been adopted by organizations worldwide and continues to be a staple of security programs.

Cofense Reporter empowers employees to report suspicious phish to the SOC so that it can analyze and respond to phishing threats that evade the perimeter. A simple one-click feature in the email client is all that’s needed for employees to provide security teams with an additional source of intelligence.

Cofense Triage ingests and analyzes the reported emails, highlights real phish and removes benign messages mistakenly reported by employees. Cofense Triage benefits from Cofense Intelligence and several integrations, including Palo Alto Networks WildFire™.

Figure 9: Cofense Triage Infographic Workflow

Cofense Triage – An Enabler for Cortex XSOAR Playbooks

Cofense Triage APIs are accessible to Cortex XSOAR through an integration app that ingests processed phishing reports. This means that Cofense Triage and Cortex XSOAR customers can poll the APIs from the application and assign the results to playbooks, just as with Cofense Intelligence.

Analysts configure their app in Cortex XSOAR and ingest processed reports with designated threat indicators.

Figure 10: Cofense Triage Application in Cortex XSOAR

Figure 11: Cofense Triage Configuration – Assigning Incidents at Ingestion

Malicious Indicators Evading Secure Email Gateway

When employees report, security teams benefit. Take a look at malicious URLs and hashes as reported by conditioned employees who received phish and knew to report with Cofense Reporter.

Figure 12: Malicious Indicators in Cofense Triage

Cortex XSOAR Ingesting Threat Indicators from Cofense Triage

When a security analyst designates a file, URL or domain as malicious, they have vetted the threat just as Cofense’s Intelligence team would. Knowing this, security professionals can ingest the indicators and run them through a playbook for next-step actions.

Figure 13: Ingested Malicious Hashes from Cofense Triage

Figure 14: Playbook Execution of Malicious File Attachment Reported by Employee

Multiple Sources of Intelligence in One View

Cortex XSOAR allows analysts to manipulate widgets to view all sources of intelligence or get more granular and investigate one source.

Figure 15: Dashboard View of Cofense Triage Feed

Secure email gateways and other security solutions are not impermeable. If your SOC is feeling the pain and is in need of some relief, Cofense and Cortex XSOAR bring that relief in seconds rather than days. When employee-reported and human-vetted sources of intelligence align, security teams can be more confident in their remedial actions. Whether it is endpoint or network-based remediation, or conducting a threat lookup to help make additional decisions, Cofense solutions complement the capabilities Cortex XSOAR offers to help customers centralize the security operation.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Phish Found in Proofpoint-Protected Environments – Week Ending August 16, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We note a preponderance of malware this week, both via attachment and image links. With security teams overloaded with phishing response, perhaps Cofense Intelligence can help?

sample phish delivers a .xxe attachment that uses guloader to install the remcos remote access trojan

TYPE: Malware – Remcos

DESCRIPTION: This phish reminds us of an important lesson: always do the needful. This does not include extracting the attached .xxe file, since that will execute GuLoader and download the Remcos Remote Access Trojan. And who needs that?

sample phish uses an image link to deliver the pyrogenic stealer

TYPE: Malware – Pyrogenic Stealer

DESCRIPTION: It’s a good thing the confidentiality notice in this email absolves the sender of any virus being passed on. This payment-themed phish provides what looks like a poorly rendered PDF, but is instead an image with a link to a Pyrogenic Stealer download.

sample phish uses an image link to deliver the nanocore remote access trojan

TYPE: Malware – NanoCore

DESCRIPTION: Another image link designed to look like an attachment. This one includes a very friendly “DOWNLOAD” instruction. Very helpful if you’re looking to download the NanoCore Remote Access Trojan, something we saw resurface in March of 2018.

sample phishing in the finnish language uses an embedded url to deliver agent tesla

TYPE: Malware – Agent Tesla

DESCRIPTION: This phish is bad from start to finish (see what I did there?). Promising a shipping document with tracking number, it actually delivers a link to the Agent Tesla keylogger. Our Phish Fryday podcast gave it some good coverage earlier in the year.

sample phish delivers the wsh remote access trojan with an embedded url

TYPE: Malware – WSH RAT

DESCRIPTION: Hoping to keep your balance up to date? Be careful what you wish for. This payment-themed phish delivers a link to the WSH Remote Access Trojan. We discussed this variant of the Houdini Worm back in 2019.

sample phish in italian delivers a jnlp file leading to the ursnif malware

TYPE: Malware – Ursnif

DESCRIPTION: My Italian is a bit rusty. Ok, non-existent. But a translation tells me this is a refund from the Italian social security agency. The attached .jnlp shortcut file leads to a JAR Downloader that then installs and runs the Ursnif malware. We’ve seen Italian speakers targeted with Ursnif before.

sample phish steals credentials with a dropbox hosted pdf

TYPE: Credential Theft

DESCRIPTION: You knew we wouldn’t make it through an entire post without a credential phish. This attack leverages trust in the Dropbox logo but actually uses Google Cloud Storage to host a linked PDF. The supposed “business proposal” will steal your credentials faster than you can say trusted cloud storage.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Phishing Threat Preys on Desperate Business Owners

By Kyle Duncan and Noah Mizell, Cofense Phishing Defense Center

For the past few months, businesses across the nation have suffered from the financial strain brought on by COVID-19. Government relief has become a major concern as businesses struggle to stay afloat. The Cofense Phishing Defense Center (PDC) has taken notice of a new phishing campaign that once again aims to abuse Covid-related fear and uncertainty. This campaign imitates the U.S. Small Business Administration (SBA) to harvest the credentials of business owners who may be expecting the administration’s assistance.

While the spoofed address for this attack is one the SBA uses and is even listed on their website, one brief look at this example’s “Received” path shows it did not originate from the SBA.

Figure 1-2: Email Header

The first four hops in the email’s Received path indicate that the email originated from Japanese email servers. This is visible not only in the Received path but also in other header fields: the Japanese IP address appears in the Authentication-Results-Original header, and in some cases the Japanese domain appears in the Message-ID.
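To make the Received-path check concrete, here is an added example (not from the Cofense post) that walks the Received headers of a constructed message from the earliest hop forward and compares the originating relay against the domain claimed in the From: header; all hostnames, addresses and the sba.gov local part are placeholders.

```python
"""Trace an email's Received path back to its originating hop.

Added example, not part of the Cofense post. The raw message below is
constructed: hostnames are placeholders (example.jp is a reserved example
domain), the IPs come from documentation ranges, and the From: address is
a placeholder local part on the spoofed sba.gov domain.
"""
import re
from email import message_from_string

# Constructed header set modelled on the spoofed-SBA message described above:
# From: claims sba.gov, but the earliest Received hop is an unrelated server.
RAW = """\
Received: from mx2.corp.example (mx2.corp.example [198.51.100.20])
\tby mail.corp.example with ESMTP; Mon, 10 Aug 2020 09:14:02 -0400
Received: from smtp3.mail.example.jp (smtp3.mail.example.jp [192.0.2.77])
\tby mx2.corp.example with ESMTPS; Mon, 10 Aug 2020 09:14:01 -0400
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby smtp3.mail.example.jp with ESMTPA; Mon, 10 Aug 2020 22:13:58 +0900
Authentication-Results-Original: smtp3.mail.example.jp; spf=none
Message-ID: <20200810131358.ABC123@smtp3.mail.example.jp>
From: "SBA Disaster Assistance" <noreply@sba.gov>
Subject: SBA Application - Review and Proceed
Content-Type: text/plain

Your application has been approved. Review and Proceed.
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def received_hops(raw):
    """Return Received headers ordered from the originating hop to the last relay."""
    msg = message_from_string(raw)
    # Headers are prepended by each relay, so the last one is the earliest hop.
    return list(reversed([" ".join(h.split()) for h in msg.get_all("Received", [])]))

def origin(raw):
    """Return (from_host, from_ip, by_host) for the earliest Received hop, or None."""
    hops = received_hops(raw)
    if not hops:
        return None
    m = re.match(r"from (\S+) \((.*?)\) by (\S+)", hops[0])
    if not m:
        return None
    ip_match = IP_RE.search(m.group(2))
    return (m.group(1), ip_match.group(1) if ip_match else None, m.group(3))

def claimed_domain(raw):
    """Domain of the From: address as displayed to the recipient."""
    from_hdr = message_from_string(raw)["From"] or ""
    m = re.search(r"@([\w.-]+)", from_hdr)
    return m.group(1).lower() if m else None

def path_matches_sender(raw):
    """True only if the earliest hop was accepted by a server in the claimed domain."""
    hop = origin(raw)
    dom = claimed_domain(raw)
    if hop is None or dom is None:
        return False
    return hop[2].lower().endswith(dom)

if __name__ == "__main__":
    for i, hop in enumerate(received_hops(RAW)):
        print(i, hop)
    print("origin:", origin(RAW), "claims:", claimed_domain(RAW),
          "consistent:", path_matches_sender(RAW))
```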

Figure 3-4: Email Body

The email body of this phish is very clean and well-constructed. Barring the excessive use of commas, the email looks legitimate at a glance. The threat actor has even compiled legitimate logo images and contact information to help sell the deception. Small business owners who have applied for federal aid would be hopeful and relieved to see this message in their inbox.

When you hover over the “Review and Proceed” button, however, the facade falls. Instead of sending users to SBA.gov, this button will redirect to the phishing page:

hXXps://ion-homes[.]com/sba/covid19relief/sba.gov/

The phishing page at this URL redirects to an SBA-themed phishing login page with logo, layout and details similar to the real site. While the phishing domain differs, the threat actor has notably attempted to mirror the URL structure of the legitimate SBA login URL by inserting ‘covid19relief’ into the directory name.

Figure 5: Phishing Page

Upon entering their login credentials, users are then redirected to the official SBA website, specifically the login page as seen in Figure 5.

Figure 6: Official Small Business Association Page

Instead of receiving aid, business owners who fall for the scam give away their credentials—adding insult to injury.

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops phishing attacks that elude email gateways.

Network IOC: hXXps://ion-homes[.]com/sba/covid19relief/sba.gov/
IP: 173.231.209.178