Coronavirus-Themed Phish Continue to Surge

By Max Gannon

Since our reporting on Coronavirus-themed phishing campaigns began, Cofense Intelligence has seen them surge, along with associated malware families. As more enterprises and government entities mandate remote work, threat actors stand to gain from using “work from home” or “Coronavirus” themed phishing emails. We recently explored this in a Flash Alert and Strategic Analysis that Cofense Intelligence customers received, highlighting the impersonation of trusted brands like Google Drive in complex campaigns and offering mitigation steps.

Primary Observed Trends

Over the past month, Cofense Intelligence has identified the following trends prevalent in COVID-19 themed phishing campaigns. Credential phishing campaigns have been the most common, though we have seen several malware families delivered as well.

Most Common Delivery Mechanisms:

  • Attached spreadsheet or Word document delivering a second-stage malware executable
  • Attached archived executable
  • Embedded URLs delivering ransomware
  • Office macros
  • CVE-2017-11882
      • Auto-IT Dropper (which exploits CVE-2017-1882)

 

Malware Delivered:

·       Agent Tesla Keylogger ·       Ave_Maria Stealer ·       Black RAT ·       FormGrabber
·       Hakbit Ransomware ·       Hawkeye Keylogger ·       KPOT Stealer ·       Lime RAT
·       Loki Bot ·       NanoCore ·       Nemty Ransomware ·       Pony
·       Remcos RAT ·       SalityBot ·       TrickBot

 

Commonly Spoofed Organization Types:

  • World Health Organization
  • Centers for Disease Control
  • Other global/regional health organizations
  • Health related non-profits/medical associations
  • Federal, State and Local Departments of Health/Ministries of Health
  • Transportation companies
  • Shipping companies

Many COVID-19 phishing templates have been more convincing than your average phish. In one example, seen in Figure 1 below, threat actors hosted the logo of the spoofed organization on Google Drive and added an additional threat at the end of the email: a whopping $1,000 fine if the supposedly attached forms to approve travel outside of the home are not filled out by the recipient. The attachment delivers the information stealer KPOT via a VBS script to AutoIT dropper. The dropper uses legitimate Windows utilities to disguise its actions.

Figure 1: Coronavirus-Themed Email Delivers Complex Chain

Phishing Threat Landscape Future Changes

Coronavirus themes have predictably grown in popularity and will almost certainly continue to do so. These phishing campaigns are also likely going to adapt over time to incorporate related work from home, teleconference or videoconference invites or notices, government refund, unemployment filing, and online ordering themes. Some threat actors have already begun to do this, as shown in Figure 2, where threat actors used a “Work Remotely Enrollment (Action Required)” subject, spoofing internal Human Resources to deliver links to credential phishing pages hosted on Microsoft SharePoint. Additional  Coronavirus phishing email examples that evade email gateways are available on the Cofense Coronavirus Phishing Information Center. This center is continually updated with campaigns identified by Cofense Intelligence, and the related IOCs are sent to our customers daily.

Figure 2: Example Email with Coronavirus “Work From Home” Related Theme

If COVID-19 continues to affect business operations, it is likely this will affect the phishing threat landscape more broadly. While many organizations continue to maintain some operations, there are likely to be some longer-term shifts in normal business communications.  For example, an email about an office party or an in-person meeting is more likely to make employees suspicious than it would have previously.

These kinds of changes will also likely extend to our personal lives as well in the “stay home” era. An email about new concert tickets or in-store sales will likely raise a red flag. Simply causing individuals to pause for a few extra seconds because something seems suspicious may not seem particularly monumental. However, when users briefly break out of their ordinary mindsets, they gain the opportunity to report a link rather than click a link—a key component of effective phishing reporting programs. Although, as noted above, threat actors will almost certainly adapt as well in their phishing templates.

As Coronavirus continues to affect everyone, there will likely be a significant shift in the phishing threat landscape for the most common malware and phishing themes, even excluding specifically Coronavirus-related themes. Although there has been a massive shift to remote work, some organizations have minimal remote operations infrastructure. In order to operate, they have no choice but to allow some users to connect to infrastructure with a lowered accepted standard of security. Organizational responses to suspicious network or user behavior may also be complicated due to these changes. Previously, such incidents of suspicious network or user behavior could be dealt with by physically quarantining the computer and quickly supplying a replacement as incident response teams investigate the issue. Currently, this may not be possible if the only way the employee can contact work-related support is via their potentially compromised computer. More laborious responses may delay investigations and mitigations.

These kinds of scenarios are what makes it ever more important for organizations to ensure phishing prevention is as much a focus as post-compromise detection. Incident response and mitigation will certainly be more difficult as long as workforces need to remain dispersed.

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Coronavirus Redefines the Phishing Threat Landscape

By Aaron Riley

Cofense Intelligence has seen a stark increase in phishing email campaigns relating to the COVID-19 pandemic that spoof trusted health services to deliver credential phishing or malware. Credential phishing makes up the majority of the campaigns analyzed, with the minority ranging from simple to complex delivery chain and malware samples. With some companies quickly adopting work-from-home (WFH) policies, threat actors are poised to take advantage of the newly created security gaps by playing on pandemic fears. The potential impact of these phishing campaigns, along with the current economic uncertainty, can be devastating to an organization.

As soon as threat actors began weaponizing this crisis in phishing emails, Cofense Intelligence published a Flash Alert reporting that the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) were spoofed in a Coronavirus-themed phishing campaign to deliver the Agent Tesla keylogger. Since that alert, we have seen an increase in phishing campaigns that spoof organizations in aviation and other transportation industries.

Coronavirus-themed campaigns that deliver malware are starting to evolve in complexity as well. For example, the Agent Tesla keylogger campaign mentioned above was delivered via an email attachment, which would have been blocked by sandbox analysis. In comparison, the most recent campaign used a Microsoft Office Word document with the CVE-2017-11882 exploit, which delivered an AutoIT dropper that placed five different malware family samples onto the endpoint: Remcos RAT, Black RAT, Ave_Maria Stealer, Lime RAT, and Sality Bot. All five of these payloads are designed to steal information and provide persistent control to a threat operator, and only one needs to be successful in its attempts to compromise the machine.

Most organizations are not set up to have all employees work from home. As these organizations attempt to quickly develop their WFH business requirements, they might overlook security. An organization’s most reliable and hardened security features are typically within its physical facility and do not extend much beyond that domain. These security features include, but are not limited to, Network Access Control (NAC), content filtering, Data Loss Prevention (DLP), eavesdropping / Machine In The Middle (MITM) prevention, and update/patch management. With some of these security features effectively “bypassed” for the attacker in a WFH situation, organizations face an increased risk that a phishing campaign will impact them. A malicious incident or event could go unnoticed by overburdened IT administration and security teams for longer than normal periods.

Most of the newly created risk can be mitigated. Network Access Control can be done with a software agent on each endpoint attempting to connect to the organization. The agent communicates to an authoritative entity to prove the machine has the organization’s trusted certificate to connect to the internal network, is up to date with antivirus definitions, and is fully patched to the organization’s requirements. Mandatory network tunneling for the endpoint can mitigate the lack of content filtering, network DLP, and MITM security measures. A Virtual Private Network (VPN) connection to the enterprise network, which forces the network traffic through its egress and ingress points, will help cover the risk created by WFH employees—as long as employees do not reintroduce the vulnerability by turning off the VPN. These measures are effective but require resources and time to implement, which some organizations might find challenging while rapidly rolling out WFH.

Organizations need to educate their employees about the risk of Coronavirus-themed phishing attacks and, at the same time, ensure that employees do not dismiss legitimate information. Creating phishing simulation templates around the Coronavirus theme is not advised. Doing so could cause undue panic or add unnecessary noise. Instead, organizations should describe what to look for in Coronavirus phishing attempts and then explain how legitimate information will be communicated.

Cofense Intelligence anticipates the volume of Coronavirus-themed phishing campaigns will continue to increase in the near future and will target specific industry sectors such as healthcare, energy, and public services. These campaigns will make increased use of malware and will spoof a larger number of legitimate businesses. Security teams will need to act quickly to determine new WFH risks and the proper mitigations. Clear, concise communication and education, coupled with secure technology and the right implementation strategies, is the best way to secure the target base of these phishing attacks.

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolves. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

For Cofense Intelligence customers who would like to keep up with the Active Threat Reports and indicators being published, all COVID-19 campaigns are tagged with the “Pandemic” search tag.

Cofense Intelligence customers can also search up to date reports in ThreatHQ using the “Search Tags” field in the Search Form.

Indicators of Compromise
To view the full list of IOCs, click on the menu below to expand further.

36802, 36908, 36937, 36938, 36939, 36940, 36941, 36942, 36943, 36957, 37146, 37148, 37149, 37151, 37152, 37226, 37227, 37228, 37230

PM_Intel_Nemty_37230
PM_Intel_AgentTesla_37227
PM_Intel_AgentTesla_37226
PM_Intel_TrickBot_37151
PM_Intel_AgentTesla_37152
PM_Intel_Loki_37149
PM_Intel_Hawkeye_37148
PM_Intel_Hawkeye_37146
PM_Intel_AgentTesla_36802
PM_Intel_CredPhish_36943
PM_Intel_CredPhish_36942
PM_Intel_CredPhish_36940
PM_Intel_CredPhish_36939
PM_Intel_CredPhish_36938
PM_Intel_CredPhish_36937
PM_Intel_CredPhish_36941
PM_Intel_BlackRAT_36957
PM_Intel_Loki_36908

hxxp://euromopy[.]tech/etty/black/download/fre[.]php
hxxps://drive[.]google[.]com/uc?export=download&id=1V8530tZ-SNHELlaVL4BMQpJrRU2DBPSL
hxxps://gocycle[.]com[.]au/cdcgov/files/
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files/
hxxps://healing-yui223[.]com/cd[.]php
hxxps://onthefx[.]com/cd[.]php
hxxps://www[.]schooluniformtrading[.]com[.]au/cdcgov/files/
hxxp://my[.]pcloud[.]com/publink/show?code=XZO5BWkZjc6l5EBCtnkTYqw2DHqzEBT4LAay
hxxps://takemorilaw[.]com/wp-content/micro-update-1-2/
hxxp://www[.]dogogiaphat[.]com/ecdc[.]php
hxxps://www[.]scholarcave[.]com/owa/owa[.]php
hxxps://jetluxinc396[.]sharepoint[.]com/:b:/g/ERt-r1ZM6PRGhKdxb6bfZSIBcOX2b0y8snN4fg8f7z22rA
hxxps://southhillspros[.]com/citrix/Ward/broward[.]php
hxxps://southhillspros[.]com/Rovince/Jelink[.]html
hxxps://southhillspros[.]com/citrix/Ward/broward[.]htm
hxxps://wusameetings[.]tk/boding/Jelink[.]html
hxxps://noithatgoocchoav[.]com/cd[.]php
hxxps://www[.]brightparcel[.]com/corona/owa[.]php
hxxps://toyswithpizzazz[.]com[.]au/service/coronavirus/
hxxps://notmsg[.]smvm[.]xyz/
hxxp://sevgikresi[.]net/logof[.]gif
hxxp://datalinksol[.]com/logo[.]gif
hxxp://autocarsalonmobil[.]com/wp-content/uploads/Internetsonline[.]txt
hxxp://nlcfoundation[.]org/images/xs[.]jpg
hxxps://pastebin[.]com/raw/vnPLhhBH
hxxp://snsoft[.]host-ed[.]me/images/logos[.]gif
hxxp://edirneli[.]net/tr/logo[.]gif
hxxp://185[.]244[.]30[.]4:6669
hxxp://68[.]168[.]222[.]206/logos[.]gif
hxxp://babystophouse[.]com/images/logo[.]gif
hxxp://glamfromeast[.]com/image/logo[.]gif
hxxp://bit[.]ly/2TpOpNS
hxxp://natufarma[.]net/imagens/logof[.]gif
hxxp://mabdesign[.]unlugar[.]com/button[.]gif
hxxp://gardapalace[.]it/logo[.]gif
hxxp://hidroservbistrita[.]ro/images/logo[.]gif
hxxp://krupoonsak[.]com/logo[.]gif
hxxp://emrahkucukkapdan[.]com/img/button[.]gif
hxxp://onlinepreneur[.]id/license/love[.]exe
hxxp://onlinepreneur[.]id/manager/brain[.]exe
hxxps://site-inspection[.]com/[.]well-known/acme-challenge/w[.]php/9SG2m697HN
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=6350FGwOB6MQS5d7ZcXy
hxxps://114[.]8[.]133[.]71:449/red5/
hxxps://181[.]129[.]104[.]139:449/red5/
hxxps://51[.]89[.]73[.]158:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=lcasCwk4Qjbk8sBCAE8g
hxxps://194[.]5[.]250[.]150:443/red5/
hxxps://186[.]71[.]150[.]23:449/red5/
hxxps://107[.]172[.]191[.]12:443/lib698/
hxxps://46[.]17[.]107[.]65:443/lib698/
hxxps://64[.]44[.]51[.]113:447/red5/
hxxps://181[.]112[.]157[.]42:449/red5/
hxxps://212[.]80[.]217[.]220:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=WjL3jrVFwBBnlQp3xn8K
hxxps://185[.]14[.]31[.]252:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=PzKFqjTUgsVxfN2OL347
hxxps://46[.]4[.]167[.]250:447/lib698/
hxxps://172[.]245[.]156[.]138:443/lib698/
hxxps://180[.]180[.]216[.]177:449/lib698/
hxxps://203[.]176[.]135[.]102:8082/red5/
hxxps://146[.]185[.]253[.]122:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=hNRuyY0glKhPxpDGkhRh
hxxps://146[.]185[.]253[.]178:443/lib698/
hxxps://181[.]140[.]173[.]186:449/red5/
hxxps://36[.]89[.]85[.]103:449/red5/
hxxps://51[.]254[.]164[.]244:443/red5/
hxxps://194[.]5[.]250[.]150:443/lib698/
hxxps://185[.]244[.]39[.]65:447/red5/
hxxps://172[.]245[.]157[.]135:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=Yagk0Foy3wjdzOq6nQcP
hxxps://5[.]2[.]79[.]66:443/lib698/
hxxps://193[.]37[.]213[.]128:443/red5/
hxxps://185[.]99[.]2[.]221:443/lib698/
hxxps://146[.]185[.]253[.]179:447/red5/
hxxps://96[.]9[.]73[.]73:80/lib698/
hxxps://121[.]100[.]19[.]18:449/red5/
hxxps://185[.]99[.]2[.]140:447/lib698/
hxxps://195[.]123[.]239[.]67:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=bpj5AXSdClkWLG84Xv02
hxxps://185[.]62[.]188[.]159:443/lib698/
hxxps://181[.]140[.]173[.]186:449/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=xhyi95QEt2sH7ZGSl5FV
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=rOE8Tr0FuFXfSSUaDO6M
hxxps://146[.]185[.]253[.]122:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=rtvUCSO49CMSm2QTlDcH
hxxps://85[.]204[.]116[.]253:443/lib698/
hxxps://46[.]174[.]235[.]36:449/lib698/
hxxps://119[.]252[.]165[.]75:449/red5/
hxxps://146[.]185[.]253[.]176:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=YJZHjkZ5qSUBheGScz5O
hxxps://178[.]156[.]202[.]157:447/red5/
hxxps://194[.]5[.]250[.]69:443/lib698/
hxxps://146[.]185[.]253[.]178:443/red5/
hxxps://36[.]89[.]85[.]103:449/lib698/
hxxps://185[.]203[.]118[.]37:443/red5/
hxxps://119[.]252[.]165[.]75:449/lib698/
hxxps://4cao4pyxbarkxf4n[.]onion:448/red5/
hxxps://185[.]142[.]99[.]89:443/red5/
hxxps://180[.]180[.]216[.]177:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=GmZr9Sd6TdL9g237BJFd
hxxps://195[.]123[.]239[.]29:447/red5/
hxxps://104[.]168[.]96[.]122:447/red5/
hxxps://46[.]4[.]167[.]250:447/red5/
hxxps://46[.]174[.]235[.]36:449/red5/
hxxps://185[.]14[.]31[.]98:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=MXtg3z4uEXlCKNSMW10E
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1547738007155673&id=pTCpS2vUujsK8z3zXJ0L
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=nZLf5Zn5ckDvobxOozo2
hxxps://5[.]255[.]96[.]187:447/red5/
hxxps://190[.]119[.]180[.]226:8082/red5/
hxxps://185[.]99[.]2[.]221:443/red5/
hxxps://5[.]182[.]210[.]226:443/red5/
hxxps://192[.]210[.]226[.]106:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=1eufomiZKmEvZe8AXaZK
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=SgRoybJA35wuTbDNCEs7
hxxps://5[.]2[.]76[.]29:447/red5/
hxxps://96[.]9[.]77[.]142:80/red5/
hxxps://194[.]5[.]250[.]69:443/red5/
hxxps://85[.]143[.]221[.]183:447/lib698/
hxxps://96[.]9[.]73[.]73:80/red5/
hxxps://195[.]123[.]239[.]67:443/red5/
hxxps://202[.]29[.]215[.]114:449/red5/
hxxps://45[.]135[.]164[.]193:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=HJb3L1X7FaO9MFRM2xJW
hxxps://146[.]185[.]253[.]18:447/lib698/
hxxps://45[.]135[.]164[.]193:447/red5/
hxxps://103[.]94[.]122[.]254:8082/red5/
hxxps://186[.]232[.]91[.]240:449/lib698/
hxxps://96[.]9[.]77[.]142:80/lib698/
hxxps://64[.]44[.]51[.]124:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=UqKF7TJ4pK6nu55Nq5SR
hxxps://51[.]254[.]164[.]244:443/lib698/
hxxps://51[.]89[.]73[.]158:443/red5/
hxxps://23[.]94[.]185[.]27:446/response/rcrd[.]php?s=1584097681876834
hxxps://46[.]17[.]107[.]65:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=YNsg198eIe2CENiLH2Q6
hxxps://103[.]94[.]122[.]254:8082/lib698/
hxxps://85[.]204[.]116[.]253:443/red5/
hxxps://185[.]62[.]188[.]159:443/red5/
hxxps://217[.]12[.]209[.]200:443/red5/
hxxps://192[.]210[.]226[.]106:443/red5/
hxxps://146[.]185[.]219[.]63:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=uOggu83wFMsZgJy2gYXR
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=KTjaFGA6rzAIRhzYpxsn
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=7aybmyzTyxjVkmAgca3q
hxxps://181[.]129[.]134[.]18:449/lib698/
hxxps://103[.]84[.]238[.]3:80/red5/
hxxps://36[.]89[.]106[.]69:80/red5/
hxxps://64[.]44[.]51[.]113:447/lib698/
hxxps://5[.]255[.]96[.]187:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=f2hUQzGxBwEot8ExHJ1m
hxxps://185[.]20[.]185[.]76:443/red5/
hxxps://198[.]23[.]252[.]127:447/lib698/
hxxps://185[.]216[.]35[.]10/3/L2KSUN[.]php
hxxps://146[.]185[.]253[.]18:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=Vs9fOJw0UArIH5NRL2Fi
hxxps://172[.]245[.]156[.]138:443/red5/
hxxps://114[.]8[.]133[.]71:449/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=LcVEiKUW9394wikl1RmW
hxxps://170[.]238[.]117[.]187:8082/lib698/
hxxps://185[.]14[.]31[.]97:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=YCZPUzOj6gGO3b0oxZXp
hxxps://193[.]111[.]62[.]50:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=eVMWyxkROwNbwzrByPGK
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=qVO7FmnWdv3CqlwU53XE
hxxps://5[.]182[.]210[.]226:443/lib698/
hxxps://195[.]123[.]239[.]29:447/lib698/
hxxps://202[.]29[.]215[.]114:449/lib698/
hxxps://181[.]196[.]207[.]202:449/red5/
hxxps://188[.]120[.]242[.]75:447/lib698/
hxxps://85[.]143[.]221[.]183:447/red5/
hxxps://121[.]100[.]19[.]18:449/lib698/
hxxps://186[.]232[.]91[.]240:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=gKmNNEREiPRIKGQp2dmg
hxxps://170[.]238[.]117[.]187:8082/red5/
hxxps://46[.]4[.]167[.]242:447/red5/
hxxps://62[.]109[.]11[.]248:447/lib698/
hxxps://190[.]214[.]13[.]2:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=tN8O8VDbWyHtPRydtWy0
hxxps://198[.]15[.]82[.]162:443/red5/
hxxps://170[.]84[.]78[.]224:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=NlWlLA26RToHt8mTsgOI
hxxps://198[.]23[.]252[.]127:447/red5/
hxxps://185[.]99[.]2[.]140:447/red5/
hxxps://200[.]21[.]51[.]38:449/lib698/
hxxps://104[.]168[.]96[.]122:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=eMimeUZPy76ZHmG1apBW
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=nN2EWQAMeD3cg32aDQtJ
hxxps://188[.]209[.]52[.]162:443/red5/
hxxps://181[.]112[.]157[.]42:449/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=j3x1pd2ADExKICKojgcV
hxxps://186[.]71[.]150[.]23:449/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=IqS9Lp3Qs0uILRwyvocO
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=8ldKgFEC3ev2pLmqqKYu
hxxps://31[.]131[.]21[.]168:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=qAfHjNJAMHs8TCAv8VAY
hxxp://142[.]93[.]22[.]0:80/
hxxps://200[.]21[.]51[.]38:449/red5/
hxxps://5[.]255[.]96[.]186:447/red5/
hxxps://200[.]127[.]121[.]99:449/red5/
hxxps://5[.]2[.]79[.]66:443/red5/
hxxps://185[.]99[.]2[.]137:443/lib698/
hxxps://51[.]254[.]164[.]245:443/red5/
hxxps://185[.]99[.]2[.]137:443/red5/
hxxps://64[.]44[.]51[.]124:447/red5/
hxxps://177[.]74[.]232[.]124:80/red5/
hxxps://200[.]127[.]121[.]99:449/lib698/
hxxps://171[.]100[.]142[.]238:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=juhyLxqVBnei6qmSsjZ7
hxxps://178[.]156[.]202[.]157:447/lib698/
hxxps://172[.]245[.]157[.]135:443/lib698/
hxxps://185[.]99[.]2[.]115:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=HMucklYySnPDh9NWPo2h
hxxps://217[.]12[.]209[.]200:443/lib698/
hxxps://185[.]244[.]39[.]65:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=gjBKrgh9ZivFEv6OnkVg
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=QKf1HHY4dLUK3t2czTR3
hxxps://31[.]131[.]21[.]168:447/lib698/
hxxps://103[.]84[.]238[.]3:80/lib698/
hxxps://177[.]74[.]232[.]124:80/lib698/
hxxps://203[.]176[.]135[.]102:8082/lib698/
hxxps://181[.]129[.]104[.]139:449/lib698/
hxxps://131[.]161[.]253[.]190:449/lib698/
hxxps://188[.]120[.]242[.]75:447/red5/
hxxps://181[.]196[.]207[.]202:449/lib698/
hxxps://62[.]109[.]11[.]248:447/red5/
hxxps://36[.]89[.]106[.]69:80/lib698/
hxxps://198[.]15[.]82[.]162:443/lib698/
hxxps://181[.]113[.]28[.]146:449/lib698/
hxxps://185[.]14[.]31[.]98:447/red5/
hxxps://185[.]142[.]99[.]89:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=93vdwyq6sh9oBUrUmnzS
hxxps://107[.]172[.]191[.]12:443/red5/
hxxps://185[.]203[.]118[.]37:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=IJgYwiMilRq9dmvYXx5O
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=oViUuJw2ydNIx3h3QEYd
hxxps://46[.]4[.]167[.]242:447/lib698/
hxxps://5[.]2[.]76[.]29:447/lib698/
hxxps://146[.]185[.]219[.]63:443/lib698/
hxxps://190[.]100[.]16[.]210:8082/lib698/
hxxps://23[.]94[.]185[.]27:446/response/rcrd[.]php?s=1547738007155673
hxxps://4cao4pyxbarkxf4n[.]onion:448/lib698/
hxxps://112[.]78[.]164[.]34:8082/lib698/
hxxps://185[.]99[.]2[.]115:443/lib698/
hxxps://45[.]148[.]120[.]153:443/lib698/
hxxps://193[.]37[.]213[.]128:443/lib698/
hxxps://45[.]148[.]120[.]153:443/red5/
hxxps://190[.]214[.]13[.]2:449/lib698/
hxxps://185[.]20[.]185[.]76:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=d4wYKmoNAL4jbXsWnwNP
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=uCQHZmGWTLLlfhfR94Wj
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=kpmcigmW4tIXJAliL5SP
hxxps://5[.]255[.]96[.]186:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=9kgyvNnUnLXBHKxfhR76
hxxps://131[.]161[.]253[.]190:449/red5/
hxxps://185[.]14[.]31[.]97:443/lib698/
hxxps://188[.]209[.]52[.]162:443/lib698/
hxxps://185[.]14[.]31[.]252:443/lib698/
hxxps://212[.]80[.]217[.]220:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=hhHR67XuY9k7vxRMdwoh
hxxps://193[.]111[.]62[.]50:447/lib698/
hxxps://170[.]84[.]78[.]224:449/lib698/
hxxps://112[.]78[.]164[.]34:8082/red5/
hxxps://181[.]129[.]134[.]18:449/red5/
hxxps://146[.]185[.]253[.]179:447/lib698/
hxxps://190[.]100[.]16[.]210:8082/red5/
hxxps://146[.]185[.]253[.]176:447/red5/
hxxps://190[.]119[.]180[.]226:8082/lib698/
hxxps://171[.]100[.]142[.]238:449/lib698/
hxxps://181[.]113[.]28[.]146:449/red5/
hxxps://51[.]254[.]164[.]245:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=O6D4aGfNwIxDT5OfEo9d
hxxp://uzoclouds[.]eu/dutchz/dutchz[.]exe
hxxp://bibpap[.]com/1g7/pin[.]php
hxxp://posqit[.]net/TT/50590113[.]exe
hxxp://bitly[.]ws/83FN
hxxp://nemty[.]top/public/pay[.]php
hxxp://nemty10[.]biz/public/gate[.]php
hxxps://marsdefenseandscience[.]com/reports[.]zip
hxxp://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad[.]onion/public/pay[.]php

euromopy[.]tech
wusameetings[.]tk
emrahkucukkapdan[.]com
gardapalace[.]it
snsoft[.]host-ed[.]me
cornerload[.]dynu[.]net
seasonsnonaco[.]ddnsking[.]com
datalinksol[.]com
nlcfoundation[.]org
sevgikresi[.]net
autocarsalonmobil[.]com
seasons444[.]ddns[.]net
krupoonsak[.]com
natufarma[.]net
edirneli[.]net
mabdesign[.]unlugar[.]com
babystophouse[.]com
glamfromeast[.]com
hidroservbistrita[.]ro
onlinepreneur[.]id
onlinepreneur[.]id
site-inspection[.]com
uzoclouds[.]eu
bibpap[.]com
posqit[.]net
zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad[.]onion
nemty10[.]biz
marsdefenseandscience[.]com
nemty[.]top

45[.]64[.]97[.]178

185[.]216[.]35[.]10

ef07feae7c00a550f97ed4824862c459
05adf4a08f16776ee0b1c271713a7880
29e8800ebaa43e3c9a8b9c8a2fcf0689
970bc68378526981f7b470b014e4a61d
648a2da84b857520830981af55bbd4f2
e36b292de6db73e78f77ea2fed092848
dca53f253066ff1736d9735e0e4f861b
ecdcf6e29f917239ecd9f3c4cd4bd4b4
4ad1b0398bc3a371a82923383de2d0a4
54fb481530500d781d0aa282e8524016
0c6fa100c0fd612d9f55a87017989621
457d4329b66efcbd6bcba521502df6a8
6053a2d672f9f9bd5cd0725d4b106493
c1ab6a9a559d54c071eb110235f77fe2
be950f0aaa6654c30532168a3f82d4e6
33498c2e5ce532fdbcabfc2caa882e04
ca0951249ef447ca0443ebf519b7ec7e
24cabc6a0a02674fc6a1e778cd265ecc
d6557715b015a2ff634e4ffd5d53ffba
2858a05f4ec255cb383db26019720959
4e9aa334811b6a4fa6542483a34fc9c5
caf133755a01fea99b323e3fa1965705
c6f8278ee29471ce84b4f6bb148161de
1f7ff50f672288616ef80220ab41cddc
ef991e614208324eecb10831f0b6990d
93109ef58dc7fa86e2cb186e8d8cfc8a
8f9c95b359a574f16801184b095a027d
ba0b4e05e3b26e26f2e0793b9190ba2c
f4d2bdeeb7c5c3eac0afe845b988b31a
a39694b7311fc2d0991d6f7aa4d22460
d9822e032bb6f0d39aba533ba5b50dca
ba6a13ad9f673e365580b389a7297611
64574f1a3b4d554322279a238c7943f1
8aa849595f1065dce6488dcff4caa043
34b9244ead7f1d1d4a94e04a05d8f474
222d2f0dcae9889174e500fea7655b9a
811e21aadc64bbbedaa2d616bd258f58
4ed0cbc8dc2c3208bf760976d854b276
1cd9c1348db93cd674066f566740d697
3a7d8ab97cc7cacdc6b613632f79ae36
777250fb412071ab4b655883de6b888b
fa1ed07a84d0f6db0560edffc0f5cd0c
cc24481d8673278c9ca9a427aebfaf30
a98c28d9666e6050b2c76d0062342078
62ded00158221fd7b3e678b9d9edbd7b
ecf4c248beb954f59901bba955646c19
64574f1a3b4d554322279a238c7943f1
62025fefd240ac80326db825903da90e
2f1ac455d1c6e2a3f3e0d1137b047696
a5a2a55b29d20a684b09e40d4480029d
022e42a2ad49f8428f34435b595c7216
08dd5ee67ee69ddfa11cb55562baef58
e7351df51633435293ddc09de7fdc57c
1179a7989031fc4b6331505b388dcb12
378bbb172ccae5e28549a003e4e84bce
07d718b0b7f2bbe0ea001c76aca82b7d
f221f92d7f8ccb7133f58ae1a3f4257c
501318d315ba07554f92ff13ebb075c2
b57d2c252746baff47e12b4021a75ba4

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Evade Proofpoint and Microsoft 365 ATP Protection to Capitalize on COVID-19 Fears

By: Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has witnessed a surge in Coronavirus phishing campaigns found in environments protected by Proofpoint and Microsoft Office 365 ATP. While these Secure Email Gateways (SEGs) are designed to safeguard end users from clicking on malicious links and attachments, both failed in a new phishing attack we recently observed.

Figure 1 – Proofpoint SEG within the Email Header

Figure 2 – Extracted Information in Email Header

The extracted header information above in Figure 2 displays fragments of the email from the received path. The threat actor spoofed the domain splashmath[.]com (an online learning game for children) with a spoofed IP address of 167[.]89[.]87[.]104, which is located in the United States. For this reason, the email slipped past basic security checks, such as DKIM and SPF, shown in Figure 2. The threat actor inserted key words, such as “who” and “community” in the sender email address to manipulate the user into thinking it’s from the World Health Organization.

Upon further investigation of the email header, the originating IP address of 88[.]119[.]86[.]63 was found to be from the Lithuanian city of Kaunas, as shown below in Figure 3. The phishing email was sent to different individuals, each with the same originating IP address, indicating the likelihood of a single threat actor carrying out these attacks.

Figure 3 – Originating IP Address

The body of the email in Figure 4, as shown below, urges the user to find out if there are cases of COVID-19 in their local area by clicking on ‘Read on’. When then end-user clicks, they are led to believe that they will be directed to an updated WHO document. However, the user is actually directed to a Microsoft branded credential phish to steal their Microsoft log-in information.

The subject of the email is “HIGH-RISK: New confirmed cases in your city,” followed by the spoofed WHO email address and display name (who[.]int-community[.]spread@ splashmath[.]com), thus making it appear as if the sender is really from the World Health Organization. The sender does not contain any information addressed to the recipient, such as “Good Morning” or “Dear…”, indicating that this is a mass-email attack sent to many individuals. In addition, there is an image that would have usually loaded, however in these stressful circumstances, individuals may overlook this and would click on the “Read on” link.

Figure 4 – Email Body

Network Indicators of Compromise (IOCs):

Users are under the impression that by clicking on the ‘read on’ link, they will be redirected to:

Hosted URL IP Address
hXXp://o[.]splashmath[.]com/ls/click?upn=H2FOwAYY7ZayaWl4grkl1LazPuy6jduhWjWPwf0O2D 167[.]89[.]118[.]52
167[.]89[.]123[.]54

The users are instead forwarded to one of the following malicious redirects:

Credential Phishing Pages URLs IP Address
hXXps://heinrichgrp[.]com/who/files/af1fd55c21fdb935bd71ead7acc353d7[.]php 31[.]193[.]4[.]14
hXXps://coronasdeflores[.]cl/who 186[.]64[.]116[.]135
hXXps://www[.]frufc[.]net/who/files/61fe6624ec1fcc7cac629546fc9f25c3[.]php 87[.]117[.]220[.]232
hXXps://pharmadrugdirect[.]com/who 31[.]193[.]4[.]14
hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php 82[.]166[.]34[.]188

A quick Google search reveals the last phishing page listed above (hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php) was created with “WordPress” within the description (Figure 5), a potential red flag for a savvy end user.

Figure 5 – Google Search of the Phishing Page

As shown in Figure 6 below, recipients are presented with a high-quality, spoofed Microsoft login page. Upon clicking, the user’s email address is attached within the URL of the webpage; therefore, the individual’s username automatically appears in the login box. Upon logging in, the user is under the impression he or she has been authenticated into a legitimate Microsoft website. At this point, the user’s credentials are unfortunately in the hands of the threat actor.

Figure 6 – Final Phishing Page

HOW COFENSE CAN HELP

Cofense has created the Coronavirus Phishing Infocenter with examples of real Coronavirus phishing scams, an infographic illustrating 5 signs of these phish, a publicly available YARA rule, and much more.

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe. Tp remove the blind spot, get visibility of attacks with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received Yara rule PM_Intel_CredPhish_37315 and further information about this threat in Active Threat Report (ATR) 37315.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

One, Two, Three Phish: Adversaries Target Mobile Users

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has spotted a phishing attack directed at mobile users purporting to come from Three, a British telecommunications and internet service provider. The attack relies on a well-spoofed html file, enticing users to provide everything from their password and personal details to their credit card information. 

Users are informed of a bill payment that could not be processed by their bank. They are urged to download the html file “3GUK[.]html” to edit their billing information in order to avoid service suspension. Users should always be wary of requests to download and open html/htm file attachments as opposed to being linked directly from their email client (which also, of course, is no guarantee of a legitimate email).

Figure 1 – Email Body

Spoofed Phish Page

As seen in Figures 2 and 3, The attached 3GUK[.]html file then requests login credentials, personal information and credit card details. The source code indicates this is a clone of actual Three html code, re-appropriated for malicious purposes; for instance, styling elements are pulled from actual Three websites. Additionally, all options in 3GUK[.]html direct to the legitimate relevant Three page so that, for example, if one clicks on “iPhone 11” under the Popular Phones section at the bottom, the end user is redirected to the real Three iPhone 11 page.

Figures 2 and 3 – Cloned Phishing Pages

The smoking gun is in the action attribute of the HTML form element. Figure 4 confirms that any information provided is processed by the “processing[.]php” script, located at hxxp://joaquinmeyer[.]com/wb/processing[.]php, a domain the adversary has compromised. Adversaries need only modify key sections of the cloned html code such as in Figure 4 below in order to turn benign code into a convincing phish.

Figure 4 – Malicious cloned html code

The Devil is in the Metadata

The From field, as seen in Figure 5 below, indicates “online@three[.]co[.]uk” as the apparent source of the email. The SPF check shows this was the address provided in the SMTP MAIL FROM command. We also see a SoftFail result for the originating IP 86.47.56.231; this means the domain of three.co.uk discourages, but does not explicitly rule out, this IP address as a permitted sender.

Figure 5 – SPF check

In other words, the SPF records for the domain of three[.]co[.]uk contain the ~all mechanism, which flags but ultimately lets the email through. Worried that legitimate email will be blocked by a stricter SPF policy, such as a (Hard)Fail with -all, many companies’ SPF records do not dare make an explicit statement regarding who is and is not permitted sender, potentially enabling spoofed emails.

DNS PTR record resolves the originating IP 86.47.56.231 to mail[.]moultondesign[.]com. Although an apparent subdomain of moultondesign[.]com, there is no evident relation between the two. There is no corresponding DNS A record, as confirmed by a Wireshark capture, as seen in Figure 6. The supposed parent domain is hosted by Namesco Ireland at 195.7.226.154, unlike the malicious IP address which is part the ADSL Pool of Irish provider EIR, suggesting a residential use.

Figure 6 – Missing DNS A Record

The email also contains a spoofed Message-ID (Figure 7). Although these do not need to conform to any particular structure, they often contain a timestamp. In this case, the digits on the left of the dot seem to follow the format YYYYMMDDhhhhss, amounting to 2020 February 5th 16:34:08; the digits to the right of the dot could or could not have any significance. Finally, the presence of Three’s Fully Qualified Domain Name adds a further element of credibility that might deceive more tech-savvy users.

Figure 7 – Message-ID

IOCs:

Malicious URLs:
hxxp://joaquinmeyer[.]com/wb/processing[.]php
mail[.]moultondesign[.]com

Associated IPs:
65.60.11.250
86.47.56.231

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 37144.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Innovate to Exploit COVID-19, Delivering OpenOffice .ODP Attachments on a Shoestring Budget

By Tonia Dudley, Cofense Security Solutions

Have you ever paid an invoice delivered in PowerPoint file, similar to Figure 1 below? No? Me neither. An accounts reconciliation aging report? Don’t those typically get sent as a .PDF file so your auditor can ensure you haven’t “adjusted” the report?

Figure 1: Phishing email with fake invoice delivered via an .ODP file, appearing as a .PPT file

We recently uncovered a new, previously unseen tactic used by threat actors eager to capitalize on organizations’ concerns around COVID-19. The threat actors use an OpenOffice file format as an .ODP file, recognized by Microsoft as .PPT file, thus leading unsuspecting users to easily recognize the PowerPoint icon.

But let’s go back to the emails that included this file type. Would you receive an email to process an invoice that used a PowerPoint file for this transaction? It’s no wonder a well-trained user was able to spot this email as suspicious and reported the message to the Cofense Phishing Defense Center.

As we continue to monitor suspicious emails related to COVID-19, both seen in the wild and reported by our customers, we noticed a few interesting tactics used in the email (Figure 2 below) that leverages the OpenOffice format to trick unsuspecting employees into opening the document. The email message is fairly basic and contains some simple phishing indicators. The salutation is generic and an incomplete sentence – “Good morning.” Is this how you punctuate this salutation? Speaking of punctuation – they also used a period after “signing” their name “Donna.” at the end of the email.

When digging into the header information, it was, however, surprising that this email was flagged as “Received-SPF: Fail”. Organizations have spent a great deal of time setting up and configuring DMARC, DKIM and SPF, and the message is delivered to the inbox? We’ll give this organization the benefit of doubt and assume they’re still finetuning and configuring that control.

Yet the most interesting part of this phishing email is the attachment itself – we had never seen an .ODP file type in a phishing email before.

Figure 2: Phishing email delivering an .ODP file masquerading as a COVID-19 preparation guide

In an effort to ensure our customers can detect this new tactic, we wrote a YARA rule to look for any OpenOffice file type. This new search took us back to late January to find the use of the .ODP filetype. It also bubbled up another OpenOffice file type of .ODT, displaying the MS Word icon to the user. In each of these files, the use case for the threat actor was to merely deliver the link to direct to the malicious website.

HOW COFENSE CAN HELP

Yara Rule: PM_LABS_OpenOffice_ImpressFiles

For more information and resources about COVID-19 related phish and malware, visit our Infocenter: https://cofense.com/solutions/topic/coronavirus-infocenter/

Every day, the Cofense Phishing Defense Center analyzes phishing emails that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Going Phishing in the African Banking Sector

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has uncovered a phishing campaign aimed at customers of African financial services group ABSA. Mimicking ABSA’s online banking portal, the adversaries attempt to steal users’ online banking credentials to gain access to their bank accounts.

The phishing email presents the end user with a couple of lines of text informing him/her of pending transfers from another bank that need authorization. The user must download and open the htm attachment “IBPAYDOC.htm” in order to connect to the online portal. The email does not present any indication of an attempt to imitate a legitimate ABSA communication, completely relying instead on the user’s misplaced curiosity.

Figure 1 (Email Body)

Phishing Portal

Upon opening the htm file, the user is directed to a fake ABSA online banking portal at hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php, which is almost identical to the legitimate ABSA portal, as seen in Figures 2 and 3. The user is prompted to provide an “access account” number, PIN and user number that are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php.

Figure 2 – Legitimate ABSA Portal

Figure 3 – Copycat ABSA Portal

Adversaries have hijacked the ahmadnawaz[.]org domain on which the fraudulent ABSA portal is hosted, belonging to Pakistani education activist Ahmed Nawaz, and created the “/ched” directory to store their php files and subdirectories as seen in Figure 4.

Figure 4 – Index of /ched

Next, the recipient is asked to provide a password in hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php. This request should tip off users for three reasons. First, ABSA never asks for entire passwords. Second, and in contradictory fashion, instructions for ABSA’s usual password requirements can be found on the right-hand side of the page. Although the password guidelines only require specific characters, the adversaries seem to have kept these in an attempt to make their fake portal look as genuine as possible. Finally, the user’s SurePhrase, part of ABSA’s SureCheck service, is missing. Upon entering their password, it is posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php.

Figure 5 – Fake password login page

The user is then directed to hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php, where a 60- second timer is displayed. Once it reaches zero, the user is instructed to provide a phone number and a code from the ABSA app. Verification messages are normally sent to the ABSA banking app. In this case, however, no such code is sent because the user is not accessing ABSA’s legitimate portal. The threat actors likely rely on curious or frustrated users who decide, nonetheless, to proceed with the login process despite not receiving a verification request, allowing them to steal additional personal information from the end user. The phone number and app code are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php.

Figure 6 – Timer in profile .php

Figure 7 – Verification Request

Finally, when and if the user provides the last two pieces of information – the phone number and app passcode – the next stop is hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php, where the aforementioned timer will run out and restart indefinitely. Figure 8 shows the complete HTTPS traffic.

Figure 8 – HTTPS Traffic Overview

IOCs:

Malicious URLs

hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php

 

Associated IPs:

74[.]63[.]242[.]34

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Utilizing YouTube Redirects to Deliver Malicious Content

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) recently observed an increase in phishing attempts that deliver phishing pages via YouTube redirects.

Threat actors often use social media websites as redirectors to malicious pages. Most organizations allow the use of platforms such as YouTube, LinkedIn, and Facebook and whitelist the domains, allowing for potentially malicious redirects to open without any fuss. In this case, anyone who clicks on the phish is taken to a phony login page designed to steal credentials.

Figure 1: Email Header

The phishing email originates from a newly registered fraud domain sharepointonline-po.com. This domain was registered on February 19, 2020 through Namecheap.

The threat actor in this scenario has posed as SharePoint, indicating that a new file has been uploaded to the company’s SharePoint site. Although the email may appear illegitimate to a trained eye, a curious or unsuspecting end user may click the button expecting to see a legitimate file.

The link embedded in the email is: hXXps://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompanyname[.]sharepointonline-ert[.]pw

Users are redirected to YouTube that then redirects to companyname[.]sharepointonline-ert[.]pw, which in turn goes to the final landing page of the phish located at:

hXXps://firebasestorage[.]googleapis[.]com/v0/b/sharepointonline-fc311.appspot[.]com/o/Sharepoint2019427c31ba-0238-4747-bfd3-13369aa06b4d427c31ba-0238-4747-bfd3-13369aa06b4d427c31bb%2Findex[.]html

So far, all phishing links from this campaign utilize some variation on sharepointonline-ert[.]pw, specifically sharepointonline-xxx followed by a variation of 3 letters with the top-level domain always being .pw. Each of these fraud domains are quickly registered with Namecheap and used for this campaign, which suggests the possibility of bot automation. The SharePoint redirection domains collected so far include:

sharepointonline-eer[.]pw
sharepointonline-sed[.]pw
sharepointonline-ert[.]pw
sharepointonline-eyt[.]pw

With this trend of 3 letter variations in mind, the use of redirects means there’s at least 17,576 possible combinations of this domain. However, with some clever use of regular expressions, domains following this pattern can be blocked as well as the attack that follows.

Following both the YouTube and fraudulent SharePoint redirects, users are then taken to a Google Cloud page that is configured with the final page of this phish. Because the page is hosted on a legitimate Google site, googleapis.com, its certificate is verified by what appears to be Google itself, thus furthering the illusion of a legitimate page. Use of this legitimate website allows the threat actor to sneak by any Secure Email Gateways (SEGs) or other security controls.

Figure 3: Phishing Page

Once end users click on the link, they are presented with a typical Microsoft branded login page. Nothing appears amiss–in fact, it is almost a perfect replica. The main differences are: the box surrounding the login is black instead of white; the small detail of the banner at the bottom has different information than Microsoft’s actual login; and the copyright year is showing as 2019.

The recipient email address is appended within the URL, thus automatically populating the login box with the account name. Once users provide their password, it is sent to the threat actor.

Network IOCs
hXXps://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompany[.]sharepointonline-ert[.]pw%23john.smith@company.Com&=company=company&redir_token=-N5bmOAEmF36DCYcYY25tfVENgB8MTU4MjIwMTEyOEAxNTgyMTE0NzI4
hXXps://firebasestorage[.]googleapis[.]com/v0/b/sharepointonline-fc311.appspot[.]com/o/Sharepoint2019427c31ba-0238-4747-bfd3-13369aa06b4d427c31ba-0238-4747-bfd3-13369aa06b4d427c31bb%2Findex[.]html

 

HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe. To remove the blind spot, get visibility of attacks with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36586.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

The Value of Human Intelligence in Phishing Defense

By Guest Blogger, Frank Dickson, Program Vice President, Cybersecurity Products, IDC

The value of humans, our fellow employees, in phishing defense has been a hotly contested topic for quite some time. Advocates say that end users play a role, be it innocent and unintended, in just about every phishing campaign. Proper behavior modification can ultimately solve the problem. Detractors only to need point to the consistent “clickiness” of end users to question that value. Yet the reality is that responsibility lies somewhere in the middle.

The detractors are indeed correct. Users do continue to click on malicious links and participate in other unintended ways. Training helps a lot, improving the effectiveness of a user’s ability to spot malicious email. Even though the human eye improves, cyber miscreants are clever, and even the best of us get tricked on an off day. However, what the detectors fail to acknowledge is that for a user to click on a link in a phishing email, the email first had to get past our messaging defenses—our organization’s security technology.

The Additive Factor

Here lies the crux of the argument: People are not perfect; but neither is technology. When you look at phishing, that pretty well sums up the problem. There’s so much complexity associated with IT architectures that, as of right now, the existing technology is:

A) clearly not getting it done, and
B) just too immensely complex to let any single technology fully cover it.

Malicious emails are getting through. Luckily though, technology defenses and human intelligence are not mutually exclusive. They are additive; both can be used together and, in fact, complement each other.

The factor that makes human intelligence so compelling is in the way it’s applied. As we look at layering technologies atop other technologies, we often wonder if we are indeed increasing our efficacy, or would less technology stop the same malicious emails? With human intelligence, it is only applied to emails that have gotten past our messaging security technologies. By default, human intelligence can only identify new threats.

Case in point: even if you do a great job taking out spam and malware, you still have malicious messages that get through. In the case of a compromised business email account, someone can grab credentials and take control of it. An email can appear to come from the CEO with a fictitious invoice sent to accounting saying, “Please pay this invoice.” The invoice gets paid—without the use of malware or a malicious link, right?

The email comes from a legitimate email box. Everything is “legitimate,” it’s just someone compromised the credentials. Dealing with that kind of use case is incredibly difficult. The long story short here is the complexity. Technology is great for dealing with standardized problems. When the complexity increases exponentially, however, human intelligence stands a better chance at inferring malicious intent.

Additionally, humans can scale, each applying a unique intelligence. If a malicious email gets past our technology defenses and into 10 inboxes, it only takes one out of those 10 people say, “Hmm, this doesn’t look right,” and report it. Essentially, security intelligence is crowdsourced.

The Feedback Imperative

Keep in mind, however, that human intelligence is neither free nor easy. It takes a commitment to make it work. Training users on what to look for is a good start. Users need background in terms of what’s in a malicious email, what does legitimate email look like, and what are the warning signs. You must give them the rudimentary training. That’s step one. Step two requires simulations, providing pop quizzes, for example, of obvious scenarios.

Training and simulations are great, but those by themselves are not the key. The key is the feedback loop. End users want to contribute. They want to be part of the solution. Sometimes IT thinks, “Ah, those silly end users. Easier not to keep them involved.”

But users want to know they are valued. They don’t want to feel like their time’s being wasted. If no one gets back to them and tells them that, hey, their feedback is important, then the user reasonably thinks, “I’m just wasting my time.” In addition to refining an end-user’s ability to detect malicious email, feedback from IT says, “Yes, your input was both considered and important.”

And that is the most effective security you can have.

Threat Actors Capitalize on Global Concern About Coronavirus in New Phishing Campaigns

By Kyle Duncan and Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in an environment protected by Ironport that aims to strike alarm and manipulate end users into clicking on a Microsoft-branded credential phish that prays on concerns surrounding the coronavirus.

The email appears to be from The Centers for Disease Control and the message is that the coronavirus has officially become airborne and there have been confirmed cases of the disease in your location. The email goes on to say that the only way to minimize risk of infection is by avoiding high-risk areas that are listed on a page they have personally hyperlinked to you – the recipient. The email is NOT from the CDC and the link to possible safe havens is actually malicious.

Since news of the coronavirus hit national headlines, many threat actors have played on its infamy to target unsuspecting users. While there are numerous phishing campaigns raving about the latest safety measures, all claiming to be reputable health organizations or doctors, this email differs in its methods, weaponizing fear to panic users into clicking malicious links.

Figure 1: Email Header

The following are snippets of the header information for the email. Looking at the first stop on the received path we see that the email originated from the domain veloxserv.net with an IP address of 193[.]105[.]188[.]10. This obviously has nothing to do with the Centers for Disease Control, as this is an IP located within the United Kingdom. However, the sender is issuing a HELO command which tells the email server to treat this email as if it were originating from the domain “cdc.gov”.

Figure 2: Email Body

The subject of the email is “COVID-19 – Now Airborne, Increased Community Transmission” followed by a spoofed display name, CDC INFO, and from address, CDC-Covid19@cdc.gov, thus making it appear as if the sender is really the CDC. Despite odd capitalization on some words in the email, it is a rather good forgery which, when combined with the high stress situation it presents, may cause most users to overlook those details and click the link immediately.

Users are led to believe they are clicking a link to:
hxxps://www[.]cdc[.]gov/COVID-19/newcases/feb26/your-city[.]html

However, embedded behind that link is the following malicious redirect:
hxxp://healing-yui223[.]com/cd[.]php

Which in turn goes to the final landing page of the phish located at:
hxxps://www[.]schooluniformtrading[.]com[.]au/cdcgov/files/

Upon further research, there were two additional compromised sites set up with this same phishing kit.

Additional redirecting URLs found were:
hxxps://onthefx[.]com/cd[.]php

Additional phishing pages:
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files
hxxps://gocycle[.]com[.]au/cdcgov/files/

In each of these three unique attacks, the URLs used to redirect the victim to the credential phishing site are of Japanese origin. All use the file cd.php, which forces the redirection to the phish. The phishing pages themselves have the same Top-Level Domain, .com.au, and each has a SSL certificate. These clues point to a single threat actor carrying out these attacks. Further observation may soon reveal the actor’s identity or at least a general attack vector that can be monitored for and blocked by network firewalls.

Figure 3: Phishing Page

Users will be presented with a generic looking Microsoft login page upon clicking the link.

The recipient email address is appended within the URL, thus automatically populating the login box with their account name. The only thing for the user to provide now is their password. Upon doing so, the user is sent to the threat actor.

Once users enter their credentials, they are redirected to a legitimate website of the CDC:

hxxps://www[.]cdc[.]gov/coronavirus/2019-ncov/php/preparing-communities[.]html

Indicators of Compromise:

Network IOC IP
hxxps://healing-yui223.com/cd[.]php 150[.]95[.]52[.]104
hxxps://www.schooluniformtrading[.]com[.]au/cdcgov/files/ 118[.]127[.]3[.]247
hxxps://onthefx[.]com/cd[.]php 153[.]120[.]181[.]196
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files 112[.]140[.]180[.]26
hxxps://gocycle[.]com[.]au/cdcgov/files/ 13[.]239[.]26[.]132

 

Spoofed World Health Organization Delivers Agent Tesla Keylogger

In addition to the spoofed CDC message discovered by the Cofense Phishing Defense Center, Cofense Intelligence also recently identified a phishing campaign spoofing the World Health Organization (WHO) to deliver the Agent Tesla keylogger. The phishing campaign is designed to invoke fear and curiosity of the intended recipient with the subject “Attention: List Of Companies Affected With Coronavirus March 02, 2020.”

The attachment accompanying the phishing email spoofing the WHO is labeled ‘SAFETY PRECAUTIONS’ and has a .exe extension. The icon of this executable is that of a Microsoft Office Excel file, intending to fool the end user into believing that the attachment is indeed an Excel document, listing the infected companies. The attachment is in fact an .exe, delivering a sample of Agent Tesla keylogger. The email body can be seen below.

Figure 4: The phishing email spoofing the World Health Organization

 

Filename MD5 Hash
SAFETY PRECAUTIONS.rar 05adf4a08f16776ee0b1c271713a7880
SAFETY PRECAUTIONS.exe ef07feae7c00a550f97ed4824862c459

Table 1: Agent Tesla Keylogger Attachments

 

Agent Tesla C2s
Postmaster[@]mallinckrodt[.]xyz
brentpaul403[@]yandex[.]ru

Table 2: Agent Tesla Keylogger Command and Control (C2) Locations

 

YARA Rules
PM_Intel_AgentTesla_36802

 

Given the levels of concern associated with the COVID-19 outbreak, such phishing themes will almost certainly increase, delivering a broader array of malware families.

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actor Uses OneNote to Learn Credential Phishing and Evade Microsoft and FireEye Detection

By Max Gannon

Cofense Intelligence recently uncovered a long-term phishing campaign wherein a threat actor experimented with a OneNote notebook hosted on OneDrive to deliver both malware and credential phishing. Thanks to the ease of use and accessibility of OneNote, the threat actor was able to update a “phishing notebook” multiple times a day, experiment with various intrusion methods, and improve the odds to successfully evade email security controls. Numerous Agent Tesla Keylogger payloads as well as links to different credential phishing websites were included in the campaign. By using a public repository, the threat actor left an easily trackable trail, giving crucial insight into the process and planning involved in abusing trusted cloud hosting sources.

We investigated the experiments housed in this OneNote notebook and found multiple sites and templates the threat actor tested. Figure 1 shows an example email delivered by this threat actor, which was found in an environment protected by Microsoft EOP and FireEye enterprise gateways.

Figure 1: Original email with link to OneNote, leading to a tiny[.]cc link

Cybercriminals can leverage a wide array of trusted cloud hosting sources for credential phishing. Most commonly, a convincing page contains a link to a malicious external website that houses the actual forms used to harvest information. This kind of page can be an image or document hosted on Microsoft Sway, Microsoft SharePoint, Google Docs, or even Zoho Docs. An example from the OneNote was hosted on Zoho Docs, as shown in Figure 2. Note that when looking to download the invoice, the threat actor used the SmartURL link shortening service to circumvent security scanners and trick end users.

Figure 2: Document hosted on Zoho Leads to credential phishing website

The OneNote also housed an example demonstrating how threat actors take direct advantage of a trusted service. In Figure 3, Office 365 credentials are phished through Google Forms, which threat actors can access in their Google accounts. Having a readily accessible service that requires no maintenance and effectively acts as a free database significantly lowers the upkeep needed for the credential phish. A downside is that these services have evolved to look for nefarious activity, and Google displays a warning at the bottom of the form that warns the user to “never submit passwords through Google Forms.” Other services such as Microsoft Forms and survey sites can also enable this type of attack.

Figure 3: Google forms credential phish

Another less common, yet noteworthy, technique is to host a document on a file-sharing site and entice end users to download and open the file. Files housed on DropBox, OneDrive, Google Drive, Box, and other popular services lure email recipients into clicking a link or entering credentials into a form that exfiltrates back to the threat actor. Ultimately, users face some spoof or bait that exploits innate trust for nefarious purposes.

On one end, legitimate cloud hosting services continue to improve their defenses against some of these attacks. Even if only used as an intermediary, takedown requests and scanning solutions aim to remove malicious content as quickly as possible. This response is usually in the case of malware or well-defined phishing portals, which do account for the bulk of the abuse. However, multiple exceptions exist, such as the use of Microsoft OneNote. Given that an operator can update OneNote notebooks at any time, takedowns become more difficult as the threat is harder to track. In this particular case we investigated, OneNote was updated ten or more times a day, consisting not only of changes to the links leading to external credential phishing pages but also to the makeup and “template” of the page itself. OneNote has a version history tool that enables some limited forensics for investigators, but it is relatively easy for a threat actor to remove prior versions. In this instance, the actor did not remove the version history until later in the experimentation process.

Cofense Intelligence tracked content updates by this threat actor over the span of two weeks. Examining the “version history” of these pages over time revealed numerous progressions in the layout, malware, and credential phishing pages. The threat actor went through four templates that delivered a credential phishing portal and unique malware samples. Figure 4 highlights the evolution cycle, as each template underwent several revisions and variations.

  1. In the first template, the operator chose to send two URLs: one with an Office 365 credential phishing site, and another that downloaded malware. Both links were later changed to download malware samples instead of the lure portal.
  2. The second template offered a single link, directly straight to the same Office 365 credential phishing site but on a different URL path.
  3. No credential phishing link was found in the third template, offering a link to different malware versions that the threat actor updated several times.
  4. The fourth template features a phish-only link yet again that alternated between providing one of several different Office 365 credential harvesting portals.

Figure 4: OneNote template progression

In all cases where malware was delivered, the malware was a “first stage” downloader, attempting to download an encrypted binary that then decrypted and ran in memory. This binary proved to be the Agent Tesla Keylogger, tasked with collecting and exfiltrating stored logins and keystrokes. Initially, the two “first stage” malware downloaders had their encrypted payloads stored on Google Drive. Newer loaders attempted to fetch payloads from a compromised host, the same host that provided the malware downloaders. The newer loaders did, however, fail to accomplish their tasks due to improper customization by the threat actor. Such error is indicative of a less-capable operator who leverages premade kits but falls short on modifying them.

Like many other phishing sites hosted on OneNote, this threat actor’s primary objective was to steal credentials. A short experiment of delivering Agent Tesla Keylogger proved lackluster, leading the operator to shun malware use in the long-term. This particular threat actor likely decided against using Agent Tesla due to a lack of experience, indicated by the several improperly configured versions of the malware. However, if threat actors continue to use a source typically exploited for credential phishing to deliver malware, this could quickly become problematic. Based on the inherent risk posed by trusted sources, traditional protections trained against OneNote and similar services may prove ineffective. If not properly addressed, this could pave the way to a prolific infection vector for malware.

Table 1: Indicators of Compromise

Description Indicator
Cofense Intelligence™ ATR ID 35838
Cofense Triage™ YARA Rule PM_Intel_AgentTesla_35838
URLs Embedded in Email hxxp://tiny[.]cc/5n9wiz
hxxp://tiny[.]cc/fo9wiz
Destination URL Hosting OneNote Notebook hxxps://1drv[.]ms/o/s!Ap0JWbG5JDSSgQhsghgIsxdnVKZi
Phishing URLs hxxps://correlimmigration[.]com/wp-content/plugins/office_support
hxxps://relife-neiro[.]org/wp-content/Office_Mail/
hxxps://theloghomeshows[.]com/wp-content/Office_Support
hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/Office/
Malware Download URLs hxxps://www[.]farcastbio[.]com/wp-content/invoice%20file[.]pif
hxxps://www[.]hbyygb[.]cn/wp-content/file[.]ace
hxxps://www[.]hbyygb[.]cn/wp-content/File[.]iso
hxxps://www[.]hbyygb[.]cn/wp-content/invoice[.]ace
Malware Payload URLs (From Malware Downloader) hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/file1_encrypted_9099BFF[.]bin
hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/file1_encrypted_B73A83F[.]bin
hxxps://drive[.]google[.]com/uc?export=download&id=1esad4jMAIdWBj8XwsKCpjULr_9WHLURU
hxxps://drive[.]google[.]com/uc?export=download&id=1FwNTU5RN6QOQzvolLFC5ipjsf1a88457
Malware C2 (From Agent Tesla Keylogger) mail[@]winwinmax[.]xyz

HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and the “Order Invoice-Agent Tesla Keylogger” template based on this threat, and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

Update March 5, 2020: FireEye provided the following statement after reviewing our blog post: “As a member of the research community, FireEye extensively tracks campaigns targeting SaaS providers and end users in order to keep up with new adversary techniques. The company first saw this OneNote campaign on January 20th, 2020 and quickly deployed temporary protections. By February 7th, FireEye had added a new OneNote detection capability to FireEye Email Security, a service that is capable of preventing the attacks referenced in this blog post, in addition to new OneNote-based campaigns.”

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.