Threat Actors Subscribe To Patches

Cofense Intelligence™ has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld. The patching subscription model may be a burden to some enterprise environments, but its underworld equivalent is a significant boon to law enforcement and network defenders. Personnel tasked with combating nefarious software can leverage the patching and licensing mechanisms of subscription-based malware to track down distributors.

The Reasons Behind The Model 

Much like with legitimate software, threat actors decide what malware to buy based on several factors, including the reviews, price, type (such as a keylogger or a Remote Access Tool (RAT)), developer, and marketing. However, to make money in this competitive environment, malware developers need to take different approaches, such as:

  • Sell the product for much less than similar malware. 
  • Give the product away. While this strategy may appear to be a good deal, malware developers have been known to include a back door enabling them to steal their “customer’s” stolen data.  
  • Base the new malware on a pre-existing and well-known malware, such as WSH RAT. As discussed in a previous Cofense™ report, the developers of this RAT billed it as a “new” RAT with advanced features and offered it at a starting subscription price of only $50 per month. However, in reality, WSH RAT wasn’t new at all and was a variant of the pre-existing and long-lived Houdini Worm with some minor feature improvements.
  • Focus on spending heavily on marketing. While concentrating on marketing can be profitable, it is likely the reason that some malware perceived as the “next big threat” disappears shortly after making headlines – probably because the budget was spent mainly on marketing rather than development.  

Possibly taking a lesson from legitimate software companies and the frequent failure of the options mentioned above, more and more malware developers have started to adopt the patching subscription model. This model allows them to take the middle road, charging relatively smaller subscriptions (in the case of Alpha Keylogger, $13 per month) while claiming to deliver more and being able to delay feature release.  

The glut of available products, however, often leads malware developers to over-promise on features, for which they must then include at least a basic test or example in their code. Expedited or rushed releases of the software lead to buggy code, in turn hurting the credibility of malware authors. For instance, Alpha Keylogger claims to have a suite of features including the ability to exfiltrate data over email, FTP, or via the API of the messaging company Telegram. In practice, customers (threat actors) can choose FTP or email, and the keylogger will still attempt to exfiltrate information via the Telegram API even when the configuration data is blank. This attempt creates a distinct and apparent HTTPS request on infected machines that does not successfully exfiltrate data and can be used to help identify this malware in network traffic.

Why Network Defenders Like Updates 

The “bug” in Alpha Keylogger that causes extraneous network traffic could allow network defenders to look for such malformed URLs as signs of malicious activity despite the involvement of a legitimate domain. Even intentional updates on the part of malware developers can assist network defenders. An example of this is when the Geodo/Emotet botnet began distributing a new module. The nature of this deployment allowed Cofense to correctly assess and prepare for the delivery of more sophisticated phishing emails. If the changes had been made by a new family of malware rather than as part of an update that Cofense was looking for, it would have been more challenging to prepare. 
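One way to hunt for the blank-configuration Telegram request described in the two sections above, as an added example that is not Cofense's code or rule. It assumes a TLS-inspecting proxy that logs full URLs, and that a blank configuration produces a Bot API URL (public layout: https://api.telegram.org/bot<token>/<method>) with an empty token or chat_id; the exact request is not given on this page, and the log lines and host names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Loose shape of a Bot API token: numeric bot id, colon, long secret.
# (Assumption: deliberately permissive so real tokens are never flagged.)
TOKEN_RE = re.compile(r"^\d+:[A-Za-z0-9_-]{30,}$")


def telegram_anomalies(url):
    """Return None if url is not a Bot API call, otherwise a list of
    anomalies (an empty list means the request looks well-formed)."""
    parts = urlsplit(url)
    if (parts.hostname or "") != "api.telegram.org":
        return None
    if not parts.path.startswith("/bot"):
        return None
    token, _, method = parts.path[len("/bot"):].partition("/")
    anomalies = []
    if not token:
        anomalies.append("blank bot token")
    elif not TOKEN_RE.match(token):
        anomalies.append("malformed bot token")
    if not method:
        anomalies.append("missing API method")
    query = parse_qs(parts.query, keep_blank_values=True)
    if "chat_id" in query and not query["chat_id"][0].strip():
        anomalies.append("blank chat_id")
    return anomalies


# Constructed proxy log lines: timestamp, source host, verb, URL, status.
SAMPLE_LOG = """\
2019-07-01T09:14:02Z ws-0142 POST https://api.telegram.org/bot/sendDocument?chat_id= 404
2019-07-01T09:14:07Z ws-0142 POST https://api.telegram.org/bot/sendDocument?chat_id= 404
2019-07-01T09:20:31Z ws-0077 POST https://api.telegram.org/bot123456789:AAExampleTokenExampleTokenExample0000/sendMessage?chat_id=42 200
2019-07-01T09:21:00Z ws-0077 GET https://telegram.org/ 200
""".splitlines()


def hunt(lines):
    """Group anomalous Bot API requests by the workstation that sent them."""
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # not a line in the assumed format
        ts, src, _verb, url, _status = fields[:5]
        anomalies = telegram_anomalies(url)
        if anomalies:  # None (not Telegram) and [] (well-formed) are skipped
            hits[src].append((ts, anomalies))
    return dict(hits)


if __name__ == "__main__":
    for src, events in hunt(SAMPLE_LOG).items():
        for ts, anomalies in events:
            print(src, ts, ", ".join(anomalies))
```

Well-formed Bot API traffic is left alone, so the check still works where Telegram bots are in legitimate use.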

Why Law Enforcement Likes Licensing 

The bugs and hints provided via malware updates are helpful to network defenders, but the licensing system behind these updates can be even more useful to law enforcement. Many RATs store the license key of the individual that purchased the malware builder as a registry entry on infected computers. Depending on the method used to obtain this license key, the payment information may be associated with the key even if it is not directly associated with the individual who purchased the key. Subsequently, a receipt of some sort may be sent to an account that is accessed by the threat actor who bought the license key. Under the right circumstances, a license key saved as a registry entry on a victim’s computer could be linked with a receipt in a threat actor’s inbox, attributing them to the attack. Law enforcement organizations could then build a case using this link and additional information, such as the IP address used to access the inbox.

Applicability In Enterprise Environments 

Organizations with enterprise-scale infrastructure often encounter “shadow IT” software or malware applications that can be difficult to spot and eradicate. The licensing mechanisms found in subscription-based malware—to include potential receipts in email—can be used by threat hunters to identify insider threats. Organizations impacted by malware akin to Alpha Keylogger can weed out further infections by leveraging incident response tools and YARA rules (such as the ones provided by Cofense Intelligence™) which inspect registry keys. Furthermore, the potential for attribution and legal action against a threat actor through license tracking provides large corporations with enhanced defensive capabilities.

Table 1: Malware Artifacts 

Filename  MD5 
Company Profile.doc  b46396f32742da9162300efc1820abb3 
bukak.exe  3ceb85bcd9d123fc0d75aefade801568 

 

Table 2: Network IOCs 

IOC 
biz[@]Bootglobal[.]com 
kamonubilel[@]gmail[.]com 
hxxp://ktkingtiger[.]com/bukak[.]exe 

 

 

HOW COFENSE CAN HELP 

Cofense Intelligence processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats. 

The Cofense Phishing Defense Center™ identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMe™. It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker™.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

By Karen Kokiko

The holy grail of phishing defense is now within your grasp. Cofense Vision™ now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response.

Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here.

Fast and Flexible Searching

Traditional email search and quarantine tools are slow and inflexible, offering limited search scope like ‘Sender’ and ‘Subject.’ It’s difficult to find the entire attack fast enough and account for the way tactics, techniques, and procedures morph.

The Cofense Vision user interface allows SOC analysts to search by combinations of fields, grouping emails together by selected criteria. You can search for recipients, senders, MIME type, attachments, a specific time, and more, essentially creating your own cluster. Then quarantine one or hundreds of malicious emails with a simple click. If you later determine that emails are harmless, you can “un-quarantine” them just as easily.

Built for Companies of All Sizes

The new Cofense Vision UI supports smaller customers who don’t have engineering teams or power users to write scripts and code. You can simply search natively and quarantine quickly. An hour after installation, analysts are ready to defend.

For example, an end-user at a small business sends a suspicious email to IT for investigation. IT determines it is malicious and wants to find out if anyone else received it. With the new Cofense Vision UI, they can search on key criteria found in the malicious email to determine if more than one instance of the message is in their environment, then quarantine it in seconds.

If your company is larger, the interface improves the experience of power users and operators who are writing scripts or otherwise programmatically interacting with Cofense Vision. Proactive analysts, those with some information about where and how the bad guys are likely to attack, can use the UI to identify and quarantine malicious actors before any damage is done. SOC analysts can write rules to look for signs of malicious activity, searching criteria such as To, From, Subject, Attachment Hash, and the content of the message.

All of this shortens “dwell time” and the amount of damage an attacker can cause in your email environment. According to a SANS Institute survey, 75 percent of respondents say they reduced their attack surface through more threat hunting. Fifty-nine percent believed that threat-hunting enhanced the speed and accuracy of their company’s incident response.1

The new Cofense Vision UI makes threat-hunting faster, easier, and more effective. Learn more or sign up for a demo now!

More Ways Cofense Can Help

90% of phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Then reduce exposure time by rapidly quarantining threats with Cofense Vision.

Be proactive against evolving phishing threats. Easily consume high-fidelity phishing-specific threat intelligence to defend your organisation with Cofense Intelligence™.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. Understand the current phishing threat – read the 2019 Phishing Threat & Malware Review.

 

1 SANS Institute, “2018 Threat Hunting Survey”: https://www.sans.org/media/analyst-program/Multi-Sponsor-Survey-2018-Threat-Hunting-Survey.pdf

  


Under the Radar – Phishing Using QR Codes to Evade URL Analysis

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics.

In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place.

Fast forward to this week where our Phishing Defense Center™ stopped a phishing campaign aimed at customers in Finance. The analysis below outlines the attacker’s use of a URL encoded in a QR code to evade the above-named technologies.  While you’ve probably seen QR codes in your everyday life, this might be the first time you are seeing QR codes used as a phishing tactic.

The Phish:

The email itself is relatively simple. It poses as a pseudo SharePoint email with the subject line: “Review Important Document”. The message body invites the victim to: “Scan Bar Code To View Document”. The only other visible content is a tantalizing QR code that a curious user may be tempted to scan.

Figure 1, Email Body

The message body in plain text consists of several basic HTML elements for styling and an embedded .gif image file of the QR code. Very basic, but very effective.

When the QR code is decoded we can see that it contains a phishing URL: hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-college/Sharepoint/sharepoint/index.php

Most smartphone QR code scanner apps will instantly redirect the user to the malicious website via the phone’s native browser. In this case the victim would be redirected to a SharePoint branded phishing site. The victim is then confronted with options to sign in with AOL, Microsoft, or “Other” account services. While this sounds like a simple phish, there is a more nefarious tactic in play: removing the user from the security of a corporate business network.

Figure 2, Phishing site

Standard Security Controls Circumvented:

By enticing the victim to pull out their smartphone and scan the QR code the attacker manages to evade standard corporate security controls. Secure email gateways, link protection services, sandboxes, and web content filters no longer matter because the user is now interacting with the phishing site in their own security space: their mobile phone. And yes, the phishing site is optimized for mobile viewing. Here’s a glance at what the site looks like on a smartphone:

Figure 3, Phishing page viewed on phone

Though the user may now be using their personal device to access the phish, they are still in the “corporate” mindset as the original email was received at their business email address. Therefore, it is highly likely that the victim would input their corporate account credentials to attempt to access this “document”. 
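A triage heuristic for the pattern described above, as an added example that is not Cofense's detection logic: it flags a message that carries an image and a "scan the code" prompt but gives URL scanners nothing to wrap or analyze. The addresses, HTML bodies and placeholder image bytes are constructed, and decoding the image itself (the stronger check) would need an image library that is not used here.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

SCAN_PROMPT = re.compile(r"\bscan\b.{0,40}?\b(?:qr|bar)\s*code\b", re.I | re.S)
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)


class BodyScan(HTMLParser):
    """Collects what a URL scanner could see: hrefs, visible text, <img> count."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text, self.img_tags = [], [], 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "area") and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        elif tag == "img":
            self.img_tags += 1

    def handle_data(self, data):
        self.text.append(data)


def triage(raw_message):
    """Return counts plus a 'suspect' flag for image-plus-prompt, no-URL mail."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    scan, image_parts = BodyScan(), 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            scan.feed(part.get_content())
        elif ctype == "text/plain":
            scan.text.append(part.get_content())
        elif part.get_content_maintype() == "image":
            image_parts += 1
    visible = " ".join(scan.text + [str(msg["Subject"] or "")])
    urls = [h for h in scan.hrefs if URL_RE.match(h)] + URL_RE.findall(visible)
    result = {
        "images": max(scan.img_tags, image_parts),
        "scannable_urls": len(urls),
        "scan_prompt": bool(SCAN_PROMPT.search(visible)),
    }
    result["suspect"] = (
        result["images"] > 0
        and result["scannable_urls"] == 0
        and result["scan_prompt"]
    )
    return result


def build_message(subject, html, image=True):
    """Build a constructed test message (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "sharepoint@sender.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = subject
    msg.set_content(html, subtype="html")
    if image:
        # Placeholder bytes, not a real QR image: this check never decodes it.
        msg.add_related(b"GIF89a" + b"\x00" * 16,
                        maintype="image", subtype="gif", cid="<qr>")
    return msg.as_bytes()


# Constructed samples: the lure uses the subject and wording quoted above.
LURE = build_message(
    "Review Important Document",
    '<html><body><h3>Scan Bar Code To View Document</h3>'
    '<img src="cid:qr"></body></html>')
NEWSLETTER = build_message(
    "Monthly update",
    '<html><body><p>Scan the QR code or follow the link.</p>'
    '<a href="https://intranet.corp.example/news">Read more</a>'
    '<img src="cid:qr"></body></html>')
CHART = build_message(
    "Quarterly chart",
    '<html><body><p>Chart attached.</p><img src="cid:qr"></body></html>')

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("newsletter", NEWSLETTER), ("chart", CHART)):
        print(name, triage(raw))
```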

Gateway Evasion:

This attack was observed passing through an environment utilizing Symantec Messaging Gateway. When scanned, the message was deemed “Not spam” by the system as seen in Fig 4 below.

Figure 4, Email Header Snippet

Conclusion:

In the past QR codes were reserved for geeks on the bleeding edge of technology. Today we interact with QR codes more and more as we cut the cord on cable, set up home internet devices, transact cryptocurrencies, etc. Will QR codes be a common phishing tactic of the future? Time will tell. But THIS phishing attack that snuck past best-in-class phishing technologies was only stopped by an informed, in-tune human, who reported it with Cofense Reporter™, so that their security teams could stop it.

Today over 90% of phishing threats observed by the Cofense Phishing Defense Center™ bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter.

 


Phishing Attacks on High Street Target Major Retailer

By Jake Longden

The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scams[i]; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year.

With the goal of stealing your store credit card and login information, here’s how it works:


Fig 1. Email Body

Email Body:

The message itself follows a standard phishing template to inform the user that their account has been restricted and that user sign in is required for verification. The use of bad grammar and typos are a dead giveaway that this email communication is not genuine.

Message body in plain text:

In reviewing the body of the email, we see the hyperlink for “Sign into your account” which directs the potential victim to: hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/

The attacker repeatedly used the string of the legitimate Argos site in the URL, both as part of the subdomains, and as a subdirectory. This was an attempt to mask the true source, and to lure the victim into trusting the legitimacy of the website.

Upon examination, we see that the link is wrapped by a URL filtering service.

href="hxxps://clicktime[.]symantec[.]com/3AuyExDNpRSjkQbgT2gXygH6H2?u=hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/" target="_blank" rel="noopener"><span class="ox-dad7652f0e-m_609589041267919212link-blue ox-dad7652f0e-m_609589041267919212MsoHyperlink ox-dad7652f0e-m_609589041267919212MsoHyperlinkFollowed">SIGN
INTO YOUR ACCOUNT

Fig 2. Email Body in Plain Text
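The check an analyst performs by eye on this link, as an added example that is not Cofense's tooling: peel the rewriting wrapper through its u= parameter (as seen in the href above), then test whether the real host is under the brand's domain or only contains it. The function names are hypothetical; the URLs are the ones quoted on this page, kept defanged and refanged only for parsing.

```python
from urllib.parse import urlsplit, parse_qs

# Rewriting services to peel; only the one seen in the href above is listed.
WRAPPER_HOSTS = {"clicktime.symantec.com"}


def refang(text):
    """Undo report-style defanging (hxxp, [.], [@]) for parsing only."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")


def unwrap(url, max_depth=3):
    """Follow ?u=<original URL> through known wrappers, a few levels at most."""
    for _ in range(max_depth):
        parts = urlsplit(url)
        if (parts.hostname or "") not in WRAPPER_HOSTS:
            break
        inner = parse_qs(parts.query).get("u")
        if not inner or not inner[0].lower().startswith(("http://", "https://")):
            break
        url = inner[0]
    return url


def under(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def brand_check(url, brand_domain):
    """Report where the brand string appears when the host is NOT the brand's."""
    final = unwrap(refang(url))
    parts = urlsplit(final)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if not under(host, brand_domain):
        # Substring match on purpose: also catches look-alikes of the brand.
        if brand_domain in host:
            findings.append("brand domain used as subdomain labels")
        if brand_domain in parts.path.lower():
            findings.append("brand domain repeated in path")
    return {"host": host, "under_brand": under(host, brand_domain),
            "findings": findings}


# URLs quoted on this page, defanged as published.
WRAPPED = ("hxxps://clicktime[.]symantec[.]com/3AuyExDNpRSjkQbgT2gXygH6H2"
           "?u=hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com"
           "/www[.]argos[.]co[.]uk/account-login/")
LEGIT = "https://www.argos.co.uk/help/argos-card/apply"

if __name__ == "__main__":
    for label, url in (("wrapped link", WRAPPED), ("legitimate page", LEGIT)):
        print(label, brand_check(url, "argos.co.uk"))
```

The suffix test in under() is what matters: a plain "contains argos.co.uk" check passes the phishing host.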

 

Email Headers:

Analysis of the headers indicates that the “from” address is spoofed; the “reply to” field contains the address ‘no-reply[@]creativenepal[.]org’, which does not match ‘no-replays[@]multitravel.wisata-islam[.]com’.

Research on the ‘multitravel.wisata-islam’ domain failed to produce relevant data and reinforces the suspicion that the address is spoofed. At the time of analysis, we were unable to resolve an IP address, or load the domain.

From: <no-replays[@]multitravel[.]wisata-islam[.]com>
To: <xxxx.xxxxxx@xxxxxx.com>
Subject: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make sure
 you complete the form correctly.
Thread-Topic: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make
 sure you complete the form correctly.
Thread-Index: AQHVIXUk7CjiCOKjHEyntcvh4etMFg==
Date: Wed, 12 Jun 2019 23:18:17 +0000
Message-ID: <7d885f411da93272271ec8ad32e5064b@localhost.localdomain>
Reply-To: <“:no-reply”[@]creativenepal[.]org>

Fig 3. Email Headers

Phishing Page:

Once the user clicks on the “Sign into your account” hyperlink, they are redirected to a convincing imitation of the true Argos login page requesting the victims’ Username and Password.

This then leads the user to a second page, where the user is requested to supply details for their Argos store credit card account. This page follows the standard format for regular credit/debit cards with one key difference: the additional request for a ‘Card Amount’. This request is specific to the Argos Card as referenced in the copy: “The Argos Card lets you shop at Argos, with flexible payment plans that give you longer to pay” (see: https://www.argos.co.uk/help/argos-card/apply). This deviates from standard forms by asking the user for their credit limit.

 

 

Fig 4. Phishing Page

Gateway Evasion:

This campaign has been observed to pass through the ‘Symantec Messaging Gateway’.

We can see the influence of the Email gateway which injected ‘Warning Suspected Spam’ headers to the Subject Line and incorrectly presented this phish as a benign marketing email, and not a phishing attempt.

Conclusion:

To help protect against this type of credential phish, Cofense PhishMe™ offers a template called “Account Limitation.”

This credential phish eluded gateways and was actually mis-identified as harmless marketing spam. In fact 75% of threats reported to the Cofense Phishing Defense Center are Credential Phish. Protect the keys to your kingdom – condition end users to be resilient to Credential Harvesting attacks with Cofense PhishMe.

 


[i] Google Search “Argos Data Breach 2018”

John Podesta’s Phish Foreshadows Doom for 2020

If you haven’t read the Mueller Report, spoiler alert: the phish that netted the Clinton campaign was not sophisticated. As you may know, neither was the campaign’s phishing defense (understatement). All of which spells probable doom for the 2020 presidential candidates, despite the news that campaigns have looked at offers, some free, from cyber-security firms.

SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond

In the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving.

“What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.”

The best part of helping her set that device password was watching her millennial daughters return to the store and try to guess the password – listening to their theories on creation was most amusing.

Following are 5 ways you can protect YOUR small business from phishing and other cyber threats.

  1. Train Your Employees!

A majority of small businesses have fewer than 50 employees. Ensure your staff are trained on the basics of cybersecurity for their roles. There are a number of free (YES really free!) resources available online to provide the basics: phishing, passwords, internet browsing and data protection.

The number one threat that will impact your business is phishing. Start with the simple actions. Teach employees to diligently check links – hover to see the real destination. If they did click on that link, do they have someone to tell? What if it took them to a website asking for their username and password?  If there’s an attachment, did it come from a trusted sender – if so, were they expecting to receive that invoice or resume file?

In June this year, the FBI issued a warning about the dramatic increase in business email compromise (BEC), which results in financial loss for the business targeted. The BEC scam is a simple email from a fraudster masquerading as a legitimate business executive asking for funds to be wired. These messages are typically targeted to individuals in the organization that process invoices or payments.

With a small staff, it’s not always easy to build your processes to include segregation of duties. But having controls in place related to handing out funds will not only save you on insider theft, it will also reduce the potential wire fraud from a random email spoofing your email address to your finance team. If your business does become a victim, the FBI encourages you to report the incident.

Remember the Target breach? The malicious actors started with sending a phishing email to the HVAC maintenance technician – a small business.

  2. Get Cyber Insurance.

You have an insurance policy on your car to protect you if you’re in an accident. You purchase liability insurance to cover your risk, should you encounter an unforeseen disruption in your business. In order to protect your business from a security incident that could result in a data breach or business disruption, you should invest in a cybersecurity insurance policy.

  3. Invest in IT/Cybersecurity Services

Enlisting the help of your teenage nephew is great for setting up your new phone or laptop, but that’s not the best solution to support your growing business. There are plenty of managed service providers to contract support for your technology and cybersecurity needs. Tap into your local small business networks or professional sharing networks for recommendations.

  4. Protect your Online Business Accounts

I put it in the cloud! The cloud service offerings today are far more readily available and robust than even five years ago. Entering your credit card info to purchase a piece of the cloud is easy, but make sure you know what you’re putting where. Keeping an inventory of these services, along with the type of data you’re storing, is important if the service experiences a breach or an outage.

While it might be easy to use that same username and password across all your accounts, it only takes one data breach to put all these services at risk. Get a password vault to manage these accounts.

  5. Protect your Social Media Accounts

As a small business owner, your number one “go to” place for your marketing campaign is social media. Managing these accounts is critical to protecting your online identity. Who has access to post on your behalf? Limit who has access to the account. Review your profile settings to ensure you have the highest level of security enabled. If the provider allows you to enable two-factor authentication – ENABLE IT!

Learn what two-factor authentication is and how to enable it at https://www.lockdownyourlogin.org/

YOU can do this – small steps can make a BIG difference!

Whether your family business was handed down to you through generations, or you’re a new start up, or a nonprofit, small city, county, or community organization – you have intellectual property or personal data that you need to protect. And you have employees that need to take actions to support your business.

You built your business to live your dream; don’t let a malicious actor take that away from you! As you grow your business, make sure you grow your cybersecurity capabilities right along with it.

Hey! I know I’ve never talked to you before – but can you send some money – QUICK!

Business Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes lots of money, to a bank account. The FBI reports that BEC scams hit businesses to the tune of $12.5 billion annually.

What makes BEC campaigns different?

In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching the organization, identifying execs whose high-priority messages would make employees respond ASAP.

Though this type of threat is fairly new in the phishing landscape, it is very successful. Actors have been able to make off with millions of dollars, using networks of mules to move the money back to the mothership.

In recent months, there has been a shift in the type of currency requested—gift cards. They’re easy to obtain and, if requested in smaller amounts, can go unnoticed but still add up. Researchers have also been doing their work, hunting these criminal groups with much success. Last summer the FBI announced the arrest of 74 fraudsters, all related to BEC. When an organization realizes it’s been hit with a BEC attack, it can reach out to the FBI, which will work with financial institutions to block the transfer of funds.

What can you do? A few tips.

I remember a few years back when this threat started to surface. I couldn’t help but think back to my days in finance and IT compliance, with a focus on Sarbanes-Oxley, and think about the controls breakdown BEC triggers. Here are some ways to KEEP control.

First and foremost, train your employees to be on the lookout for these types of messages. Secondly, implement controls within your payment process to require a secondary signature for release of funds. When I worked in the treasury department for a retail chain, there were many days I would have to walk to the Controller’s or CFO’s office to get a REAL signature on a check greater than $50,000 or a request for a direct wire. Also, look to the gateway controls and implement DMARC/DKIM as discussed in our previous blog post.

There is another control that is starting to become a best practice—tagging external messages in the subject line or message body and letting your employees know the message originated outside the organization. This tag is helpful in spotting BEC messages. Many times, executives or high value targets are reading their messages on mobile devices. The mail client on these devices doesn’t display the fully qualified email address, making it difficult to assess the validity of the message sender.

A BEC sample:

The importance of tagging for viewing on a mobile device – mail client vs mobile:

If your organization becomes the victim of a BEC scam, report it quickly to help the authorities stop the funds from going through. Reporting also provides law enforcement with more information about the threat actor, which further helps to fight these crimes.

Learn more about phishing threats and protection in the Cofense State of Phishing Defense report.

 


When You Unsubscribe to these Emails, You ‘Subscribe’ to the Loda RAT

CISO Summary

It’s critical that anti-phishing programs reflect the latest threats. Cofense Intelligence™ has recently observed a phishing campaign that illustrates why. It entices users to download a malicious document from a seemingly legitimate source, an insurance company whose roots go back to 1896. Through a complex chain of abuse, including the exploitation of a legit subdomain hosted by Microsoft, this threat is capable of tricking users unfamiliar with wrinkles like multiple links to the same source and malicious “unsubscribe” links. If successful, the attack activates the Loda Remote Access Trojan, underscoring the importance of educating users to stop phishing emails.

Full Details

Cofense Intelligence recently observed a campaign that used convincing emails to entice recipients into downloading a malicious document from a seemingly legitimate source. These attention-grabbing emails contained multiple links to the same source, which was hosted on a subdomain of the legitimate Microsoft-owned domain azurewebsites[.]net. This source URL downloaded a Microsoft Word document that abused an object relationship to then download and open an RTF document. The RTF document abused CVE-2017-11882 to download the multi-functional Loda Remote Access Trojan. By taking advantage of users’ assumption that unsubscribe links are legitimate, along with their trust in verification, threat actors were able to craft a campaign capable of fooling even users with basic security awareness training.

What a Deal…

The emails used in this campaign have several attributes that give the appearance of legitimacy. The first email, the top of which is shown in Figure 1, impersonates Fidelity Life and claims to offer a good deal on life insurance.

Figure 1: Body of the email spoofing Fidelity

In this email, the only actual text present is the unsubscribe information at the bottom of the email shown in Figure 2.

Figure 2: Unsubscribe section of the email spoofing Fidelity

The top three paragraphs in Figure 2 are in fact an image, while the bottom paragraph (with a pointer hovering over it) is searchable text that appears to have been added by the threat actor. The entire image shown in Figure 1 is a clickable link leading to the same URL as the unsubscribe link, hxxps://onlinefinances[.]azurewebsites[.]net/mowgli/fidelity_insurance[.]docx.

Verification Passed

If users who have been trained to be suspicious of links were to first visit the website by typing the URL into an internet browser and looking at the webpage information, they would see the information shown in Figure 3.

If users are particularly security conscious, they might even look up the domain on a website with tools that check for legitimacy. However, this would likely give them the same information as what is shown in Figure 3, because most tools will check the root domain, in this case azurewebsites[.]net, which is a completely legitimate domain owned by Microsoft. The only easily recognized indicator of malicious content is the prompt when a file is downloaded from an unsubscribe link.

Double Interest

The second email, shown in Figure 4, pretends to be a relatively benign “news” email from the company Livenlonpro about a new Amazon policy.

Figure 4: Body of the email spoofing Livenlonpro

In this case, all links and images download a file from hxxps://onlinefinances[.]azurewebsites[.]net/mowgli/Amazon_Cancelled_order[.]docx. With this approach, any user who attempts to unsubscribe from what appears to be a spam email will instead download malware. Although differently named, the downloaded file is the same for both emails.
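The traits described in "Verification Passed" and "Double Interest" can be checked mechanically on a reported email. The following is an added example, not Cofense code: it flags a body whose links all share one target, a host on a shared-hosting suffix where the parent domain's reputation does not apply, and an unsubscribe link that points at a document. The suffix list, the finding names and the sample email (with a placeholder host and path) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: illustrative list of suffixes where each subdomain is a tenant's.
SHARED_HOSTING_SUFFIXES = ("azurewebsites.net",)
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".rtf")

# Constructed sample email body; the host and path are placeholders.
SAMPLE_EMAIL = """
<a href="https://tenant-example.azurewebsites.net/dir/offer.docx"><img src="cid:banner"></a>
<p>To stop receiving these emails,
<a href="https://tenant-example.azurewebsites.net/dir/offer.docx">unsubscribe here</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def triage_links(html):
    """Return the sorted list of findings for one HTML email body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = set()
    if len(collector.links) > 1 and len({h for h, _ in collector.links}) == 1:
        findings.add("all-links-same-target")
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        # Reputation must be judged per host here, not per parent domain.
        if any(host.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES):
            findings.add("tenant-controlled-subdomain:" + host)
        if "unsubscribe" in text.lower() and parts.path.lower().endswith(DOCUMENT_EXTENSIONS):
            findings.add("unsubscribe-link-downloads-document")
    return sorted(findings)
```

Calling `triage_links(SAMPLE_EMAIL)` returns all three findings; an ordinary newsletter with distinct links to its own site returns an empty list.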

Actual Goal

Once the file is downloaded and opened, it attempts to use an object relationship to download a document that abuses CVE-2017-11882 which, in turn, downloads the multi-functional Loda malware. Loda is capable of acting stealthily to download additional malware or provide the threat actor with full remote access to the victim’s computer.

Direct Importance

Attacks such as this demonstrate threat actors’ ability to adapt to changing circumstances and training methods. Organizations often focus employee training on the philosophy “don’t click suspicious links or open attachments.” While usually effective, this method can fall prey to creative threat actors. Using a training method that encourages employees to think critically can help protect organizations by avoiding situations where employees make assumptions about the nature of a link and act accordingly.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense™ Threat Alerts.

 


DMARC Is NOT a Fail-Safe Defense against Phishing Attacks

DMARC, or Domain-based Message Authentication, Reporting & Conformance, is an email authentication, policy and reporting protocol. It was conceived to prevent impersonation-based phishing attacks, but it doesn’t protect you 100%. Let’s examine why.

What DMARC Can Do

DMARC builds on the existing and widely deployed SPF and DKIM protocols. All mechanisms to protect the email infrastructure we so heavily rely upon should be gratefully received, but as with everything, the benefits and limitations should be fully understood. It is this understanding that allows us to optimize our defenses against the perpetual menace of phishing attacks.

DMARC holds the most promise for helping organisations defend against Business Email Compromise (BEC) type attacks, because successful impersonation can be essential to them. As a result, DMARC should be evaluated as a mitigating control for these types of attacks, protecting both outbound and inbound email.

DMARC aims to get email senders and receivers working together in a standardized, coordinated way to determine whether a given email is legitimately from the sender—and the actions to be taken if it isn’t.

Therefore, if alice@sender.com sends an email to bob@receiver.com, appropriate DMARC policies can help remove the guesswork and answer the question “Has this email really been sent by alice@sender.com?”. By protecting their messages with SPF and DKIM, and using DMARC, sender.com can tell receiver.com what to do if these authentication methods fail, for example, reject the message.

What DMARC CAN’T Do

It all sounds good, but what if the email comes from alice@sendr.com, or alice@sencler.com—does DMARC help then? Unfortunately not. What about if the message is sent by alice@sendr.com, but the display name in the From: field has been modified to look like it comes from alice@sender.com—does DMARC keep Bob safe? No again.

While display-name abuse and adjacent-domain abuse are well recognized, there’s another growing phishing tactic that neutralizes DMARC completely. DMARC has capabilities to validate the sender’s authenticity, but it has no capability to validate the authenticity of the email content.
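The alice@sender.com cases above can be worked through in code. This is an added example, not part of the original post or of any DMARC library: `dmarc_pass` models relaxed alignment only, and `residual_checks` covers the two things DMARC leaves to the reader. The function names, the two-label organizational-domain shortcut, the distance threshold and the four sample messages are assumptions.

```python
from email.utils import parseaddr


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels; real
    # DMARC implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_pass(from_header, spf_domain, spf_ok, dkim_domain, dkim_ok):
    """Relaxed alignment: SPF or DKIM must pass for a domain that shares the
    From: header's organizational domain."""
    from_org = org_domain(parseaddr(from_header)[1].rpartition("@")[2])
    spf_aligned = spf_ok and org_domain(spf_domain) == from_org
    dkim_aligned = dkim_ok and org_domain(dkim_domain) == from_org
    return spf_aligned or dkim_aligned


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def residual_checks(from_header, trusted_domains, max_distance=2):
    """Checks DMARC does not perform: lookalike sender domains and display
    names that show a trusted address the message was not sent from."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for trusted in trusted_domains:
        if domain == trusted:
            continue
        if edit_distance(domain, trusted) <= max_distance:
            findings.append("lookalike-domain:" + trusted)
        if "@" + trusted in display.lower():
            findings.append("display-name-shows:" + trusted)
    return findings


# Constructed messages: (From: header, SPF domain, SPF ok, DKIM d=, DKIM ok).
GENUINE = ("Alice <alice@sender.com>", "sender.com", True, "sender.com", True)
FORGED = ("Alice <alice@sender.com>", "mailer.example", True, "mailer.example", True)
LOOKALIKE = ("Alice <alice@sencler.com>", "sencler.com", True, "sencler.com", True)
DISPLAY = ('"alice@sender.com" <alice@sendr.com>', "sendr.com", True, "sendr.com", True)
```

Only `FORGED` fails DMARC. `LOOKALIKE` and `DISPLAY` pass because the attacker authenticates the domain they actually control, and it is `residual_checks` that flags them.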

Recently, the Cofense™ Phishing Defense Center has seen a significant rise in Man-in-the-Inbox style attacks. These attacks typically occur when user credentials have been compromised and are used to gain access to the compromised user’s mailbox and send malicious emails. These emails might be sent internally (no DMARC there…) or to a trusted third-party (DMARC might be configured, but as the message is coming from a legitimate user, SPF and DKIM check out, and the message is delivered…). The recent PDC zombie phish blog post discusses one style of Man-In-The-Inbox attack in more detail.

Given this, it’s important that email teams don’t expect more from DMARC. It’s equally important that security teams ensure that end users are empowered to be “human sensors,” to identify and report emails that look suspicious. Users need to be alert to visual clues, such as adjacent sender domains, peculiar content, or unusual or unexpected emails, even if the emails come from internal senders or trusted third parties.

We all need to remember that real phish are the real problem. This means knowing what real phish look like as they evolve day to day—and not expecting DMARC to do more than it really can.

Want to learn more about the DMARC protocol? Take a look at https://dmarc.org for the juicy details.

 


Uncomfortable Truth #5 about Phishing Defense

Last in a 5-part series. 

In this blog series we’ve explored the Uncomfortable Truths about phishing defense that relate to the problem of over-relying on technology to keep us safe. We’ve also seen how empowered users can give Security Operations teams desperately needed visibility into phishing threats. This leads us to our fifth and final Uncomfortable Truth:  

Most organizations are unable to effectively respond to phishing attacks.  

Before you get offended and say “Hey, that doesn’t apply to me, our SOC is awesome,” stick with me on this. The reasons for ineffective phishing incident response are many and varied, but in my experience, tend to fall into one of two buckets: 

  1. Not enough time 
  2. Not enough experience/understanding

Not enough time  

This is already well understood. SOC teams are perpetually spinning multiple plates, trying to make sense of the stream of data they are presented with from an abundance of tools. This problem can be compounded when users are empowered and enabled to report suspicious emails. The Cofense™ Phishing Defense Center (PDC) sees differing reporting volumes across the customers who use us for phishing email analysis. While reported mail volumes differ, they tend to fall within common low and high watermarks – equivalent to around 10% and 35% of users reporting at least one email per month.

For every 1,000 users, that’s the SOC having to consume and analyze between 100 and 350 reported emails per month. The PDC also observes that 1 in 7 of the emails reported to us contain malicious content. Therefore, 6 out of 7 are false positives, or noise. The largely unstructured nature of these reported emails and the sheer volume of noise can make analysis a thankless task that gets de-focused in favour of other more immediate priorities.  

Not enough experience/understanding 

Effective phishing email analysis is much harder than many people imagine. One of the biggest issues that organizations face is the risk of false-negative results, post-analysis. These false negatives occur when a reported phishing email is considered to be benign, and is returned to the reporting user with a message that says, “Thanks for reporting, this email was found to be safe.” The subsequent click delivers a missed payload and compromise occurs.  

To remain razor sharp in your analysis skills, you have to maintain an understanding of the constantly evolving threat landscape and threat actor TTPs. All too often, I see organizations relying on an already overburdened service desk to perform initial, or complete, analysis of reported phishing emails. Without adequate skills, they rely on tools such as VirusTotal to tell them whether something is bad or not. However, as useful as these tools are for information and context, they should never be considered a source of absolute truth.   

Effective phishing analysis and response 

Simply sending a file or URL to a sandbox or checking online threat analysis tools and databases is not good enough. SOC teams and threat analysts must be able to consume reports of suspicious emails from users and turn them into actionable intelligence quickly.  

This means they must be able to prioritize what is being reported to cut through the noise of false positives, such as legitimate marketing or internal emails, and automatically understand risk based on:

  • The attributes of the email content and any attachments.
  • The status of the user reporting the email (are they high-risk employees with access to sensitive information or processes?).
  • The reputation of the user (have they demonstrated an ability to identify and report suspicious emails in the past? This is essential to help prioritize zero-day threats).
  • Information from third-party threat analysis tools, which helps build a fuller picture.

Once a threat is analyzed and understood, SOC teams need to be able to quickly hunt for the threat within all user mailboxes and quarantine it when found. In addition, they must be able to communicate IOCs to other teams, such as those responsible for proxies, mail gateways, and endpoint security tools, to take further defensive or mitigating actions. Finally, they must close the loop by providing timely feedback to users to encourage further reporting behavior, thus supporting awareness activities. 

The Cofense Phishing Defense Center can help.  

For organizations who still struggle to devote the time to phishing email analysis, but who recognize the need to regain visibility of threats that bypass perimeter controls, the Cofense Phishing Defense Center can help. Operating 24×7, the PDC is staffed by experienced phishing threat analysts to handle all elements of analysis of reported emails.   

Supported by Cofense Research and Intelligence teams, the PDC is able to utilize, as needed, an array of proprietary, open source, and commercial threat analysis tools. Benefitting from a global perspective of threats across all PDC customers, our analysts are able to maintain the most up-to-date understanding of evolving phishing threat actor tactics, along with techniques for capturing all IOCs, even when automated approaches fail.

Once threats have been identified, actionable intelligence is passed to customer teams. By utilizing the PDC, organizations can focus their resource-constrained SOC teams on mitigation and proactive protection, versus phishing email analysis. Learn more about the Cofense Phishing Defense Center here. 

 
