Phishers Continue to Spoof WebEx

By Kaleb Kirk, Cofense Phishing Defense Center

Last month, the Cofense Phishing Defense Center (PDC) observed a new phishing trend wherein threat actors spoofed WebEx pages to harvest Office365 (O365) credentials. Since the posting of the original blog, the PDC has seen an increase in the number of similarly themed WebEx phishing attacks, yet another example of attackers leveraging the rapid shift to remote work in light of COVID-19 concerns. As many organizations and their workforce are increasingly dependent on remote working tools and solutions, reducing the attack surface (the number of different approaches a threat actor can use to enter or extract data) of such online platforms and services is becoming even more critical.

Attackers know this and are constantly looking at ways to circumvent detection by secure email gateways and position themselves between users and legitimate services. The WebEx phishing campaign is a prime example, slipping past email protection to dupe users into providing their credentials out of fear they will be unable to use the service and perform their job otherwise.  It’s therefore not a surprise the PDC has seen an increase in phishing attacks that spoof legitimate, business critical services.

While this blog focuses on a new phishing campaign imitating WebEx, this style of attack can and has taken multiple forms, mimicking many different legitimate web services. Luckily however, once an end user knows some of the telltale signs,  it’s often easy to identify what is truly legitimate and what is fake.

Figures 1-2: Email Body

Upon an initial glance, this email may appear innocuous enough. It has the look and format one would likely expect when receiving an email from Cisco. The style is professional, the layout of the email isn’t mangled or chaotic, and it appears legitimate – an intentional and easy tactic to pull off. All the threat actor required was a real WebEx email to copy from in order to duplicate the style and alter select elements for nefarious purposes. The sender address appears to come from WebEx. However, this is what is known as the “friendly” from address – while the recipient sees the displaying address, which appears to be authentic, the email headers reveal a very different story. The problem with a “friendly” sender address is that it is easily spoofed by attackers; it’s a well-known, simple trick designed to convince the recipient that an email is legitimate.

Looking beyond simple aesthetics, however, other indicators of phishing are evident. The subject line indicates there is an issue with SSL certificates that requires the user to sign in and resolve. This is referenced further in the body of the email, providing a sense of legitimacy and enticing them to open the email and read it.

The wording of the email also employs scare tactics that are prevalent in phishing attacks. The recipient is informed there is a problem that has caused their service to become deactivated and the user must log-in and authenticate by clicking the link. Verbiage like this is often used to coerce the end user into clicking on a link or attachment in haste before they have time to fully think it through – a key tactic used by threat actors in phishing campaigns.

Finally, the link itself reveals something else is fishy about this alert. Hovering over the button shows the embedded link is not, in fact, a WebEx page, but a SendGrid link, a legitimate customer communication service used by marketing professionals. SendGrid links are commonly used in phishing attacks, as they require minimal effort.

Figure 3: Phishing Page, Step 1

Upon clicking the SendGrid link, the user is redirected to a phishing page, as seen in Figure 3. The only difference between a legitimate WebEx login page and this phishing page is the URL itself, suggesting the attacker conducted some form of web scraping to create an intentionally benign looking and familiar login page for the end user. Web scraping, essentially, is the practice of using a tool to automatically copy data from a website and create a convincing copy.

Figure 4: Phishing Page, Step 2

Deception quickly falls apart when reviewing the URL, however; while designed to look like the actual URL, there actually isn’t a portion that includes ‘webex.com’. The numerous dashes, coupled with one very long word followed by ‘index.php’ is not reflective of a professional link, suggesting the phishing URL was registered to appear legitimate at first glance. While phishers commonly make a valiant effort for their pages to look legitimate, looking at the address bar generally reveals if it’s legitimate. Misspelling, similar looking words and strange top-level domains are common tricks used by attackers to guile end users for just long enough to not question it.

While the initial phishing page only requests the user’s email address, the following page then changes URLs from “index.php” to “step2.php” and asks for the user’s password- this is another indicator the site is not legitimate, as the specific internals of which php file is being invoked for this webpage would be usually be hidden to the user.

Figure 5: Final redirect to official WebEx login page

As the final stage of attack, when the user enters their credentials on the page shown in Figure 5 above, the user is then redirected to WebEx’s real sign-in page. At this point, the malicious actor now has the user’s credentials, but it is in their best interest to ensure the user is unaware that a successful credential phishing attack occurred, giving the threat actors time to make use of newly stolen log-in details. The final redirect to WebEx’s legitimate log-in page may make the end user believe there was a log-in error and they need to log-in again. A common theme in a many phishing attacks is appealing to and preying on the feeling that nothing is amiss and there is nothing to question about the experience. In the meantime, threat actors gain precious time to do damage while the end user moves on with his or her workday.

Figure 6: Open Directory

A final interesting finding about this phishing campaign is the main domain itself, which reveals an open directory. This open directory shows the files included in the phishing page: images, fonts, .css files, and more. Although finding this directory was easy, it isn’t necessary to hide it, as most end users will only go through to login rather investigating into the internals of the site. However, it must be noted no professional website allows access to its file directories in this way. If reached, it is an almost sure-fire way of immediately identifying a phish.

Network IOC IP
hXXps://cert-ssl-global-prod-webmeetings[.]com/da4njy=/idb/saml/jsp/index[.]php 137[.]135[.]110[.]140

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Staff Members’ Inbox Positive for Coronavirus Themed Phish

By Ashley Tran, Cofense Phishing Defense Center

From prime ministers, members of congress to celebrities and staff of nursing homes — many have been affected by COVID-19. And the worst part? Threat actors know this and are heavily weaponizing this pandemic, exploiting the fears and concerns of users everywhere. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in environments protected by Microsoft and Symantec that not only impersonates a company’s management but also suggests that a fellow employee has tested positive for the disease, urging users to read an enclosed malicious attachment posed as “guidelines” or “next steps.”

As we have seen before and noted in previous Cofense blogs and media stories, Coronavirus themed phishing attacks are running rampant and attacking users across all industries. Although the attacks vary in method, the main takeaway is the same: all users must exercise the utmost caution and restraint in the face of emotionally jarring emails.

Figures 1-3: Email Bodies

The PDC has found multiple instances of this attack and a trend among them all. As demonstrated in Figures 1-3, the email subject lines are relatively similar: “Staff Member Confirmed COVID 19 Positive ID,” followed by a random string of numbers and that day’s date. The emotion these subject lines evoke in users are also the same: fear and curiosity. Emails appearing to be a “Team Update on COVID 19” and bearing their company’s name can convince end users to believe the email was sent internally. However, the true senders are revealed via the return paths:

Maga[@]tus[.]tusdns[.]com and ungrez[@]ssd7[@]linuxpl[.]com

Admittedly these emails would appear suspicious to most, but the threat actor is relying on the emotional subject line to overcome logic and push users to read just the first line of the sender information and nothing more.

The bodies of the emails have more variety and are worded differently, but the same main point: a fellow employee has the virus, so read this guideline we’ve attached to get more details or at least learn the “next steps” to take. To top it off the email is signed by “Management.”

The true part of this attack lies within the HTML file found in the email.

Figure 4 shows that the attachment has been detected as malicious by a multitude of services, however users won’t see this when they read the email.

Figure 4: VirusTotal Analysis

Figure 5: Phishing Page

Upon opening the attachment users are presented with a generic Microsoft login page, a frequently targeted brand. The difference with this phish, however, is the threat actor has superimposed the login box over a blurred document that may appear to users as the previously mentioned “guidelines” lending an even greater sense of legitimacy.

The email of the recipient is automatically appended to the username field via code in the HTML. In fact, the threat actor has painstakingly put the base64 for each of the recipient’s email addresses, which is then translated to a readable format when interacting with the phish. This snippet of code can be observed in Figure 6.

Figure 6: Email Bodies

Once a user navigates to the next page and inputs their password, the information is then sent to the compromised site:

hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423

This exchange of information can be viewed by opening developer tools on any browser and navigating to the networking tab as shown in Figure 7.

Figure 7: Phishing Page

The code found within the HTML file that hosts the phishing content employs typical malicious tactics. For example, as seen in Figure 8, the code does not look like a typical HTML code. This is because the threat actor has attempted to obfuscate their code, to make analysis as well as detection harder. However, this is nothing new for phishing campaigns that choose to utilize a HTML file. De-obfuscating the code and revealing some its methods is not difficult.

Figure 8: Obfuscated Code

To begin, the code is notably broken into different parts. Each of these parts may stand out to anyone with an eye for encoding as being Hex text and base64. These both can easily be decoded back into their original form, the true HTML code, by utilizing tools such as RapidTables and Base64 Decode.

Figure 9: De-obfuscated Code

After de-obfuscating the code, the true HTML is seen in Figure 9, revealing the threat actor has compromised, or at the very least utilized, a compromised site to host the style sheet for their phish:

hxxp://ibuykenya[.]com/vendor/doctrine/styles[.]css

Figure 10: Open Directory with Phish Resource Files

The following is the directory which the threat actor has used to store the style sheet for the phish, along with what appears to be two additional files, based on their last modified dates.

Within the code, the image seen in the background of the document can also be recovered. The image is hosted on ImgBB, yet another relatively benign image hosting site to which threat actors flock to host images for their attacks.

hxxps://i[.]ibb[.]co/dMcjCWC/image[.]png

Figure 11: Document Preview from Phish

Upon closer observation, the title of the document can be obtained. With a quick search, the image the threat actor has used to further legitimize this login page in the eyes of the user can be linked back to the legitimate document found in Figure 12.

Figure 12: Legitimate Document Utilized by Threat Actor

All these steps – the social engineering, the obfuscated code, use of official COVID health advisories and more-are designed to ensure users don’t detect the phishing attack is in progress. This phish also demonstrates the attacker’s need to employ layered techniques designed to avoid detection by email gateways, as well as the incident responder’s need for the right investigative tools to properly analyze, detect and quarantine this threat.

Network IOC  IP
hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423 150[.]60[.]156[.]116

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns. (edited) 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 3, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.   

The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint, which were detected by humans, analyzed with Triage, and quarantined by Vision.  

TYPE: Credential Theft 

DESCRIPTION: Phishing campaign spoofs the South African Revenue Service delivering embedded links to an illegitimate banking site established to steal credentials. 

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing campaign related to N95 masks delivering embedded links leading to a website established to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Quote Request-themed phishing campaign redirecting the victim to a Microsoft OneDrive page that led to a website established to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Purchase Order-themed phishing campaign redirecting the victim to a Dropbox page that led to a website established to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Invoice-themed phishing campaign delivering embedded links that lead to a website established to steal Outlook login credentials.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing campaign delivering an embedded link to a Microsoft SharePoint-hosted OneNote document that leads to a website established to steal Office365 credentials.

TYPE: Malware – Banload

DESCRIPTION: Finance-themed phishing campaign delivering an embedded link to a Microsoft OneDrive-hosted .zip archive containing Banload malware.

TYPE: Credential Theft 

DESCRIPTION: Finance-themed phishing campaign delivering a .htm file crafted to look like an online document and prompting for email credentials to confirm the victim is not a robot.

TYPE: Malware – QakBot

DESCRIPTION: Response-themed phishing campaign delivering embedded links to VBS scripts that download the QakBot banking trojan.

TYPE: Credential Theft 

DESCRIPTION: Information-themed phishing campaign delivering embedded links to Google-hosted pages leading the victim to a page established to steal Office365 credentials.

TYPE: Malware – NanoCore

DESCRIPTION: Document-themed phishing campaign delivering embedded links to Microsoft OneDrive-hosted pages hosting GuLoader, which downloads the NanoCore Remote Access Trojan from Google Drive.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing campaign spoofing a construction design and build organization delivering embedded Microsoft OneNote links that lead to a website crafted to steal email credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack.

We typically find 1 out of 7 employee-reported emails to be malicious.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Targeted Attack Uses Fake EE Email to Deceive Users

By Kian Mahdavi and Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has discovered a spear-phishing campaign designed to defraud corporate executives’ payment details by spoofing EE, a well-known UK-based telecommunications and internet service provider.  These spear phishing messages were reported to the Cofense PDC by end users whose email environments are protected by Microsoft 365 EOP and Symantec. This new, targeted campaign shows that while exploiting well-known telecommunications brands is nothing new, such phishing emails continue to go undetected by popular email gateways designed to protect end users, leading to possible theft of prized corporate credentials

Figure 1: Email Body

Threat actors sent a targeted email to a few executives, including one at a leading financial firm, with the subject line reading ‘View Bill – Error’ from a purchased top-level domain (moniquemoll[.]nl). These details in and of themselves may raise red flags to eagle-eyed recipients, as EE’s trademarked name isn’t included in any part of the full email address.

The malicious URL inserted within the text is:

hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo

The vague email indicates ‘we’re working to get this fixed’. At no point does the email give an indication what this error is. As we read on, the second hyperlink states ‘view billing to make sure your account details are correct’ to entice the recipient to click the phishing link.

The threat actor fails to include the correct registered office address, evident towards the bottom of the email. Once the threat actor’s social engineering does the trick and the user clicks one of the links, they are redirected to a phishing page.

Noted in Figure 2 below is the trusted HTTPS protocol (also displayed as the green padlock) within the URL, giving false hope to the user that network traffic is being encrypted, ensuring all data transferred between the browser and website is secure and not being eavesdropped on.

However, the threat actor even went to the trouble of obtaining SSL certificates for the domain to further gain end users’ trust. In fact, it has become much easier for site owners, including fraudsters, to obtain these certificates.

Figures 2 and 3: First and second phishing pages

The peculiar aspect is the message in which the threat actor included: ‘You will not be charged’ to reassure recipients and trick them into providing their payment information.  The user is then automatically redirected to the legitimate EE website, as displayed below in Figure 4, to avoid suspicion. This is a common tactic to make the user believe the session timed out or their password was mistyped.

Figure 4: Legitimate Redirect Login Page

At the time of writing, the phishing page is still live and active. To further validate the analysis of the investigation, we decided to input some fake credentials, allowing us to verify the transmitted TCP requests and redirects to the fraudster’s domain at hXXps://kbimperial[.]com/data[.]php.

Figure 5: TCP Retransmission Packets

Indicators of Compromise:

Network IOC IP
hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/
hXXps://kbimperial[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/logins
hXXps://kbimperial[.]com/data[.]php?
104[.]31[.]82[.]7
104[.]31[.]83[.]7
35[.]208[.]71[.]62

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

This Phish Uses Skype to Target Surging Remote Workers

By Harsh Patel

The Cofense Phishing Defense Center (PDC) recently unearthed a new phishing campaign spoofing Skype, the popular video calling platform that has seen a recent spike in use amid the need to keep employees connected as they work remotely. This phishing attack was found in email environments protected by Proofpoint and Microsoft 365 EOP, landing in end-users’ inboxes.

With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures. We recently uncovered an interesting Skype phishing email that an end user reported to the PDC.

Figures 1 and 2: Email Body

For this attack, the threat actor created an email that looks eerily similar to a legitimate pending notification coming from Skype. The threat actor tries to spoof a convincing Skype phone number and email address in the form of 67519-81987[@]skype.[REDACTED EMAIL]. While the sender address may appear legitimate at first glance, the real sender can be found in the return-path displayed as “sent from,” which also happens to be an external compromised account. Although there are many ways to exploit a compromised account, for this phishing campaign the threat actor chose to use it to send out even more phishing campaigns masquerading as a trusted colleague or friend.

It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.

Upon clicking ‘Review’ users will be redirected via an app.link:

hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5

Finally, to the end phishing page:

hxxps://skype-online0345[.]web[.]app

The threat actor has chosen to utilize a .app top-level domain to host their attack. This TLD is backed by Google to help app developers securely share their apps. A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case. The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.

Figure 3: Phishing Page

Clicking the link in the email, the user is shown an impersonation of the Skype login page. If a well-trained user inspects the URL, they will see that the URL contains the word Skype (hxxps://skype-online0345[.]web[.]app). To add even further sense of authenticity, the threat actor adds the recipient’s company logo to the login box as well as a disclaimer at the bottom warning this page is for “authorized use” of that company’s users only. The username is auto-filled due to the URL containing the base64 of the target email address, thus adding simplicity to the phishing page and leaving little room for doubt. The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor.

 

Network IOCs
hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
hxxps://skype-online0345[.]web[.]app

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Available Today: The Cofense Intelligence Q1 2020 Phishing Review

By Mollie MacDougall, Cofense Intelligence

Today, Cofense Intelligence released its Q1 2020 Phishing Review. This report highlights key phishing trends uncovered by Cofense Intelligence analysts, who spend every day analyzing current phishing campaigns and producing actionable phishing intelligence. This intelligence keeps our customers proactively defended against emerging phishing tactics, techniques and procedures (TTPs). Our analysts focus on campaigns that reach enterprise user inboxes, and report on the TTPs designed to evade secure email gateways (SEGs) and other network defense technology.

Report Highlights

The first quarter of 2020 began with a continued seasonal lull in malware volume and ended with a drastic spike in the quarter’s last six weeks, as the COVID-19 virus evolved from emerging crisis to global pandemic. While Emotet volume overall was lower than expected, phishing campaigns leveraging COVID-19 and remote work themes surged in March 2020.

Figure 1: Credential phishing campaign that leveraged COVID-19

While the widespread use of ransomware has not returned to its peak, Cofense Intelligence analyzed targeted ransomware campaigns using themes that leveraged the global pandemic. Ransomware operators have also upped the ante on several campaigns, combining ransomware infection with a data breach and releasing sensitive data if ransom is not paid. This strategy has garnered a great deal of attention in recent headlines, as it further extorts organizations who are prepared to recover from ransomware campaigns and otherwise would not pay off their attackers.

Several campaigns discovered by Cofense Intelligence last quarter used trusted sources to evade perimeter defenses. Organizations rely on trusted platforms and services to conduct efficient business operations, and threat actors are eager to abuse these trusted services to compromise users. Cofense Intelligence has analyzed multiple campaigns that have used trusted sources as a part of the infection chain. These sources include, but are not limited to, cloud services, customer/employee engagement surveys, and third-party connections.

Read our Q1 2020 Phishing Review for more detailed trends identified by Cofense Intelligence and to see our phishing predictions for the  months ahead. Spoiler alert: phishing campaigns are likely to increasingly focus on the upcoming United States general election as well as the global pandemic and the work and lifestyle shifts it has precipitated. We also assess that ransomware campaigns will very likely continue to increase. Finally, we predict that Emotet will again resume phishing campaigns in Q2.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

By: Kian Mahdavi, Cofense Phishing Defense Center

With the escalation of COVID-19, organizations are rapidly adjusting as they move their workforce to work from home; it’s no surprise that threat actors have followed suit. Over the past few weeks, the Cofense Phishing Defense Center (PDC) has observed a notable uptick in phishing campaigns that exploit the widely used Microsoft Sway application to steal organizational credentials and to host phishing websites. Sway is a free application from Microsoft that allows employees to generate documents such as newsletters and presentations and is commonly used by professionals to conduct their regular day to day work tasks.

In a new campaign, threat actors send emails with subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access.’

Figure 1: Email body

The sender in Figure 1 claims to come from ‘Human Resources.’ Closer inspection, however, reveals the actual sender’s address – a purchased domain address ‘chuckanderson.com’ with no association to the HR team or the organization’s official mailing address.  The attack includes carefully thought out trigger words, such as ‘expected’ and ‘selection/approval,’ language that often trips up employees who are accustomed to receiving occasional emails from their local HR team, especially during this pandemic. Should users hover over the link within the email, however, they would see ‘mimecast.com’ along with ‘office.com,’ potentially and mistakenly deeming these URL(s) as non-suspicious.

By using trusted sources such as Sway to deliver malware or steal corporate credentials, such campaigns often evade Secure Email Gateways (SEGs) thanks to the trusted domains, SSL certificates and URL(s) used within the email headers.

Figure 2: Cofense PDC Triage flagging the known malicious URL

Numerous employees across a variety of departments within the same company received and reported this email to the Cofense PDC, with each email consistently redirecting users to similar Sway URLs.  These URLs were already known by our Cofense Triage solution and were identified as malicious, providing valuable context for our PDC analysts when they commenced their investigation.

As previously discussed, as legitimate domains and URLs were used, these campaigns remained undetected for longer periods of time, likely leading to a higher number of compromised account credentials. On the other hand, malicious content hosted on purpose-built phishing sites usually gets flagged much quicker, taken down earlier, and therefore leading to a much shorter ‘time to live’ period. In short, this attack was easy to execute, required minimal skill, and remained undetected by security technologies.

Figure 3: Virus Total URL Analysis  

Upon conducting a web search using reliable threat intelligence feeds, as shown above in Figure 3, the authenticity of URLs can be verified against trusted security vendors that have recently detected the attack, flagging them as ‘malicious/phishing’. Displayed in the top right-hand side of Figure 3 is the timestamp revealing the latest known update from a security vendor.

Figure 4: First phase of phishing page

Awaiting the user is the bait on a generic looking page, a ‘BEGIN ENROLLMENT’ button and once clicked, redirects to a document hosted on SharePoint as seen below in Figure 5.

Figure 5: Second phase of phishing page

Once employees enter their credentials and hit the ‘Submit’ button, their log-in information is sent to the threat actor – the end user is none the wiser that they have been successfully phished.

As employees have rapidly shifted to remote working, threat actors have started to look at ways they capitalize on the COVID-19 pandemic to spoof new corporate policies and legitimate collaboration tools to harvest valuable corporate credentials, a trend we anticipate will only continue to gain steam in the foreseeable future.

Indicators of Compromise:

First Hosted URL IP Address
hXXps://sway[.]office[.]com/5CgSZtOqeHrKSKYS?ref=Link 52[.]109[.]12[.]51

 

Second Hosted URL IP Address
hXXps://netorgft6234871my[.]sharepoint[.]com/:x:/r/personal/enable_payservicecenter_com/_layouts/15/WopiFrame[.]aspx 13[.]107[.]136[.]9

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

New Phishing Campaign Spoofs WebEx to Target Remote Workers

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center  (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch. In the midst of the COVID-19 pandemic, millions of people are working from home using a multitude of online platforms and software. Attackers, of course, know this and are exploiting trusted brands like WebEx to deliver malicious emails to users.

Targeting users of teleconferencing brands is nothing new. But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue be an increase in remote work phishing in the months to come.

Here’s how this campaign works:

Figure 1: Email Body

For this attack, the threat actor sends an email with varying subject lines such as “Critical Update” or “Alert!” from the spoofed address “meetings[@]webex[.]com”. With the subject and mail content combined, this may gauge users’ curiosity enough to entice them click in order to take the requested action.

The email then explains there is a vulnerability the user must patch or risk allowing an unauthenticated user to install a “Docker container with high privileges on the system.” In this scenario, the threat actor has spoofed a legitimate business service and explained a problem with their software, prompting even non-technical readers to read further. The threat actor even links to a legitimate write-up for the vulnerability, found at the URL embedded into the text ‘CVE-2016-9223:

hxxps://cve[.]mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2016-9223

The linked article uses the same words as the email, lending further credibility.

The only thing for a responsible user to do next is follow the instructions in the email and update their Desktop App, right?

Even if more cautious users hover over the ‘Join’ button before clicking, they could still very well believe it’s legitimate. The URL embedded behind it is:

hxxps://globalpagee-prod-webex[.]com/signin

While the legitimate Cisco WebEx URL is:

hxxps://globalpage-prod[.]webex[.]com/signin

At a first glance, both URLs look eerily similar. A closer look, however, reveals an extra ‘e’ is added to ‘globalpage.’ Likewise, instead of ‘prod.webex’, the malicious link is ‘prod-webex’.

To carry out this attack, the threat actor registered a fraudulent domain through Public Domain Registry just days before sending out the credential phishing email.

The attacker has even gone as far as obtaining a SSL certificate for their fraudulent domain to gain further trust from end users. While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of its URL that renders the email legitimate the eyes of many users.

Figure 2:  Initial Phishing Page

The phishing page to which users are redirected is identical to the legitimate Cisco WebEx login page; visually there is no difference. Behavior-wise, there is a deviation between the real site and the fraudulent page. When email addresses are typed into the real Cisco page, the entries are checked to verify if there are associated accounts. With this phishing page, however, any email formatted entry takes the recipient to the next page where they then requested to enter their password.

Figure 3: Secondary Phishing Page

Once credentials are provided, users are redirected to the official Cisco website to download WebEx, which may be enough to convince most users it is a legitimate login process to update their WebEx app.

Figure 4: Legitimate Redirect Page – Official Cisco WebEx Download Page

At the time of writing, this fraudulent domain is still live and active. In fact, when navigating to the main domain, there is an open directory showing files the threat actor has utilized with this attack.

Figure 5: Open Directory

Files of interest include ‘sign-in%3fsurl=https%[…]’ and ‘out.php’.

The file ‘sign-in%3fsurl=https%[…]’ is the phishing page itself. When users click from this directory, they are redirected to the fraudulent WebEx login (Figure 3).

Figure 6: ‘out.php’ File

The ‘out.php’ file, seen in Figure 6, is the mailer the threat actor appears to have used to send this attack to users’ inboxes. The threat actor can manually input any subject they want – in this case, they chose “Critical Update!!”, adding the HTML for the email to the box below and designating an email list to which they wish to mass send this campaign.

With many organizations quickly adopting remote working policies, threat actors are poised to continue to spoof brands that facilitate virtual collaboration and communication, such as teleconferencing tools and cloud solutions.

Indicators of Compromise:

Network IOC IP
hxxps://globalpagee-prod-webex[.]com/signin 192[.]185[.]214[.]109

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolves. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 37308 and received YARA rule PM_Intel_CredPhish_37308. Cofense Intelligence customers who would like to keep up with the Active Threat Reports and indicators being published, all COVID-19 campaigns are tagged with the “Pandemic” search tag.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Coronavirus-Themed Phish Continue to Surge

By Max Gannon

Since our reporting on Coronavirus-themed phishing campaigns began, Cofense Intelligence has seen them surge, along with associated malware families. As more enterprises and government entities mandate remote work, threat actors stand to gain from using “work from home” or “Coronavirus” themed phishing emails. We recently explored this in a Flash Alert and Strategic Analysis that Cofense Intelligence customers received, highlighting the impersonation of trusted brands like Google Drive in complex campaigns and offering mitigation steps.

Primary Observed Trends

Over the past month, Cofense Intelligence has identified the following trends prevalent in COVID-19 themed phishing campaigns. Credential phishing campaigns have been the most common, though we have seen several malware families delivered as well.

Most Common Delivery Mechanisms:

  • Attached spreadsheet or Word document delivering a second-stage malware executable
  • Attached archived executable
  • Embedded URLs delivering ransomware
  • Office macros
  • CVE-2017-11882
      • Auto-IT Dropper (which exploits CVE-2017-1882)

 

Malware Delivered:

·       Agent Tesla Keylogger ·       Ave_Maria Stealer ·       Black RAT ·       FormGrabber
·       Hakbit Ransomware ·       Hawkeye Keylogger ·       KPOT Stealer ·       Lime RAT
·       Loki Bot ·       NanoCore ·       Nemty Ransomware ·       Pony
·       Remcos RAT ·       SalityBot ·       TrickBot

 

Commonly Spoofed Organization Types:

  • World Health Organization
  • Centers for Disease Control
  • Other global/regional health organizations
  • Health related non-profits/medical associations
  • Federal, State and Local Departments of Health/Ministries of Health
  • Transportation companies
  • Shipping companies

Many COVID-19 phishing templates have been more convincing than your average phish. In one example, seen in Figure 1 below, threat actors hosted the logo of the spoofed organization on Google Drive and added an additional threat at the end of the email: a whopping $1,000 fine if the supposedly attached forms to approve travel outside of the home are not filled out by the recipient. The attachment delivers the information stealer KPOT via a VBS script to AutoIT dropper. The dropper uses legitimate Windows utilities to disguise its actions.

Figure 1: Coronavirus-Themed Email Delivers Complex Chain

Phishing Threat Landscape Future Changes

Coronavirus themes have predictably grown in popularity and will almost certainly continue to do so. These phishing campaigns are also likely going to adapt over time to incorporate related work from home, teleconference or videoconference invites or notices, government refund, unemployment filing, and online ordering themes. Some threat actors have already begun to do this, as shown in Figure 2, where threat actors used a “Work Remotely Enrollment (Action Required)” subject, spoofing internal Human Resources to deliver links to credential phishing pages hosted on Microsoft SharePoint. Additional  Coronavirus phishing email examples that evade email gateways are available on the Cofense Coronavirus Phishing Information Center. This center is continually updated with campaigns identified by Cofense Intelligence, and the related IOCs are sent to our customers daily.

Figure 2: Example Email with Coronavirus “Work From Home” Related Theme

If COVID-19 continues to affect business operations, it is likely this will affect the phishing threat landscape more broadly. While many organizations continue to maintain some operations, there are likely to be some longer-term shifts in normal business communications.  For example, an email about an office party or an in-person meeting is more likely to make employees suspicious than it would have previously.

These kinds of changes will also likely extend to our personal lives as well in the “stay home” era. An email about new concert tickets or in-store sales will likely raise a red flag. Simply causing individuals to pause for a few extra seconds because something seems suspicious may not seem particularly monumental. However, when users briefly break out of their ordinary mindsets, they gain the opportunity to report a link rather than click a link—a key component of effective phishing reporting programs. Although, as noted above, threat actors will almost certainly adapt as well in their phishing templates.

As Coronavirus continues to affect everyone, there will likely be a significant shift in the phishing threat landscape for the most common malware and phishing themes, even excluding specifically Coronavirus-related themes. Although there has been a massive shift to remote work, some organizations have minimal remote operations infrastructure. In order to operate, they have no choice but to allow some users to connect to infrastructure with a lowered accepted standard of security. Organizational responses to suspicious network or user behavior may also be complicated due to these changes. Previously, such incidents of suspicious network or user behavior could be dealt with by physically quarantining the computer and quickly supplying a replacement as incident response teams investigate the issue. Currently, this may not be possible if the only way the employee can contact work-related support is via their potentially compromised computer. More laborious responses may delay investigations and mitigations.

These kinds of scenarios are what makes it ever more important for organizations to ensure phishing prevention is as much a focus as post-compromise detection. Incident response and mitigation will certainly be more difficult as long as workforces need to remain dispersed.

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Coronavirus Redefines the Phishing Threat Landscape

By Aaron Riley

Cofense Intelligence has seen a stark increase in phishing email campaigns relating to the COVID-19 pandemic that spoof trusted health services to deliver credential phishing or malware. Credential phishing makes up the majority of the campaigns analyzed, with the minority ranging from simple to complex delivery chain and malware samples. With some companies quickly adopting work-from-home (WFH) policies, threat actors are poised to take advantage of the newly created security gaps by playing on pandemic fears. The potential impact of these phishing campaigns, along with the current economic uncertainty, can be devastating to an organization.

As soon as threat actors began weaponizing this crisis in phishing emails, Cofense Intelligence published a Flash Alert reporting that the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) were spoofed in a Coronavirus-themed phishing campaign to deliver the Agent Tesla keylogger. Since that alert, we have seen an increase in phishing campaigns that spoof organizations in aviation and other transportation industries.

Coronavirus-themed campaigns that deliver malware are starting to evolve in complexity as well. For example, the Agent Tesla keylogger campaign mentioned above was delivered via an email attachment, which would have been blocked by sandbox analysis. In comparison, the most recent campaign used a Microsoft Office Word document with the CVE-2017-11882 exploit, which delivered an AutoIT dropper that placed five different malware family samples onto the endpoint: Remcos RAT, Black RAT, Ave_Maria Stealer, Lime RAT, and Sality Bot. All five of these payloads are designed to steal information and provide persistent control to a threat operator, and only one needs to be successful in its attempts to compromise the machine.

Most organizations are not set up to have all employees work from home. As these organizations attempt to quickly develop their WFH business requirements, they might overlook security. An organization’s most reliable and hardened security features are typically within its physical facility and do not extend much beyond that domain. These security features include, but are not limited to, Network Access Control (NAC), content filtering, Data Loss Prevention (DLP), eavesdropping / Machine In The Middle (MITM) prevention, and update/patch management. With some of these security features effectively “bypassed” for the attacker in a WFH situation, organizations face an increased risk that a phishing campaign will impact them. A malicious incident or event could go unnoticed by overburdened IT administration and security teams for longer than normal periods.

Most of the newly created risk can be mitigated. Network Access Control can be done with a software agent on each endpoint attempting to connect to the organization. The agent communicates to an authoritative entity to prove the machine has the organization’s trusted certificate to connect to the internal network, is up to date with antivirus definitions, and is fully patched to the organization’s requirements. Mandatory network tunneling for the endpoint can mitigate the lack of content filtering, network DLP, and MITM security measures. A Virtual Private Network (VPN) connection to the enterprise network, which forces the network traffic through its egress and ingress points, will help cover the risk created by WFH employees—as long as employees do not reintroduce the vulnerability by turning off the VPN. These measures are effective but require resources and time to implement, which some organizations might find challenging while rapidly rolling out WFH.

Organizations need to educate their employees about the risk of Coronavirus-themed phishing attacks and, at the same time, ensure that employees do not dismiss legitimate information. Creating phishing simulation templates around the Coronavirus theme is not advised. Doing so could cause undue panic or add unnecessary noise. Instead, organizations should describe what to look for in Coronavirus phishing attempts and then explain how legitimate information will be communicated.

Cofense Intelligence anticipates the volume of Coronavirus-themed phishing campaigns will continue to increase in the near future and will target specific industry sectors such as healthcare, energy, and public services. These campaigns will make increased use of malware and will spoof a larger number of legitimate businesses. Security teams will need to act quickly to determine new WFH risks and the proper mitigations. Clear, concise communication and education, coupled with secure technology and the right implementation strategies, is the best way to secure the target base of these phishing attacks.

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolves. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

For Cofense Intelligence customers who would like to keep up with the Active Threat Reports and indicators being published, all COVID-19 campaigns are tagged with the “Pandemic” search tag.

Cofense Intelligence customers can also search up to date reports in ThreatHQ using the “Search Tags” field in the Search Form.

Indicators of Compromise
To view the full list of IOCs, click on the menu below to expand further.

36802, 36908, 36937, 36938, 36939, 36940, 36941, 36942, 36943, 36957, 37146, 37148, 37149, 37151, 37152, 37226, 37227, 37228, 37230

PM_Intel_Nemty_37230
PM_Intel_AgentTesla_37227
PM_Intel_AgentTesla_37226
PM_Intel_TrickBot_37151
PM_Intel_AgentTesla_37152
PM_Intel_Loki_37149
PM_Intel_Hawkeye_37148
PM_Intel_Hawkeye_37146
PM_Intel_AgentTesla_36802
PM_Intel_CredPhish_36943
PM_Intel_CredPhish_36942
PM_Intel_CredPhish_36940
PM_Intel_CredPhish_36939
PM_Intel_CredPhish_36938
PM_Intel_CredPhish_36937
PM_Intel_CredPhish_36941
PM_Intel_BlackRAT_36957
PM_Intel_Loki_36908

hxxp://euromopy[.]tech/etty/black/download/fre[.]php
hxxps://drive[.]google[.]com/uc?export=download&id=1V8530tZ-SNHELlaVL4BMQpJrRU2DBPSL
hxxps://gocycle[.]com[.]au/cdcgov/files/
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files/
hxxps://healing-yui223[.]com/cd[.]php
hxxps://onthefx[.]com/cd[.]php
hxxps://www[.]schooluniformtrading[.]com[.]au/cdcgov/files/
hxxp://my[.]pcloud[.]com/publink/show?code=XZO5BWkZjc6l5EBCtnkTYqw2DHqzEBT4LAay
hxxps://takemorilaw[.]com/wp-content/micro-update-1-2/
hxxp://www[.]dogogiaphat[.]com/ecdc[.]php
hxxps://www[.]scholarcave[.]com/owa/owa[.]php
hxxps://jetluxinc396[.]sharepoint[.]com/:b:/g/ERt-r1ZM6PRGhKdxb6bfZSIBcOX2b0y8snN4fg8f7z22rA
hxxps://southhillspros[.]com/citrix/Ward/broward[.]php
hxxps://southhillspros[.]com/Rovince/Jelink[.]html
hxxps://southhillspros[.]com/citrix/Ward/broward[.]htm
hxxps://wusameetings[.]tk/boding/Jelink[.]html
hxxps://noithatgoocchoav[.]com/cd[.]php
hxxps://www[.]brightparcel[.]com/corona/owa[.]php
hxxps://toyswithpizzazz[.]com[.]au/service/coronavirus/
hxxps://notmsg[.]smvm[.]xyz/
hxxp://sevgikresi[.]net/logof[.]gif
hxxp://datalinksol[.]com/logo[.]gif
hxxp://autocarsalonmobil[.]com/wp-content/uploads/Internetsonline[.]txt
hxxp://nlcfoundation[.]org/images/xs[.]jpg
hxxps://pastebin[.]com/raw/vnPLhhBH
hxxp://snsoft[.]host-ed[.]me/images/logos[.]gif
hxxp://edirneli[.]net/tr/logo[.]gif
hxxp://185[.]244[.]30[.]4:6669
hxxp://68[.]168[.]222[.]206/logos[.]gif
hxxp://babystophouse[.]com/images/logo[.]gif
hxxp://glamfromeast[.]com/image/logo[.]gif
hxxp://bit[.]ly/2TpOpNS
hxxp://natufarma[.]net/imagens/logof[.]gif
hxxp://mabdesign[.]unlugar[.]com/button[.]gif
hxxp://gardapalace[.]it/logo[.]gif
hxxp://hidroservbistrita[.]ro/images/logo[.]gif
hxxp://krupoonsak[.]com/logo[.]gif
hxxp://emrahkucukkapdan[.]com/img/button[.]gif
hxxp://onlinepreneur[.]id/license/love[.]exe
hxxp://onlinepreneur[.]id/manager/brain[.]exe
hxxps://site-inspection[.]com/[.]well-known/acme-challenge/w[.]php/9SG2m697HN
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=6350FGwOB6MQS5d7ZcXy
hxxps://114[.]8[.]133[.]71:449/red5/
hxxps://181[.]129[.]104[.]139:449/red5/
hxxps://51[.]89[.]73[.]158:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=lcasCwk4Qjbk8sBCAE8g
hxxps://194[.]5[.]250[.]150:443/red5/
hxxps://186[.]71[.]150[.]23:449/red5/
hxxps://107[.]172[.]191[.]12:443/lib698/
hxxps://46[.]17[.]107[.]65:443/lib698/
hxxps://64[.]44[.]51[.]113:447/red5/
hxxps://181[.]112[.]157[.]42:449/red5/
hxxps://212[.]80[.]217[.]220:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=WjL3jrVFwBBnlQp3xn8K
hxxps://185[.]14[.]31[.]252:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=PzKFqjTUgsVxfN2OL347
hxxps://46[.]4[.]167[.]250:447/lib698/
hxxps://172[.]245[.]156[.]138:443/lib698/
hxxps://180[.]180[.]216[.]177:449/lib698/
hxxps://203[.]176[.]135[.]102:8082/red5/
hxxps://146[.]185[.]253[.]122:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=hNRuyY0glKhPxpDGkhRh
hxxps://146[.]185[.]253[.]178:443/lib698/
hxxps://181[.]140[.]173[.]186:449/red5/
hxxps://36[.]89[.]85[.]103:449/red5/
hxxps://51[.]254[.]164[.]244:443/red5/
hxxps://194[.]5[.]250[.]150:443/lib698/
hxxps://185[.]244[.]39[.]65:447/red5/
hxxps://172[.]245[.]157[.]135:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=Yagk0Foy3wjdzOq6nQcP
hxxps://5[.]2[.]79[.]66:443/lib698/
hxxps://193[.]37[.]213[.]128:443/red5/
hxxps://185[.]99[.]2[.]221:443/lib698/
hxxps://146[.]185[.]253[.]179:447/red5/
hxxps://96[.]9[.]73[.]73:80/lib698/
hxxps://121[.]100[.]19[.]18:449/red5/
hxxps://185[.]99[.]2[.]140:447/lib698/
hxxps://195[.]123[.]239[.]67:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=bpj5AXSdClkWLG84Xv02
hxxps://185[.]62[.]188[.]159:443/lib698/
hxxps://181[.]140[.]173[.]186:449/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=xhyi95QEt2sH7ZGSl5FV
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=rOE8Tr0FuFXfSSUaDO6M
hxxps://146[.]185[.]253[.]122:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=rtvUCSO49CMSm2QTlDcH
hxxps://85[.]204[.]116[.]253:443/lib698/
hxxps://46[.]174[.]235[.]36:449/lib698/
hxxps://119[.]252[.]165[.]75:449/red5/
hxxps://146[.]185[.]253[.]176:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=YJZHjkZ5qSUBheGScz5O
hxxps://178[.]156[.]202[.]157:447/red5/
hxxps://194[.]5[.]250[.]69:443/lib698/
hxxps://146[.]185[.]253[.]178:443/red5/
hxxps://36[.]89[.]85[.]103:449/lib698/
hxxps://185[.]203[.]118[.]37:443/red5/
hxxps://119[.]252[.]165[.]75:449/lib698/
hxxps://4cao4pyxbarkxf4n[.]onion:448/red5/
hxxps://185[.]142[.]99[.]89:443/red5/
hxxps://180[.]180[.]216[.]177:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=GmZr9Sd6TdL9g237BJFd
hxxps://195[.]123[.]239[.]29:447/red5/
hxxps://104[.]168[.]96[.]122:447/red5/
hxxps://46[.]4[.]167[.]250:447/red5/
hxxps://46[.]174[.]235[.]36:449/red5/
hxxps://185[.]14[.]31[.]98:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=MXtg3z4uEXlCKNSMW10E
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1547738007155673&id=pTCpS2vUujsK8z3zXJ0L
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=nZLf5Zn5ckDvobxOozo2
hxxps://5[.]255[.]96[.]187:447/red5/
hxxps://190[.]119[.]180[.]226:8082/red5/
hxxps://185[.]99[.]2[.]221:443/red5/
hxxps://5[.]182[.]210[.]226:443/red5/
hxxps://192[.]210[.]226[.]106:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=1eufomiZKmEvZe8AXaZK
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=SgRoybJA35wuTbDNCEs7
hxxps://5[.]2[.]76[.]29:447/red5/
hxxps://96[.]9[.]77[.]142:80/red5/
hxxps://194[.]5[.]250[.]69:443/red5/
hxxps://85[.]143[.]221[.]183:447/lib698/
hxxps://96[.]9[.]73[.]73:80/red5/
hxxps://195[.]123[.]239[.]67:443/red5/
hxxps://202[.]29[.]215[.]114:449/red5/
hxxps://45[.]135[.]164[.]193:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=HJb3L1X7FaO9MFRM2xJW
hxxps://146[.]185[.]253[.]18:447/lib698/
hxxps://45[.]135[.]164[.]193:447/red5/
hxxps://103[.]94[.]122[.]254:8082/red5/
hxxps://186[.]232[.]91[.]240:449/lib698/
hxxps://96[.]9[.]77[.]142:80/lib698/
hxxps://64[.]44[.]51[.]124:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=UqKF7TJ4pK6nu55Nq5SR
hxxps://51[.]254[.]164[.]244:443/lib698/
hxxps://51[.]89[.]73[.]158:443/red5/
hxxps://23[.]94[.]185[.]27:446/response/rcrd[.]php?s=1584097681876834
hxxps://46[.]17[.]107[.]65:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=YNsg198eIe2CENiLH2Q6
hxxps://103[.]94[.]122[.]254:8082/lib698/
hxxps://85[.]204[.]116[.]253:443/red5/
hxxps://185[.]62[.]188[.]159:443/red5/
hxxps://217[.]12[.]209[.]200:443/red5/
hxxps://192[.]210[.]226[.]106:443/red5/
hxxps://146[.]185[.]219[.]63:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=uOggu83wFMsZgJy2gYXR
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=KTjaFGA6rzAIRhzYpxsn
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=7aybmyzTyxjVkmAgca3q
hxxps://181[.]129[.]134[.]18:449/lib698/
hxxps://103[.]84[.]238[.]3:80/red5/
hxxps://36[.]89[.]106[.]69:80/red5/
hxxps://64[.]44[.]51[.]113:447/lib698/
hxxps://5[.]255[.]96[.]187:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=f2hUQzGxBwEot8ExHJ1m
hxxps://185[.]20[.]185[.]76:443/red5/
hxxps://198[.]23[.]252[.]127:447/lib698/
hxxps://185[.]216[.]35[.]10/3/L2KSUN[.]php
hxxps://146[.]185[.]253[.]18:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=Vs9fOJw0UArIH5NRL2Fi
hxxps://172[.]245[.]156[.]138:443/red5/
hxxps://114[.]8[.]133[.]71:449/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=LcVEiKUW9394wikl1RmW
hxxps://170[.]238[.]117[.]187:8082/lib698/
hxxps://185[.]14[.]31[.]97:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=YCZPUzOj6gGO3b0oxZXp
hxxps://193[.]111[.]62[.]50:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=eVMWyxkROwNbwzrByPGK
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=qVO7FmnWdv3CqlwU53XE
hxxps://5[.]182[.]210[.]226:443/lib698/
hxxps://195[.]123[.]239[.]29:447/lib698/
hxxps://202[.]29[.]215[.]114:449/lib698/
hxxps://181[.]196[.]207[.]202:449/red5/
hxxps://188[.]120[.]242[.]75:447/lib698/
hxxps://85[.]143[.]221[.]183:447/red5/
hxxps://121[.]100[.]19[.]18:449/lib698/
hxxps://186[.]232[.]91[.]240:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=gKmNNEREiPRIKGQp2dmg
hxxps://170[.]238[.]117[.]187:8082/red5/
hxxps://46[.]4[.]167[.]242:447/red5/
hxxps://62[.]109[.]11[.]248:447/lib698/
hxxps://190[.]214[.]13[.]2:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=tN8O8VDbWyHtPRydtWy0
hxxps://198[.]15[.]82[.]162:443/red5/
hxxps://170[.]84[.]78[.]224:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=NlWlLA26RToHt8mTsgOI
hxxps://198[.]23[.]252[.]127:447/red5/
hxxps://185[.]99[.]2[.]140:447/red5/
hxxps://200[.]21[.]51[.]38:449/lib698/
hxxps://104[.]168[.]96[.]122:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=eMimeUZPy76ZHmG1apBW
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=nN2EWQAMeD3cg32aDQtJ
hxxps://188[.]209[.]52[.]162:443/red5/
hxxps://181[.]112[.]157[.]42:449/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=j3x1pd2ADExKICKojgcV
hxxps://186[.]71[.]150[.]23:449/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=IqS9Lp3Qs0uILRwyvocO
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=8ldKgFEC3ev2pLmqqKYu
hxxps://31[.]131[.]21[.]168:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=qAfHjNJAMHs8TCAv8VAY
hxxp://142[.]93[.]22[.]0:80/
hxxps://200[.]21[.]51[.]38:449/red5/
hxxps://5[.]255[.]96[.]186:447/red5/
hxxps://200[.]127[.]121[.]99:449/red5/
hxxps://5[.]2[.]79[.]66:443/red5/
hxxps://185[.]99[.]2[.]137:443/lib698/
hxxps://51[.]254[.]164[.]245:443/red5/
hxxps://185[.]99[.]2[.]137:443/red5/
hxxps://64[.]44[.]51[.]124:447/red5/
hxxps://177[.]74[.]232[.]124:80/red5/
hxxps://200[.]127[.]121[.]99:449/lib698/
hxxps://171[.]100[.]142[.]238:449/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=juhyLxqVBnei6qmSsjZ7
hxxps://178[.]156[.]202[.]157:447/lib698/
hxxps://172[.]245[.]157[.]135:443/lib698/
hxxps://185[.]99[.]2[.]115:443/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=HMucklYySnPDh9NWPo2h
hxxps://217[.]12[.]209[.]200:443/lib698/
hxxps://185[.]244[.]39[.]65:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=gjBKrgh9ZivFEv6OnkVg
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=QKf1HHY4dLUK3t2czTR3
hxxps://31[.]131[.]21[.]168:447/lib698/
hxxps://103[.]84[.]238[.]3:80/lib698/
hxxps://177[.]74[.]232[.]124:80/lib698/
hxxps://203[.]176[.]135[.]102:8082/lib698/
hxxps://181[.]129[.]104[.]139:449/lib698/
hxxps://131[.]161[.]253[.]190:449/lib698/
hxxps://188[.]120[.]242[.]75:447/red5/
hxxps://181[.]196[.]207[.]202:449/lib698/
hxxps://62[.]109[.]11[.]248:447/red5/
hxxps://36[.]89[.]106[.]69:80/lib698/
hxxps://198[.]15[.]82[.]162:443/lib698/
hxxps://181[.]113[.]28[.]146:449/lib698/
hxxps://185[.]14[.]31[.]98:447/red5/
hxxps://185[.]142[.]99[.]89:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=93vdwyq6sh9oBUrUmnzS
hxxps://107[.]172[.]191[.]12:443/red5/
hxxps://185[.]203[.]118[.]37:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=IJgYwiMilRq9dmvYXx5O
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=oViUuJw2ydNIx3h3QEYd
hxxps://46[.]4[.]167[.]242:447/lib698/
hxxps://5[.]2[.]76[.]29:447/lib698/
hxxps://146[.]185[.]219[.]63:443/lib698/
hxxps://190[.]100[.]16[.]210:8082/lib698/
hxxps://23[.]94[.]185[.]27:446/response/rcrd[.]php?s=1547738007155673
hxxps://4cao4pyxbarkxf4n[.]onion:448/lib698/
hxxps://112[.]78[.]164[.]34:8082/lib698/
hxxps://185[.]99[.]2[.]115:443/lib698/
hxxps://45[.]148[.]120[.]153:443/lib698/
hxxps://193[.]37[.]213[.]128:443/lib698/
hxxps://45[.]148[.]120[.]153:443/red5/
hxxps://190[.]214[.]13[.]2:449/lib698/
hxxps://185[.]20[.]185[.]76:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=d4wYKmoNAL4jbXsWnwNP
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=uCQHZmGWTLLlfhfR94Wj
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=kpmcigmW4tIXJAliL5SP
hxxps://5[.]255[.]96[.]186:447/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=9kgyvNnUnLXBHKxfhR76
hxxps://131[.]161[.]253[.]190:449/red5/
hxxps://185[.]14[.]31[.]97:443/lib698/
hxxps://188[.]209[.]52[.]162:443/lib698/
hxxps://185[.]14[.]31[.]252:443/lib698/
hxxps://212[.]80[.]217[.]220:447/red5/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=hhHR67XuY9k7vxRMdwoh
hxxps://193[.]111[.]62[.]50:447/lib698/
hxxps://170[.]84[.]78[.]224:449/lib698/
hxxps://112[.]78[.]164[.]34:8082/red5/
hxxps://181[.]129[.]134[.]18:449/red5/
hxxps://146[.]185[.]253[.]179:447/lib698/
hxxps://190[.]100[.]16[.]210:8082/red5/
hxxps://146[.]185[.]253[.]176:447/red5/
hxxps://190[.]119[.]180[.]226:8082/lib698/
hxxps://171[.]100[.]142[.]238:449/lib698/
hxxps://181[.]113[.]28[.]146:449/red5/
hxxps://51[.]254[.]164[.]245:443/lib698/
hxxps://23[.]94[.]185[.]27:446/response[.]php?s=1584097681876834&id=O6D4aGfNwIxDT5OfEo9d
hxxp://uzoclouds[.]eu/dutchz/dutchz[.]exe
hxxp://bibpap[.]com/1g7/pin[.]php
hxxp://posqit[.]net/TT/50590113[.]exe
hxxp://bitly[.]ws/83FN
hxxp://nemty[.]top/public/pay[.]php
hxxp://nemty10[.]biz/public/gate[.]php
hxxps://marsdefenseandscience[.]com/reports[.]zip
hxxp://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad[.]onion/public/pay[.]php

euromopy[.]tech
wusameetings[.]tk
emrahkucukkapdan[.]com
gardapalace[.]it
snsoft[.]host-ed[.]me
cornerload[.]dynu[.]net
seasonsnonaco[.]ddnsking[.]com
datalinksol[.]com
nlcfoundation[.]org
sevgikresi[.]net
autocarsalonmobil[.]com
seasons444[.]ddns[.]net
krupoonsak[.]com
natufarma[.]net
edirneli[.]net
mabdesign[.]unlugar[.]com
babystophouse[.]com
glamfromeast[.]com
hidroservbistrita[.]ro
onlinepreneur[.]id
onlinepreneur[.]id
site-inspection[.]com
uzoclouds[.]eu
bibpap[.]com
posqit[.]net
zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad[.]onion
nemty10[.]biz
marsdefenseandscience[.]com
nemty[.]top

45[.]64[.]97[.]178

185[.]216[.]35[.]10

ef07feae7c00a550f97ed4824862c459
05adf4a08f16776ee0b1c271713a7880
29e8800ebaa43e3c9a8b9c8a2fcf0689
970bc68378526981f7b470b014e4a61d
648a2da84b857520830981af55bbd4f2
e36b292de6db73e78f77ea2fed092848
dca53f253066ff1736d9735e0e4f861b
ecdcf6e29f917239ecd9f3c4cd4bd4b4
4ad1b0398bc3a371a82923383de2d0a4
54fb481530500d781d0aa282e8524016
0c6fa100c0fd612d9f55a87017989621
457d4329b66efcbd6bcba521502df6a8
6053a2d672f9f9bd5cd0725d4b106493
c1ab6a9a559d54c071eb110235f77fe2
be950f0aaa6654c30532168a3f82d4e6
33498c2e5ce532fdbcabfc2caa882e04
ca0951249ef447ca0443ebf519b7ec7e
24cabc6a0a02674fc6a1e778cd265ecc
d6557715b015a2ff634e4ffd5d53ffba
2858a05f4ec255cb383db26019720959
4e9aa334811b6a4fa6542483a34fc9c5
caf133755a01fea99b323e3fa1965705
c6f8278ee29471ce84b4f6bb148161de
1f7ff50f672288616ef80220ab41cddc
ef991e614208324eecb10831f0b6990d
93109ef58dc7fa86e2cb186e8d8cfc8a
8f9c95b359a574f16801184b095a027d
ba0b4e05e3b26e26f2e0793b9190ba2c
f4d2bdeeb7c5c3eac0afe845b988b31a
a39694b7311fc2d0991d6f7aa4d22460
d9822e032bb6f0d39aba533ba5b50dca
ba6a13ad9f673e365580b389a7297611
64574f1a3b4d554322279a238c7943f1
8aa849595f1065dce6488dcff4caa043
34b9244ead7f1d1d4a94e04a05d8f474
222d2f0dcae9889174e500fea7655b9a
811e21aadc64bbbedaa2d616bd258f58
4ed0cbc8dc2c3208bf760976d854b276
1cd9c1348db93cd674066f566740d697
3a7d8ab97cc7cacdc6b613632f79ae36
777250fb412071ab4b655883de6b888b
fa1ed07a84d0f6db0560edffc0f5cd0c
cc24481d8673278c9ca9a427aebfaf30
a98c28d9666e6050b2c76d0062342078
62ded00158221fd7b3e678b9d9edbd7b
ecf4c248beb954f59901bba955646c19
64574f1a3b4d554322279a238c7943f1
62025fefd240ac80326db825903da90e
2f1ac455d1c6e2a3f3e0d1137b047696
a5a2a55b29d20a684b09e40d4480029d
022e42a2ad49f8428f34435b595c7216
08dd5ee67ee69ddfa11cb55562baef58
e7351df51633435293ddc09de7fdc57c
1179a7989031fc4b6331505b388dcb12
378bbb172ccae5e28549a003e4e84bce
07d718b0b7f2bbe0ea001c76aca82b7d
f221f92d7f8ccb7133f58ae1a3f4257c
501318d315ba07554f92ff13ebb075c2
b57d2c252746baff47e12b4021a75ba4

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.