Spoofed Training Email from Phishing Simulator Company

By Max Gannon and Brad Haas, Cofense Intelligence

Cofense Intelligence has analyzed a security awareness training-themed campaign that spoofs a training reminder email from KnowBe4. Embedded links in the email direct victims to a credential phishing page targeting both Microsoft Outlook credentials and personal information. The phishing kit is hosted on compromised sites and has been used on at least 30 domains since mid-April 2020, as detailed below.

The emails used in this campaign attempt to pressure recipients into clicking the link by warning that the user only has one day left to complete a required training. They also discourage recipients from browsing directly to legitimate company training pages with the following statement: “Please note this training is not available on the employee training Portal. You need to use the link below to complete the training[.]”

Figure 1: Phishing email spoofing a KnowBe4 notification

The phishing kit used in this attack first collects Outlook credentials, then loads another page soliciting several pieces of personal information.

Figure 2: First page of the credential phishing kit

Figure 3: Second page of the credential phishing kit

As noted, the campaign’s credential phishing kit has been hosted on at least 30 other sites since mid-April 2020. The kits all used the same exfiltration methods and files as the spoofed KnowBe4 campaign, targeting Outlook credentials. Previous campaigns using this kit had a sexual harassment training theme rather than a security training theme. Those campaigns redirected to a legitimate page related to sexual harassment, shown in Figure 4, after the credentials requested in Figure 2 and Figure 3 were entered. The credential phishing kit linked in the spoofed KnowBe4 campaign has already been taken down, but it is very likely that the threat actors redirected from it to a security training-related page instead.

Figure 4: The credential phishing kit from previous campaigns redirected to this page

After additional analysis, we discovered that several of the compromised sites, many of which run WordPress, had recently been used to host a specific web shell, “CHips L MINI SHELL.” The shell has a relatively small feature set, allowing attackers to upload and edit files on a compromised site. It has already been removed from the sites in most instances. However, it was installed on some of them in a way that made it publicly visible, so cached Google search results show that it had been present, as shown in Figure 5.

Figure 5: Web shell on compromised site hosting the credential phishing kit

The indicator of compromise (IOC) table below includes the phishing kit URLs mentioned above.

Table 1: IOCs

Associated Credential Phishing URLs
hxxps://2014[.]digitree[.]co[.]kr/samhwa/lib/bid/login[.]php
hxxps://acertijos[.]com[.]ar/Blog/wp-includes/bid/login[.]php
hxxps://avellanoeuropeo[.]ufro[.]cl/wp-content/plugins/bid/login[.]php
hxxps://breckinridgecounty[.]net/[.]well-known/acme-challenge/bid/login[.]php
hxxps://docentes[.]uto[.]edu[.]bo/dmoyaa/wp-includes/bid/login[.]php
hxxps://g5lab[.]com/aspera/uploads/bid/login[.]php
hxxps://greenup[.]co[.]in/wp-includes/bid/login[.]php
hxxps://kikihalekararlari[.]com/assets/plugins/flot/bid/login[.]php
hxxps://mobiletradesman[.]co[.]uk/wp-admin/bid/login[.]php
hxxps://modoou[.]net/wp-content/bid/login[.]php
hxxps://msk[.]turbolider[.]ru/wp-includes/bid/login[.]php
hxxps://niceoldtownapartment[.]com/wp-content/plugins/fusion-core/tinymce/bid/login[.]php
hxxps://otorrinosensantafe[.]com[.]mx/[.]well-known/pki-validation/bid/login[.]php
hxxps://pandeyize[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://plazaempresarial[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://propertyask[.]com/[.]well-known/pki-validation/bid/login[.]php
hxxps://rashifal[.]com/img/bid/login[.]php
hxxps://rotularltda[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://skinnyontherunapp[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://somelit[.]org/wp-content/plugins/bid/login[.]php
hxxps://tcvsat[.]com/tcvsat-respnov19/wp-includes/IXR/bid/login[.]php
hxxps://thegsmshop[.]com/wp-includes/css/bid/login[.]php
hxxps://www[.]aajtaknews[.]in/wp-content/cache/all/bid/login[.]php
hxxps://www[.]auntynise[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://www[.]happychappybrands[.]com/wp-includes/bid/login[.]php
hxxps://www[.]healthfavour[.]com/wp-includes/css/bid/login[.]php
hxxps://www[.]mvoguesalon[.]com/bootstrap/cache/bid/login[.]php
hxxps://www[.]samicultura[.]com[.]br/includes/bid/login[.]php
hxxps://www[.]search4blog[.]com/wp-content/plugins/bid/login[.]php
hxxps://digitalprakhar[.]com/wp-content/uploads/2016/08/bid/login[.]php

Recommendations

Educating your workforce to identify these threats is key. Organizations can also stay on top of today’s dynamic threat landscape using Cofense Intelligence. Phishing causes nine out of ten data breaches. With Cofense Intelligence, you’ll get access to preemptive phishing alerts you can act on before you’re attacked.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

By: Kian Mahdavi, Cofense Phishing Defense Center

With the escalation of COVID-19, organizations are rapidly adjusting as they move their workforce to work from home; it’s no surprise that threat actors have followed suit. Over the past few weeks, the Cofense Phishing Defense Center (PDC) has observed a notable uptick in phishing campaigns that exploit the widely used Microsoft Sway application to steal organizational credentials and to host phishing websites. Sway is a free application from Microsoft that allows employees to generate documents such as newsletters and presentations and is commonly used by professionals to conduct their regular day to day work tasks.

In a new campaign, threat actors send emails with subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access.’

Figure 1: Email body

The sender in Figure 1 claims to come from ‘Human Resources.’ Closer inspection, however, reveals the actual sender’s address – a purchased domain address ‘chuckanderson.com’ with no association to the HR team or the organization’s official mailing address.  The attack includes carefully thought out trigger words, such as ‘expected’ and ‘selection/approval,’ language that often trips up employees who are accustomed to receiving occasional emails from their local HR team, especially during this pandemic. Should users hover over the link within the email, however, they would see ‘mimecast.com’ along with ‘office.com,’ potentially and mistakenly deeming these URL(s) as non-suspicious.

By using trusted sources such as Sway to deliver malware or steal corporate credentials, such campaigns often evade Secure Email Gateways (SEGs) thanks to the trusted domains, SSL certificates and URL(s) used within the email headers.

Figure 2: Cofense PDC Triage flagging the known malicious URL

Numerous employees across a variety of departments within the same company received and reported this email to the Cofense PDC, with each email consistently redirecting users to similar Sway URLs.  These URLs were already known by our Cofense Triage solution and were identified as malicious, providing valuable context for our PDC analysts when they commenced their investigation.

As previously discussed, as legitimate domains and URLs were used, these campaigns remained undetected for longer periods of time, likely leading to a higher number of compromised account credentials. On the other hand, malicious content hosted on purpose-built phishing sites usually gets flagged much quicker, taken down earlier, and therefore leading to a much shorter ‘time to live’ period. In short, this attack was easy to execute, required minimal skill, and remained undetected by security technologies.

Figure 3: Virus Total URL Analysis  

Upon conducting a web search using reliable threat intelligence feeds, as shown above in Figure 3, the authenticity of URLs can be verified against trusted security vendors that have recently detected the attack, flagging them as ‘malicious/phishing’. Displayed in the top right-hand side of Figure 3 is the timestamp revealing the latest known update from a security vendor.

Figure 4: First phase of phishing page

Awaiting the user is the bait on a generic looking page, a ‘BEGIN ENROLLMENT’ button and once clicked, redirects to a document hosted on SharePoint as seen below in Figure 5.

Figure 5: Second phase of phishing page

Once employees enter their credentials and hit the ‘Submit’ button, their log-in information is sent to the threat actor – the end user is none the wiser that they have been successfully phished.

As employees have rapidly shifted to remote working, threat actors have started to look at ways they capitalize on the COVID-19 pandemic to spoof new corporate policies and legitimate collaboration tools to harvest valuable corporate credentials, a trend we anticipate will only continue to gain steam in the foreseeable future.

Indicators of Compromise:

First Hosted URL IP Address
hXXps://sway[.]office[.]com/5CgSZtOqeHrKSKYS?ref=Link 52[.]109[.]12[.]51

 

Second Hosted URL IP Address
hXXps://netorgft6234871my[.]sharepoint[.]com/:x:/r/personal/enable_payservicecenter_com/_layouts/15/WopiFrame[.]aspx 13[.]107[.]136[.]9

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

This Employee Satisfaction Survey is Not so Satisfying… Except for the Credential Phishing Actors Behind It.

By Max Gannon, Dylan Duncan in Cofense Intelligence

Cofense Intelligence has tracked a complex credential phishing operation that evades Microsoft Office 365, Cisco Ironport and Mimecast Secure Email Gateways and has been active since at least December 2019—a very long time for an active credential phishing campaign. The use of a series of convincing tactics suggests that threat actors have taken great effort to create an air of authenticity for targeted recipients. Targeted users receive an email, supposedly from their HR departments, mandating that they complete a SurveyMonkey employee satisfaction survey. The convoluted attack chain uses trusted sources and eventually redirects to a real SurveyMonkey survey, allowing the threat actors to evade detection, and provides recipients with the end results that they expect – a real survey.

This credential phishing chain begins with an email (Figure 1) containing a link to a PDF hosted on the legitimate cloud service provider Hightail. The email itself contains multiple tactics, techniques, and procedures (TTPs) to deceive the end user. These TTPs consist of a seemingly legitimate Hightail spoofed email address ‘delivery @ spaces[.]hightailmail[.]com,’ fronting as a target’s HR department. The email creates a sense of urgency, indicating the survey is mandatory, requires action, only takes a few moments to complete, and will benefit the targeted employee.

Figure 1: Example of one original email sent to targeted recipients

After following the link to Hightail, a PDF is downloaded (Figure 2). Within the PDF, the from, subject, and message fields match the email line-for-line. The URLs for Hightail contain the recipient’s email address encoded in the URL path, and with the page hosted by the threat actor, these collected URLs could be decoded to gather the email address before they access the PDF. Hightail provides a preview of the PDF before downloading (Figure 3), which shows a faded survey and an icon that appears to lead into the survey.

Figure 2: The Hightail web page hosting a PDF that recipients are encouraged to download

Figure 3: A preview of the PDF hosted on Hightail, encouraging the user to participate in the “mandatory” survey

Once the PDF has been downloaded, a ‘Take Survey’ icon links to one of many credential phishing URLs used in this scheme. As displayed in Figure 4 below, the phishing URLs often change with each different PDF, but continue to remain consistent with the theme of an HR Department survey.

Examples include:

  • hxxps://hrsurveyportal[.]work/Start/
  • hxxps://my[.]hr-portalsurvey[.]work/

A complete list of identified URLs was used in different PDFs and is included at the end of this document in Table 2. This kind of differentiation allows the threat actors to maintain an appearance of legitimacy in their phishing URLs, while making it more difficult to defend against these attacks by shunning previously used or shared URLs.

Figure 4: PDF with an embedded link to a credential phishing website

This credential phishing campaign, and its variants, have been operating since at least December 5th, 2019. In most of these identified campaigns, the credential phishing pages were the same spoofed “Norton Secured” page, seen in Figure 5, regardless of the URL or the original target company. Older campaigns, primarily seen in December and January, mostly used appspot[.]com sub-domains rather than HR department themed domains and all led to pages like the one shown in Figure 6.

Figure 5: Spoofed login page where credentials are harvested

Figure 6: A less convincing example of a credential phishing page identified in this broader campaign.

When a recipient enters his or her information in any of the credential phishing websites, the data is sent via an HTTP POST to the URL shown in Figure 7. This is most commonly hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/. Much like the hrsurvey[.]work URL variants designed to provide an additional sense of legitimacy, this URL also spoofs “Norton Secured”. Recipients are then immediately sent to the SurveyMonkey survey shown in Figure 8.

Figure 7: Credential phishing page source with the highlighted URL where credentials are posted and recipients are redirected.

Figure 8: The final SurveyMonkey survey

The SurveyMonkey survey shown in Figure 8 is of particular importance. First, this survey link is either legitimate and has been repurposed by threat actors, or threat actors themselves went to the effort to create it. Either way, the detail and effort involved in the survey indicates the possible intent of the threat actors to use the survey as a long-term resource across multiple short-lived credential phishing pages. Secondly, this survey leads targeted recipients to a credible conclusion—ending the attack chain in a way that would not leave recipients suspecting that anything suspicious had happened. Many credential phishing campaigns end by redirecting a user to a generic page or displaying a login error message, which can cause users to stop and consider potentially harmful activity that had occurred, leading them to warn others or report the original email. By avoiding such suspicious signposts, the threat actors can further protect their infrastructure and avoid detection.

This campaign presented a convincing impersonation of an HR department delivering a mandatory survey to its employees. The final destination of the chain was a survey hosted on SurveyMonkey—leading recipients to believe that nothing was wrong. The choice of the campaign endpoint—a survey hosted on a well-known legitimate site, rather than an obvious error message or redirect—indicates a level of attention above and beyond what is usually exhibited by credential phishing adversaries. Additionally, custom domains were used to host the credential phishing infrastructure rather than compromised domains, as is often the case with simple credential phishing. Cofense Intelligence assesses that this campaign was carefully designed with long term capability and minimal detection in mind. This has no doubt allowed for the repeated success of this campaign—also quite unusual when it comes to credential phishing.

Hightail Hosted PDF URLs
hxxp://spaces[.]hightail[.]com/receive/gmaTEP8hhh/
hxxp://spaces[.]hightail[.]com/receive/GvXjcQjRac/
hxxp://spaces[.]hightail[.]com/receive/gWGl9E9QrM/
hxxp://spaces[.]hightail[.]com/receive/hiasiM3Bc4/
hxxp://spaces[.]hightail[.]com/receive/Huh5Kd9ngs/
hxxp://spaces[.]hightail[.]com/receive/N2hZnCrDRr/
hxxp://spaces[.]hightail[.]com/receive/NewA1DfvtL/
hxxp://spaces[.]hightail[.]com/receive/pvHwWmHUxB/
hxxp://spaces[.]hightail[.]com/receive/rlTbN1a1sV/
hxxp://spaces[.]hightail[.]com/receive/wgmOI2E6VF/
hxxp://spaces[.]hightail[.]com/receive/yGDAtZ2Cld/
Credential Phishing Pages URLs
hxxps://hrsurvey[.]work/Home/
hxxps://hrsurvey[.]work/hr/
hxxps://hrsurveyportal[.]work/begin/
hxxps://hrsurveyportal[.]work/secure/
hxxps://hrsurveyportal[.]work/Start/
hxxps://my[.]hr-portalsurvey[.]work/
hxxps://my[.]hrsurveyportal[.]work/
hxxps://my[.]worksurvey[.]work/
hxxps://secure[.]hrsurveyportal[.]work/
hxxps://mwz1552alry[.]appspot[.]com/
Redirect URLs
hxxps://csosun[.]org/administrator/manifests/login[.]php
hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/
Hosted Survey URL
hxxps://www[.]surveymonkey[.]com/r/2MHSTQ8
Downloaded PDF Files MD5 Hash
Employee Satisfaction Survey.pdf d61822e79a797356598b6296af360f3e
Employee Satisfaction Survey.pdf b760297ada010198d40f585206e2c769
Description Indicator
Cofense Intelligence ATR ID 36729
Cofense Triage Yara RULE PM_Intel_CredPhish_36729

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 36729.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Going Phishing in the African Banking Sector

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has uncovered a phishing campaign aimed at customers of African financial services group ABSA. Mimicking ABSA’s online banking portal, the adversaries attempt to steal users’ online banking credentials to gain access to their bank accounts.

The phishing email presents the end user with a couple of lines of text informing him/her of pending transfers from another bank that need authorization. The user must download and open the htm attachment “IBPAYDOC.htm” in order to connect to the online portal. The email does not present any indication of an attempt to imitate a legitimate ABSA communication, completely relying instead on the user’s misplaced curiosity.

Figure 1 (Email Body)

Phishing Portal

Upon opening the htm file, the user is directed to a fake ABSA online banking portal at hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php, which is almost identical to the legitimate ABSA portal, as seen in Figures 2 and 3. The user is prompted to provide an “access account” number, PIN and user number that are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php.

Figure 2 – Legitimate ABSA Portal

Figure 3 – Copycat ABSA Portal

Adversaries have hijacked the ahmadnawaz[.]org domain on which the fraudulent ABSA portal is hosted, belonging to Pakistani education activist Ahmed Nawaz, and created the “/ched” directory to store their php files and subdirectories as seen in Figure 4.

Figure 4 – Index of /ched

Next, the recipient is asked to provide a password in hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php. This request should tip off users for three reasons. First, ABSA never asks for entire passwords. Second, and in contradictory fashion, instructions for ABSA’s usual password requirements can be found on the right-hand side of the page. Although the password guidelines only require specific characters, the adversaries seem to have kept these in an attempt to make their fake portal look as genuine as possible. Finally, the user’s SurePhrase, part of ABSA’s SureCheck service, is missing. Upon entering their password, it is posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php.

Figure 5 – Fake password login page

The user is then directed to hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php, where a 60- second timer is displayed. Once it reaches zero, the user is instructed to provide a phone number and a code from the ABSA app. Verification messages are normally sent to the ABSA banking app. In this case, however, no such code is sent because the user is not accessing ABSA’s legitimate portal. The threat actors likely rely on curious or frustrated users who decide, nonetheless, to proceed with the login process despite not receiving a verification request, allowing them to steal additional personal information from the end user. The phone number and app code are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php.

Figure 6 – Timer in profile .php

Figure 7 – Verification Request

Finally, when and if the user provides the last two pieces of information – the phone number and app passcode – the next stop is hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php, where the aforementioned timer will run out and restart indefinitely. Figure 8 shows the complete HTTPS traffic.

Figure 8 – HTTPS Traffic Overview

IOCs:

Malicious URLs

hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php

 

Associated IPs:

74[.]63[.]242[.]34

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Emotet Modifies Command & Control URI Structure and Brings Back Link-based Emails

By Noah Mizell, Cofense Phishing Defense Center

Emotet has been busy wrapping up the year with some minor tweaks to their client code and the reintroduction of some tactics that have worked well for them in the past. The botnet that began its life as a banking trojan in 2014 has proven to be a formidable threat to organizations around the world and shows no signs of stopping. Before we look at their recent changes, let’s begin with a quick review of some of the notable updates we have observed this year:

  • January 13, 2019 – The Emotet botnet reemerges from vacation to begin its first campaign of the year.
  • January 28, 2019 – Experimentation with Qakbot as a payload.
  • March 14, 2019 – The client code is changed to utilize a wordlist to generate random paths when checking into the Command & Control (C2) and now uses the POST method instead of GET. The use of JavaScript attachments is noted as well.
  • April 9, 2019 – The botnet operators begin using the emails that were stolen starting in the last part of their 2018 campaign. The use of stolen content provides the ability to create spear-phishing like emails on a scale never seen before.
  • May 31, 2019 – Emotet goes on summer vacation shutting down a large part of its infrastructure.
  • Sep 3, 2019 – C2 begins to come back online.
  • Sep 16, 2019 – Spamming operations resume. Link and PDF attachment based emails are very limited. The vast majority of their campaigns are macro document-based. Heavy use of the reply-chain (stolen email) tactic is observed.
  • Large deployments of TrickBot and Dreambot are used as secondary infections throughout the year.
  • The term “Triple Threat” is created to note the high incidence of Emotet -> TrickBot -> Ryuk infections seen in the wild, leading to massive ransomware payments and a great deal of lost time and money for many government and private organizations.

Starting on November 27th, we noticed a change in the way the Emotet client code was checking into the C2 servers. Gone are the random paths utilizing the word list (figure 1) that was seen in the past.

Figure 1: URI structure introduced in early 2019

Figure 2: The new URI structure seen as of Nov. 27

The clients are now adding a path that, at first glance, appears to be a random string with a minimum length of four characters.  A slightly deeper investigation into this traffic shows the path is actually the key from the key/value pair in the posted form data.  This change is odd, as it does not actually alter the check-in data in any meaningful way and appears instead to be more cosmetic in nature. This leads us to believe that it may have been a rudimentary attempt at identifying researchers who are running emulation code alone, as their check-in structure would not have dynamically changed when the code base was updated.

Figure 3: Example Emotet delivery email

Another noted change was the reintroduction of link-based email templates. We have seen Emotet emails use links with great success in the past. For unknown reasons, the threat actors did not seem to use them when coming back from summer vacation. In all likelihood, they are using them now to maximize their victim count before breaking again for the winter holidays.

We have included a listing of some of the URLs seen on the first day back further below.  Heavy distribution of TrickBot has also been seen in recent campaigns as a secondary infection and may be a money grab to fund their holidays.

Figure 4: Example Emotet delivery email

As with past campaigns, we have also seen an uptick in the use of shipping company themed emails to coincide with the holiday season, a recurring theme for the actors around this time of year. One change to the email templates that appears to be a new lure is an “Open Enrollment 2020” theme to entice users who have not yet decided on their insurance program for the upcoming calendar year.

The Emotet actors are masters at creating email templates that exploit a user’s emotional response, and this is a prime example.

Cofense’s research teams – Cofense Labs, Cofense Intelligence and the Cofense Phishing Defense Center – actively monitor the Emotet botnet to identify phishing threats that may impact customers and to provide security operations with the latest campaign data.

 

HOW COFENSE CAN HELP

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center are reported by end users and bypassed technical controls that were in place to protect them.

Cofense PhishMe offers a simulation template, “Order Confirmation – Emotet/Geodo,” to educate users on the phishing tactic described in this blog. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34580.

Quickly turn user reported emails into actionable intelligence with Cofense Triage and reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

hXXp://3mbapparel[.]com/ce8p4mw/Scan/23sr2r3h-227136449-4100-o7f3aukln-5ek9w7yx/

hXXp://abbasghanbari[.]com/cgi-bin/m2gx-j9l-2674/

hXXp://abis[.]abis-dom[.]ru/wp-content/multifunctional-zone/external-portal/XKnI9c95VXtO-2koeL1odjG8e45/

hXXp://adrianoogushi[.]com[.]br/blogs/available-resource/test-forum/CO37HIcUG-4KiqqruHlj9/

hXXp://agramarket[.]com/wp-admin/554841538461/9igxpru22w-3404-624501945-dtenc-cvona7/

hXXp://agramarket[.]com/wp-admin/images/Document/

hXXp://aijiuli[.]com/wp-content/common-3644746801311-F61eGi6VrRfSERpV/guarded-722116w-9jx99j5uyog/2b51q65tivz3f97-3vw70xy142675/

hXXp://alfaem[.]by/wp-includes/wcevu12a6j/ui13miem-1842496-647941-b1maguvyl7-0wm1/

hXXp://allgamers[.]ir/wp-content/6270900376591-TrHEgUBtm-sector/verified-portal/3rw-x42z0/

hXXp://aminulnakla[.]com/test/5mpub-u9jdh-1356/

hXXp://amoutleather[.]com/a/multifunctional_9313571_Y9mwVe/additional_forum/EAvHHxYA2_z07m8sM36w72/

hXXp://anantasquare[.]com/wp-content/Documentation/1yzenuu55v/zdx0oqd5mp-79785-92241-lqk84aode-i65yma2m1/

hXXp://andishkademedia[.]com/wp-includes/8vcppv-4l1-885316/

hXXp://anhjenda[.]net/wp-content/vmpyh5c3pi/

hXXp://anjumpackages[.]com/nrri/private_44709616882_WQZDa1KAyj/corporate_V6tkmPmj_jRcx2PfQ/on3_1v7649ys6t1/

hXXp://aquimero[.]net/wp-includes/8gdm6-y4kj-461/

hXXp://archinnovatedesigns[.]com/wp-includes/464728-V0rjOQkXZi4SSiW-disk/580333-3VP9JZcfWI6-cloud/028eeth-vu553tyw/

hXXp://arielcarter[.]com/j7foqo2/DOC/iqrh6hczo0cw/

hXXp://arttoliveby[.]com/yyrye/private_86192_eZoBMjbfcDvuPq/test_cloud/ws3uh67ha1tup_5128t108/

hXXp://auliskicamp[.]in/wp-admin/common_resource/verified_vZUVdO8ppY_CWfMSl2yMCEH/bgJEju1jvH_3iNK6o4Ii4G/

hXXp://awooddashacabka[.]com/yt46/open-box/individual-area/yNmy5HQif-8o8tG738h2/

hXXp://babdigital[.]com[.]br/wp-content/esp/6v5nej75l/

hXXp://bakeacake[.]com/wp-admin/available-disk/security-warehouse/z1XGaZ-NemjMNrc3a/

hXXp://bassigarments[.]com/wp-content/personal-592742204-WBrGGz/4469690-7SOBhN7gbB7s-area/b90h417-wtxsw/

hXXp://batdongsanhathanh[.]net/wp-admin/open-resource/568A8V-ILYyxINK-profile/jdux7bsdp-twyu179678t1/

hXXp://beiramarsushi[.]com[.]br/1g3ld9f/closed_n941_aUn1fAfrvX8Bhu/test_warehouse/6N1JhlV_M8oi1aM9Gyw/

hXXp://best-fences[.]ru/css/4ey-6v7y0-5856/

hXXp://betaoptimexfreze[.]com/bebkat/Reporting/9zooeodt/x827ofzp-289202990-87262-q99cri9-xr06/

hXXp://bgctexas[.]com/quietnightcompany/xb1k2g9/personal_zone/test_WlYEqat2Ie_OgiyQ9W40qCyP/bw54a4lhlrx_9636w4uu0xsxt1/

hXXp://bilgigazetesi[.]net/a6lwm1m/open_sector/special_forum/Ej4oMEQf3AN_Gudt5tx97J/

hXXp://bimattien[.]com/wp-admin/eTrac/ld6u234c3/ga438o-5744266-474284-eejhd-5ctewz/

hXXp://blicher[.]info/wp-includes/KPrV/

hXXp://blog[.]inkentikaburlu[.]com/70jjm53klo/sites/2yd7bvuh-505209-64670737-fr4vs-t7zp3cjl0/

hXXp://blog[.]sawanadruki[.]pl/wp-content/uilb8dz6_hwpeyvx_sector/security_warehouse/0gKrzfjYpvFO_3yLM891Meliz/

hXXp://blogkolorsillas[.]kolorsillas[.]com/wordpress/xnq1k-rkkl-803/

hXXp://bluemedgroup[.]com/wp-admin/mnfd8_nbij_436575782_UQEO1IVCs4LqadTV/security_profile/XODmvThQGR7_H7vrzccMec5/

hXXp://bmrvengineering[.]com/wp-admin/FILE/

hXXp://bookitcarrental[.]com/wordpress/INC/iddp2ggtm/eccvup8c-3843-818470-69yg4b28wh-w1kxriyo/

hXXp://bupaari[.]com[.]pk/RoyalAdventureClub[.]com/eTrac/ncevpoamvlp0/

hXXp://buyrealdocumentonline[.]com/wp/Documentation/d7mz-688402499-7314933257-fkwggnu-t4ybrvaf7/

hXXp://cabosanlorenzo[.]com/wp-load/protected-resource/verifiable-tk2c-3kfk3g9iz/ebub24rmzo8-9u88717yx935/

hXXp://cacimbanoronha[.]com[.]br/wp-content/Scan/

hXXp://caotruongthanh[.]com/wp-admin/qeku-4ys4-83891/

hXXp://carolscloud[.]com/media/public/

hXXp://carolzerbini[.]com[.]br/6ttp7t0/Overview/qoawf12j0jbp/

hXXp://carvalhopagnoncelli[.]com[.]br/lvqhz/Overview/0rrnguk8z/lg4qyh7-338411-43458560-pp7dts1ba-3msz/

hXXp://cas[.]biscast[.]edu[.]ph/updates/personal_sector/verifiable_warehouse/D3buvGg_1yyMJGrM6gp/

hXXp://casaquintaletcetal[.]com[.]br/e6viur/04383245_xZw1ZKxX_41063_29gQlRhcVl5eGs/additional_area/4004h_s035tt6461/

hXXp://casinovegas[.]in/cgi-bin/protected_module/additional_warehouse/NzQU7EbxmY_mLobpJqHn8Lh8/

hXXp://catchraccoons[.]com/wp-admin/open_9135304_x3VG052S9vjEZN/external_warehouse/AgnasV_o0M4JIrNt67j/

hXXp://caughtonthestreet[.]com/sh5bne/available_sector/test_mhc3xk01u_if5a3isqhztj4/fwpqcd9admvnur_yuu17s15/

hXXp://cetpro[.]harvar[.]edu[.]pe/dup-installer/2i5i_r76gl3x5v6vge_disk/individual_profile/NrWPp5_3Hj0zszymw/

hXXp://championretrievers[.]com/wp-admin/paclm/mdjx-81327-4043-zujiz-uoi7hp59w4/

hXXp://charger-battery[.]co[.]uk/chargerimages/Reporting/

hXXp://chatnwax[.]com/dir/RRETX2MC9ZE7/syc01o4x/

hXXp://cheappigeontraps[.]com/wp-admin/personal-resource/guarded-gueidxaiga-544/a4hko1sshe-6530yx62/

hXXp://cheapraccoontraps[.]com/wp-admin/parts_service/zn6iszxroew/0vqf-97169-6342681145-z9iyge-xws5/

hXXp://cherrypointanimalhospital[.]com/new/parts_service/po53iyxo22m/

hXXp://chintamuktwelfare[.]com/wuvke31kdk/open-array/open-space/j2hg7S-Mseglc5d/

hXXp://chongthamhoanglinh[.]com/cgi-bin/Reporting/

hXXp://chooseyourtable[.]sapian[.]co[.]in/wp-includes/x3qc-azmz9-340871/

hXXp://clurit[.]com/matematika/images/content/open-array/additional-portal/open-array/additional-portal/3qZqx-tb7HH2KcNhHi82/

hXXp://collegebolo[.]in/wp-content/OCT/i91smxgw72t/iayid-933690-003423-pxhqzu7z4-e9fxqjnvn/

hXXp://collegiatevideoscout[.]com/piq88y/multifunctional-zone/verifiable-portal/vzwsusvfoq2kbmt-y496uwt7xz68uy/

hXXp://compworldinc[.]com/browse/4ni6zf2fq/

hXXp://contestshub[.]xyz/wp-content/evfch-p40-368725/

hXXp://cosmeticsurgeoninkolkata[.]in/wp-content/multifunctional-zone/security-space/oG7v7CkLAl-jz0rugqbjvi73/

hXXp://cosmicconsultancy[.]in/custom-icons/Reporting/

hXXp://cp[.]3rdeyehosting[.]com/wp-includes/esp/

hXXp://crazyroger[.]com/cgi-bin/1710496674006_01bd6Zeef0mCJ_disk/external_forum/4dwy_zxz36x4/

hXXp://creatitif[.]com/wp-admin/Reporting/

hXXp://croptool[.]com/theblackjackmob/Documentation/

hXXp://crownedbynature[.]com/jtaa6jtb/LLC/

hXXp://csa[.]cries[.]ro/ckjca7/11206-JdwhXBh41Cj8irAC-resource/individual-warehouse/ay7fc9ll3dnke7e-4yw99s2t6w/

hXXp://csrngo[.]in/alfacgiapi/15vu8s-c85u1-9139/

hXXp://daisybucketdesigns[.]com/pocketframes/images/aci32rk/eTrac/5w4kiwqito3r/

hXXp://dalao5188[.]top/wp-content/open-sector/test-forum/f0pqn-5328/

hXXp://dastsaz[.]shop/wordpress/private_array/verifiable_forum/BpajlMaeH_297iwG6jj7pGc/

hXXp://datrienterprise[.]com/wp-content/eTrac/7qzoqzrkjyuc/

hXXp://demo[.]bragma[.]com/site/pt48-pk3089b-682065491-ZkL2pS9yz/open-warehouse/LXWiJKrI-62Hui1o9a/

hXXp://demo[.]podamibenepal[.]com/superior/t2c-jpip6-22/

hXXp://demo[.]tanralili[.]com/apehhpf/INC/

hXXp://designers-platform[.]com/binzbc/FILE/a69zlr8/

hXXp://dev[.]consolidationexpress[.]co[.]uk/wp-admin/closed_sector/924553_1wSxAW2z_portal/2EI6ej9js5j_15M1p7xI9Gov/

hXXp://diamondbreeze[.]com/wp-content/docs/ig220w-64348062-050708-0o2ix-nk0skuh0/

hXXp://diecinuevebn[.]com/cgi-bin/protected-disk/verified-forum/ah7hwmjvvuuy84mx-t467s/

hXXp://diegojmachado[.]com/cgi-bin/open_sector/CLp2Etz_eUR1Q6uDDBgHkI_area/bDuOHXDda_cgI6sNcjl1gK/

hXXp://dishekimieroluzun[.]com/wp-content/DOC/

hXXp://dreammotokolkata[.]com/cqye/iaft92-6lplx-826/

hXXp://drsudhirhebbar[.]com/minds/private-sector/open-portal/rb2vj1kuwjbb-swuys/

hXXp://dubit[.]pl/site2/pxre-ns-297/

hXXp://dumann[.]com[.]br/z3gy5lb/sites/7bg1i8n2/jvsjhn3j-868085891-343651-sgosfko-20u4kmz2cb/

hXXp://elitexpressdiplomats[.]com/cgi-bin/available-array/guarded-5UJi7-pIM1v1g3Q6k6/whf6zxh-txsts2/

hXXp://empowerlearning[.]online/wp-admin/ruh006-rgkj-590/

hXXp://especialistassm[.]com[.]mx/inoxl28kgldf/docs/l5rbj6g/iibea-032709148-341719111-6r6auusna-6j9m/

hXXp://euonymus[.]info/twxppk/Document/7uo0t4osm95p/

hXXp://evokativit[.]com/TEST777/YHErlTl/

hXXp://evolvedself[.]com/dir/azpdj41_sugzd3yhwwsy_3709679_Rvta29FrYib/special_QDPYSSWZ1L_PJAv0ICNK1P/2Edulb_98mGeuzy3ty2Lz/

hXXp://extend[.]stijlgenoten-interactief[.]nl/test/Pages/w6014u-84395-6469-hthslxcbne-8vj2et4/

hXXp://finndonfinance[.]com/wp-content/Document/wjswrn1s/qgltg-85747767-49820504-2gz892-ydp6o4o4e/

hXXp://fooladshahr[.]simamanzar[.]ir/dup-installer/closed_box/interior_portal/0f6j5b5bga_06zs0/

hXXp://fozet[.]in/wp-content/eTrac/hb6yb86ei36/yrqsf32-172576671-4195092231-c97ty6f-5cu2q8hj8/

hXXp://freestyle[.]hk/picture_library/eTrac/s9shv2eo/

hXXp://frezydermusa[.]com/wp-content/parts_service/fisq814goap0/fhyl68-5565-326796-rr55j9spg-ug9mfyg/

hXXp://galeriariera[.]cat/assets/lm/g9zkvryjwq-0524005005-0333576-k58dqx5-326yx/

hXXp://gameonline11[.]com/wordpress/pqOAPS/

hXXp://gargchaat[.]com/phpmailo/lm/538skcfoe/7vps0iy-66657310-44075-q2gbc4-2vhp2c/

hXXp://gayweddingsarasota[.]com/cgi-bin/esp/68f6yd4ehwdr/

hXXp://gayweddingtampabay[.]com/cgi-bin/private-2828581710383-rNH3ETP8sT2ggXrt/additional-forum/DEsne0OE5vz-KmmglLMf/

hXXp://geekmonks[.]com/cgi-bin/common_sector/special_forum/9cfuf_ts9y4twzx0709/

hXXp://germxit[.]mu/calendar/4rxl-2932-78/

hXXp://gestto[.]com[.]br/wp-lindge/Scan/

hXXp://getabat[.]in/wp-content/closed_module/test_88i6oai_sjwnuscqjjl/abgyQKwZhv6i_inKjGl8hG98/

hXXp://globalstudymaterial[.]com/pdf/available-zone/individual-warehouse/vWOq8gdCRu0-ra1nf24iHayat/

hXXp://goldinnaija[.]com/wp-admin/sites/xaz6-030261-0911995608-sm9u-99rd1/

hXXp://gomaui[.]co/wp-includes/personal-resource/test-area/a9kj-wsuyvw59t/

hXXp://grace2hk[.]com/b6vg89hb/common_sector/security_forum/4tx_uu501xxxs/

hXXp://grahaksatria[.]com/towed/private_box/additional_forum/x1T0kdo_q89uLjatbqJ8/

hXXp://greatercanaan[.]org/wp-admin/Document/kqfz63hy/

hXXp://grocery2door[.]com/nkpk/97_dwi59_03276182_sJsjrqR/corporate_warehouse/13wrnaGqqET_lIy0l5eJsNdIc/

hXXp://groovy-server[.]com/masjid/backend/web/assets/rhhl/

hXXp://group8[.]metropolitanculture[.]net/wp-admin/multifunctional-sector/verifiable-cloud/l0q-4vww/

hXXp://haoyun33[.]com/wordpress/browse/9kmt2hi/

hXXp://hasung[.]vn/wp-includes/1bvxk7fvre5_lnci6bcnim_resource/special_forum/5BZ0CZ_p4052N871e/

hXXp://hfn-inc[.]com/mail/available-box/security-PgUqz6ktI-GY00tgjAgbFSr5/zy5escaf56fzw5y-y78s2tzu60v7z4/

hXXp://homecarehvac[.]com/wp-includes/open_resource/guarded_profile/eshftvv0ht_61x297v2/

hXXp://indusautotec[.]com/n8l7suy/open-xNFfQ20VO-FjqtokyzbQ6HGF/security-jdEM-dDzAJO2Ccnx/G3P8qq-MmI2GLf3JdK/

hXXp://jgx[.]xhk[.]mybluehost[.]me/scarcelli/multifunctional_098152347732_CYNEZ9DFQ/guarded_space/2qq1r_29xuz/

hXXp://jurness2shop[.]com/cgi-bin/private_disk/individual_ufyGUNB_QRlHjxmYMMbuaY/30lpuw22llwzm_vx60vx4s/

hXXp://kallinsgate[.]com/cw6vmaj/common-2561851-hLdPAOsBNVrNeE/open-space/5irmsa8-8x82zv7t2zw2x/

hXXp://kanntours[.]com/wp-security/Overview/yprr0k8-808004671-920995225-dc1d7q7-trbbwtd/

hXXp://kayzer[.]yenfikir[.]com/quadra[.]goldeyestheme[.]com/lm/

hXXp://kelurahanraya[.]ulvitravel[.]com/tmp/eTrac/wpag9c-3294986-0565941971-rbtkv0yr0p-rs604o/

hXXp://kpu[.]dinkeskabminsel[.]com/wp-admin/available_229278636_TO7LG1kXBWax3/847166_Zm9B3oXaP_portal/ZcAtrKAnB_nJGzswNc/

hXXp://kyrmedia[.]com/whnh/closed_zone/test_warehouse/o1yvycunyw222_tz6z71svs35/

hXXp://lalletera[.]cat/bootstrap/closed-array/test-warehouse/9y3rm68-7251/

hXXp://lastminuteminicab[.]com/l56mcv/Scan/qrg67fldazss/cd38ot-8952552-5429276851-63g720il-z2uwrr/

hXXp://lindamarstontherapy[.]com/psqlud/common_1810413_gc4qCpSFYbBM/additional_forum/4kmyjjijspz85_tt20x6w/

hXXp://liveleshow[.]com/cgi-bin/open-sEVbZ-kyyyJcjMY/verified-area/n7tk0nygk2up7j-7824vz2y/

hXXp://lsperennial[.]com/tnnfxu/545533028378/ofzt2ll4a-4754801-8569215-64d2t-rbtsi5ylgq/

hXXp://masspaths[.]org/transcyclist/open-array/69537295-LwrlRuR-portal/riy-u5984475/

hXXp://mistyvillage[.]com/inoxl28kgldf/open-sector/individual-forum/TC1AThq8D-H4iKcw9erMc8a7/

hXXp://monoclepetes[.]com/disneyworldclassroom/browse/

hXXp://mosaiclabel[.]com/4f9xnykaf/common-box/corporate-a30njr6-34dhllfehbjex6/14rm3hr6k358-x32zy5/

hXXp://myclarkcounty[.]com/wp-includes/open-resource/open-forum/o6a3exwvzfo-4wwxx8uts7/

hXXp://myfamilyresearch[.]org/dir/paclm/

hXXp://nisanurkayseri[.]com/fhiq04sgna7/a683w-an3x-4946/

hXXp://norikkon[.]com/administrator/16542-fBTLcdbEyJr-sector/VFCLsV-bAwgBBBeBqaJ-forum/fft2z7gdyzqee-8z80w6z68vs/

hXXp://nunes[.]ca/s59nlj/DOC/

hXXp://pascalterjanian[.]com/logs/multifunctional-2519534-Fs87CEgtQY82H6/verifiable-forum/2iFKNGyl-Ksmyn3gyI/

hXXp://plaestudio[.]com/wp-admin/multifunctional-zone/verified-space/zftkjoaw-xzuwtu1228/

hXXp://pmnmusic[.]com/backup-1540795171-wp-includes/Document/

hXXp://productorad10[.]cl/cdn-cgi/lm/6bwolkvw/

hXXp://radigio[.]com/qcloid/Pages/aveebb8ri/

hXXp://rememberingcelia[.]com/cgi-bin/private-box/additional-cloud/WoMAYyGYPic-ejGtLw5zKk9132/

hXXp://richardciccarone[.]com/watixl/Pages/iwq2bcuhtc/fpl5dh7-1085-7485017905-7upoox-mmwh5rr/

hXXp://rkpd[.]ulvitravel[.]com/cgi-bin/s0pgy-yg3-606/

hXXp://rozziebikes[.]com/tshirts/7XOEME6DSPI/l6bpob8m-8104-0278018-y6o222jln-fsxji7gy9l/

hXXp://safiryapi[.]net/mainto/private-zone/9977527-TGAtxV-space/noliIDq-ffuwzjN5H8zj/

hXXp://sakuralabs[.]com/4gubn/personal-zone/interior-forum/rye8idbdwx6uiw9-vtw0y35413/

hXXp://scottproink[.]com/wp-includes/LLC/3nm06yz1og/

hXXp://sigepromo[.]com/fonts/multifunctional-sector/security-kojbhnhsfxht47-4qgj/xznv8-35sz95t0t7/

hXXp://sofiarebecca[.]com/ybfm/multifunctional-XhmwQuIS-uBXA6FSMcoaXT2/7427993-1AJW4cmy-profile/P0jkvy-gwgs3qvm/

hXXp://southeasternamateurchampionships[.]com/0ng1en8p/common-57GaJ-JU2y57Cw9wWp/test-area/1CP3gWMySaac-iixIpxfJ216/

hXXp://southernlights[.]org/wp-includes/attachments/13iqe8n/

hXXp://stlaurentpro[.]com/25bd/Overview/qnrlmvj/

hXXp://stluketupelo[.]net/sermon/Document/

hXXp://technosolarenergy[.]com/wpk0/esp/xcggf7f/l41sd6-372903-111521309-pe7nqblm-rnbcyph7/

hXXp://thebeaversinstitute[.]org/m6zxne/open_sector/verifiable_grIwVfcE_JNkyS1ABG7O/JOr8Y2_c0N5pfizn8tqv/

hXXp://thecityglobal[.]com/creative/DOC/tmi48tldo/8fcpm52kxc-1823-224157721-0k5g3-2ntwz3u/

hXXp://theconsciouslivingguide[.]com/w63gh/NQOOE7ZE6E/

hXXp://theordeal[.]org/2hqr15/71028031_i0jDg_array/verified_profile/M17xNfJi_afcjbJ9y2/

hXXp://tinystudiocollective[.]com/tvtepc/parts_service/c5hlpnbm/04yte-92982998-989677-xuln504d-wj8wr99a0r/

hXXp://trinituscollective[.]com/wp-admin/DOC/3k2yxczqa-017872-15130767-6fcy299dtf-5p8y1zk/

hXXp://turbinetoyz[.]com/inc/available_sector/open_cloud/7gDaxLdZntQO_f54w1mdqt/

hXXp://vektra-grude[.]com/components/sites/xyj3oy2f/

hXXp://wolvesinstitute[.]org/wp-admin/INC/muosryq6917p/uozxo9-82202-738575-fbm4hisdv-0q5dy3ciz/

hXXp://www[.]africanswoo[.]com/wp-includes/IOG/

hXXp://www[.]bonfireholidays[.]in/efqog/Documentation/

hXXp://www[.]demarplus[.]com/19sn7/Overview/

hXXp://www[.]southwayhomes[.]co[.]uk/wp-admin/lm/5x8c1xywx2h/

hXXp://xhd[.]qhv[.]mybluehost[.]me/Maidentiffany/a4wnq/INC/be5oryde748n/877iw8k2-5677720-10188-kjqm-al3ax20hth/

hXXp://xn--3jsp48bswaq48h[.]com/binzbc/protected_disk/WsgEuoVh6_GLg1uIsNZxocly_tdagf_sb0hy87m9gi/jWdMxTd9_a73ophNx/

hXXp://yourdirectory[.]website/Mccracken/eTrac/rpiglgay-1418052884-1524951880-uuys-0fxj/

hXXps://bipinvideolab[.]com/wp-admin/51917864823222027/b0n0hcp4sl83/

hXXps://crossworldltd[.]com/wp-includes/48p5-o3ih-71/

hXXps://flexwebsolution[.]com/assets/multifunctional_disk/external_forum/7aa8z9os32iqygd_3gp4h/

hXXps://gurukool[.]tech/assets/t85vawx7s2xbi3q-1mvazihmr-module/interior-forum/gEwMX8-s0pLx8jJMLhGN/

hXXps://keshavalur[.]com/css/WRssOm/

hXXps://makmursuksesmandiri[.]com/wp-content/e3tpt3cph1wncut-ika4etq8sml6-sector/interior-htMCj-UR5CVYGd/bnb5oaopu0ptx-0wyytzw7u5/

hXXps://misterglobe[.]org/generall/Overview/i9y202-334800485-67760472-jj04w2e19-xppp1/

hXXps://mountainstory[.]pk/qoaij52hfs1d/common_FOQqDSi_Q50ORC3MzecY/guarded_9ode8j8xa3q9fa_3a14tqqj/x1e_418t92/

hXXps://murraysautoworks[.]com/contact/6VE37Q01O/50v2q5af8tv/y27daizl9-678276-439755027-2i7xojwpjd-ryyu/

hXXps://nhakhoachoban[.]vn/wp-includes/paclm/

hXXps://power-charger[.]co[.]uk/faq/Reporting/g30g4b8wvh/0w5c-2857976-135390-1dg1e-bjus2/

hXXps://risefoundations[.]in/rise/8448397_cee81q_jftx3_eseQqSx/corporate_pfmWWf_7uk8kfJTJvUrTR/OvdwZPUQy_ntycKI1ipM2/

hXXps://sharefoundation[.]in/wp-admin/multifunctional_module/test_cloud/oJuKHM3ik_Mee0ttbGc/

hXXps://summit2018[.]techsauce[.]co/startup/sYHAteT/

hXXps://timestampindia[.]com/citech/Document/

hXXps://twincitiesfrugalmom[.]com/wp-admin/eTrac/9porgmi/ul99a0-5568735694-75056-vt6wk395a-yymz6f/

hXXps://www[.]jadegardenmm[.]com/engl/docs/h85me2-45331562-6525577-0c62dwu3hl-mk47l/

hXXps://www[.]u4web[.]com/bnkddo/open_disk/guarded_kzfciuyy_v4gqdp/1dOq8z5_ILk0gJmw/

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Phishing Campaign Uses Captcha to Bypass Email Gateway

By Fabio Rodrigues

Phishing threat actors are using Captcha methods to bypass automated URL analysis. By using Captcha techniques to prove human presence, the phish prevents the secure email gateway (SEG), in this case Mimecast’s gateway, from scanning the URL thereby enabling the threat to get through. Here’s how it works.

Email Body
The phishing email is sent from a compromised account at @avis.ne.jp as if it originated from a voip2mail service. The email alerts the recipient to a new voicemail message. The message is crafted in a simple format, with a preview of the voicemail to entice the recipient to click on the button to listen to the full message.

Figure 1: Email Body

This button is in fact an embedded hyperlink that will redirect the recipient to a page that contains a Captcha code to prove the victim is a human and not an automated analysis tool or, as Google puts it, “a robot.” It’s at this point that the SEG validation would fail. The SEG cannot proceed to and scan the malicious page, only the Captcha code site. This webpage doesn’t contain any malicious items, thus leading the SEG to mark it as safe and allow the user through.

Figure 2: Captcha Page

Once the human verification process is complete, the recipient is redirected to the real phishing page. In this example, it imitates the Microsoft account selector and login page. When unwitting victims login, their credentials are captured.

Figure 3: Phishing Page

As we can see, both the Captcha application page and the main phishing page are hosted on MSFT infrastructure. Both pages are legitimate Microsoft top level domains, so when checking these against domain reputation databases we receive a false negative and the pages come back as safe. SEGs frequently check URLS against reputation databases as part of a layered defense.

Table 1: Network IOCs

hxxp://t[.]mid[.]accor-mail[.]com/r/?id=
hxxps://osnm[.]azurewebsites[.]net/?b=
hxxps://phospate02[.]blob[.]core[.]windows[.]net/vric/112-vml[.]html?sp=r&st=2019-09-03T19:01:36Z&se=2019-09-28T03:01:36Z&spr=hxxps&sv=2018-03-28&sig=q4OWNkGXIlBtE99JknDZ047J94uFFCc%2BoNaZmtHOt2k%3D&sr=
52[.]239[.]224[.]36
66[.]117[.]16[.]17
52[.]173[.]84[.]157

 

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a phishing simulation template, “New Voice Message,” to educate users on the attack described in this blog.

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Phishing Attacks Use PDF Docs to Slither Past the Gateway

By Deron Dasilva and Milo Salvia

Last week, the CofenseTM Phishing Defense CenterTM saw a new barrage of phishing attacks hiding in legitimate PDF documents, a ruse to bypass the email gateway and reach a victim’s mailbox. The attacks masquerade as a trusted entity, duping victims into opening what appears to be a trusted link, which in turn leads to a fake Microsoft login page. Once there, victims are tricked into providing their corporate login credentials.