Using Windows 10? It’s Becoming a Phishing Target

CISO Summary

Cofense IntelligenceTM has recently seen a complex phishing campaign that delivers a simple payload, FormGrabber keylogger malware. The targets are Windows 10 operating systems running Windows Anti-malware Scan Interface (AMSI). The phishing emails deliver a Microsoft Excel Worksheet containing a MS Word macro that initiates infection.

What’s notable: threat actors are hitting Windows 10 instead of Windows 7, a more common target. Expect to see greater abuse heaped on the newer version as more businesses adopt it. No one aspect of this campaign is novel, but the attackers easily assembled a complex infection chain using multiple obfuscation and evasion techniques—another sign of how quickly criminals innovate when motivated.

 Full Details

Cofense Intelligence recently observed a campaign where threat actors targeted Windows 10 operating systems and used a complex multi-stage campaign to deliver the relatively simple FormGrabber keylogger. The emails utilized a Microsoft Office Excel Worksheet with an Office Word macro to initiate the infection. If macros were enabled, this macro would execute a PowerShell script that compiled embedded C# code content into a .NET dll. The .NET dll was loaded as a PowerShell module that then downloaded and executed the FormGrabber keylogger. The code used in the PowerShell module specifically targets Windows 10 computers which have the Windows Anti-malware Scan Interface (AMSI) installed.

Initiation

Each email identified within this campaign had two attachments: the first was a Microsoft Office Excel Worksheet, the second was an RTF document. This RTF document contained five embedded copies of the same Excel Worksheet, as shown in Figure 1.

Figure 1: Copies of the same embedded Worksheet object

When the document is opened, the victim is prompted five times (once for each of the embedded worksheets) to enable macros. After all the prompts have been responded to, the RTF document will be opened. The method used to embed the worksheet objects into the RTF document requires that the worksheet objects be displayed in some form or fashion. In most cases, threat actors will carefully attempt to hide the object to avoid tipping off victims. As shown in Figure 2, in this case the threat actors simply let the default primary worksheet display in the footer section of the document.

Figure 2: The image displayed in the footer of the RTF document

Here the threat actors repurposed a legitimate example worksheet from Carnegie Mellon University to hide malicious content. The file size and macro run by the attached and embedded Excel worksheets are different, however the end result and final payload location are the same, indicating that the two attachments were likely used for redundancy.

Worksheets

Automated systems often examine the macros in documents in an attempt to determine their intentions. Even if the macro is encoded or obfuscated, modern anti-virus should be capable of reversing the changes or at least detecting key malicious components without running the macro. The macros in these worksheets used a simple technique that may have allowed the threat actors to avoid some automated defenses, crafting a macro that decoded content stored in a cell on a seemingly empty page of the worksheet, as shown in Figure 3. Note that the macro (one line of which appears at the top of the image) references cell “J106” on sheet “RPNLU.” All cells in sheet “RPNLU” appear to be empty and the default page view has cell “J106” out of view, ensuring that even if manually opened, the only obvious discrepancy between the original legitimate worksheet and the malicious one is the addition of the sheet “RPNLU.”

Figure 3: Disguised data used by macro (top of image)

Once decrypted, this macro then launches a PowerShell process which contains another subsection of encrypted data, as shown in Figure 4.

Figure 4: Second stage of the PowerShell script

This PowerShell command takes the encrypted content and decrypts it into C# code, which is then compiled into a .NET dll and loaded as a PowerShell module.

Bypassing

The compilation and multiple layers of encryption involved in this process are all used to “bypass” AMSI. AMSI is a Windows 10 exclusive feature intended to help detect and prevent scripts and “fileless threats.” In order to “bypass” AMSI, the threat actors avoid downloading files and perform other obviously malicious activity in the code that runs in the PowerShell console. Instead they focus only on disabling AMSI by adjusting where it looks for malicious content. The code used for this is similar and almost identical in some places to the proof of concept described in this blog post. Once AMSI is properly disabled, the threat actors then load in the C# code including the explicitly malicious code compiled in a .NET dll as a PowerShell module. A relevant portion of this code can be seen in Figure 5.

Figure 5: A modified version of the original POC code to bypass AMSI

Results and a Look Ahead

Threat actors used a complex infection chain that specifically targeted a key component of Windows 10 operating systems, rather than the more common Windows 7-focused malware, to deliver FormGrabber keylogger. As more businesses switch to the Windows 10 operating system, threat actors, like the ones seen here, can be expected to switch their targets to Windows 10 as well. Although none of the techniques used in this campaign were particularly novel, the fact that it utilized multiple obfuscation and evasion techniques and was so easily assembled from already created work indicates how quickly and significantly threat actors can improve, given the proper impetus. As is usually the case when it comes to vulnerabilities in key components, a patch to prevent this method of AMSI bypass exists. However, businesses first need to be aware of the problem. Knowledge of the evolving threat landscape and the different ways that it can affect a company are key to promoting a secure environment. To improve your security posture, take preventative action by patching systems and training employees to recognize and prevent the first stage in an infection chain.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

The Zombie Phish Is Back with a Vengeance

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard.

Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.

New Phishing Attacks Use PDF Docs to Slither Past the Gateway

By Deron Dasilva and Milo Salvia

Last week, the CofenseTM Phishing Defense CenterTM saw a new barrage of phishing attacks hiding in legitimate PDF documents, a ruse to bypass the email gateway and reach a victim’s mailbox. The attacks masquerade as a trusted entity, duping victims into opening what appears to be a trusted link, which in turn leads to a fake Microsoft login page. Once there, victims are tricked into providing their corporate login credentials.

Got a Blockchain Wallet? Be Alert for These Phishing Emails

By Tej Tulachan and Milo Salvia

The CofenseTM Phishing Defense Center™ has seen a fresh wave of attacks targeting Blockchain wallet users. The attacks aim to steal all the information needed to hijack unsuspecting victims’ wallets and syphon off their hard-earned crypto gains. In the past week, we have detected more than 180 of these malicious emails, all reported by customers’ users.

Here’s how the phishing emails work.

Red Flag #1: ‘You Have Been Chosen.’

In the message below, we can see that the victim has been “selected to receive” a $50 dollar amount of  Stellar (XLM), an up and coming crypto currency. Better yet, they will be automatically eligible to receive future giveaways. Wow! This common attack method works because, well, who doesn’t like free money?

Fig 1. Email Body

Red Flag #2: The Dreaded Embedded Link

If we take a deeper look into the message body, we can see that there is an embedded hyperlink <hxxps://mysccess[.]lpages[.]co/blockchain/> From this, we can instantly tell something is not right. We can also see that the website linked to is NOT the official Blockchain wallet login page “https://login.blockchain.com/#/login”

You have been chosen to receive $50 in Stellar XLM as a valued Blockchain Wallet user.

To claim your free Stellar XLM, log in to your wallet and verify your identity. It only takes a few minutes. Once your identity is verified your XLM will be on its way to your wallet.

Better yet, you will also be automatically eligible to receive future giveaways.

     GET STARTED.<hxxps://mysccess[.]lpages[.]co/blockchain/>

Fig 2. Email Body in Plain Text

Red Flag #3: Indicator of Compromised Mailbox

From the email headers we can see that the threat source originates from the domain ame.gob.ec. This domain belongs to an Ecuadorian municipal government body. We also note that the email headers do not appear to be spoofed in any way apart from the “Nickname field” has been change to “Blockchain.” This would indicate that the mailbox used to send the phishing campaign has itself been compromised.

From: Blockchain <__________@ame.gob.ec>

Subject: Your airdrop of $50 is ready

Thread-Topic: Your airdrop of $50 is ready

Thread-Index: ozUHxyzm9QIDwDzmfizGH/nj/m+1AA==

Importance: high

X-Priority: 1

Date: Tue, 7 May 2019 12:03:45 +0000

Message-ID: <1224264524.394597.1557230625931.JavaMail.zimbra@ame.gob.ec>

Content-Language: fr-FR

 

Fig 3. Email Headers

Phishing Page: The main phishing page is a simple imitation of the https://login.blockchain.com/#/login page, but it contains the ability to steal all the information needed for an attacker to fully compromise your bitcoin wallet: wallet ID, passcode, and email address. Once the details are filled in, it will redirect to the legitimate blockchain site.

 

Fig 4. Phishing Page

Fig 5. Legitimate page

Right through the Gateway!

During our analysis, we noticed that the phishing email passed right through two different email security solutions: Forcepoint and Microsoft Anti-Spam and Anti-Malware solution in Office 365.

Conclusion: Again, we’ve detected 180+ of these emails in the past week alone. In recent headlines, hackers stole bitcoin worth $41 million from Binance, one of the world’s largest cryptocurrency exchanges, using a number of techniques including phishing emails. The attack was the latest in a string of thefts from cryptocurrency exchanges around the world. Be sure to educate users about phishing threats in general and Bitcoin wallet phishing in particular!

Learn more about the Cofense Phishing Defense Center. See how we analyze user-reported emails to provide actionable threat intelligence.

IOC’s

hxxps://mysccess[.]lpages[.]co/blockchain/

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

The Cofense Phishing Defense Center Sees Threats That Most Don’t

The CofenseTM Phishing Defense CenterTM analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see.

Here’s a Real Example Involving Compromised Email Accounts

A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization.

In fact, they utilized a technique known as the Zombie Phish, so called because it revives a dormant email conversation the user had had to disarm the user and lure him into clicking. We provided the indicators of compromise to the customer’s point of contact, plus included a link to a Cofense blog about the Zombie Phish.

We Found Over 2000 Malicious Emails—in Just 3 Days

A couple of weeks passed uneventfully. Then, we saw a new batch of reported emails from compromised accounts, followed the next day by a spike in similar messages. In a 3-day period, we found 2053 malicious emails sent through 77 internal accounts. Subject lines varied, but every one of these emails contained a link to “Display Message,” which redirected to a login page spoofing the customer’s actual page. It asked users to enter the password for their company account.

The techniques in these emails seemed to be part of a global phishing campaign targeting UK organizations. The target’s email address was encoded in the link. When someone clicked, the login page displayed the organization’s logo. The links’ behavior varied, sometimes redirecting to a fake site instead of the spoofed login page, other times displaying a message that the URL was unavailable.

The team in the Cofense Phishing Defense Center was glad to be of assistance. Learn more about our phishing defense services.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.