This Phish Uses Skype to Target Surging Remote Workers

By Harsh Patel

The Cofense Phishing Defense Center (PDC) recently unearthed a new phishing campaign spoofing Skype, the popular video calling platform that has seen a recent spike in use amid the need to keep employees connected as they work remotely. This phishing attack was found in email environments protected by Proofpoint and Microsoft 365 EOP, landing in end-users’ inboxes.

With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx is becoming a popular theme of phishing lures. We recently uncovered an interesting Skype phishing email that an end user reported to the PDC.

Figures 1 and 2: Email Body

For this attack, the threat actor created an email that looks eerily similar to a legitimate pending notification coming from Skype. The threat actor tries to spoof a convincing Skype phone number and email address in the form of 67519-81987[@]skype.[REDACTED EMAIL]. While the sender address may appear legitimate at first glance, the real sender can be found in the return-path displayed as “sent from,” which also happens to be an external compromised account. Although there are many ways to exploit a compromised account, for this phishing campaign the threat actor chose to use it to send out even more phishing campaigns masquerading as a trusted colleague or friend.

It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.

Upon clicking ‘Review’, users are redirected via an app.link URL:

hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5

and finally to the phishing page itself:

hxxps://skype-online0345[.]web[.]app

The threat actor has chosen to utilize a .app top-level domain to host their attack. This TLD is backed by Google to help app developers securely share their apps. A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and the developer’s end, which is great… but not in this case. The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is hosted under Google’s .app TLD, it displays this trusted icon.

Figure 3: Phishing Page

Clicking the link in the email, the user is shown an impersonation of the Skype login page. If a well-trained user inspects the URL, they will see that the URL contains the word Skype (hxxps://skype-online0345[.]web[.]app). To add an even further sense of authenticity, the threat actor adds the recipient’s company logo to the login box as well as a disclaimer at the bottom warning that this page is for “authorized use” of that company’s users only. The username is auto-filled because the URL contains the base64 of the target email address, thus adding simplicity to the phishing page and leaving little room for doubt. The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor.


Network IOCs
hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
hxxps://skype-online0345[.]web[.]app


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

By: Kian Mahdavi, Cofense Phishing Defense Center

With the escalation of COVID-19, organizations are rapidly adjusting as they move their workforce to work from home; it’s no surprise that threat actors have followed suit. Over the past few weeks, the Cofense Phishing Defense Center (PDC) has observed a notable uptick in phishing campaigns that exploit the widely used Microsoft Sway application to steal organizational credentials and to host phishing websites. Sway is a free application from Microsoft that allows employees to generate documents such as newsletters and presentations and is commonly used by professionals to conduct their regular day-to-day work tasks.

In a new campaign, threat actors send emails with subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access.’

Figure 1: Email body

The sender in Figure 1 claims to be ‘Human Resources.’ Closer inspection, however, reveals the actual sender’s address – a purchased domain, ‘chuckanderson.com’, with no association to the HR team or the organization’s official mailing address. The attack includes carefully thought-out trigger words, such as ‘expected’ and ‘selection/approval,’ language that often trips up employees who are accustomed to receiving occasional emails from their local HR team, especially during this pandemic. Should users hover over the link within the email, however, they would see ‘mimecast.com’ along with ‘office.com’, potentially and mistakenly deeming these URLs non-suspicious.

By using trusted sources such as Sway to deliver malware or steal corporate credentials, such campaigns often evade Secure Email Gateways (SEGs) thanks to the trusted domains, SSL certificates and URLs used within the email headers.

Figure 2: Cofense PDC Triage flagging the known malicious URL

Numerous employees across a variety of departments within the same company received and reported this email to the Cofense PDC, with each email consistently redirecting users to similar Sway URLs. These URLs were already known by our Cofense Triage solution and were identified as malicious, providing valuable context for our PDC analysts when they commenced their investigation.

As previously discussed, because legitimate domains and URLs were used, these campaigns remained undetected for longer periods of time, likely leading to a higher number of compromised account credentials. On the other hand, malicious content hosted on purpose-built phishing sites usually gets flagged much more quickly and taken down earlier, and therefore has a much shorter ‘time to live’. In short, this attack was easy to execute, required minimal skill, and remained undetected by security technologies.

Figure 3: VirusTotal URL Analysis

By searching reliable threat intelligence feeds, as shown above in Figure 3, the URLs can be checked against trusted security vendors that have recently detected the attack and flagged them as ‘malicious/phishing’. Displayed in the top right-hand side of Figure 3 is the timestamp revealing the latest known update from a security vendor.

Figure 4: First phase of phishing page

Awaiting the user is the bait: a generic-looking page with a ‘BEGIN ENROLLMENT’ button which, once clicked, redirects to a document hosted on SharePoint, as seen below in Figure 5.

Figure 5: Second phase of phishing page

Once employees enter their credentials and hit the ‘Submit’ button, their log-in information is sent to the threat actor – the end user is none the wiser that they have been successfully phished.

As employees have rapidly shifted to remote working, threat actors have started to look at ways to capitalize on the COVID-19 pandemic, spoofing new corporate policies and legitimate collaboration tools to harvest valuable corporate credentials, a trend we anticipate will only continue to gain steam in the foreseeable future.

Indicators of Compromise:

First hosted URL: hXXps://sway[.]office[.]com/5CgSZtOqeHrKSKYS?ref=Link
IP address: 52[.]109[.]12[.]51


Second hosted URL: hXXps://netorgft6234871my[.]sharepoint[.]com/:x:/r/personal/enable_payservicecenter_com/_layouts/15/WopiFrame[.]aspx
IP address: 13[.]107[.]136[.]9


How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots as we continue to track campaigns.


New Phishing Campaign Spoofs WebEx to Target Remote Workers

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch. In the midst of the COVID-19 pandemic, millions of people are working from home using a multitude of online platforms and software. Attackers, of course, know this and are exploiting trusted brands like WebEx to deliver malicious emails to users.

Targeting users of teleconferencing brands is nothing new. But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.

Here’s how this campaign works:

Figure 1: Email Body

For this attack, the threat actor sends an email with varying subject lines such as “Critical Update” or “Alert!” from the spoofed address “meetings[@]webex[.]com”. The subject and mail content combined may pique users’ curiosity enough to entice them to click in order to take the requested action.

The email then explains there is a vulnerability the user must patch or risk allowing an unauthenticated user to install a “Docker container with high privileges on the system.” In this scenario, the threat actor has spoofed a legitimate business service and explained a problem with its software, prompting even non-technical readers to read further. The threat actor even links to a legitimate write-up for the vulnerability, found at the URL embedded in the text ‘CVE-2016-9223’:

hxxps://cve[.]mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2016-9223

The linked article uses the same words as the email, lending further credibility.

The only thing for a responsible user to do next is follow the instructions in the email and update their Desktop App, right?

Even if more cautious users hover over the ‘Join’ button before clicking, they could still very well believe it’s legitimate. The URL embedded behind it is:

hxxps://globalpagee-prod-webex[.]com/signin

While the legitimate Cisco WebEx URL is:

hxxps://globalpage-prod[.]webex[.]com/signin

At first glance, both URLs look eerily similar. A closer look, however, reveals that an extra ‘e’ has been added to ‘globalpage.’ Likewise, instead of ‘prod.webex’, the malicious link uses ‘prod-webex’.
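
The comparison above is the kind of check a mail filter or a triage analyst can automate. The following is an added example, not code from the post or from Cofense: it takes a URL, works out the registrable domain, and reports whether the host is the brand’s own domain, a look-alike (brand name under a foreign registrable domain, or a couple of edits away from a known login host), or unrelated. The allow-lists are constructed for the example and only contain the legitimate WebEx host quoted above.

```python
"""Added example (not code from the Cofense post): flag look-alike login URLs.

The WebEx phish swapped 'globalpage-prod.webex.com' for
'globalpagee-prod-webex.com': one extra letter, and the brand moved from a
subdomain of webex.com into a brand-new registrable domain. check_url()
reports a URL as legitimate, lookalike (with the reason) or unrelated, using
a constructed allow-list of real login hosts.
"""
from urllib.parse import urlsplit

# Constructed allow-list for the example: brand -> registrable domain it really uses.
BRAND_DOMAINS = {"webex": "webex.com", "skype": "skype.com"}
# Known-good login hostnames (the legitimate WebEx one is quoted in the post).
LEGIT_HOSTS = {"globalpage-prod.webex.com"}
# Multi-label public suffixes so registrable_domain() handles co.uk-style hosts.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "web.app"}
MAX_TYPO_DISTANCE = 2  # edits allowed before we stop calling it a typosquat


def registrable_domain(host: str) -> str:
    """Owner-controlled part of a hostname: last two labels, or three for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typosquats such as an added 'e'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Classify a URL by its hostname against the allow-lists above."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS.values():
        return {"host": host, "verdict": "legitimate", "reasons": []}
    reasons = []
    for brand, legit_domain in BRAND_DOMAINS.items():
        # Brand string present, but registered under some other domain ('prod-webex' vs 'prod.webex').
        if brand in host:
            reasons.append(f"brand '{brand}' appears in host but registrable domain is '{reg}', not '{legit_domain}'")
    for legit_host in LEGIT_HOSTS:
        distance = edit_distance(host, legit_host)
        if distance <= MAX_TYPO_DISTANCE:
            reasons.append(f"{distance} edit(s) away from known login host '{legit_host}'")
    return {"host": host, "verdict": "lookalike" if reasons else "unrelated", "reasons": reasons}


if __name__ == "__main__":
    for sample in ("https://globalpagee-prod-webex.com/signin",   # malicious URL from the post
                   "https://globalpage-prod.webex.com/signin",    # legitimate URL from the post
                   "https://example.org/signin"):                 # unrelated, constructed
        print(check_url(sample))
```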

To carry out this attack, the threat actor registered a fraudulent domain through Public Domain Registry just days before sending out the credential phishing email.

The attacker has even gone as far as obtaining an SSL certificate for their fraudulent domain to gain further trust from end users. While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of the URL that renders it legitimate in the eyes of many users.

Figure 2: Initial Phishing Page

The phishing page to which users are redirected is identical to the legitimate Cisco WebEx login page; visually there is no difference. Behavior-wise, there is a deviation between the real site and the fraudulent page. When email addresses are typed into the real Cisco page, the entries are checked to verify whether there are associated accounts. With this phishing page, however, any email-formatted entry takes the recipient to the next page, where they are then asked to enter their password.

Figure 3: Secondary Phishing Page

Once credentials are provided, users are redirected to the official Cisco website to download WebEx, which may be enough to convince most users it is a legitimate login process to update their WebEx app.

Figure 4: Legitimate Redirect Page – Official Cisco WebEx Download Page

At the time of writing, this fraudulent domain is still live and active. In fact, when navigating to the main domain, there is an open directory showing files the threat actor has utilized with this attack.

Figure 5: Open Directory

Files of interest include ‘sign-in%3fsurl=https%[…]’ and ‘out.php’.

The file ‘sign-in%3fsurl=https%[…]’ is the phishing page itself. When users click from this directory, they are redirected to the fraudulent WebEx login (Figure 3).

Figure 6: ‘out.php’ File

The ‘out.php’ file, seen in Figure 6, is the mailer the threat actor appears to have used to send this attack to users’ inboxes. The threat actor can manually input any subject they want – in this case, they chose “Critical Update!!”, adding the HTML for the email to the box below and designating an email list to which they wish to mass send this campaign.

With many organizations quickly adopting remote working policies, threat actors are poised to continue to spoof brands that facilitate virtual collaboration and communication, such as teleconferencing tools and cloud solutions.

Indicators of Compromise:

Network IOC: hxxps://globalpagee-prod-webex[.]com/signin
IP: 192[.]185[.]214[.]109


How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 37308 and received YARA rule PM_Intel_CredPhish_37308. For Cofense Intelligence customers who would like to keep up with the Active Threat Reports and indicators being published, all COVID-19 campaigns are tagged with the “Pandemic” search tag.



Threat Actors Evade Proofpoint and Microsoft 365 ATP Protection to Capitalize on COVID-19 Fears

By: Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has witnessed a surge in Coronavirus phishing campaigns found in environments protected by Proofpoint and Microsoft Office 365 ATP. While these Secure Email Gateways (SEGs) are designed to safeguard end users from clicking on malicious links and attachments, both failed in a new phishing attack we recently observed.

Figure 1 – Proofpoint SEG within the Email Header

Figure 2 – Extracted Information in Email Header

The extracted header information above in Figure 2 displays fragments of the email from the received path. The threat actor spoofed the domain splashmath[.]com (an online learning game for children) with a spoofed IP address of 167[.]89[.]87[.]104, which is located in the United States. For this reason, the email slipped past basic security checks, such as DKIM and SPF, shown in Figure 2. The threat actor inserted keywords, such as “who” and “community”, in the sender email address to manipulate the user into thinking it’s from the World Health Organization.

Upon further investigation of the email header, the originating IP address of 88[.]119[.]86[.]63 was found to be from the Lithuanian city of Kaunas, as shown below in Figure 3. The phishing email was sent to different individuals, each with the same originating IP address, indicating the likelihood of a single threat actor carrying out these attacks.

Figure 3 – Originating IP Address

The body of the email in Figure 4, as shown below, urges the user to find out if there are cases of COVID-19 in their local area by clicking on ‘Read on’. When the end user clicks, they are led to believe that they will be directed to an updated WHO document. However, the user is actually directed to a Microsoft-branded credential phish that steals their Microsoft log-in information.

The subject of the email is “HIGH-RISK: New confirmed cases in your city,” followed by the spoofed WHO email address and display name (who[.]int-community[.]spread@ splashmath[.]com), thus making it appear as if the sender is really from the World Health Organization. The email does not contain any greeting addressed to the recipient, such as “Good Morning” or “Dear…”, indicating that this is a mass-email attack sent to many individuals. In addition, there is an image that would usually have loaded; however, in these stressful circumstances, individuals may overlook this and click on the “Read on” link anyway.

Figure 4 – Email Body

Network Indicators of Compromise (IOCs):

Users are under the impression that by clicking on the ‘read on’ link, they will be redirected to:

Hosted URL: hXXp://o[.]splashmath[.]com/ls/click?upn=H2FOwAYY7ZayaWl4grkl1LazPuy6jduhWjWPwf0O2D
IP addresses: 167[.]89[.]118[.]52, 167[.]89[.]123[.]54

The users are instead forwarded to one of the following malicious redirects:

Credential phishing page URLs (IP address):
hXXps://heinrichgrp[.]com/who/files/af1fd55c21fdb935bd71ead7acc353d7[.]php (31[.]193[.]4[.]14)
hXXps://coronasdeflores[.]cl/who (186[.]64[.]116[.]135)
hXXps://www[.]frufc[.]net/who/files/61fe6624ec1fcc7cac629546fc9f25c3[.]php (87[.]117[.]220[.]232)
hXXps://pharmadrugdirect[.]com/who (31[.]193[.]4[.]14)
hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php (82[.]166[.]34[.]188)

A quick Google search reveals the last phishing page listed above (hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php) was created with “WordPress” within the description (Figure 5), a potential red flag for a savvy end user.

Figure 5 – Google Search of the Phishing Page

As shown in Figure 6 below, recipients are presented with a high-quality, spoofed Microsoft login page. Upon clicking, the user’s email address is attached within the URL of the webpage; therefore, the individual’s username automatically appears in the login box. Upon logging in, the user is under the impression he or she has been authenticated into a legitimate Microsoft website. At this point, the user’s credentials are unfortunately in the hands of the threat actor.

Figure 6 – Final Phishing Page

HOW COFENSE CAN HELP

Cofense has created the Coronavirus Phishing Infocenter with examples of real Coronavirus phishing scams, an infographic illustrating 5 signs of these phish, a publicly available YARA rule, and much more.

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe. To remove the blind spot, get visibility of attacks with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received YARA rule PM_Intel_CredPhish_37315 and further information about this threat in Active Threat Report (ATR) 37315.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.



One, Two, Three Phish: Adversaries Target Mobile Users

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has spotted a phishing attack directed at mobile users purporting to come from Three, a British telecommunications and internet service provider. The attack relies on a well-spoofed HTML file, enticing users to provide everything from their password and personal details to their credit card information.

Users are informed of a bill payment that could not be processed by their bank. They are urged to download the HTML file “3GUK[.]html” to edit their billing information in order to avoid service suspension. Users should always be wary of requests to download and open HTML/HTM file attachments as opposed to being linked directly from their email client (which also, of course, is no guarantee of a legitimate email).

Figure 1 – Email Body

Spoofed Phish Page

As seen in Figures 2 and 3, the attached 3GUK[.]html file then requests login credentials, personal information and credit card details. The source code indicates this is a clone of actual Three HTML code, re-appropriated for malicious purposes; for instance, styling elements are pulled from actual Three websites. Additionally, all options in 3GUK[.]html direct to the legitimate relevant Three page so that, for example, if one clicks on “iPhone 11” under the Popular Phones section at the bottom, the end user is redirected to the real Three iPhone 11 page.

Figures 2 and 3 – Cloned Phishing Pages

The smoking gun is in the action attribute of the HTML form element. Figure 4 confirms that any information provided is processed by the “processing[.]php” script, located at hxxp://joaquinmeyer[.]com/wb/processing[.]php, a domain the adversary has compromised. Adversaries need only modify key sections of the cloned HTML code, such as the one in Figure 4 below, in order to turn benign code into a convincing phish.

Figure 4 – Malicious cloned HTML code

The Devil is in the Metadata

The From field, as seen in Figure 5 below, indicates “online@three[.]co[.]uk” as the apparent source of the email. The SPF check shows this was the address provided in the SMTP MAIL FROM command. We also see a SoftFail result for the originating IP 86.47.56.231; this means the domain of three.co.uk discourages, but does not explicitly rule out, this IP address as a permitted sender.

Figure 5 – SPF check

In other words, the SPF record for the domain three[.]co[.]uk contains the ~all mechanism, which flags but ultimately lets the email through. Worried that legitimate email will be blocked by a stricter SPF policy, such as a (Hard)Fail with -all, many companies’ SPF records do not dare make an explicit statement regarding who is and is not a permitted sender, potentially enabling spoofed emails.

A DNS PTR record resolves the originating IP 86.47.56.231 to mail[.]moultondesign[.]com. Although an apparent subdomain of moultondesign[.]com, there is no evident relation between the two. There is no corresponding DNS A record, as confirmed by a Wireshark capture, seen in Figure 6. The supposed parent domain is hosted by Namesco Ireland at 195.7.226.154, unlike the malicious IP address, which is part of the ADSL pool of Irish provider EIR, suggesting residential use.

Figure 6 – Missing DNS A Record

The email also contains a spoofed Message-ID (Figure 7). Although these do not need to conform to any particular structure, they often contain a timestamp. In this case, the digits on the left of the dot seem to follow the format YYYYMMDDhhmmss, amounting to 2020 February 5th 16:34:08; the digits to the right of the dot may or may not have any significance. Finally, the presence of Three’s Fully Qualified Domain Name adds a further element of credibility that might deceive more tech-savvy users.
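
The two header observations above, the ~all SoftFail and the timestamp-shaped Message-ID, can both be checked mechanically. The following is an added example, not code from the post or from Cofense: it evaluates an SPF record against a client IP (enough of RFC 7208 to show why ~all yields SoftFail for an unlisted IP while -all yields Fail) and decodes the YYYYMMDDhhmmss prefix of a Message-ID so it can be compared with the Date header. The SPF records, the Date header and the right-hand part of the Message-ID are constructed; the originating IP and the timestamp digits are the ones discussed above.

```python
"""Added example (not code from the Cofense post): two header checks on the Three phish.

evaluate_spf() applies an SPF record to a client IP the way a receiver does,
showing why a '~all' record yields SoftFail (flag but deliver) for an unlisted
IP such as 86.47.56.231 while '-all' yields Fail. decode_message_id() and
message_id_skew_seconds() pull the YYYYMMDDhhmmss prefix out of a Message-ID
and compare it with the Date header. The SPF records, Date header and the
right-hand part of the Message-ID are constructed; the Message-ID timestamp is
assumed to be UTC; include:/redirect= are not resolved (no DNS is used).
"""
import ipaddress
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data for the example.
SPF_SOFTFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"   # permissive record: unlisted IPs SoftFail
SPF_HARDFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"   # strict record: unlisted IPs Fail
ORIGINATING_IP = "86.47.56.231"                         # originating IP from the post
SAMPLE_MESSAGE_ID = "<20200205163408.1a2b3c@three.co.uk>"  # digits follow the post's decoding; rest constructed
SAMPLE_DATE_HEADER = "Wed, 05 Feb 2020 16:34:10 +0000"     # constructed Date header


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none for client_ip against a TXT SPF record.

    Supports ip4:/ip6: mechanisms and 'all', which is enough to show the effect of
    the trailing qualifier. Other mechanisms (a, mx, include, ...) are skipped.
    """
    if not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # RFC 7208: default qualifier is '+'
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith(("ip4:", "ip6:")):
            try:
                if ip in ipaddress.ip_network(mechanism.split(":", 1)[1], strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                continue   # malformed network: ignore the term
    return "neutral"   # nothing matched and no 'all' term: RFC 7208 default result


MESSAGE_ID_RE = re.compile(r"<(?P<left>\d{14})\.(?P<right>[^@>]+)@(?P<fqdn>[^>]+)>")


def decode_message_id(message_id: str):
    """Parse '<YYYYMMDDhhmmss.rest@fqdn>' into (timestamp, rest, fqdn); None if it has no such prefix."""
    match = MESSAGE_ID_RE.search(message_id)
    if not match:
        return None
    try:
        stamp = datetime.strptime(match.group("left"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    except ValueError:
        return None   # 14 digits that are not a calendar date
    return stamp, match.group("right"), match.group("fqdn")


def message_id_skew_seconds(message_id: str, date_header: str):
    """Absolute gap in seconds between the Message-ID timestamp and the Date header, or None."""
    decoded = decode_message_id(message_id)
    if decoded is None:
        return None
    sent = parsedate_to_datetime(date_header)
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    return abs((sent - decoded[0]).total_seconds())


if __name__ == "__main__":
    print("~all:", evaluate_spf(SPF_SOFTFAIL_RECORD, ORIGINATING_IP))   # softfail
    print("-all:", evaluate_spf(SPF_HARDFAIL_RECORD, ORIGINATING_IP))   # fail
    print("Message-ID:", decode_message_id(SAMPLE_MESSAGE_ID))
    print("skew (s):", message_id_skew_seconds(SAMPLE_MESSAGE_ID, SAMPLE_DATE_HEADER))
```

A large skew between the Message-ID timestamp and the Date header, or a Message-ID whose FQDN does not belong to the sending host, is a cheap triage signal to add alongside the SPF result.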

Figure 7 – Message-ID

IOCs:

Malicious URLs:
hxxp://joaquinmeyer[.]com/wb/processing[.]php
mail[.]moultondesign[.]com

Associated IPs:
65.60.11.250
86.47.56.231


HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 37144.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.



This Employee Satisfaction Survey is Not so Satisfying… Except for the Credential Phishing Actors Behind It.

By Max Gannon and Dylan Duncan, Cofense Intelligence

Cofense Intelligence has tracked a complex credential phishing operation that evades Microsoft Office 365, Cisco Ironport and Mimecast Secure Email Gateways and has been active since at least December 2019—a very long time for an active credential phishing campaign. The use of a series of convincing tactics suggests that threat actors have taken great effort to create an air of authenticity for targeted recipients. Targeted users receive an email, supposedly from their HR departments, mandating that they complete a SurveyMonkey employee satisfaction survey. The convoluted attack chain uses trusted sources and eventually redirects to a real SurveyMonkey survey, allowing the threat actors to evade detection, and provides recipients with the end results that they expect – a real survey.

This credential phishing chain begins with an email (Figure 1) containing a link to a PDF hosted on the legitimate cloud service provider Hightail. The email itself contains multiple tactics, techniques, and procedures (TTPs) to deceive the end user. These TTPs consist of a seemingly legitimate Hightail spoofed email address ‘delivery @ spaces[.]hightailmail[.]com,’ fronting as a target’s HR department. The email creates a sense of urgency, indicating the survey is mandatory, requires action, only takes a few moments to complete, and will benefit the targeted employee.

Figure 1: Example of one original email sent to targeted recipients

After following the link to Hightail, a PDF is downloaded (Figure 2). Within the PDF, the from, subject, and message fields match the email line for line. The Hightail URLs contain the recipient’s email address encoded in the URL path, and because the threat actor controls the hosted page, these collected URLs could be decoded to gather the email address before the recipient even accesses the PDF. Hightail provides a preview of the PDF before downloading (Figure 3), which shows a faded survey and an icon that appears to lead into the survey.
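
Three of the campaigns on this page carry the recipient’s address in the URL: the Skype page pre-fills the username from a base64 copy of it, the WHO-themed page attaches it to the URL, and the Hightail links encode it in the path. The following is an added example, not code from the post or from Cofense, that scans a URL’s path segments, query values and fragment for an address in clear text, percent-encoded, or base64/URL-safe-base64 encoded, which is a useful enrichment when triaging reported links. All URLs and the address are constructed (reserved .test/.invalid names).

```python
"""Added example (not code from the Cofense post): find a recipient address hidden in a URL.

The Skype page pre-fills the username from a base64 copy of the address in
the URL, the WHO-themed page attaches the address to the URL, and the Hightail
links carry it encoded in the path. find_embedded_emails() checks every path
segment, query value and fragment for an address in clear text, percent-
encoded, or base64/URL-safe-base64 encoded. All URLs and the address below
are constructed for the example (reserved .test/.invalid names).
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_ALPHABET_RE = re.compile(r"[A-Za-z0-9+/=_-]+")


def _base64_decodings(token: str):
    """Yield plausible UTF-8 decodings of token as standard or URL-safe base64 (padding repaired)."""
    if len(token) < 8 or not B64_ALPHABET_RE.fullmatch(token):
        return
    padded = token + "=" * (-len(token) % 4)   # phishing kits often strip the '=' padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue   # not valid base64 in this alphabet, or not text


def find_embedded_emails(url: str) -> list:
    """Return [(location, encoding, email), ...] for every address found in the URL."""
    parts = urlsplit(url)
    candidates = [("path", seg) for seg in parts.path.split("/") if seg]
    candidates += [(f"query:{key}", value) for key, value in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        candidates.append(("fragment", parts.fragment))

    found = []
    for location, token in candidates:
        plain = unquote(token)   # handles victim%40example.test style encoding
        for email in EMAIL_RE.findall(plain):
            found.append((location, "plain", email))
        for text in _base64_decodings(plain):
            for email in EMAIL_RE.findall(text):
                found.append((location, "base64", email))
    return list(dict.fromkeys(found))   # de-duplicate, keep first-seen order


# Constructed samples: a constructed address embedded the three ways seen in the posts.
SAMPLE_ADDRESS = "victim@example.test"
SAMPLE_URLS = {
    "skype_style": "https://skype-online-example.invalid/#"
                   + base64.urlsafe_b64encode(SAMPLE_ADDRESS.encode()).decode().rstrip("="),
    "query_style": "https://who-example.invalid/login?email=victim%40example.test",
    "path_style": "https://files-example.invalid/download/"
                  + base64.b64encode(SAMPLE_ADDRESS.encode()).decode(),
    "clean": "https://example.invalid/signin",
}

if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(name, "->", find_embedded_emails(url))
```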

Figure 2: The Hightail web page hosting a PDF that recipients are encouraged to download

Figure 3: A preview of the PDF hosted on Hightail, encouraging the user to participate in the “mandatory” survey

Once the PDF has been downloaded, a ‘Take Survey’ icon links to one of many credential phishing URLs used in this scheme. As displayed in Figure 4 below, the phishing URLs often change with each different PDF, but continue to remain consistent with the theme of an HR Department survey.

Examples include:

  • hxxps://hrsurveyportal[.]work/Start/
  • hxxps://my[.]hr-portalsurvey[.]work/

A complete list of the identified URLs used in different PDFs is included at the end of this document in Table 2. This kind of differentiation allows the threat actors to maintain an appearance of legitimacy in their phishing URLs, while making it more difficult to defend against these attacks by shunning previously used or shared URLs.

Figure 4: PDF with an embedded link to a credential phishing website

This credential phishing campaign, and its variants, have been operating since at least December 5th, 2019. In most of these identified campaigns, the credential phishing pages were the same spoofed “Norton Secured” page, seen in Figure 5, regardless of the URL or the original target company. Older campaigns, primarily seen in December and January, mostly used appspot[.]com sub-domains rather than HR department themed domains and all led to pages like the one shown in Figure 6.

Figure 5: Spoofed login page where credentials are harvested

Figure 6: A less convincing example of a credential phishing page identified in this broader campaign.

When a recipient enters his or her information in any of the credential phishing websites, the data is sent via an HTTP POST to the URL shown in Figure 7. This is most commonly hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/. Much like the hrsurvey[.]work URL variants designed to provide an additional sense of legitimacy, this URL also spoofs “Norton Secured”. Recipients are then immediately sent to the SurveyMonkey survey shown in Figure 8.

Figure 7: Credential phishing page source with the highlighted URL where credentials are posted and recipients are redirected.

Figure 8: The final SurveyMonkey survey

The SurveyMonkey survey shown in Figure 8 is of particular importance. First, the survey is either a legitimate one repurposed by the threat actors, or one the threat actors built themselves. Either way, the detail and effort put into it suggests the threat actors intend to use the survey as a long-term resource across many short-lived credential phishing pages. Second, the survey gives targeted recipients a credible ending to the attack chain, so nothing prompts them to suspect that anything has happened. Many credential phishing campaigns end by redirecting the user to a generic page or showing a login error, which can make users stop, reconsider what just happened, warn colleagues or report the original email. By avoiding such signposts, the threat actors protect their infrastructure and delay detection.

This campaign presented a convincing impersonation of an HR department delivering a mandatory survey to its employees. The final destination of the chain was a survey hosted on SurveyMonkey, leaving recipients with no reason to think anything was wrong. Ending the chain on a well-known legitimate site, rather than on an obvious error message or redirect, shows a level of attention beyond what credential phishing adversaries usually exhibit. The credential phishing infrastructure was also hosted on purpose-registered domains rather than on compromised ones, as is more common in simple credential phishing. Cofense Intelligence assesses that this campaign was carefully designed for long-term use and minimal detection, which has likely contributed to its repeated success, itself unusual for credential phishing.

Indicators of Compromise

Hightail-hosted PDF URLs
  • hxxp://spaces[.]hightail[.]com/receive/gmaTEP8hhh/
  • hxxp://spaces[.]hightail[.]com/receive/GvXjcQjRac/
  • hxxp://spaces[.]hightail[.]com/receive/gWGl9E9QrM/
  • hxxp://spaces[.]hightail[.]com/receive/hiasiM3Bc4/
  • hxxp://spaces[.]hightail[.]com/receive/Huh5Kd9ngs/
  • hxxp://spaces[.]hightail[.]com/receive/N2hZnCrDRr/
  • hxxp://spaces[.]hightail[.]com/receive/NewA1DfvtL/
  • hxxp://spaces[.]hightail[.]com/receive/pvHwWmHUxB/
  • hxxp://spaces[.]hightail[.]com/receive/rlTbN1a1sV/
  • hxxp://spaces[.]hightail[.]com/receive/wgmOI2E6VF/
  • hxxp://spaces[.]hightail[.]com/receive/yGDAtZ2Cld/

Credential phishing page URLs
  • hxxps://hrsurvey[.]work/Home/
  • hxxps://hrsurvey[.]work/hr/
  • hxxps://hrsurveyportal[.]work/begin/
  • hxxps://hrsurveyportal[.]work/secure/
  • hxxps://hrsurveyportal[.]work/Start/
  • hxxps://my[.]hr-portalsurvey[.]work/
  • hxxps://my[.]hrsurveyportal[.]work/
  • hxxps://my[.]worksurvey[.]work/
  • hxxps://secure[.]hrsurveyportal[.]work/
  • hxxps://mwz1552alry[.]appspot[.]com/

Credential POST and redirect URLs
  • hxxps://csosun[.]org/administrator/manifests/login[.]php
  • hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/

Hosted survey URL
  • hxxps://www[.]surveymonkey[.]com/r/2MHSTQ8

Downloaded PDF files (MD5)
  • Employee Satisfaction Survey.pdf   d61822e79a797356598b6296af360f3e
  • Employee Satisfaction Survey.pdf   b760297ada010198d40f585206e2c769

Cofense indicators
  • Cofense Intelligence ATR ID: 36729
  • Cofense Triage YARA rule: PM_Intel_CredPhish_36729

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 36729.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Innovate to Exploit COVID-19, Delivering OpenOffice .ODP Attachments on a Shoestring Budget

By Tonia Dudley, Cofense Security Solutions

Have you ever paid an invoice delivered in a PowerPoint file, like the one in Figure 1 below? No? Me neither. An accounts reconciliation aging report? Don’t those typically get sent as a PDF so your auditor can be sure you haven’t “adjusted” the report?

Figure 1: Phishing email with fake invoice delivered via an .ODP file, appearing as a .PPT file

We recently uncovered a new, previously unseen tactic used by threat actors eager to capitalize on organizations’ concerns around COVID-19. The lure is an OpenDocument Presentation (.ODP) file, a format that Microsoft Office registers for PowerPoint, so on a workstation with Office installed the attachment carries the familiar PowerPoint icon and an unsuspecting user takes it for a .PPT.

But let’s go back to the emails that included this file type. Would you receive an email to process an invoice that used a PowerPoint file for this transaction? It’s no wonder a well-trained user was able to spot this email as suspicious and reported the message to the Cofense Phishing Defense Center.

As we continue to monitor suspicious COVID-19 related emails, both seen in the wild and reported by our customers, we noticed a few interesting tactics in the email shown in Figure 2, which leverages the OpenOffice format to trick unsuspecting employees into opening the document. The message itself is basic and carries some simple phishing indicators. The salutation is generic and an incomplete sentence, “Good morning.” Is this how you would punctuate that salutation? Speaking of punctuation, the sender also placed a period after “signing” the name, “Donna.”, at the end of the email.

The header information held a surprise: the message was stamped “Received-SPF: Fail”, and it was still delivered to the inbox. Organizations spend a great deal of time configuring SPF, DKIM and DMARC, but an SPF failure on its own does not get a message rejected. What the receiving gateway does with it depends on its own policy and on the DMARC record published by the domain in the From header; with no DMARC record, or a policy of p=none, the failing message is simply delivered. We will give this organization the benefit of the doubt and assume that control is still being tuned.
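To make the SPF-versus-delivery point concrete, here is an added Python example (not code from the post) that applies the DMARC evaluation a receiving gateway performs: it reads the Authentication-Results and From headers, checks whether a passing SPF or DKIM result is aligned with the From domain, and returns the disposition the From domain’s policy calls for. The headers, the authserv-id mx.victim.example, the domains example-vendor.com and strict-vendor.com and their DMARC records are all constructed stand-ins; in production the record comes from a TXT lookup of _dmarc.<domain>.

```python
"""Why a 'Received-SPF: Fail' message can still land in the inbox: the
disposition is decided by the header-From domain's DMARC policy, not by SPF alone."""
import email
import re
from email.utils import parseaddr

# Constructed headers modelled on the ODP phish (not the actual message); RFC 5737 test address.
RAW_PHISH = """Received-SPF: Fail (mx.victim.example: domain of donna@example-vendor.com does not designate 203.0.113.7 as permitted sender)
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=example-vendor.com; dkim=none; dmarc=none header.from=example-vendor.com
From: "Donna" <donna@example-vendor.com>
To: ap@victim.example
Subject: Invoice - COVID-19 preparation guide

Good morning.
"""

# Constructed stand-in for the _dmarc.<domain> TXT lookup.  None = no record published.
DMARC_RECORDS = {
    "example-vendor.com": None,
    "strict-vendor.com": "v=DMARC1; p=reject; aspf=s; adkim=s",
}


def parse_auth_results(header):
    """'authserv; spf=fail smtp.mailfrom=x; dkim=none' -> {'spf': ('fail', 'x'), 'dkim': ('none', None)}"""
    results = {}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, rest = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", rest)
        results[method] = (result.lower(), dom.group(1).lower() if dom else None)
    return results


def org_domain(domain):
    """Crude organizational domain (last two labels); enough for relaxed alignment here."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_outcome(raw_message, records=DMARC_RECORDS):
    """Return 'pass', or the policy the receiver should apply: 'none', 'quarantine' or 'reject'."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    record = records.get(from_domain)
    tags = {}
    if record:
        tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

    def aligned(domain, mode):
        if domain is None:
            return False
        if mode == "s":                      # strict: exact match with the From domain
            return domain == from_domain
        return org_domain(domain) == org_domain(from_domain)   # relaxed: same org domain

    spf_result, spf_domain = auth.get("spf", ("none", None))
    dkim_result, dkim_domain = auth.get("dkim", ("none", None))
    if spf_result == "pass" and aligned(spf_domain, tags.get("aspf", "r")):
        return "pass"
    if dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r")):
        return "pass"
    if not record:
        return "none"          # DMARC fails, but there is no policy to enforce: delivered
    return tags.get("p", "none")
```

For the constructed phish the result is "none": SPF failed, but the sending domain publishes no DMARC record, so there is nothing for the gateway to enforce and the message goes through. The same headers from a domain with p=reject come back "reject", which is the outcome the defender would want here; a gateway rule that quarantines on spf=fail regardless of DMARC is the local fix when the sending domain cannot be relied on to publish one.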

Yet the most interesting part of this phishing email is the attachment itself – we had never seen an .ODP file type in a phishing email before.

Figure 2: Phishing email delivering an .ODP file masquerading as a COVID-19 preparation guide

To make sure our customers can detect this tactic, we wrote a YARA rule that matches any OpenOffice file type rather than the .ODP extension alone. Searching with it took us back to late January for the first use of .ODP files, and also surfaced another OpenOffice file type, .ODT, which displays the Microsoft Word icon to the user. In every one of these files the attachment existed only to carry a link to the malicious website.
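The rule name above is all the post gives, so as an added example (not Cofense’s rule or code) here is the same detection written in Python: it identifies OpenDocument packages by their structure, a ZIP whose first entry is an uncompressed file named "mimetype", so a file renamed to .ppt or .doc is still caught, and then pulls the hyperlinks out of content.xml, since a link was the only payload these lures carried. The sample attachment, the URL phish.example inside it and the filenames are constructed for the demonstration.

```python
"""Detect OpenDocument attachments (ODP/ODT/ODS) by content, whatever their name or icon."""
import io
import re
import zipfile

# ODF 1.2 part 3: the package is a ZIP whose first entry is an uncompressed file
# named "mimetype" holding the document's media type.  Because a ZIP local file
# header is 30 bytes, that puts the bytes b"mimetype" at offset 30 of every
# conforming file, the same test a YARA rule would express as
# uint32(0) == 0x04034b50 together with a string match at offset 30.
ODF_MIMETYPES = {
    "application/vnd.oasis.opendocument.presentation": "odp",
    "application/vnd.oasis.opendocument.text": "odt",
    "application/vnd.oasis.opendocument.spreadsheet": "ods",
}


def build_sample_odf(mimetype, content_xml):
    """Construct a minimal ODF-shaped package in memory (stand-in for the phish's attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("mimetype"), mimetype, compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content_xml, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Constructed sample: an .odp whose only payload is a link, like the ones described above.
SAMPLE_ODP = build_sample_odf(
    "application/vnd.oasis.opendocument.presentation",
    '<office:document-content><text:a xlink:href="https://phish.example/invoice/login">'
    'View invoice</text:a></office:document-content>',
)


def odf_kind(data):
    """'odp' / 'odt' / 'ods' if data is an OpenDocument package, else None."""
    if data[:4] != b"PK\x03\x04" or data[30:38] != b"mimetype":
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if not names or names[0] != "mimetype":
                return None
            if z.getinfo("mimetype").compress_type != zipfile.ZIP_STORED:
                return None
            media_type = z.read("mimetype").decode("ascii", "replace").strip()
    except zipfile.BadZipFile:
        return None
    return ODF_MIMETYPES.get(media_type)


def extract_links(data):
    """http(s) hyperlinks inside content.xml; these lures carried nothing else of interest."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "content.xml" not in z.namelist():
            return []
        xml = z.read("content.xml").decode("utf-8", "replace")
    return re.findall(r'xlink:href="(https?://[^"]+)"', xml)


def triage_attachment(filename, data):
    """None for non-ODF data; otherwise the kind, whether the extension lies, and embedded links."""
    kind = odf_kind(data)
    if kind is None:
        return None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"kind": kind, "extension_mismatch": ext != kind, "links": extract_links(data)}
```

Run against the constructed sample under the name Invoice.ppt, the triage reports an ODP package with an extension mismatch and one link to pull into URL analysis; the same bytes named deck.odp report no mismatch. The extension check matters because, as described above, the icon the user sees comes from the name, not the content.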

HOW COFENSE CAN HELP

Yara Rule: PM_LABS_OpenOffice_ImpressFiles

For more information and resources about COVID-19 related phish and malware, visit our Infocenter: https://cofense.com/solutions/topic/coronavirus-infocenter/


Going Phishing in the African Banking Sector

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has uncovered a phishing campaign aimed at customers of African financial services group ABSA. Mimicking ABSA’s online banking portal, the adversaries attempt to steal users’ online banking credentials to gain access to their bank accounts.

The phishing email presents the end user with a couple of lines of text announcing pending transfers from another bank that need authorization. To connect to the online portal, the user must download and open the HTML attachment “IBPAYDOC.htm”. The email makes no real attempt to imitate a legitimate ABSA communication and relies entirely on the user’s misplaced curiosity.

Figure 1 (Email Body)

Phishing Portal

Upon opening the htm file, the user is directed to a fake ABSA online banking portal at hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php, which is almost identical to the legitimate ABSA portal, as seen in Figures 2 and 3. The user is prompted to provide an “access account” number, PIN and user number that are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php.

Figure 2 – Legitimate ABSA Portal

Figure 3 – Copycat ABSA Portal

The adversaries compromised the website at ahmadnawaz[.]org, belonging to Pakistani education activist Ahmed Nawaz, and created a “/ched” directory on it to hold their PHP files and subdirectories, as the directory listing in Figure 4 shows.

Figure 4 – Index of /ched

Next, the recipient is asked to provide a password at hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php. This request should tip off users for three reasons. First, ABSA never asks for an entire password. Second, and in contradiction to that, ABSA’s usual password instructions appear on the right-hand side of the page; although the real portal only asks for specific characters of the password, the adversaries kept the guidance to make the fake portal look as genuine as possible. Finally, the user’s SurePhrase, part of ABSA’s SureCheck service, is missing. The entered password is posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php.

Figure 5 – Fake password login page

The user is then directed to hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php, where a 60-second timer is displayed. Once it reaches zero, the user is instructed to provide a phone number and a code from the ABSA app. Real verification requests are pushed to the ABSA banking app; here no code arrives, because the user is not on ABSA’s legitimate portal. The threat actors likely count on curious or frustrated users proceeding with the login anyway despite never receiving a verification request, which lets them steal additional personal information. The phone number and app code are posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php.

Figure 6 – Timer in profile .php

Figure 7 – Verification Request

Finally, if and when the user provides the last two pieces of information, the phone number and app passcode, the next stop is hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php, where the timer runs out and restarts indefinitely. Figure 8 shows the complete HTTPS traffic.
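Because the kit exfiltrates in three separate POSTs, the traffic in Figure 8 tells an incident responder not just who visited the page but exactly which secrets each user surrendered. The Python below is an added example (not code from the post) that reconstructs that from web proxy logs: it maps each client to the furthest kit page it reached and to the data types handed over at each mailN.php POST. The log lines are constructed in a simplified epoch/client/method/URL/status layout, and the client addresses are placeholders; the host, paths and stage order are the ones described above.

```python
"""Reconstruct from proxy logs how far each user got through the ABSA kit and what they gave up."""
import re
from collections import defaultdict

KIT_HOST = "www.ahmadnawaz.org"
# Page order of the kit described above.
KIT_STAGES = ["tnop.php", "mail1.php", "pass.php", "mail2.php", "profile.php", "mail3.php", "finish.php"]
# The three POST handlers and what each one receives.
EXFIL_ENDPOINTS = {
    "mail1.php": "access account number, PIN and user number",
    "mail2.php": "password",
    "mail3.php": "phone number and app code",
}

# Constructed proxy log lines (epoch, client, method, URL, status), not real traffic.
SAMPLE_LOG = """\
1583000001 10.0.0.5 GET https://www.ahmadnawaz.org/ched/tnop.php 200
1583000009 10.0.0.5 POST https://www.ahmadnawaz.org/ched/mail1.php 302
1583000010 10.0.0.5 GET https://www.ahmadnawaz.org/ched/pass.php 200
1583000025 10.0.0.5 POST https://www.ahmadnawaz.org/ched/mail2.php 302
1583000026 10.0.0.5 GET https://www.ahmadnawaz.org/ched/profile.php 200
1583000030 10.0.0.9 GET https://www.ahmadnawaz.org/ched/tnop.php 200
1583000031 10.0.0.9 GET https://www.example.com/ 200
not a log line
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")
KIT_RE = re.compile(r"^https?://([^/]+)/ched/([a-z0-9]+\.php)", re.I)


def parse_log(log):
    """Yield (timestamp, client, method, url, status); lines that do not fit are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, status = m.groups()
            yield int(ts), client, method, url, int(status)


def kit_stage(url):
    """Stage name if url is a request into the /ched kit on the compromised host, else None."""
    m = KIT_RE.match(url)
    if m and m.group(1).lower() == KIT_HOST:
        return m.group(2).lower()
    return None


def victims(log):
    """client -> {'furthest': stage, 'leaked': [data types]} for every client that touched the kit."""
    report = defaultdict(lambda: {"furthest": None, "leaked": []})
    for _ts, client, method, url, _status in parse_log(log):
        stage = kit_stage(url)
        if stage is None:
            continue
        entry = report[client]
        if stage in KIT_STAGES and (entry["furthest"] is None
                                    or KIT_STAGES.index(stage) > KIT_STAGES.index(entry["furthest"])):
            entry["furthest"] = stage
        if method == "POST" and stage in EXFIL_ENDPOINTS:
            entry["leaked"].append(EXFIL_ENDPOINTS[stage])
    return dict(report)
```

On the sample, 10.0.0.5 reached profile.php and has already posted the account number, PIN, user number and password (a call to the bank, not just a password reset), while 10.0.0.9 only loaded the landing page and gave nothing away. Walking the stages this way is more useful than a plain URL match because it separates the users who need an urgent response from those who merely clicked.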

Figure 8 – HTTPS Traffic Overview

IOCs:

Malicious URLs
hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php

Associated IPs:
74[.]63[.]242[.]34

 


Utilizing YouTube Redirects to Deliver Malicious Content

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) recently observed an increase in phishing attempts that deliver phishing pages via YouTube redirects.

Threat actors often use social media websites as redirectors to malicious pages. Most organizations allow platforms such as YouTube, LinkedIn and Facebook and allow-list their domains, so a redirect through one of them opens without any fuss. In this case, anyone who clicks on the phish is taken to a phony login page designed to steal credentials.

Figure 1: Email Header

The phishing email originates from the newly registered fraudulent domain sharepointonline-po.com, registered on February 19, 2020 through Namecheap.

The threat actor in this scenario has posed as SharePoint, indicating that a new file has been uploaded to the company’s SharePoint site. Although the email may appear illegitimate to a trained eye, a curious or unsuspecting end user may click the button expecting to see a legitimate file.

The link embedded in the email is: hXXps://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompanyname[.]sharepointonline-ert[.]pw

The link lands on YouTube’s redirect endpoint, which forwards the browser to companyname[.]sharepointonline-ert[.]pw; that domain in turn sends the user on to the final landing page of the phish, located at:

hXXps://firebasestorage[.]googleapis[.]com/v0/b/sharepointonline-fc311.appspot[.]com/o/Sharepoint2019427c31ba-0238-4747-bfd3-13369aa06b4d427c31ba-0238-4747-bfd3-13369aa06b4d427c31bb%2Findex[.]html

So far, every phishing link in this campaign uses a variation of sharepointonline-ert[.]pw: “sharepointonline-” followed by three letters, always under the .pw top-level domain. Each of these fraudulent domains is registered with Namecheap shortly before use, which suggests automated registration. The SharePoint redirection domains collected so far include:

sharepointonline-eer[.]pw
sharepointonline-sed[.]pw
sharepointonline-ert[.]pw
sharepointonline-eyt[.]pw

With three lowercase letters after the hyphen there are 26^3 = 17,576 possible domains in this pattern, far too many to block one at a time as they appear. A regular expression that matches the pattern itself blocks all of them, and the attack that follows, at once.
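Here is that regular expression put to work, as an added Python example (not code from the post): it unwraps the YouTube redirector to expose the real destination, tests the destination host against the sharepointonline-xxx[.]pw pattern, and recovers the targeted recipient that the kit appends after “#”. The sample URL is the campaign link from the Network IOCs below, refanged; the youtube.com redirector parameter name “q” is taken from that same URL, and the block generalizes slightly by keeping a table of redirectors so other open redirectors can be added.

```python
"""Unwrap the YouTube redirector, match the rotating sharepointonline-xxx[.]pw lure domains,
and recover the targeted recipient from the URL fragment."""
import re
from urllib.parse import parse_qs, urlsplit

# Three lowercase letters after the hyphen under any subdomain, always .pw: 26**3 = 17,576 names.
SHAREPOINT_LURE = re.compile(r"^(?:[\w-]+\.)*sharepointonline-[a-z]{3}\.pw$", re.I)

# Open redirectors worth unwrapping, with the query parameter that carries the destination.
REDIRECTORS = {"www.youtube.com": "q", "youtube.com": "q"}

# The campaign link from this post, refanged (v= and redir_token values are from the IOC).
SAMPLE_URL = ("https://www.youtube.com/redirect?v=6l7J1i1OkKs"
              "&q=http%3A%2F%2FCompany.sharepointonline-ert.pw%23john.smith@company.Com"
              "&redir_token=-N5bmOAEmF36DCYcYY25tfVENgB8MTU4MjIwMTEyOEAxNTgyMTE0NzI4")


def unwrap_redirect(url):
    """Destination hidden behind a known redirector, or the url itself if it is not one."""
    parts = urlsplit(url)
    param = REDIRECTORS.get((parts.hostname or "").lower())
    if param and parts.path == "/redirect":
        dest = parse_qs(parts.query).get(param)     # parse_qs percent-decodes the value once
        if dest:
            return dest[0]
    return url


def recipient_from_fragment(url):
    """The kit puts the victim's address after '#', so only client-side script ever sees it."""
    m = re.search(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", urlsplit(url).fragment)
    return m.group(0).lower() if m else None


def analyze(url):
    """One verdict per link: where it really goes, whether that host fits the lure pattern, who was targeted."""
    dest = unwrap_redirect(url)
    host = (urlsplit(dest).hostname or "").lower()
    return {
        "destination": dest,
        "redirector_used": dest != url,
        "matches_lure_pattern": bool(SHAREPOINT_LURE.match(host)),
        "recipient": recipient_from_fragment(dest),
    }
```

Matching on the unwrapped destination rather than on the link as delivered is the important part: a gateway that reputation-scores www.youtube.com sees nothing wrong with the original URL. The same regex dropped into a proxy or DNS block list covers every three-letter variant, including those not yet registered.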

After the YouTube and fraudulent SharePoint redirects, users land on a Google-hosted page (Firebase storage on googleapis.com) that serves the final page of the phish. Because the page is hosted on a legitimate Google domain, its TLS certificate is a valid Google certificate, which furthers the illusion of a legitimate page. Hosting on a reputable domain also helps the threat actor slip past Secure Email Gateways (SEGs) and other controls that rely on domain reputation.

Figure 3: Phishing Page

Once end users click on the link, they are presented with a typical Microsoft branded login page. Nothing appears amiss–in fact, it is almost a perfect replica. The main differences are: the box surrounding the login is black instead of white; the small detail of the banner at the bottom has different information than Microsoft’s actual login; and the copyright year is showing as 2019.

The recipient’s email address is appended to the URL as a fragment (the “%23”, i.e. “#”, followed by the address in the IOC below). Fragments are never sent to the server, so script on the page reads it and pre-populates the login box with the account name. Once users provide their password, it is sent to the threat actor.

Network IOCs
hXXps://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompany[.]sharepointonline-ert[.]pw%23john.smith@company.Com&=company=company&redir_token=-N5bmOAEmF36DCYcYY25tfVENgB8MTU4MjIwMTEyOEAxNTgyMTE0NzI4
hXXps://firebasestorage[.]googleapis[.]com/v0/b/sharepointonline-fc311.appspot[.]com/o/Sharepoint2019427c31ba-0238-4747-bfd3-13369aa06b4d427c31ba-0238-4747-bfd3-13369aa06b4d427c31bb%2Findex[.]html

 

Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36586.

Threat Actors Capitalize on Global Concern About Coronavirus in New Phishing Campaigns

By Kyle Duncan and Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign, found in an environment protected by Ironport, that aims to alarm end users and manipulate them into clicking on a Microsoft-branded credential phish that preys on concerns surrounding the coronavirus.

The email appears to be from The Centers for Disease Control and the message is that the coronavirus has officially become airborne and there have been confirmed cases of the disease in your location. The email goes on to say that the only way to minimize risk of infection is by avoiding high-risk areas that are listed on a page they have personally hyperlinked to you – the recipient. The email is NOT from the CDC and the link to possible safe havens is actually malicious.

Since news of the coronavirus hit national headlines, many threat actors have played on its infamy to target unsuspecting users. While numerous phishing campaigns tout the latest safety measures, all claiming to come from reputable health organizations or doctors, this email differs in its methods, weaponizing fear to panic users into clicking malicious links.

Figure 1: Email Header

The following are snippets of the header information for the email. Looking at the first hop in the Received chain, we see that the email came from a host in the veloxserv.net domain with the IP address 193[.]105[.]188[.]10, located in the United Kingdom, which obviously has nothing to do with the Centers for Disease Control. However, the sender identified itself in its HELO/EHLO command as “cdc.gov”. The HELO name is nothing more than a claim made by the connecting client: the receiving server records it in the Received header but does not verify it, so at a glance the message appears to originate from cdc.gov.

Figure 2: Email Body

The subject of the email is “COVID-19 – Now Airborne, Increased Community Transmission” followed by a spoofed display name, CDC INFO, and from address, CDC-Covid19@cdc.gov, thus making it appear as if the sender is really the CDC. Despite odd capitalization on some words in the email, it is a rather good forgery which, when combined with the high stress situation it presents, may cause most users to overlook those details and click the link immediately.
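The HELO spoof described above is easy to check mechanically, because every Received header carries both what the client claimed (the HELO name) and what the server observed (the connecting IP and its reverse DNS). The Python below is an added example, not code from the post: it walks the Received chain back to the first publicly routable hop and flags the case where the HELO name backs up the From domain while the observed host does not. The headers are constructed to match the details quoted above; the receiving host mx1.victim.example, the reverse DNS name host.veloxserv.net and the timestamps are assumptions.

```python
"""Walk the Received chain to the first external hop and compare the HELO claim with reality."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed headers shaped like the CDC phish, not the real message.  The sender IP,
# HELO name, From address and veloxserv.net origin are the values quoted above; the
# receiving host mx1.victim.example and the rDNS name host.veloxserv.net are assumptions.
RAW_CDC = """\
Received: from mx1.victim.example (localhost [127.0.0.1]) by mx1.victim.example with ESMTP id 4A1; Thu, 27 Feb 2020 10:00:02 +0000
Received: from cdc.gov (host.veloxserv.net [193.105.188.10]) by mx1.victim.example with ESMTP; Thu, 27 Feb 2020 10:00:01 +0000
From: CDC INFO <CDC-Covid19@cdc.gov>
Subject: COVID-19 - Now Airborne, Increased Community Transmission

"""

# "from <HELO name> (<rDNS> [<ip>])": the HELO name is whatever the client sent;
# the rDNS and IP are what the receiving MTA observed for the connection.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)")


def org_domain(name):
    """Crude organizational domain (last two labels)."""
    return ".".join(name.lower().split(".")[-2:])


def hops(msg):
    """Received headers oldest first, as (helo, rdns, ip); unparsable headers are skipped."""
    parsed = []
    for header in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(header.split()))      # unfold continuation lines
        if m:
            rdns = None if m["rdns"] in (None, "unknown") else m["rdns"]
            parsed.append((m["helo"], rdns, m["ip"]))
    return parsed


def first_external_hop(msg):
    """The earliest hop whose connecting address is publicly routable: where the mail really came from."""
    for helo, rdns, ip in hops(msg):
        try:
            if ipaddress.ip_address(ip).is_global:
                return helo, rdns, ip
        except ValueError:
            continue
    return None


def helo_spoof_check(raw_message):
    """Flag a HELO that vouches for the From domain while the observed host belongs elsewhere."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = first_external_hop(msg)
    if hop is None:
        return {"suspicious": False, "reason": "no external hop found"}
    helo, rdns, ip = hop
    helo_matches_from = org_domain(helo) == from_domain
    helo_matches_rdns = rdns is not None and org_domain(rdns) == org_domain(helo)
    return {
        "ip": ip, "helo": helo, "rdns": rdns, "from_domain": from_domain,
        # HELO backs up the From domain but the network identity does not: a spoof signal
        "suspicious": helo_matches_from and not helo_matches_rdns,
        "reason": f"HELO claims {helo}; connecting host is {rdns or 'unresolved'} at {ip}",
    }
```

The loopback hop added by the receiving server’s own relay is skipped, which is why the check looks for the first globally routable address rather than simply the last Received header. For the constructed message the verdict is suspicious: HELO says cdc.gov, the connection came from veloxserv.net infrastructure at 193.105.188.10. A legitimate cdc.gov mail server, whose reverse DNS agrees with its HELO, passes the same check.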

Users are led to believe they are clicking a link to:
hxxps://www[.]cdc[.]gov/COVID-19/newcases/feb26/your-city[.]html

However, embedded behind that link is the following malicious redirect:
hxxp://healing-yui223[.]com/cd[.]php

Which in turn goes to the final landing page of the phish located at:
hxxps://www[.]schooluniformtrading[.]com[.]au/cdcgov/files/

Upon further research, there were two additional compromised sites set up with this same phishing kit.

Additional redirecting URLs found were:
hxxps://onthefx[.]com/cd[.]php

Additional phishing pages:
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files
hxxps://gocycle[.]com[.]au/cdcgov/files/

In each of these three attacks, the URLs used to redirect the victim to the credential phishing site are of Japanese origin, and all use the file cd.php to force the redirection. The phishing pages themselves all sit under the same top-level domain, .com.au, and each is served over HTTPS with a valid certificate. These shared traits suggest a single threat actor. Further observation may reveal the actor’s identity, or at least a general pattern that can be monitored for and blocked at the network perimeter.

Figure 3: Phishing Page

Users will be presented with a generic looking Microsoft login page upon clicking the link.

The recipient’s email address is appended to the URL, which automatically populates the login box with the account name. The only thing left for the user to provide is a password. Once entered, the password is sent to the threat actor.

Once users enter their credentials, they are redirected to a legitimate website of the CDC:

hxxps://www[.]cdc[.]gov/coronavirus/2019-ncov/php/preparing-communities[.]html

Indicators of Compromise:

Network IOC                                                     IP
hxxps://healing-yui223[.]com/cd[.]php                           150[.]95[.]52[.]104
hxxps://www[.]schooluniformtrading[.]com[.]au/cdcgov/files/     118[.]127[.]3[.]247
hxxps://onthefx[.]com/cd[.]php                                  153[.]120[.]181[.]196
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files             112[.]140[.]180[.]26
hxxps://gocycle[.]com[.]au/cdcgov/files/                        13[.]239[.]26[.]132


Spoofed World Health Organization Delivers Agent Tesla Keylogger

In addition to the spoofed CDC message discovered by the Cofense Phishing Defense Center, Cofense Intelligence recently identified a phishing campaign spoofing the World Health Organization (WHO) to deliver the Agent Tesla keylogger. The campaign is designed to provoke fear and curiosity in the intended recipient with the subject “Attention: List Of Companies Affected With Coronavirus March 02, 2020.”

The attachment accompanying the email spoofing the WHO is labeled ‘SAFETY PRECAUTIONS’ and carries a .exe extension (Table 1 lists both the executable and a RAR archive of the same name observed in the campaign). The executable’s icon is that of a Microsoft Excel file, meant to fool the end user into believing the attachment is a spreadsheet listing the infected companies. It is in fact an .exe that delivers a sample of the Agent Tesla keylogger. The email body can be seen below.

Figure 4: The phishing email spoofing the World Health Organization

 

Filename MD5 Hash
SAFETY PRECAUTIONS.rar 05adf4a08f16776ee0b1c271713a7880
SAFETY PRECAUTIONS.exe ef07feae7c00a550f97ed4824862c459

Table 1: Agent Tesla Keylogger Attachments

 

Agent Tesla C2s
Postmaster[@]mallinckrodt[.]xyz
brentpaul403[@]yandex[.]ru

Table 2: Agent Tesla Keylogger Command and Control (C2) Locations

 

YARA Rules
PM_Intel_AgentTesla_36802

 

Given the levels of concern associated with the COVID-19 outbreak, such phishing themes will almost certainly increase, delivering a broader array of malware families.
