Phish Found in Proofpoint-Protected Environments – Week Ending June 28, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Of note is the use of macro-enabled documents using Microsoft Office document extensions dating to versions sold prior to 2007. Organizations may want to consider ways to identify and filter these files.

TYPE: Malware – Dridex

DESCRIPTION: Macro-enabled Excel documents and Dridex malware – name a more iconic pair. This phishing attack used Microsoft Excel documents to deliver Dridex to the inbox. Just like we’ve been blogging about since 2017.

TYPE: Malware – ZLoader

DESCRIPTION: Who uses XLS files anymore? Well, attackers for one. This attack uses the long outdated file type to execute macros that download ZLoader via a VBS chain. Cofense Triage customers have been detecting and remediating attacks delivering ZLoader since 2017.

TYPE: Credential Theft

DESCRIPTION: This phish leverages a trusted cloud storage service to capture login credentials from the Danish-speaking victim. This should come as no surprise, as Cofense has been seeing the use of trusted cloud services for years.

TYPE: Malware – NetWire

DESCRIPTION: Microsoft’s Office Equation Editor vulnerability (CVE-2017-11882) has been a favorite for attackers. Since its discovery in 2017, malicious documents exploiting it have been delivered via attachment or, as in this case, via an embedded URL to compromise victims. This example delivers the NetWire Remote Access Trojan.

TYPE: Malware – ZLoader

DESCRIPTION: Another attack using the old XLS format with macros to deliver ZLoader. This one uses an invoice theme to trick its victims into opening the attachment.

TYPE: Malware – Agent Tesla

DESCRIPTION: This invoice-themed phish includes an embedded URL to download a .7z archive. Inside the archive is the ever-popular Agent Tesla, a top threat as recently as last year.

TYPE: Credential Theft

DESCRIPTION: While we saw plenty of malware in this week’s batch, the old standard of credential phish is still around. This profile-themed phish spoofs a state agency to capture credentials that are exfiltrated using Google forms.

TYPE: Malware – Hive

DESCRIPTION: This purchase order-themed phish delivers an embedded URL to the FireBird Remote Access Trojan variant known as Hive.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

“You’re Invited!” to Phishing Links Inside .ics Calendar Attachments

By Ashley Tran, Cofense Phishing Defense Center

Every day threat actors find more and more ingenious ways to deliver phishing emails to end users. From direct attachments to using third party document hosting sites and… calendar invitations? The Cofense Phishing Defense Center (PDC) has unearthed a new phishing campaign in multiple enterprise email environments protected by Proofpoint and Microsoft that delivers .ics calendar invite attachments containing phishing links in the body. It’s assumed that the attackers believe stuffing the URL inside a calendar invite would help avoid automated analysis.

Figure 1: Email Body

The subject of this phish is “Fraud Detection from Message Center,” reeling in curious users. The sender display name is Walker, but the email address appears to be legitimate, possibly indicating a compromised account belonging to a school district. Cofense observed the use of several compromised accounts used to send this campaign. Using a compromised real account originating from Office 365 allows the email to bypass email filters that rely on DKIM/SPF.

The story in this phish is a version of a classic lure “suspicious activity on the user’s bank account.” This attachment, however, doesn’t jibe with the ruse considering it’s a calendar invite. A more fitting lure would have been something like “I attached a meeting invite; can you please attend?” Maybe this attacker flunked out of Internet bad guy school.

Figure 2 shows what the calendar invite looks like when opened. Note that it’s hosted on the legitimate Sharepoint.com site, an issue that continues to be problematic for Microsoft.

Figure 2: Calendar invite (.ics) Attachment

Upon clicking the link in the fake invitation, a relatively simple document opens with yet another link to follow, as seen in Figure 3 below:

Figure 3: Phishing Page

If the victim follows that link, they are redirected from sharepoint.com to a phishing site hosted by Google. Clicking anywhere on the document then redirects users to a bogus phishing page seen in Figure 4.

Figure 4: Phishing Page

As shown in Figure 4, the final phishing page users are directed to is hosted on:

hXXps://storage[.]googleapis[.]com/awells-putlogs-308643420/index[.]html

This is not the first time threat actors have utilized “storage[.]googleapis[.]com” to host their phish. In fact, it is becoming increasingly common thanks to its ease of use as well as the SSL certificate that comes built in with the domain, which adds the “trusty” padlock beside the URL.

Once redirected here from the previous SharePoint page, users are presented with a convincing Wells Fargo banking page, as seen in Figure 4. This page asks for a variety of Wells Fargo account information including login details, PIN and various account numbers along with email credentials. At surface value, it may seem excessive to request this level of information, but under the pretense of “securing” one’s account, it may not appear to be so much.

Should users provide all the requested information, they will finally be redirected to the legitimate Wells Fargo login page to make the user believe they have successfully secured their account and nothing malicious has taken place.

And to think, all of this from a simple calendar invite. It goes to show, users and their security teams must constantly maintain phishing awareness training and remain vigilant as threat actors continue to find new ways to slip past gateways right into inboxes.
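A defender-side scanner for .ics attachments, added here as an example (it is not part of the original post or any Cofense tooling): it unfolds RFC 5545 continuation lines, reverses TEXT escaping and pulls URLs out of the event properties a gateway may not inspect, then checks whether any link leaves the organisation's trusted hosts. The sample invite, its hosts and the trusted-suffix list are constructed for the example.

```python
"""Extract links from an .ics calendar invite (added example, not Cofense code).

The sample invite and every host in it are constructed; property names follow
RFC 5545 (SUMMARY, DESCRIPTION, LOCATION, URL, ATTACH) plus X-ALT-DESC.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed .ics mimicking the lure: a "fraud detection" event whose
# DESCRIPTION carries a link folded across lines (CRLF followed by a space)
# and whose LOCATION holds a second link.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Constructed Sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-sample-1@example.invalid\r\n"
    "SUMMARY:Fraud Detection from Message Center\r\n"
    "DESCRIPTION;LANGUAGE=en:Suspicious activity was detected on your account\\, review it\r\n"
    "  at https://contoso-my.sharepoint.example/:b:/g/personal/admin_contoso/\r\n"
    " ERto2NKXu6NK before it is locked.\r\n"
    "LOCATION:https://storage.googleapis.example/awells-putlogs-000/index.html\r\n"
    "DTSTART:20200624T140000Z\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Properties whose text is shown to the user and can therefore carry a lure link.
SCANNED = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL", "ATTACH", "X-ALT-DESC", "COMMENT"}


def unfold(ics_text: str) -> List[str]:
    """Undo RFC 5545 folding: a line starting with space/tab continues the previous one."""
    lines: List[str] = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape_text(value: str) -> str:
    """Reverse RFC 5545 TEXT escapes: \\n (newline), \\, \\; and \\\\."""
    out: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in "nN" else nxt)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def split_property(line: str) -> Optional[Tuple[str, str]]:
    """Return (NAME, value) for 'NAME;PARAM=x:value'; parameters are dropped.
    Caveat: a quoted parameter value containing ':' would need a full parser."""
    if ":" not in line:
        return None
    head, value = line.split(":", 1)
    return head.split(";", 1)[0].strip().upper(), value


def extract_urls(ics_text: str) -> List[Tuple[str, str]]:
    """(property, url) pairs found in the scanned properties, in document order."""
    found: List[Tuple[str, str]] = []
    for line in unfold(ics_text):
        prop = split_property(line)
        if prop is None or prop[0] not in SCANNED:
            continue
        for url in URL_RE.findall(unescape_text(prop[1])):
            found.append((prop[0], url.rstrip(".,;)")))  # drop trailing punctuation
    return found


def link_hosts(ics_text: str) -> List[str]:
    """Hostnames of every link found in the invite."""
    return [urlsplit(u).hostname or "" for _, u in extract_urls(ics_text)]


def is_suspicious(ics_text: str, trusted_suffixes: Tuple[str, ...]) -> bool:
    """True when any link in the invite points outside the trusted host suffixes."""
    return any(not h.endswith(trusted_suffixes) for h in link_hosts(ics_text))


if __name__ == "__main__":
    for prop, url in extract_urls(SAMPLE_ICS):
        print(f"{prop}: {url}")
    print("suspicious:", is_suspicious(SAMPLE_ICS, ("contoso.example",)))
```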

Network IOCs (URL and IP):
hXXps://mko37372112-my[.]sharepoint[.]com/:b:/g/personal/admin_mko37372112_onmicrosoft_com/ERto2NKXu6NKm1rXAVz0DcMB431N0n1QoqmcqDRXnfKocA 172[.]217[.]13[.]240
hXXps://storage[.]googleapis[.]com/awells-putlogs-308643420/index[.]html 13[.]107[.]136[.]9

Phish Found in Proofpoint-Protected Environments – Week Ending June 21, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We are not alone in dealing with attachment issues. This week’s batch of phish contains quite a few bearing common attachments to deliver malware and steal credentials. If only there were a better way to defend ourselves.

TYPE: Malware – NanoCore

DESCRIPTION: This purchase order-themed phish delivered a .zipx attachment that was actually a RAR archive. The attackers were kind enough to instruct the recipient what software to use to access the NanoCore Remote Access Trojan within. NanoCore resurfaced in early 2018 and still reaches inboxes.

TYPE: Malware – Dridex

DESCRIPTION: A finance-themed phish uses a macro-enabled Microsoft Excel attachment to deliver the Dridex malware. Cofense was reporting on this malware back in 2015 and it still finds success despite the latest advances in perimeter technologies.

TYPE: Malware – Agent Tesla

DESCRIPTION: The delivery-themed phishing example targets organizations in Thailand promising shipping information at the embedded link. The victim will end up with a case of Agent Tesla, a keylogger (and more) that we discussed in a recent Phish Fryday podcast.

TYPE: Malware – Remcos

DESCRIPTION: This document-themed phish includes a Microsoft Word attachment that leverages a pair of Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to download a DotNETLoader to install the Remcos Remote Access Trojan. Cofense has tracked the exploitation of these vulnerabilities since 2017.

TYPE: Malware – Dridex

DESCRIPTION: Pretending to be an international logistics company with some shipment information, the attached .zip file contains a macro-enabled Microsoft Office document that displays a fake invoice while silently installing the Dridex malware.

TYPE: Malware – Ursnif

DESCRIPTION: Attackers love to leverage legitimate cloud services to make their phish more successful. This response-themed attack makes use of Firefox Send to deliver a password-protected archive containing VBScripts that will download and run the Ursnif malware.

TYPE: Malware – TrickBot

DESCRIPTION: Spoofing a state government office, this phish delivers macro-laden Microsoft Office documents via an embedded link to a SharePoint site requiring a password for access. The victim will download the TrickBot malware.

TYPE: Credential Theft

DESCRIPTION: Attackers haven’t forgotten about the Coronavirus and continue to leverage the theme to get recipients to engage. This attack delivers an HTML attachment that spoofs Adobe to steal credentials.

TYPE: Credential Theft

DESCRIPTION: Another document-themed attack delivering a web page (.htm). This one spoofs a Microsoft login page to harvest credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Practice Makes Perfect

By Noah Mizell and Kyle Duncan, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) has discovered two distinct phishing campaigns found in environments protected by Proofpoint that spoof Twitter by using registered fraudulent domains.

Some threat actors utilize numerous different attacks throughout their careers; others stick with tried-and-true attacks proven to be effective. The latter is the case in the following scenarios: the attacks appear to come from the same campaign, based on shared tactics: registered fraudulent domains, specifically tailored sender emails, and nearly identical phishing emails and pages.

Figures 1-2: First Iteration of Attack

The subject of the phishing email is “Security alert: new or unusual login” and the sender email is “verify[@]tlwtttierz[.]com”. Although it is obviously not Twitter.com, it is similar enough to the real name that users may overlook it given the urgent tone. However, users must be careful when reacting in haste, as threat actors seek to turn quick thinking against targets to steal their credentials.

The body of the email looks like a legitimate Twitter notification. Similar font type, layout, the familiar Twitter logo showing – nothing appears to be amiss. Reading the contents of the message though, users may be surprised to see there has been a new login from a new device from Spain! Supposing the user is not connected to this location, this is likely to be cause for concern. But worry not, “Twitter” has sent a handy link to secure the account in question.

Hovering over the link “Secure my account”, it shows the redirect is:

twltt%C4%99r[.]com

However once clicked, users are sent to a URL that looks like “Twitter.com”:

twlttęr[.]com

For this attack, the threat actor uses punycode to make the final URL look like “Twitter.com”. Punycode has been noted as an extremely easy way to make phishing URLs look very similar to the site they impersonate: it takes hostnames containing characters that cannot be written in ASCII and encodes them into an ASCII form (the “xn--” labels seen in the IOCs below) that browsers and DNS understand, while the browser shows the Unicode characters in the address bar.

For example, the hostname to which the attack directs does not actually contain the ASCII letter ‘e’; in the first URL it carries the percent-encoded bytes ‘C4 99’, the UTF-8 encoding of a different character. When the browser receives twltt%C4%99r, it decodes %C4%99 to the Polish letter ę, which just so happens to look very similar to the ‘e’ we’re used to seeing in the legitimate Twitter.com URL. On the wire the browser sends the punycode form of that name, xn--twlttr-04a[.]com.

Figures 3-4: Second Iteration of Attack

Although this second attack may appear to be the same one from Figures 1-2, it is an improvement – the threat actor made minor tweaks to enhance its believability.

The subject of the email has changed: “New login from Safari on iPhone”. Like the previous attack’s subject, this is also meant to evoke a sense of urgency. This time, however, the sender email is not the obviously wrong “verify[@]tlwtttierz[.]com” but rather a more subtle “verify[@]mobiles-twitter[.]com”.

Although this email looks like an exact copy of the last attack, the threat actor added a small yet impactful detail: at the bottom they specifically reference the recipient: “We sent this email to _____”. Most users have been told to look out for generic “Dear sir/ma’am” terms in emails. If the email is not specifically addressed to the recipient, it is likely a mass mailing, perhaps with malicious intent. For most users, personalization adds legitimacy.

Like in the last attack, the threat actor included a disclaimer under this hyperlink to “help” users know this is a legitimate email from Twitter. Both emails mention the display of a padlock to mean a secure and legitimate site. This padlock only shows that the website is using an active SSL certificate, signifying encrypted communications between the user and the web server. However, contrary to widespread belief, a padlock does not equal safe. The attacker is simply trying to erase any doubts about the site.

The final change of this second attack can be seen when hovering over the “Confirm my identity” hyperlink and finding a new fraudulent domain:

mobiles-twitter[.]com

This domain appears to be more legitimate than the one from the first attack, as it contains the word “twitter”. Considering mobile[.]twitter[.]com leads to the legitimate mobile version of Twitter, this “mobiles-twitter[.]com” was more than likely supposed to be a dupe.

Perhaps this attack also intended to typosquat, luring victims the attacker never initially targeted. Typosquatting, or URL hijacking, relies on users making small mistakes when typing a URL, whether adding a period where there was a dash or misspelling the domain. The attacker registers that mistyped URL, so anyone who accidentally visits it is subject to whatever is on that page.

Figure 5: Phishing Page

As seen in Figure 5 above, users are presented with a login page in either attack; this one is specifically for the phish located at twlttęr[.]com. This page is made to look extremely close to the current Twitter login page seen in a desktop browser. The obvious differences between this phishing page and the legitimate Twitter login page are the URL, with its unusual letter ‘ę’, and the atypical tab icon.

This is just the first iteration of the threat actor’s attack. The second attack has an email body that is even easier to take at face value and a URL that looks closer to a legitimate one. Regardless, it is no secret that users should pay close attention to the URLs in their address bar.

Network IOCs (URL and IP):
hXXps://mobiles-twitter[.]com/login/ 70[.]37[.]100[.]82
hXXps://twltt%C4%99r[.]com 70[.]37[.]100[.]82
hXXps://xn--twlttr-04a[.]com/login/ 70[.]37[.]100[.]82
hXXps://t[.]co/U6DLQ2B1xC


Phish Found in Proofpoint-Protected Environments – Week Ending June 14, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Cofense sees macro-laden attachments reaching the inbox so frequently, we did a Phish Fryday episode on the topic.

TYPE: Malware – NanoCore

DESCRIPTION: This phish spoofs an international lifestyle company to deliver a macro-laden Microsoft Publisher file. Once enabled, the macros download a series of HTA scripts to unpack enclosed .NET libraries which then unpack and run the NanoCore Remote Access Trojan. The use of Publisher files in phishing attacks is not new, as Cofense reported on its use in the Necurs botnet back in 2018.

TYPE: Credential Theft

DESCRIPTION: This French phish – poisson? – pretends to be a number of missed calls. The link leads to a web form designed to steal credentials. Attackers leverage the simplicity of many voicemail notification emails, as Cofense has been reporting for over a year.

TYPE: Malware – Ursnif

DESCRIPTION: This Italian-language phish uses a tactic that is successful far too often – Microsoft Office documents (in this case Excel) that contain malicious macros. This sample delivered the Ursnif data stealer. Ursnif is hardly a newcomer to the phishing threat landscape, as Cofense has been reporting on it for years.

TYPE: Credential Theft

DESCRIPTION: Got documents? This phishing attempt claims to deliver an important PDF file but leads to a website designed to steal Office 365 credentials. Once these credentials are provided, the victim is redirected to a document hosted on Google Drive.

TYPE: Reconnaissance

DESCRIPTION: Information gathering is often a prelude to a cyberattack and this phish used a layered approach to perform reconnaissance on the target. Using an embedded URL, the victim is lured into downloading an archive containing a VBScript (.vbs). This script then attempts to download a PowerShell script that will gather information about the infected endpoint and environment.

TYPE: Credential Theft

DESCRIPTION: With a smorgasbord of foreign language-themed attacks in this week’s catch, this Swedish phish delivers an embedded URL that leads the victim to a Microsoft OneNote-hosted page designed to steal Office 365 credentials. Once provided, the victim is redirected to a document hosted on docdroid. Attackers leveraging Microsoft infrastructure to host malicious OneNote documents is nothing new.

TYPE: Credential Theft

DESCRIPTION: Here’s another example of voicemail spoofing. This one leads to a website designed to steal Office 365 credentials and then direct the victim to office.com. Simple. Effective.

TYPE: Malware – Trickbot

DESCRIPTION: While many of us like to enjoy a cup of java in the morning, this phishing attack uses Java shortcut files – .jnlp – that pull down a Java Archive (.jar) which then downloads and runs the Trickbot trojan. Hardly something you’d like to wake up to.

TYPE: Credential Theft

DESCRIPTION: This Coronavirus-themed phish promises a survey designed to steal corporate credentials. The malicious survey is hosted on Microsoft infrastructure – SharePoint – and exfiltrates the credentials using the legitimate SubmitSurveyData Microsoft URL. Survey phish is hardly a new tactic.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Zoom Phish Zooming Through Inboxes Amid Pandemic

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that acts as a Zoom video conference invitation to obtain Microsoft credentials from users.

As noted in numerous other articles posted by Cofense, it is no secret this pandemic has changed the threat landscape. From emails to employees regarding safety guidelines to the latest news from the WHO or CDC on Coronavirus cases in the area, threat actors have done it all to make the most of this situation, especially targeting remote workers. Within that group of remote workers there are users who are unfamiliar with teleconferencing and the emails that come with using the service. Some users may not have the best home office setup and work on monitors that barely afford them a proper view, making it difficult to look over these emails closely. The attack covered below is specifically aimed at those users.

Figure 1: Email Bodies

For this attack, users are informed of an invite to a video conference from what appears to be “Zoom Video Communications”, followed by either of the sender addresses noted in Figures 1-2. For now, this all appears to be in order; however, looking more closely at the senders, there are barely noticeable typos: “communcations” missing an ‘i’, “confrence” missing an ‘e’. While this may seem like just an innocuous mistake, it’s in fact a carefully crafted scheme.

Mere hours before sending this email, the threat actors registered the domains zoomcommuncations.com and zoomvideoconfrence.com, as noted in Figures 3-4.

Figure 2-3: Email Body

When visiting either domain, it may appear to be a German site speaking on different Lasik treatments and surgery options. However, this is merely a cover for its true purpose of helping send malicious emails while impersonating teleconferencing giant Zoom.

The email itself is reminiscent of a legitimate Zoom communication: the blue Zoom logo, a vague mention of a video conference for users to join and a link for them to review said invitation; it’s inconspicuous enough and mostly free of the grammatical mistakes phish often contain.

Hovering over the “Review Invitation” the link shown is:

hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44=REDACTED[@]company[.]com

For this attack, the threat actor used a redirector link from Smore, a newsletter creation and distribution website. This is not the first time threat actors have used a legitimate online service’s personal redirect links to pilot users to malicious sites. In this case, this redirect link, once clicked, navigates users to:

hxxp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44

Which then redirects to the final page:

hxxps://logonmicrosftonlinezoomconference[.]azureedge[.]net/

For this attack, the threat actor utilized Microsoft’s Azure to host the phishing domain, but this is not a new tactic. Threat actors flock to these hosting services because of the perks they offer. Any website hosted through this service comes with a free SSL certificate, which adds a padlock next to the URL in the address bar; most people incorrectly assume this indicates a site is legitimate. Another benefit of Azure is the customizable subdomain, allowing a URL to mimic, or at least resemble, a legitimate URL for the service the attack is impersonating. In this case, the subdomain is “logonmicrosftonlinezoomconference”, with all the keywords most users would expect to see in a Zoom email that goes to a Microsoft login page: “logon microsoft” and “zoom conference”. With both a padlock in the address bar and relevant names displayed, this attack becomes less noticeable to most users.

Figure 4: Phishing Page

Figure 5 shows the phishing page users are presented with should they make it this far. The page is a generic Microsoft phish with an accompanying URL which, once again, seems to legitimize the phish to users.

The request is simple: “Sign in to Zoom with your Microsoft 365 account.” At face value, this seems like a completely reasonable use of credentials. And since Zoom allows users to log in via SSO and most companies have linked Microsoft credentials to the platform, some users may even be familiar with Microsoft helping to access their Zoom account.

Meanwhile, with the user’s email appended in the URL, it in turn pre-populates the username field with that information, leaving only the password left for the user to provide.

Network IOCs (URL and IP):
hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44?e5=REDACTED[@]company.com 52[.]27[.]29[.]106
hXXp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44 209[.]159[.]154[.]74
13[.]107[.]246[.]10
hXXps://logonmicrosftonlinezoomconference[.]azureedge[.]net/ 13[.]107[.]246[.]10

Phish Found in Proofpoint-Protected Environments – Week Ending June 7, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs) and were reported by humans.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We continue to see various cloud hosting services used to harvest credentials.

TYPE: Credential Theft

DESCRIPTION: Email spoofs a global bank to deliver attached .ics files. When the .ics is opened, the calendar event contains a link to a .pdf file hosted on SharePoint. The .pdf file also spoofs the bank and contains a link to a phishing page, hosted on googleapis and designed to steal banking credentials.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails target credentials via an embedded link. The link is a phishing URL that spoofs a DocuSign login page targeting credentials for Office 365, Gmail, Yahoo, and other email platforms. This is only the latest example of DocuSign phish Cofense has found.

TYPE: Malware – Reconnaissance Tool

DESCRIPTION: Finance-themed emails spoof an engineering firm to deliver a reconnaissance tool. The malware is embedded in an Office macro-laden spreadsheet, downloaded via an attached HTML file. For the past few years, Cofense has tracked the dominance of Office macros in the phishing landscape.

TYPE: Malware – Cobian RAT

DESCRIPTION: Purchase order-themed emails deliver Cobian RAT via an embedded OneDrive URL. Cofense has analyzed the use of RATs numerous times since 2014.

TYPE: Credential Theft

DESCRIPTION: Purchase order-themed emails spoof Dropbox and deliver a .pdf file via an embedded URL. The .pdf provides a link to a phishing website targeting Office 365 credentials. Cofense has warned about Dropbox links since 2014.

TYPE: Malware – Ursnif

DESCRIPTION: Finance-themed emails deliver Ursnif via attached Office macros. It’s another example of attackers using creative techniques and seemingly benign file types to bypass security controls.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails spoof both the CDC and WHO and deliver credential phishing via embedded links. The page uses a “verify your email” window title and includes an image that looks to be from the WHO web page. Cofense has compiled a database of numerous Coronavirus phish.

TYPE: Malware – Pyrogenic Stealer

DESCRIPTION: Finance-themed emails spoof a leading bank and deliver Pyrogenic Stealer via embedded URLs. Cofense has reported extensively on the use of stealer malware.

TYPE: Credential Theft

DESCRIPTION: Document-themed emails spoof Microsoft to deliver credential phishing via .html documents. The documents are either attached or downloaded via embedded URLs to target Office 365/Microsoft credentials.

TYPE: Malware – Reconnaissance Tool

DESCRIPTION: Human resources-themed emails deliver a reconnaissance tool. The malware is embedded in a macro-laden Office spreadsheet, which is downloaded via an attached HTML file. Before downloading, recipients must first pass an “are you human” test.

TYPE: Malware – Agent Tesla

DESCRIPTION: Inquiry-themed emails spoof an auto manufacturer to deliver GuLoader via an embedded link. GuLoader downloads, decrypts, and runs an encrypted Agent Tesla Keylogger binary. Cofense noted last year how Agent Tesla has become a top threat.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 31, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We have observed a number of attacks leveraging password protections on attachments and their macros, a tactic that has been successful for years.

TYPE: Malware – Remote Manipulator System

DESCRIPTION: Software update-themed emails spoof a travel company to deliver a .txt file containing a URL which recipients are encouraged to visit. The URL downloads a malicious Remote Manipulator System sample. Cofense analyzed RMS almost a year ago.

TYPE: Credential Theft

DESCRIPTION: Spoofing the videoconferencing platform Zoom, this phish delivers an attached .html file that holds a phishing link. The victim is led to a phishing page spoofing Microsoft Outlook, designed to steal credentials. Phishing attacks are taking advantage of the uptick in remote work to trick victims into clicking.

TYPE: Malware – Ursnif

DESCRIPTION: Finance-themed campaign delivers an attached, malicious Microsoft Excel file. Within the file, password-protected macros deliver Ursnif to the victim’s computer. Cofense published an analysis of Ursnif back in 2017.

TYPE: Credential Theft

DESCRIPTION: Finance-themed emails deliver attached .xlsx files containing links to a SharePoint page that hosts another .xlsx file. That file links to a credential phishing page with an “Office 365 Buisness” banner at the top and separate credential categories for O365, Outlook, AOL, Gmail, Yahoo, and “other mail”.

TYPE: Malware – Valak

DESCRIPTION: Response-themed emails deliver attached password-protected archives containing Office macros, which we have been reporting on since 2011. The Office macros download a binary which drops the first stage of a Valak malware downloader infection. Valak then downloads a plugin manager binary.

TYPE: Malware – NetWire

DESCRIPTION: Request-themed emails spoof well-known vendors to deliver an attached .xlsb file with password-protected Office macros which download GuLoader. GuLoader then downloads the NetWire Remote Access Trojan.

TYPE: Credential Theft

DESCRIPTION: This Coronavirus-themed phish spoofs Microsoft Outlook promising an upgrade to gain access to a “Covid-19 employee tracker”. The link leads to a credential phishing site which exfiltrates stolen credentials to a legitimate URL. Attackers continue to leverage the COVID-19 pandemic to lure victims.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Phishers Cast a Wider Net in the African Banking Sector

By Elmer Hernandez, Cofense Phishing Defense Center (PDC)

The Cofense Phishing Defense Center (PDC) has uncovered a wide-ranging attempt to compromise credentials from five different African financial institutions. Posing as tax collection authorities, adversaries seek to collect account numbers, user IDs, PINs and cell phone numbers from unsuspecting customers.

One such email, which was found in environments protected by Proofpoint and Microsoft, purports to come from the South African Revenue Service’s (SARS) eFiling service. It claims a tax return deposit of R12,560.5 (South African Rands), approximately $700 USD, has been made to the user’s account and urges them to click on their financial institution in order to claim it. The real sender of the email, however, appears to be a personal Gmail address that may have been created or compromised by the adversaries.

Figure 1 – (Partial) Email Body

As seen in Figure 2, Proofpoint erroneously assigned the email a score of zero in its “phishscore” metric.

Figure 2 – Proofpoint Header

Dragging and Dropping a Net

Each of the images embedded in the email corresponds to a different bank. Clicking any of them takes the user to a spoofed login portal for the selected bank. The spoofed banks are ABSA, Capitec, First National Bank (FNB), Nedbank and Standard Bank, all of which are based in South Africa. The lookalike sites are located at 81[.]0[.]226[.]156 and hosted by the Czech hosting provider Nethost. At the time of analysis, only the site for Standard Bank was unavailable. Figures 3 to 6 show the phishing portals imitating each of the remaining banks.

Figure 3 – ABSA

Figure 4 – Capitec

Figure 5 – FNB

Figure 6 – Nedbank

All spoofed portals were created using Webnode, a website building service known for its friendly drag and drop features. Despite this ease of use, adversaries have kept things rather simple, as all portals are basic forms with a few or no images. The portals ask for a variety of personal information, including account numbers, passwords, PINs and even cell phone numbers.

Adversaries can access all entries directly from the form itself. They can also receive notifications at an email address of their choosing every time a submission is made; the Gmail account used to send the phishing email may also be where adversaries are notified of each new victim. Webnode also allows the export of form submission data in XML and CSV formats.

Webnode is therefore an optimal way to store and retrieve stolen user data. There is no need for additional infrastructure, nor to compromise any third parties. As the Standard Bank portal shows, the risk of discovery and subsequent closure of spoofed sites means adversaries can lose access to any unretrieved information. However, this risk seems to be offset by the ease with which replacement spoofed sites can be created.

IOCs:

Malicious URLs:

  • hxxps://absa9[.]webnode[.]com
  • hxxps://capitec-za[.]webnode[.]com
  • hxxps://first-national-bnk[.]webnode[.]com
  • hxxps://nedbank-za0[.]webnode[.]com
  • hxxps://standardbnk[.]webnode[.]com

Associated IPs:

  • 81[.]0[.]226[.]156
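The indicators above are defanged for safe publication, so they have to be normalised before they can be compared with real log data. The following is an added example of that defender-side check, written for this post and not taken from Cofense: it refangs the published IOCs and runs them over a handful of web-proxy log lines. The IOC values are the ones listed above; the log format, the client addresses and the non-indicator hosts in the sample are constructed for illustration.

```python
"""Check web-proxy logs for the indicators published in this post.

Added example; not Cofense code. The IOC values are copied from the post in
their defanged form. The log format, client addresses and non-indicator hosts
in SAMPLE_LOG are constructed (TEST-NET ranges and .example names).
"""
import ipaddress
import re
from urllib.parse import urlsplit

DEFANGED_URLS = [
    "hxxps://absa9[.]webnode[.]com",
    "hxxps://capitec-za[.]webnode[.]com",
    "hxxps://first-national-bnk[.]webnode[.]com",
    "hxxps://nedbank-za0[.]webnode[.]com",
    "hxxps://standardbnk[.]webnode[.]com",
]
DEFANGED_IPS = ["81[.]0[.]226[.]156"]


def refang(value):
    """Undo the usual defanging (hxxp, [.], [:]) so the indicator can be compared."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def build_indicators(urls, ips):
    """Match on exact hostnames and addresses only. The portals sit on the site
    builder's shared domain, so matching webnode.com as a whole would also hit
    every legitimate site hosted there."""
    hosts = {urlsplit(refang(u)).hostname.lower() for u in urls}
    addrs = {ipaddress.ip_address(refang(i)) for i in ips}
    return hosts, addrs


# Constructed proxy log lines: timestamp, client, method, URL, destination IP.
SAMPLE_LOG = """\
2020-05-19T09:12:01Z 10.1.4.22 GET https://www.example.com/ 192.0.2.10
2020-05-19T09:13:47Z 10.1.4.22 GET https://absa9.webnode.com/login 81.0.226.156
2020-05-19T09:14:02Z 10.1.7.9 POST https://capitec-za.webnode.com/submit 81.0.226.156
2020-05-19T09:15:30Z 10.1.7.9 GET https://www.webnode.com/ 198.51.100.7
2020-05-19T09:16:12Z 10.1.9.3 GET http://cdn.example.net/a.js 81.0.226.156
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<dst>\S+)$")


def scan_log(lines, hosts, addrs):
    """Return one record per line that touches an indicator, noting whether the
    hostname, the destination address, or both matched. An IP-only hit flags a
    request to the same server under a hostname that is not on the list yet."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        matched = []
        if host in hosts:
            matched.append("host")
        try:
            if ipaddress.ip_address(m["dst"]) in addrs:
                matched.append("ip")
        except ValueError:
            pass  # destination field was not an IP address
        if matched:
            hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                         "dst": m["dst"], "matched": matched})
    return hits


def scan_sample():
    hosts, addrs = build_indicators(DEFANGED_URLS, DEFANGED_IPS)
    return scan_log(SAMPLE_LOG.splitlines(), hosts, addrs)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} ({hit['dst']}) "
              f"matched {','.join(hit['matched'])}")
```

The visit to www.webnode.com produces no hit, which is the intended behaviour for a shared builder domain. The IP-only match on the last line is worth keeping, since replacement portals on the same server would first show up that way, but on shared hosting it can be noisy and should be reviewed rather than blocked automatically.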

How Cofense Can Help:

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence™. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 38237 and a YARA rule.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 24, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.

Cofense solutions enable organizations to identify, analyze, and quarantine phishing email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s examples see the continued use of macro-laden Microsoft Office documents, which have been a top delivery mechanism of malware for years.
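Because macro-laden Office documents recur in these examples (including the password-protected macros in the Excel and .xlsb attachments described in the previous week), a gateway that decides by file extension alone misses a good deal. The following is an added example of triaging an attachment by its container bytes instead; it is not Cofense or Proofpoint code. The sample attachments are built in memory, and the byte search used for legacy binary files is a stated heuristic rather than a full parser.

```python
"""Identify Office attachments by their container bytes and flag embedded VBA.

Added example for this post; not Cofense or Proofpoint code. The samples are
constructed in memory. The "_VBA_PROJECT" byte search used for legacy files is
a triage heuristic (assumption); a real parser such as oletools' olevba should
walk the container's directory instead.
"""
import io
import zipfile

# Legacy binary Office container (OLE2 / Compound File Binary): .xls, .doc, .ppt
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OOXML containers (.xlsx/.xlsm/.xlsb/.docx/...) are zip archives
ZIP_MAGIC = b"PK\x03\x04"
# CFB directory entry names are stored UTF-16LE; a storage with this name is
# present when the file carries a VBA project (heuristic, see module docstring).
VBA_STORAGE_UTF16 = "_VBA_PROJECT".encode("utf-16-le")

EXPECTED_EXTENSIONS = {
    "ole-legacy": {"xls", "xlt", "doc", "dot", "ppt", "pot"},
    "ooxml": {"xlsx", "xlsm", "xlsb", "docx", "docm", "pptx", "pptm"},
}
MACRO_FREE_EXTENSIONS = {"xlsx", "docx", "pptx"}


def classify(data, filename):
    """Return the container format, whether VBA is present, and the reasons a
    reviewer would care about, decided from bytes rather than the file name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"filename": filename, "ext": ext, "format": "unknown",
              "has_vba": False, "reasons": []}

    if data.startswith(OLE_MAGIC):
        result["format"] = "ole-legacy"
        result["has_vba"] = VBA_STORAGE_UTF16 in data
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if "[Content_Types].xml" in names:
            result["format"] = "ooxml"
            # Macro-enabled OOXML files carry the VBA project as a zip member.
            result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)

    if result["format"] == "ole-legacy":
        result["reasons"].append("legacy binary Office container")
    if result["has_vba"]:
        result["reasons"].append("embedded VBA project")
    if result["format"] != "unknown" and ext not in EXPECTED_EXTENSIONS[result["format"]]:
        result["reasons"].append("extension does not match container")
    if result["has_vba"] and ext in MACRO_FREE_EXTENSIONS:
        result["reasons"].append("macro-free extension carries VBA")
    return result


def verdict(result):
    """Example policy (assumption): VBA or a misleading extension is quarantined,
    a legacy container without VBA is held for review, anything else is allowed."""
    if result["has_vba"] or "extension does not match container" in result["reasons"]:
        return "quarantine"
    if result["format"] == "ole-legacy":
        return "review"
    return "allow"


def _ooxml(members):
    """Build a minimal OOXML-like zip in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name in members:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples; none of these are real attachments from the post.
SAMPLES = {
    "report.xlsx": _ooxml(["xl/workbook.xml"]),
    "invoice.xlsm": _ooxml(["xl/workbook.xml", "xl/vbaProject.bin"]),
    "quote.pdf": _ooxml(["xl/workbook.xml", "xl/vbaProject.bin"]),
    "statement.xls": OLE_MAGIC + b"\x00" * 504 + VBA_STORAGE_UTF16 + b"\x00" * 64,
    "ledger.xls": OLE_MAGIC + b"\x00" * 568,
    "notes.txt": b"plain text, not an Office file",
}


def scan_samples():
    out = {}
    for name, data in SAMPLES.items():
        result = classify(data, name)
        result["verdict"] = verdict(result)
        out[name] = result
    return out


if __name__ == "__main__":
    for name, r in scan_samples().items():
        print(f"{name:14} {r['format']:11} vba={r['has_vba']!s:5} -> {r['verdict']} {r['reasons']}")
```

A VBA project password protects the code from being viewed in the Office editor, not the presence of the project in the container, so the vbaProject.bin check above still fires on password-protected macros. Password-protected archives are a different case: the container cannot be opened without the password, which is exactly why they need to be held rather than passed through.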

TYPE: Malware – QakBot

DESCRIPTION: Response-themed emails deliver embedded URLs to VBS scripts to download the QakBot banking trojan. Because the phishing email is a reply to a legitimate chain, these attack URLs are often skipped by URL protection methods.

TYPE: Malware – Pyrogenic

DESCRIPTION: Finance-themed emails deliver embedded URLs to JAR files to download the Pyrogenic Stealer. Though obfuscated, the stealer’s code is rather straightforward, and yet it frequently avoids detection.

TYPE: Credential Theft

DESCRIPTION: Finance-themed emails spoof a management company to deliver embedded OneNote links. The OneNote page exists in several variants, each linking to pages crafted to steal credentials. Hosted OneNote notebooks are becoming more popular in phishing attacks.

TYPE: Malware – FormGrabber

DESCRIPTION: Order-themed emails spoofing a vendor deliver the FormGrabber malware via a CVE-2017-0199 to CVE-2017-11882 download chain. This phishing campaign is included in Cofense’s free COVID-19 YARA Rules.

TYPE: Malware – NanoCore

DESCRIPTION: Finance-themed emails deliver an embedded Dropbox link to a 7z archive containing the GuLoader executable. Once executed, GuLoader downloads and runs the NanoCore RAT from Microsoft OneDrive.

TYPE: Credential Theft

DESCRIPTION: Document-themed emails deliver embedded Google Cloud Storage (GCS) links. The links harvest email login credentials and exfiltrate to a non-GCS location.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails spoof the United Kingdom government and HMRC to deliver embedded shortened URLs from tinyurl and is[.]gd. The URL shorteners redirect to a phishing URL that uses disc[.]us and appears to let the recipient ‘claim your tax refund’. The phishing URL harvests personal information, credit card and issuer details.

TYPE: Malware – TrickBot

DESCRIPTION: Coronavirus-themed emails deliver an attached Excel spreadsheet which exploits CVE-2017-11882 and includes an Office Macro, both of which are used to drop and run a VBS script. This script then downloads and runs TrickBot.

TYPE: Credential Theft

DESCRIPTION: Voicemail notice-themed emails deliver an embedded link to a credential phishing landing page spoofed to look like a Microsoft Outlook sign-in page.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations invest in phishing awareness training for employees and provide a tool to report phishing emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.
