End of Support for Windows 7 Means Beginning of Upgrade-Themed Phishing Campaigns

By Kaleb Kirk, Cofense Phishing Defense Center  

Over the last few years, businesses have been getting serious about updating their corporate desktop images. For quite some time, Windows 7 has been the predominant operating system (OS) for many workplaces and environmentsWindows 10 was released in 2015yet many companies are just now making the transition. With that comes the pains of upgrading end users machines. Standardizing a corporate desktop image is arduous with complicated edge cases that must be considered for all the hardware variants. The job is further complicated when thirdparty software has yet to officially support a new OS. This explains why enterprises wait, sometimes for years, before taking the plunge. Unfortunately, these delays give the bad guys time to refine exploitation techniques on older operating systems lacking the latest architecture.  

The phishing lure below preys on the victim’s anxiety about losing productivity while their computer is upgraded. Comically, the attacker uses a colorful list of benefits the end user receives to get them to take the baitWill we see an uptick in this phishing lure? It will depend on the success rate of this theme. Time will tell.   

Figure 1-2: Email Body

The subject references a Windows upgrade, but there is also something else manipulative: the inclusion of the “RE:” before the rest of the subject. Internal email about company meetings, news and IT upgrades are common. Prefixing the “RE:” may instill a sense of urgency by leading the user to believe they have missed a prior communication about the upgrade.

We look at phishing emails that bypass commercial gateways all day, every day. Most of them are hastily slapped together. This lure needs improvement, but it’s not completely awful. We give this threat actor two gold stars for the table with made-up laptops, fake serial numbers, building, etc. It applies a good sense-of-urgency ploy using the highlighted “Today,” and the body doesn’t have obvious grammar or spelling errors. Again, not completely awful.

How can this attacker upgrade this lure from a C- to a B+? This email would be more believable if the sender were more generic. “Helpdesk,” for example. We obfuscated the From: line of the compromised account  “Genadiy” which was not from the intended victim’s company domain, and certainly not from their IT department. The intended victim unfortunately doesn’t have a clean way to easily know the true underlying URL because it’s annoyingly masked by Proofpoint’s URL Defense (which, ironically, would not have defended the user because, once clicked, the phishing page loaded instantly).

Figure 3: Credential Phishing Page

Figure 3, above, shows the loaded credential phishing page. This page gets a D- for lack of effort. They wasted a valid SSL certificate on a terrible version of an OWA login page.

This phish closes out cleanly by redirecting the intended victim to a Microsoft page about the discontinued support of Windows 7 (but still leaves the target worried about their OS upgrade).

Figure 4: Final Redirect

Attackers have been using the “time to upgrade your out-of-date software” ploy for years. With Windows 7 ending official support, it won’t be surprising if we see a flurry of better versions of this phish in the future. Hopefully your vigilant users know that “Genadiy” (from a company that isn’t yours) doesn’t upgrade an operating system “Today,” and via email. Cheers.

Network IOC IP
hXXps://app[.]getresponse[.]com/site2/ken23456789765?u=w3DxF&webforms_id=hlvzr 104[.]160[.]64[.]9
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Message Quarantine Campaign with Overlying Potential

By Dylan Main, Cofense Phishing Defense Center 

Message quarantine phish are back, this time with a new tactic utilizing the targeted company’s homepage as part of the attack. The Cofense Phishing Defense Center (PDC) has identified this campaign which attempts to steal employee credentials by posing as a message quarantine email. Using an overlay tactic to disguise itself, this attack is an example of how threat actors are using more advanced techniques to make these malicious emails appear as though they are from a trusted source. 

Figure 1: Phishing Email

This campaign attempts to imitate the technical support team of the employee’s company and makes it appear as though the company’s email security service has quarantined three messages, blocking them from entering the inbox. It claims these messages failed to process and need to be reviewed in order to confirm validity. It even states that two of these were considered valid and are being held for deletion. This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails. Another social engineering technique the threat actor uses to lure the employee into interacting with the email is giving the messages urgency, asking the recipient to review them or they will be deleted after three days. Potential loss of important documents or emails could make the employee more inclined to interact with this email.

Figure 2: Phishing Email 

As seen in Figure 2, hovering over “Review Messages Now” shows the malicious URL. However, upon interacting with the link, the user will be directed to a phishing page unique to the employees’ company. Here is where this campaign uses advanced mechanics to make it appear even more legitimate. 

Figure 3: Cofense Phishing Page 

After interacting with the email, the employee will then be redirected to what appears to be a login screen on the company website (Fig 3). However, further analysis has determined that the page shown is actually the company’s website home page with a fake login panel covering it. This gives the employee a greater comfort level, by displaying to  a familiar page. It is also possible to interact with this page by moving outside of the overlay, showing that it is the actual page they have seen and used before. The overlay itself is attempting to prompt the user to sign in to access the company account. The entered credentials are then sent to the threat actor, giving them access to the target’s company account. 

Figure 4: Microsoft Phishing Page

Based on the analysis performed by the PDC, it was determined that each link, while still going to the same base domain, uses specific parameters to determine which web page pull, then overlays the fake login panel on top. Depending on what company the threat actor is targeting, the link will populate the address of the original recipient of the email. Figures 3 and 4 are examples provided by entering an address, in this case Cofense or Microsoft.  After the equal sign, the link will look at the domain of that address and pull the homepage. This campaign shows that threat actors can and will use any resource available to compromise business accounts.  

HOW COFENSE CAN HELP 

Cofense Resources 

Cofense PhishMeTM offers a simulation template named Email Quarantine Report – Alternate. 

Network IOC IP   
hxxp://google[.]com@ashousingcompany[.]com/www/?email=  104[.]27[.]158[.]208 
hxxp://traximgarage[.]com/www/webmail-std/appsuite/1ogin/mai1/  185[.]68[.]16[.]137 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

MFA Bypass Phish Caught: OAuth2 Grants Access to User Data Without a Password

By Elmer Hernandez, Cofense Phishing Defense Center (PDC)

The Cofense Phishing Defense Center (PDC) uncovered a phishing tactic that leverages the OAuth2 framework and OpenID Connect (OIDC) protocol to access user data. The phish is not a typical credential harvester, and even if it was, Multi-Factor Authentication (MFA) wouldn’t have helped. Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it’s a stark reminder that phishing isn’t going to be solved by Multi-Factor Authentication.

Using the lure of a Q1 bonus, the email is crafted to appear to be a normal invite to a SharePoint hosted file. The prospect of receiving an increase to their salary is an effective lure that can lead users to fall prey.

Figure 1 – Email Body

After clicking on the link, users are taken to the legitimate Microsoft Office 365 login page at https://login.microsoftonline.com (Figure 2). However, if one inspects the URL in its entirety, which average users are unlikely to do, a more sinister purpose is revealed.

Figure 2 – O365 Login Page

Anatomy of a URL

First, a quick primer: applications that want to access Office 365 data on behalf of a user do so through Microsoft Graph authorizations. However, they must first obtain an access token from the Microsoft Identity Platform. This is where OAuth2 and OIDC come in. The latter is used to authenticate the user who will be granting the access, and if authentication is successful, the former authorizes (delegates) access for the application. All of this is done without exposing any credentials to the application.

Figure 3 – Entire URL

The response_type parameter denotes the type of access being requested to the Microsoft Identity Platform /authorize endpoint. In this case, both an ID token and an authorization code (id_token+code) are requested. The latter will be exchanged for an access token which will, in turn, be presented by the application to Microsoft Graph for data access.

Next, the redirect uri parameter indicates the location to which authorization responses are sent. This includes tokens and authorization codes. As we can see, responses are sent to hxxps://officehnoc[.]com/office, a domain masquerading as a legitimate Office 365 entity, located at 88[.]80[.]148[.]31 in Sofia, Bulgaria and hosted by BelCloud.

Moving on, the scope parameter shows a list of permissions the user gives to the application (note “%20” represents a blank space). These allow the application to read (read) and/or modify (write) specific resources for the signed in user. If the “All” constraint is present, permissions apply for all such resources in a directory.

For example “contacts.read” enables the application to read only the user’s contacts, whereas “notes.read.all” allows it to read all OneNote notebooks the user has access to, and “Files.ReadWrite.All” to both read and modify (create, update and delete) all files accessible to the user, not only his or her own.

If the attackers were successful, they could grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information. Once the attacker has sensitive information, they can use it to extort victims for a Bitcoin ransom. The same permissions can also be used to download the user’s contact list to be used against fresh victims. Using the address book and old emails would allow the attacker to create hyper-realistic Reply-Chain phishing emails.

Perhaps most concerning however is “offline_access” As access tokens have an expiration time, this permission allows the application to obtain refresh tokens, which can be exchanged for new access tokens. Therefore, users need only to authenticate and approve permissions once to potentially enable indefinite access to their data.

Finally, we find openid and profile which are technically scopes in themselves; openid indicates the application uses OIDC for user authentication, while profile provides basic information such as the user’s name, profile picture, gender and locale among others. This information, known as claims, is sent to the application in the ID token issued by the /authorize endpoint.

After signing in, the user will be asked to confirm one last time that he or she wants to grant the application the aforementioned permissions. If users fail to act, it will be up to domain administrators to spot and deal with any suspicious applications their users might have misguidedly approved.

The OAuth2 phish is a relevant example of adversary adaptation. Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data.

Network IOC IP
hxxps://officehnoc[.]com:8081/office 88[.]80[.]148[.]31

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots of real phish that have evaded secure email gateway detection and other helpful resources so you can help keep your organization protected.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Staff Members’ Inbox Positive for Coronavirus Themed Phish

By Ashley Tran, Cofense Phishing Defense Center

From prime ministers, members of congress to celebrities and staff of nursing homes — many have been affected by COVID-19. And the worst part? Threat actors know this and are heavily weaponizing this pandemic, exploiting the fears and concerns of users everywhere. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in environments protected by Microsoft and Symantec that not only impersonates a company’s management but also suggests that a fellow employee has tested positive for the disease, urging users to read an enclosed malicious attachment posed as “guidelines” or “next steps.”

As we have seen before and noted in previous Cofense blogs and media stories, Coronavirus themed phishing attacks are running rampant and attacking users across all industries. Although the attacks vary in method, the main takeaway is the same: all users must exercise the utmost caution and restraint in the face of emotionally jarring emails.

Figures 1-3: Email Bodies

The PDC has found multiple instances of this attack and a trend among them all. As demonstrated in Figures 1-3, the email subject lines are relatively similar: “Staff Member Confirmed COVID 19 Positive ID,” followed by a random string of numbers and that day’s date. The emotion these subject lines evoke in users are also the same: fear and curiosity. Emails appearing to be a “Team Update on COVID 19” and bearing their company’s name can convince end users to believe the email was sent internally. However, the true senders are revealed via the return paths:

Maga[@]tus[.]tusdns[.]com and ungrez[@]ssd7[@]linuxpl[.]com

Admittedly these emails would appear suspicious to most, but the threat actor is relying on the emotional subject line to overcome logic and push users to read just the first line of the sender information and nothing more.

The bodies of the emails have more variety and are worded differently, but the same main point: a fellow employee has the virus, so read this guideline we’ve attached to get more details or at least learn the “next steps” to take. To top it off the email is signed by “Management.”

The true part of this attack lies within the HTML file found in the email.

Figure 4 shows that the attachment has been detected as malicious by a multitude of services, however users won’t see this when they read the email.

Figure 4: VirusTotal Analysis

Figure 5: Phishing Page

Upon opening the attachment users are presented with a generic Microsoft login page, a frequently targeted brand. The difference with this phish, however, is the threat actor has superimposed the login box over a blurred document that may appear to users as the previously mentioned “guidelines” lending an even greater sense of legitimacy.

The email of the recipient is automatically appended to the username field via code in the HTML. In fact, the threat actor has painstakingly put the base64 for each of the recipient’s email addresses, which is then translated to a readable format when interacting with the phish. This snippet of code can be observed in Figure 6.

Figure 6: Email Bodies

Once a user navigates to the next page and inputs their password, the information is then sent to the compromised site:

hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423

This exchange of information can be viewed by opening developer tools on any browser and navigating to the networking tab as shown in Figure 7.

Figure 7: Phishing Page

The code found within the HTML file that hosts the phishing content employs typical malicious tactics. For example, as seen in Figure 8, the code does not look like a typical HTML code. This is because the threat actor has attempted to obfuscate their code, to make analysis as well as detection harder. However, this is nothing new for phishing campaigns that choose to utilize a HTML file. De-obfuscating the code and revealing some its methods is not difficult.

Figure 8: Obfuscated Code

To begin, the code is notably broken into different parts. Each of these parts may stand out to anyone with an eye for encoding as being Hex text and base64. These both can easily be decoded back into their original form, the true HTML code, by utilizing tools such as RapidTables and Base64 Decode.

Figure 9: De-obfuscated Code

After de-obfuscating the code, the true HTML is seen in Figure 9, revealing the threat actor has compromised, or at the very least utilized, a compromised site to host the style sheet for their phish:

hxxp://ibuykenya[.]com/vendor/doctrine/styles[.]css

Figure 10: Open Directory with Phish Resource Files

The following is the directory which the threat actor has used to store the style sheet for the phish, along with what appears to be two additional files, based on their last modified dates.

Within the code, the image seen in the background of the document can also be recovered. The image is hosted on ImgBB, yet another relatively benign image hosting site to which threat actors flock to host images for their attacks.

hxxps://i[.]ibb[.]co/dMcjCWC/image[.]png

Figure 11: Document Preview from Phish

Upon closer observation, the title of the document can be obtained. With a quick search, the image the threat actor has used to further legitimize this login page in the eyes of the user can be linked back to the legitimate document found in Figure 12.

Figure 12: Legitimate Document Utilized by Threat Actor

All these steps – the social engineering, the obfuscated code, use of official COVID health advisories and more-are designed to ensure users don’t detect the phishing attack is in progress. This phish also demonstrates the attacker’s need to employ layered techniques designed to avoid detection by email gateways, as well as the incident responder’s need for the right investigative tools to properly analyze, detect and quarantine this threat.

Network IOC  IP
hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423 150[.]60[.]156[.]116

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns. (edited) 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Targeted Attack Uses Fake EE Email to Deceive Users

By Kian Mahdavi and Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has discovered a spear-phishing campaign designed to defraud corporate executives’ payment details by spoofing EE, a well-known UK-based telecommunications and internet service provider.  These spear phishing messages were reported to the Cofense PDC by end users whose email environments are protected by Microsoft 365 EOP and Symantec. This new, targeted campaign shows that while exploiting well-known telecommunications brands is nothing new, such phishing emails continue to go undetected by popular email gateways designed to protect end users, leading to possible theft of prized corporate credentials

Figure 1: Email Body

Threat actors sent a targeted email to a few executives, including one at a leading financial firm, with the subject line reading ‘View Bill – Error’ from a purchased top-level domain (moniquemoll[.]nl). These details in and of themselves may raise red flags to eagle-eyed recipients, as EE’s trademarked name isn’t included in any part of the full email address.

The malicious URL inserted within the text is:

hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo

The vague email indicates ‘we’re working to get this fixed’. At no point does the email give an indication what this error is. As we read on, the second hyperlink states ‘view billing to make sure your account details are correct’ to entice the recipient to click the phishing link.

The threat actor fails to include the correct registered office address, evident towards the bottom of the email. Once the threat actor’s social engineering does the trick and the user clicks one of the links, they are redirected to a phishing page.

Noted in Figure 2 below is the trusted HTTPS protocol (also displayed as the green padlock) within the URL, giving false hope to the user that network traffic is being encrypted, ensuring all data transferred between the browser and website is secure and not being eavesdropped on.

However, the threat actor even went to the trouble of obtaining SSL certificates for the domain to further gain end users’ trust. In fact, it has become much easier for site owners, including fraudsters, to obtain these certificates.

Figures 2 and 3: First and second phishing pages

The peculiar aspect is the message in which the threat actor included: ‘You will not be charged’ to reassure recipients and trick them into providing their payment information.  The user is then automatically redirected to the legitimate EE website, as displayed below in Figure 4, to avoid suspicion. This is a common tactic to make the user believe the session timed out or their password was mistyped.

Figure 4: Legitimate Redirect Login Page

At the time of writing, the phishing page is still live and active. To further validate the analysis of the investigation, we decided to input some fake credentials, allowing us to verify the transmitted TCP requests and redirects to the fraudster’s domain at hXXps://kbimperial[.]com/data[.]php.

Figure 5: TCP Retransmission Packets

Indicators of Compromise:

Network IOC IP
hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/
hXXps://kbimperial[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/logins
hXXps://kbimperial[.]com/data[.]php?
104[.]31[.]82[.]7
104[.]31[.]83[.]7
35[.]208[.]71[.]62

 

Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishers Are Using Google Forms to Bypass Popular Email Gateways

By Kian Mahdavi

Over the past couple of weeks, the Cofense Phishing Defense Center (PDC) has witnessed an increase in phishing campaigns that aim to harvest credentials from innocent email recipients by tricking them into ‘Updating their Office 365’ using a Google Docs Form.

Google Docs is a free web-based application, allowing people to create text documents and input and collect data. It is an enticing way for threat actors to harvest credentials and compromise accounts. Here’s how it works:

Figure 1 – Email Header

The phishing email originates from a compromised financial email account with privileged access to CIM Finance, a legitimate financial services provider. The threat actor used the CIM Finance website to host an array of comprised phishing emails. Since the emails come from a legitimate source, they pass basic email security checks such as DKIM and SPF. As seen from the headers above in figure 1, the email passed both the DKIM authentication check and SPF.

This threat actor set up a staged Microsoft form hosted on Google that provides the authentic SSL certificate to entice end recipients to believe they are being linked to a Microsoft page associated with their company. However, they are instead linked to an external website hosted by Google, such as

hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform.

Figure 2 – Email Body

The email masquerades as a notification from “IT corporate team,” informing the business user to “update your Office 365” that has supposedly expired. The “administrator” claims immediate action must be taken or the account will be placed on hold. The importance of email access is key to this credential phish, leading users to panic and click on the phishing link, providing their credentials.

Figure 3 – Phishing Page

Upon clicking the link, the end user is presented with a substandard imitation of the Microsoft Office365 login page, as seen in figure 3, that does not follow Microsoft’s visual protocol. Half the words are capitalized, and letters are replaced with asterisks; examples include the word ‘email’ and the word ‘password.’ In addition, when end users type their credentials, they appear in plain text as opposed to asterisks, raising a red flag the login page is not real. Once the user enters credentials, the data is then forwarded to the threat actors via Google Drive.

 

Network IOC IP
hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform 172[.]217[.]7[.]238

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe through the “Account Security Alert” or “Cloud Login” templates and get visibility of attacks with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36388.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways

By Max Gannon and Alan Rainer, Cofense IntelligenceTM

Threat actors continue to exploit legitimate services to trick users, as seen in the latest campaign using Raccoon Stealer malware, aimed at a financial organization and delivered by a Dropbox-hosted .IMG file. A rather unsophisticated malware, Raccoon Stealer came to light around April 2019, bypassing Symantec Email Security and Microsoft EOP gateways. The malware is sold on underground forums in both Russian and English, features an easy-to-use interface, around-the-clock customer support, and highly active development. Users of the malware can distribute it in any way they deem fit. In this campaign, the actors chose to host the malicious .IMG file on a Dropbox share, which upon execution, drops Raccoon Stealer onto the victim machine.

The email used in this campaign was delivered to the inbox of an employee of a financial institution. Figure 1 shows the email signature and originator address which probably belong to a compromised user. Using the familiar theme of a wire transfer—closely akin to those often seen in Business Email Compromise (BEC) scams—the threat actors look to trick users into opening the Dropbox URL and downloading the malicious file.

Educating users on spotting these types of scams and carefully scrutinizing emails that originate outside the organization are great ways to thwart this threat. Cofense IntelligenceTM Indicators of Compromise (IOCs) provided via our feed and noted in the appendix below can be used to fortify network defense and endpoint protection solutions.

Technical Findings

In the past, CofenseTM has seen Raccoon Stealer delivered by direct attachments and via RTF documents leveraging CVE-2017-8570 that targeted sectors such as utilities. In this most recent campaign, a potentially compromised email account was used to send the email shown in Figure 1, which managed to make its way past Symantec Email Security and Microsoft EOP gateways without the URL being removed or tampered with to the extent that it would prevent victims from clicking on it and downloading the payload.

Figure 1: Email delivering Dropbox URL

Raccoon Stealer is a relatively new malware that first appeared on the market around April 2019. Due to Raccoon Stealer’s ease of use and range of capabilities that allow for quick monetization of infected users, it is becoming increasingly popular. Although not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads.

Initial contact with the command and control center (C2) is made when the malware does an HTTP POST that includes the “bot ID” and “configuration ID”. The C2 location responds with a JSON object explicitly including C2 data and payload locations for libraries and additional files, as shown in Figure 2.

Figure 2: Configuration Data From C2

The payload URLs currently deliver a set of DLLs, as specified by the “attachment url” and “libraries” parameters, but future development could easily allow threat actors to use Racoon Stealer as a loader for other malware to generate additional income.

The use of several distinct delivery methods in a relatively short time, including via the Fallout Exploit Kit, may indicate increased usage by numerous threat actors as predicted in prior Cofense research. Given the variety of delivery options, Racoon Stealer could be a problem for organizations that focus too much on one infection vector.

Table 1: Indicators of Compromise

Description

Indicator

Dropbox URL

hXXp://www[.]dropbox[.]com/s/g6pz8dm4051rs0o/SCAN%20DOC[.]IMG?dl=1

Raccoon Stealer C2 Locations

34[.]89[.]185[.]248

hXXp://34[.]89[.]185[.]248/file_handler/file[.]php hXXp://34[.]89[.]185[.]248/gate/libs[.]zip hXXp://34[.]89[.]185[.]248/gate/log[.]php hXXp://34[.]89[.]185[.]248/gate/sqlite3[.]dll

Raccoon Stealer Hashes

SCAN DOC.exe             f7bcb18e5814db9fd51d0ab05f2d7ee9

SCAN DOC.IMG            0c8158e2a4267eea51e12b6890e68da8

HOW COFENSE CAN HELP

Cofense PhishMeTM Offers a simulation template, “Dropbox Wire Transfer – Raccoon Stealer,” to educate users on the phishing tactic described in today’s blog.

Cofense IntelligenceTM: ATR IDs 32407, 31881, 31977

Cofense TriageTM: PM_Intel_Raccoon_31881, PM_Intel_Raccoon_31977

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense CenterTM were reported by end users. 0% were stopped by technology. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence TM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks

Hiding in plain sight by using trusted enterprise technologies almost guarantees delivery of a phishing URL. Case in point: a phishing campaign that delivered a legitimate Sharepoint URL to bypass the email gateway, in this case Symantec’s. Here’s how this increasingly popular phishing tactic works.

Email Body

The phishing email is sent from a compromised account at a third-party vendor asking the recipient to review a proposal document. The recipient is urged to click on an embedded URL. As seen below in figure 1, the URL has been wrapped by Symantec’s Click-time URL Protection and redirects the recipient to a compromised SharePoint account. SharePoint, the initial delivery mechanism, then delivers a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology.

Figure 1: email body

The embedded URL in the email body delivers the recipient to a compromised SharePoint site where a malicious OneNote document is served. The document is illegible and invites the recipient to download it by clicking on yet another embedded URL, which leads to the main credential phishing page.

Figure 2: Malicious OneNote Document

Phishing Page

The phishing page is a cheap imitation of the OneDrive for Business login portal. There, the recipient is given two options to authenticate, with their O365 Login credentials or by choosing to login with any other email provider. We see this tactic quite often as it increases the chances that the recipient will log in.

Figure 3: Phishing Pages

When we download the files from the compromised server, we can see that the credentials from the phishing form are posted by login.php. Login.php posts the harvested credentials to a Gmail account.

Figure 4: Login.php

Other files harvested from the compromised server shed light on the origin of this attack. Below is a readme file that instructs the operator on how to configure and install the phishing page onto a compromised webserver. We have also identified that this phishing exploit kit is part of a series of “Hacking tools” built and sold by BlackShop Tools.

Figure 5: readme.txt

IOCs:

Malicious URL(s):

hxxps://botleighgrange-my[.]sharepoint[.]com/:o:/p/maintenance/EngTNCs22_REkaJY4gVf9lwBqkwYFtDSmJJ7L2H-AnoDQg?e=tgtauL
hxxps://alblatool[.]com/xxx/one/
hxxps://alblatool[.]com/xxx/one/office365/index[.]php

Associated IP(s):

13[.]107[.]136[.]9
198[.]54[.]126[.]160

 

HOW COFENSE CAN HELP

To defend against the attack described in today’s blog, Cofense offers:

 

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Updated Sep. 12

This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

By Tej Tulachan

The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works.

Email Body

At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the absence of the recipient’s name, just “Good day.” If we look deeper into the message body, we can see that there is an embedded hyperlink which directs to hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/

Figure.1

Email Header

From the email header we can see that the threat source originates from the domain narndeo-tech[.]com. Further investigation reveals it belongs to Hetzner Online GmbH which is a well-known hosting company based in Germany. We noted that there is no sign of proof this came from a genuine DocuSign domain.

From: Lxxxx Mxxx <xxxxxx22@narndeo-tech[.]com>

To: R______ L_______ <unsuspecting.victim@example.com>

Message-ID: <20190716055127.3AEBF4689BD125B3[@]narndeo-tech[.]com>

Subject: New Docu-Sign

X-Env-Sender: lesliemason22[@]narndeo-tech[.]com

Phishing Page

When users click on the embedded link, it redirects to a phishing page as shown below in figure 2. Here the attacker gives six separate options for users to enter their credentials to access the DocuSign document, increasing the likelihood this phisher gets a bite.

Figure.2

Once the user clicks on the given option, it redirects to the main phishing page as shown below in three versions, Office 365, Gmail, and iCloud.

Figure.3

Email Gateway: This threat was found in an environment running Symantec EmailSecurity.Cloud.

Conclusion:  

IOC

hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/

108[.]177[.]111[.]153

Recommendation:

Cofense™ cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that instruct users to provide their credentials. If your organization uses DocuSign as part of its business processes, remind users how they should expect legitimate notifications according to your internal standards. Cofense PhishMe™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.  A simulation template is available as “Completed Document,” which is based on a real phishing campaign. We also have existing newsletter (Announcement) content available to send to your users.

Reference: https://www.docusign.com/sites/default/files/Combating_Phishing_WP_05082017.pdf

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM.

Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than  Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

By Jake Longden

The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work.

Email Body:

The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel straight through security checks at the gateway.

WeTransfer allows for the addition of a note to the email to clarify why the file was sent. Here, the threat actor will often write a note stating that the file is an invoice to be reviewed. This is a commonly observed phishing technique to pique the user’s interest.

Fig 1. Email body

Phishing Page:

When the user clicks on the “Get your files” button in the message body, the user is redirected to the WeTransfer download page where a HTM or HTML file is hosted and thus downloaded by the unsuspecting victim. When the user opens the .html file, he or she is redirected to the main phishing page.

Fig 2. WeTransfer Hosted file

In the final stage of the attack, victims are asked to enter their Office365 credentials to login. More often than not, we see a Microsoft Service being targeted, however we have observed other targeted brands.

Fig 3. Phishing Page

Gateway Evasion

As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites. The PDC has observed this attack method to bypass multiple gateways. These include ProofPoint, Office365 Safe Links,  and Symantec.

Useful Resources for Customers

Description
Triage Yara rule: PM_WeTransfer_File_Download
PhishMe Templates: “File Transfer”
Cofense Intelligence: https://www.threathq.com/p42/search/default#m=26412&type=renderThreat 


Other Ways Cofense Can Help

The Cofense Phishing Defense Center identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.  Our solution offers a phishing simulation to protect against file-transfer attacks like the one described in this blog.

According to the Cofense Phishing Defense Center, over 91% of the credential harvesting attacks they identify bypassed email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understand, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.