Emotet Gears Up to File (Your) Taxes

By Tonia Dudley, Cofense Security Solutions

What’s the first form you need to file in order to collect US taxes? Why a W-9 of course! So, what have we been seeing from Emotet as it gears up for filing taxes on your behalf? A W-9 phish of course!

As with other trends we’ve seen from this threat actor, the email messages are not sophisticated – in fact, they are quite basic. We are seeing both an attachment (Figure 1) and a simple link (Figure 2) to download the document, and the attachment itself (Figure 3) isn’t anything fancy either. This tax season is just getting started, with many tax filing forms due to taxpayers last week, by Jan 31st; we anticipate these campaigns will evolve and improve as the annual filing date of April 15th approaches.

Figure 1 – Emotet using W9 attachment 

Figure 2 – Emotet with URL link to attachment 

Figure 3 – Emotet W9 Attachment

FYI, this week has been declared Tax Identity Theft Awareness Week by the Federal Trade Commission (FTC). It’s a great time of the year to remind your organization, friends, and family to be vigilant in protecting their tax forms. Below are some tips from the FTC to better protect your identity during this tax season:

  • Protect your SSN throughout the year. Don’t give it out unless there’s a good reason and you’re sure who you’re giving it to.
  • File your tax return as early in the tax season as you can.
  • Use a secure internet connection if you file electronically, or mail your tax return directly from the post office.
  • Research a tax preparer thoroughly before you hand over personal information.
  • Check your credit report at least once a year for free at annualcreditreport.com. Make sure no one has opened a new account in your name.

 

HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Hot Off the Press: Cofense Q4 2019 Malware Trends Report

By Alan Rainer

The fourth quarter of 2019 showed a strong start but a dull finish, as the world eased into the holiday season. After Emotet’s resurgence at the end of Q3 2019, Q4 saw an even higher volume of phishing from the Trojan and its botnet. Read all about it, alongside other malware trends and campaigns, in the Cofense Intelligence Q4 2019 Malware Trends Report.

Continuing from Q3, Emotet picked up momentum in distributing malicious emails. From email reply chain compromises to crafty phishing templates with macro-laden documents, user inboxes found no solace. Emotet delivered financial invoices, “invites” to a Christmas party, and other phish baits to trick recipients into infecting their systems. Other malware families were not as prolific, decreasing in volume as the quarter went on.

The new year, however, is likely to hold greater wickedness. On the malware front, Windows 7’s End of Life will probably spur new malware, and expect targeted ransomware to keep growing. 2020’s election season may bring more phishing, while geopolitical events can result in more cyber threats. And to round it off, Emotet will keep on churning.

Figure 1: Varenyky Spambot Phishing Email Sample

Our Q4 report outlines key trends, statistics, breakdowns of specific campaigns, and insights on what to expect in Q1 2020 and beyond, all of which you can use to defend your organization. Cofense Intelligence provides phishing campaign updates throughout the year, which includes comprehensive threat reports and bi-weekly trend digests.

View the Q4 2019 Malware Trends Report at: https://go.cofense.com/malware-trends-2019-q4/


5 Cybersecurity Trends that Will Dominate 2020

5 Phishing Predictions, 1 Pandemic: What Really Happened?

Join Aaron Higbee & Tonia Dudley as they explore how our 5 predictions for 2020 actually measured up and what you need to do to defend against new and emerging phishing threats.

By Aaron Higbee, CTO, Cofense

The threat landscape continues to evolve at a rapid pace, with new threat vectors emerging and increasing in sophistication. Which ones should you watch most closely as 2020 unfolds? Based on insights collected from our Cofense research teams, here are five trends we see dominating next year.

Ransomware will continue becoming more targeted to reap more sizeable payouts.

Many people are under the impression that ransomware is slowing down, but in reality it’s simply being used in a more targeted fashion. So many private and public organizations, as well as government entities, have been infiltrated by ransomware that we’ve become desensitized to its devastating effects.

Ransomware is very much alive, and more sophisticated actors are using it every day as a gateway into an organization’s network, once they identify crown jewels left vulnerable. One of the reasons why we’re not hearing as much about ransomware in the media is that attacks are increasingly difficult to cover. Due to cyber liability insurance policies and law enforcement involvement creating so much red tape, the real information is shrouded in secrecy and not making it into the public domain. Threat actors will continue to refine their targeting in 2020 in order to maximize their profits with organizations that don’t have an advanced security posture but do have a lot to lose.

Healthcare and genetic testing organizations will be a rich target for monetizing data.  

Healthcare organizations will always be one of the richest targets for ransomware and consumer fraud, as they provide easy access to valuable information, such as social security numbers, that can be monetized quickly. But as we look to the future, the prospect of malicious actors hacking into a database of a genetic testing company is especially disturbing. Not only would a threat actor have a detailed record of medical history and family heritage, but if the ethics of gene editing evolve further—and it’s not far off—a master log of thousands, if not millions, of people’s DNA is potentially available for attackers to exploit.

Cryptocurrency will find itself in the crosshairs.

The cryptocurrency industry is not widely understood, but it is on the receiving end of some of the most advanced attack methods we’ve seen to-date. Whether it’s a high-profile crypto holder or an entire cryptocurrency exchange, we’ve seen first-hand at Cofense how this realm of cyberspace is impacted by elite phishing tactics. Ultimately, the hackers look at their targets from two angles.

The first, if you’re a sole cryptocurrency holder: is your line of defense weak enough for me to hack you, log into your exchange, steal your cryptocurrency, and transfer it out? The second: is one of your employees, and it only takes one, susceptible to clicking on a phishing link so I can hack into your entire network and dig deep enough to access the cold storage vaults and pull off a heist?

The latter is far more likely, as organizations often neglect to train their employees to identify malicious emails. They mistakenly believe that more expensive, “we-promise-to-stop-it-all” technologies will thwart every attack. The reality is that the circle of trust at some organizations is so large that their employees are really the first and last line of defense against an attack.

SIM-jacking will be used to jack cryptocurrency.

SIM-jacking is a trend that has recently emerged and will pick up speed in 2020, due to its success and the ease of implementation. Instead of wasting time trying to infiltrate the source, SIM hijackers will go to someone who works for a telecom company and pay them off to assign your phone number to another device and then use that phone number to reset your passwords and steal your cryptocurrency. In fact, one major U.S. telecom company is currently in the throes of a lawsuit following a handful of employees who helped hackers rob a customer of $1.8 million worth of cryptocurrency. It is heavily debated who exactly is at fault for SIM-jacking attacks, and while cybercriminals are obviously at fault, there are several layers to the attack that blur the lines.

Information warfare will put human intuition to the test.

In an era of fake news, information warfare is a very real consequence of social media platforms and an influx of news outlets. The public has to rely on, and decipher between, numerous news sources that offer little evidence, and much to the imagination, when it comes to the root cause of most stories.

Evidence is the key to validating any story. At Cofense, we stress the importance of conditioning people to recognize fake from real—phishing emails and other scams that target employees at work and home.

Human intuition is one of the most powerful tools in your arsenal, and it’s vital to hone it as a natural defense mechanism to combat against all types of threats, whether it’s fake news, a conspiracy theory, or a scam designed to bilk your company of its data, funds, or brand reputation.

To stay on top of phishing and malware threats in 2020, be sure to check this blog. We’ll continue to share our teams’ findings, both what we see in the wild and what evades the email gateway.

 

HOW COFENSE CAN HELP

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center were reported by end users. 0% were stopped by technology. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

 

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.


This Advanced Keylogger Delivers a Cryptocurrency Miner

By Aaron Riley

In a new twist, a phishing campaign is delivering the advanced Hawkeye Keylogger malware to act as a first stage loader for a cryptocurrency miner. Hawkeye Keylogger – Reborn V9 was attached to a phishing email with a job application theme. Once executed, Hawkeye downloaded and ran a sample of the open-source software CGMiner. The CGMiner sample was an older version configured for the cryptocurrency Litecoin. This is the first instance in which Cofense Intelligence™ has analyzed a keylogger being used merely as a first stage loader to deploy a crypto-miner.

The job application attachment theme used in this phishing campaign was generic and did not target a specific business department or job opening. As seen in Figure 1, the email is short and plain; however, the email source code showed a configuration that can be used for alerts. The email’s character set was configured for “Windows-1251,” which is used to support Cyrillic languages. Considering the business use of Cyrillic languages, this configuration can be used for alerting within the email security stack. The email had a .zip archive attachment that delivered a sample of Hawkeye Keylogger – Reborn V9.

Figure 1: Compromised email address delivering malicious ZIP attachment under guise of a CV

Hawkeye Keylogger is subscription-based and has been sold on forums since 2013. It has gone through many version updates and has even changed development ownership in the past. This advanced keylogger can be used to monitor systems, gather sensitive information from the machine, and exfiltrate the information to the Command and Control (C2) structure in multiple ways. The developer’s advertisement does not tout it as a first stage downloader. The threat operator behind this campaign utilized the file installation feature—typically used for setting persistence on the infected machine—to download and execute the sample of CGMiner. After the download and execution of the secondary payload, Hawkeye Keylogger stalled in its processes and did not attempt any further action.

CGMiner is an open-source cryptocurrency miner that can be executed across all operating systems. Older CGMiner versions can be configured to mine multiple different types of cryptocurrency and are designed to work with most AMD graphics cards. This sample of CGMiner is version 3.5, which is an older version that still supports CPU/GPU mining. This miner sample uses the Stratum protocol over TCP port 3333 and is configured to mine Litecoin. Newer versions of CGMiner do not support CPU/GPU mining and only provide algorithms for the Bitcoin cryptocurrency. CGMiner can be easily spotted when analyzed in a sandbox environment. The same is true of the Stratum protocol, which can be used as an alert for network activity.

Cryptocurrency miners have been seen in phishing campaigns before, but rarely are they ever used as a second stage infection from an advanced keylogger. This version of CGMiner was deliberately selected for the CPU/GPU mining feature for Litecoin mining. The infection chain showed places where the email and network security stack should have acted. Setting these alerts, tuning the technology, and educating end users is the best way to avoid these phishing campaigns.
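The two alerting points the write-up names are the Windows-1251 charset on an otherwise English job-application email and the Stratum mining traffic to the pool. The following Python is an added example of both checks, not Cofense code: the message, the flow records, the list of unexpected charsets and the archive extensions are constructed assumptions to be tuned to your own environment.

```python
"""Two detections for the Hawkeye -> CGMiner chain described above.

Added example; the message and flow records are constructed to mimic the
traits the report describes (Windows-1251 charset, .zip attachment,
Stratum over TCP/3333) and are not artifacts from the campaign.
"""
import json
from email import message_from_bytes, policy

# --- Email stage -----------------------------------------------------------
# Constructed message: English text declared with a Cyrillic charset, plus a
# .zip attachment, as in the job-application lure.
RAW_EMAIL = b"""From: applicant@example.invalid
To: hr@example.invalid
Subject: Resume
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="Windows-1251"

Please find my CV attached.
--b1
Content-Type: application/zip; name="RESUME_Sep.zip"
Content-Disposition: attachment; filename="RESUME_Sep.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Charsets the organization does not expect in inbound mail (assumption:
# tune to the languages your business actually uses).
UNEXPECTED_CHARSETS = {"windows-1251", "koi8-r", "koi8-u"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".ace", ".iso", ".img")


def inspect_email(raw: bytes) -> dict:
    """Flag a message that combines an unexpected charset with an archive."""
    msg = message_from_bytes(raw, policy=policy.default)
    charsets, attachments = set(), []
    for part in msg.walk():
        cs = part.get_content_charset()
        if cs:
            charsets.add(cs.lower())
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            attachments.append(name)
    reasons = []
    odd = sorted(charsets & UNEXPECTED_CHARSETS)
    if odd:
        reasons.append("unexpected charset: " + ", ".join(odd))
    archives = [a for a in attachments if a.lower().endswith(ARCHIVE_EXTENSIONS)]
    if archives:
        reasons.append("archive attachment: " + ", ".join(archives))
    # Either trait alone is common; both together is the alert condition.
    return {"alert": len(reasons) == 2, "reasons": reasons,
            "charsets": sorted(charsets), "attachments": attachments}


# --- Network stage ---------------------------------------------------------
def is_stratum_payload(payload: bytes) -> bool:
    """Stratum is newline-delimited JSON-RPC whose methods are 'mining.*'."""
    first_line = payload.split(b"\n", 1)[0].strip()
    try:
        obj = json.loads(first_line.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(obj, dict) and str(obj.get("method", "")).startswith("mining.")


# Constructed flow records: (src, dst, dport, first client payload bytes).
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 3333,
     b'{"id": 1, "method": "mining.subscribe", "params": ["cgminer/3.5.0"]}\n'),
    ("10.0.0.5", "203.0.113.10", 3333,
     b'{"id": 2, "method": "mining.authorize", "params": ["user.worker", "x"]}\n'),
    ("10.0.0.7", "198.51.100.20", 443, b"\x16\x03\x01\x02\x00"),  # TLS hello
    ("10.0.0.8", "198.51.100.30", 3333, b"GET / HTTP/1.1\r\n"),   # port alone is not proof
]


def stratum_alerts(flows):
    """Return (src, dst, dport) for flows whose payload is Stratum, on any port."""
    return [(s, d, p) for s, d, p, payload in flows if is_stratum_payload(payload)]


if __name__ == "__main__":
    print(inspect_email(RAW_EMAIL))
    print(stratum_alerts(FLOWS))
```

The email check fires only when both traits coincide, because a Cyrillic charset or a .zip on its own is routine for many organizations; the network check keys on the protocol content rather than the port, so a miner pointed at a pool on 443 is still caught while plain HTTP on 3333 is not.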

Table 1: Indicators of Compromise

Description                          Indicator
Hawkeye Keylogger Within Attachment  Redacted_RESUME_Sep.exe   a381ba89d294f120dd76a684bda24276
Email Attachment                     Redacted_RESUME_Sep.zip   3866532d537df4795d88f97c38c1c25a
CGMiner                              functionupdate.exe        4a7d5d67ce8e6a890f4a272be3f782bd
Payload URL                          hxxp://165[.]22[.]50[.]215/functionupdate[.]exe
Litecoin Mining Connection           stratum+tcp://us[.]litecoinpool[.]org:3333


HOW COFENSE CAN HELP

Cofense PhishMe™ offers simulation templates to educate users on phishing tactics similar to those described in today’s blog.

  • Job Application – Office Macro / Hermes Ransomware
  • Job Inquiry – Cerber (Attachment)
  • Response to Job Posting
  • Resume Attached
  • CV Attached – Petya

Cofense Intelligence™: ATR ID 32403

Cofense Triage™: PM_Intel_GCMiner_32403

Every day, the Cofense Phishing Defense Center™ analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence™.


Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways

By Max Gannon and Alan Rainer, Cofense Intelligence™

Threat actors continue to exploit legitimate services to trick users, as seen in the latest campaign using Raccoon Stealer malware, aimed at a financial organization and delivered by a Dropbox-hosted .IMG file. A rather unsophisticated malware, Raccoon Stealer came to light around April 2019, bypassing Symantec Email Security and Microsoft EOP gateways. The malware is sold on underground forums in both Russian and English, features an easy-to-use interface, around-the-clock customer support, and highly active development. Users of the malware can distribute it in any way they deem fit. In this campaign, the actors chose to host the malicious .IMG file on a Dropbox share, which upon execution, drops Raccoon Stealer onto the victim machine.

The email used in this campaign was delivered to the inbox of an employee of a financial institution. Figure 1 shows the email signature and originator address which probably belong to a compromised user. Using the familiar theme of a wire transfer—closely akin to those often seen in Business Email Compromise (BEC) scams—the threat actors look to trick users into opening the Dropbox URL and downloading the malicious file.

Educating users on spotting these types of scams and carefully scrutinizing emails that originate outside the organization are great ways to thwart this threat. Cofense Intelligence™ Indicators of Compromise (IOCs) provided via our feed and noted in the appendix below can be used to fortify network defense and endpoint protection solutions.

Technical Findings

In the past, Cofense™ has seen Raccoon Stealer delivered as a direct attachment and via RTF documents leveraging CVE-2017-8570, in campaigns that targeted sectors such as utilities. In this most recent campaign, a potentially compromised email account was used to send the email shown in Figure 1, which made its way past Symantec Email Security and Microsoft EOP gateways with the URL left intact, so nothing prevented victims from clicking it and downloading the payload.

Figure 1: Email delivering Dropbox URL

Raccoon Stealer is a relatively new malware that first appeared on the market around April 2019. Due to Raccoon Stealer’s ease of use and range of capabilities that allow for quick monetization of infected users, it is becoming increasingly popular. Although not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads.

Initial contact with the command and control center (C2) is made when the malware does an HTTP POST that includes the “bot ID” and “configuration ID”. The C2 location responds with a JSON object explicitly including C2 data and payload locations for libraries and additional files, as shown in Figure 2.

Figure 2: Configuration Data From C2

The payload URLs currently deliver a set of DLLs, as specified by the “attachment url” and “libraries” parameters, but future development could easily allow threat actors to use Raccoon Stealer as a loader for other malware to generate additional income.

The use of several distinct delivery methods in a relatively short time, including via the Fallout Exploit Kit, may indicate increased usage by numerous threat actors, as predicted in prior Cofense research. Given the variety of delivery options, Raccoon Stealer could be a problem for organizations that focus too much on one infection vector.

Table 1: Indicators of Compromise

Description                   Indicator
Dropbox URL                   hXXp://www[.]dropbox[.]com/s/g6pz8dm4051rs0o/SCAN%20DOC[.]IMG?dl=1
Raccoon Stealer C2 Locations  34[.]89[.]185[.]248
                              hXXp://34[.]89[.]185[.]248/file_handler/file[.]php
                              hXXp://34[.]89[.]185[.]248/gate/libs[.]zip
                              hXXp://34[.]89[.]185[.]248/gate/log[.]php
                              hXXp://34[.]89[.]185[.]248/gate/sqlite3[.]dll
Raccoon Stealer Hashes        SCAN DOC.exe   f7bcb18e5814db9fd51d0ab05f2d7ee9
                              SCAN DOC.IMG   0c8158e2a4267eea51e12b6890e68da8
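The indicators in Table 1 are defanged for safe publication, so they have to be refanged before they can be matched against proxy or DNS telemetry, and the Dropbox URL needs different handling from the C2 IP: blocking on the bare host would fire on every legitimate Dropbox visit. The following Python is an added example of that workflow, not Cofense tooling; the indicators are the ones from Table 1, while the proxy log lines and the shared-service host list are constructed for the example.

```python
"""Refang the Table 1 indicators and match them against a proxy log.

Added example, not Cofense tooling. The indicators are the ones listed in
Table 1; the proxy log lines are constructed for the example.
"""
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "hXXp://www[.]dropbox[.]com/s/g6pz8dm4051rs0o/SCAN%20DOC[.]IMG?dl=1",
    "34[.]89[.]185[.]248",
    "hXXp://34[.]89[.]185[.]248/file_handler/file[.]php",
    "hXXp://34[.]89[.]185[.]248/gate/libs[.]zip",
    "hXXp://34[.]89[.]185[.]248/gate/log[.]php",
    "hXXp://34[.]89[.]185[.]248/gate/sqlite3[.]dll",
]

# Hosts shared by many legitimate users (assumption: extend for your org).
# For these, match only the exact URL, never the bare host.
SHARED_SERVICE_HOSTS = {"www.dropbox.com", "dropbox.com"}


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the report (hXXp, [.], [:])."""
    live = re.sub(r"(?i)^hxxp", "http", ioc.strip())
    return live.replace("[.]", ".").replace("[:]", ":")


def build_matcher(defanged):
    """Split indicators into a host set and an exact-URL set."""
    hosts, urls = set(), set()
    for ioc in defanged:
        live = refang(ioc)
        if "://" in live:
            urls.add(live)
            host = urlsplit(live).hostname
            if host and host not in SHARED_SERVICE_HOSTS:
                hosts.add(host)
        else:
            hosts.add(live)
    return hosts, urls


# Constructed proxy log: timestamp, client, method, URL, status.
PROXY_LOG = """\
2019-10-01T12:00:01Z 10.0.0.5 GET https://www.dropbox.com/home 200
2019-10-01T12:00:09Z 10.0.0.5 GET http://www.dropbox.com/s/g6pz8dm4051rs0o/SCAN%20DOC.IMG?dl=1 200
2019-10-01T12:01:30Z 10.0.0.5 POST http://34.89.185.248/gate/log.php 200
2019-10-01T12:01:31Z 10.0.0.5 GET http://34.89.185.248/gate/libs.zip 200
2019-10-01T12:01:40Z 10.0.0.5 POST http://34.89.185.248/gate/other.php 200
2019-10-01T12:02:00Z 10.0.0.6 GET https://example.invalid/ 200
"""


def scan_proxy_log(text, hosts, urls):
    """Return (client, url, match_kind) for every log line that hits an IOC."""
    hits = []
    for line in text.splitlines():
        _ts, client, _method, url, _status = line.split()
        if url in urls:
            hits.append((client, url, "url"))
        elif urlsplit(url).hostname in hosts:
            hits.append((client, url, "host"))
    return hits


if __name__ == "__main__":
    hosts, urls = build_matcher(DEFANGED_IOCS)
    for hit in scan_proxy_log(PROXY_LOG, hosts, urls):
        print(hit)
```

The host-level match on the C2 address catches paths the report did not list (the `other.php` line above), which matters because the C2 serves several endpoints from one IP; the Dropbox entry only ever matches the exact share URL, so the first log line, a normal Dropbox visit, is left alone.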

HOW COFENSE CAN HELP

Cofense PhishMe™ offers a simulation template, “Dropbox Wire Transfer – Raccoon Stealer,” to educate users on the phishing tactic described in today’s blog.

Cofense Intelligence™: ATR IDs 32407, 31881, 31977

Cofense Triage™: PM_Intel_Raccoon_31881, PM_Intel_Raccoon_31977

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center™ were reported by end users. 0% were stopped by technology. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence™.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.


What’s Up With Malware? Find Out In Our Q3 Report

By Alan Rainer and Max Gannon

On the malware front, the summer of 2019 was quiet and steady-state. But the end of Q3 saw the infamous Emotet resurface, presaging a malware uptick in Q4. Read all about it in the Cofense Q3 2019 Malware Trends Report.

With Emotet’s activity suspended and the landscape in a relative lull, threat actors in Q3 stuck to tried-and-true methods of intrusion. Phishing emails containing keyloggers (namely ‘Agent Tesla’) slightly rose in popularity, while information stealers like Loki Bot fell. Threat actors continue to seek the easiest, most efficient way of infiltrating users. Agent Tesla, for example, offers customer support and a web interface to develop and manage the keylogger. Similarly, cybercriminals continue to capitalize on known and patched vulnerabilities to deliver malware through phishing campaigns.

When Emotet resurfaced towards the end of Q3, this significant malware player wasted no time in compromising email chains or tricking users with convincing templates. As such, Cofense™ expects Q4 to show more malware activity.

Figure 1: Emotet Phishing Email Sample

Our Q3 report outlines these trends, alongside statistics, breakdowns of specific campaigns, and insights on what to expect in Q4, all of which you can use to defend your organization. Cofense Intelligence™ provides phishing campaign updates throughout the year, which include the Strategic Analysis (a comprehensive threat report) and Executive Phishing Summary (a bi-weekly trend synopsis) communiqués.

View the Q3 Report now.


Agent Tesla Keylogger Is Now a Top Phishing Threat

By Aaron Riley, Cofense Intelligence™

The Agent Tesla keylogger is an increasingly widespread piece of malware in the phishing threat landscape, targeting multiple industries and using multiple stages within its infection chain. Currently, threat actors prefer archived files or weaponized Microsoft Office productivity documents to deliver this malicious software to the endpoint. Agent Tesla is sold as a commercial subscription license and offers a 24/7 support team. With an easy to use and abundant feature set—like a document exploit builder embedded into the malware management web panel—this keylogger lends itself to all levels of threat actors.

A typical theme for these campaigns revolves around finances, orders, and shipments. The most common way for this keylogger to make it to the endpoint is by archiving the executable and attaching it to a phishing email. This delivery vector can be successful if the email security stack does not have a standard in place for allowed archival types, does not conduct archive file analysis, or determines the file to be an unknown archive type.

For the infection chain, there are numerous methods a threat actor can choose. Most notably, Agent Tesla leverages a document exploiting an equation editor vulnerability documented in CVE-2017-11882 as the first stage loader. Exploiting this vulnerability allows for the attached document to download and execute a binary on the victim’s endpoint once opened. Although a patch has been out for this vulnerability, threat actors continue to utilize it for exploits.

An Office macro-laden document is the second most popular ‘stage one’ loader for this keylogger. This is somewhat surprising, given that the macro builder is embedded in the Agent Tesla web panel as a feature, which makes it easier to capitalize on than the CVE-2017-11882 exploit. Beyond keylogging, Agent Tesla offers features closer to those of a Remote Access Trojan (RAT), including the capability to take screenshots or control the webcam. It adds to its robustness with the ‘File Binder’ option, which links a selected file on the endpoint to the Agent Tesla executable and runs the keylogger at the same time as the selected file. This keeps the keylogger up and running without any interaction needed from the victim.

Unlike most RAT suites, Agent Tesla’s preferred exfiltration method for the stolen data is the use of email. The web panel allows for a threat actor to set an email address as the recipient or the sender and has the ability for the email traffic to be SSL encrypted. This exfiltration technique can be avoided by blocking all traffic using SMTP that does not match organizational or enterprise standards. Agent Tesla, however, can also exfiltrate the stolen information via FTP or an HTTP POST. Each of these exfiltration methods can be defended against with proper firewall, content filtering, and alerting rules in place.
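The paragraph above names three exfiltration paths (SMTP, FTP, HTTP POST) and the network controls that address them. The following Python is an added example of the egress checks a defender would run over flow records to enforce the “SMTP only via the approved relay” rule and to catch the other two paths; it is not Cofense code, and the relay address, workstation subnet, internal ranges, size threshold and flow records are constructed assumptions.

```python
"""Egress checks for the three Agent Tesla exfiltration paths named above
(SMTP, FTP, HTTP POST).

Added example; the relay address, subnet, threshold and flow records are
assumptions constructed for the example.
"""
import ipaddress

WORKSTATIONS = ipaddress.ip_network("10.0.0.0/24")            # assumption
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]      # assumption
APPROVED_MAIL_RELAYS = {ipaddress.ip_address("10.0.1.25")}    # assumption
SMTP_PORTS = {25, 465, 587}   # plain, SMTPS and submission: TLS hides content, not the port
FTP_PORTS = {21}
POST_BYTES_THRESHOLD = 512_000  # assumption: tune to normal upload sizes


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify_flow(src, dst, dport, proto, bytes_out):
    """Return an alert label for a workstation flow, or None if it is allowed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in WORKSTATIONS:
        return None                       # servers are covered by their own policy
    if dport in SMTP_PORTS and d not in APPROVED_MAIL_RELAYS:
        return "smtp-bypassing-relay"     # mail leaving a workstation around the relay
    if dport in FTP_PORTS:
        return "ftp-from-workstation"     # no business FTP from user endpoints
    if proto == "http-post" and not is_internal(d) and bytes_out > POST_BYTES_THRESHOLD:
        return "large-http-post"          # bulk upload straight to the internet
    return None


# Constructed flow records: (src, dst, dport, protocol hint, bytes sent).
FLOWS = [
    ("10.0.0.5", "10.0.1.25", 587, "smtp", 12_000),          # mail via the relay
    ("10.0.0.5", "198.51.100.5", 587, "smtp", 48_000),       # mail sent around the relay
    ("10.0.0.9", "203.0.113.7", 21, "ftp", 5_000),
    ("10.0.0.9", "203.0.113.9", 80, "http-post", 900_000),
    ("10.0.0.9", "198.51.100.40", 443, "tls", 3_000),
    ("10.0.1.25", "203.0.113.50", 25, "smtp", 70_000),       # the relay itself, out of scope
]


def egress_alerts(flows):
    """Apply classify_flow to every record and keep the ones that alert."""
    alerts = []
    for src, dst, dport, proto, n in flows:
        label = classify_flow(src, dst, dport, proto, n)
        if label:
            alerts.append((src, dst, dport, label))
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(FLOWS):
        print(alert)
```

The SMTP rule is the one the text recommends: it does not care whether the session is TLS-wrapped (465) or plain (25, 587), only whether the destination is the organization’s relay, which is the one place where content filtering can still see the message. The same three labels map directly onto firewall deny rules once the alerting has been tuned.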

Figure 1: An example phishing email with Agent Tesla keylogger attached.

Agent Tesla’s recent rise to the top of the phishing threat landscape shouldn’t be a surprise, given the ease of use, options, and technical support from the creators. Network safeguards can help stop the exfiltration of data from a successful infection. Patching and updating user endpoints can combat at least one of the delivery mechanisms used within these phishing campaigns. Educating users on company standards for file extensions and Office macro use can combat the other two delivery mechanisms.

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense Center™ bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence™.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense™. To understand them better, read the 2019 Phishing Threat & Malware Review.


Emotet Malicious Phishing Campaigns Return in Force

By Alan Rainer and Max Gannon

The infamous malware family Emotet—also known as Geodo—has fully resurfaced and resumed sending phishing campaigns that trick users into clicking on links and downloading attachments that contain malicious macros. Many of the emails feature common financial themes that capitalize on an existing reply chain or contact list impersonation.

In most cases, subjects for these phishing emails are rather mundane, such as “RE: Re: Contract/Invoice Count” and “Customer Statement 09/16/2019”, with attachments that use Microsoft Office macros to install malware. Once the Emotet executable is installed, the banking Trojan TrickBot may be placed onto the victim machine, depending mainly on geography and organization. TrickBot is known to siphon information from a host and has been shown to lead to Ryuk ransomware reaching the victim after some time. Current statistics show that Emotet is targeting over 66,000 unique emails on more than 30,000 domains. The origin emails, sent from accounts whose credentials had likely been stolen, span over 1,900 unique domains and 3,400 different senders. This extensive reach makes the Emotet threat tricky to combat.

User awareness and technical safeguards such as email defense capabilities and endpoint protection solutions are vital in thwarting Emotet. Users should be increasingly wary of reply chain emails that contain unexpected documents, especially ones that ask to ‘Enable Content’ for editing or to ‘Accept the license agreement.’

Security teams should maintain a heightened awareness of Emotet trends and leverage the analysis to deny or hunt down malicious activity. Through active monitoring of the Emotet botnet and malware, Cofense Intelligence™ continues to identify phishing threats that may impact customers and to provide security operations with the latest campaign data. In the Technical Findings section below, Cofense Intelligence has chosen a random example of the most common email and macro as seen today for analysis.

Figure 1: Original Email

Technical Findings

Emotet delivers malicious documents as either part of a reply chain or as a finance-themed (such as invoice, new document, bank transfer, and quotation) phishing email. The languages used for each email body differ widely and have been seen to include English, Italian, Polish, or German, among others. These phishing emails contain a Microsoft Word document with a .doc extension and an Office macro that downloads Emotet executables.

Historically, Emotet utilized malicious links as well, but current indications show this is not the preferred method of malware delivery. The attached Office documents with macros store payload information in embedded object data, rather than in the macro itself, which makes analysis more difficult.

While similar to a delivery mechanism discussed in a previous blog, this version of the dropper is more advanced than before. When the document is opened, it displays a lure stating that to continue to use Microsoft Word after September 20, 2019, the user must accept the license agreement and enable editing. The lure shown in Figure 2 does not appear to be significantly different from the typical Office message that asks to enable macros; however, a requirement to accept a new license agreement makes the lure seem so routine that this new trap may be more effective.

Figure 2: Macro Request

After Office macros are enabled, Emotet executables are downloaded from one of five different payload locations. When run, these executables launch a service, shown in Figure 3, that looks for other computers on the network. Emotet then downloads an updated binary and proceeds to fetch TrickBot if (currently undetermined) criteria of geographical location and organization are met.

Figure 3: Service Launched by Emotet

The macros used in this case are relatively small even with the garbage code included, totaling approximately 150 to 300 lines. Removing the garbage code reveals only 10 lines of actual code. This code extracts metadata from embedded objects in the Word document; specifically, the “caption” data of these objects as seen in Figure 4.

Figure 4: Object content

While the attached documents all have a .doc extension, they are in fact .dotm, .docx, and other document file types. This lets them hide the embedded objects as ActiveX objects rather than as typical “Form” objects, whose metadata can be easily accessed in an opened document.
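A defender-side check for the extension trick described above, added here as an example and not Cofense's or the authors' code: it sniffs whether a “.doc” attachment is really a ZIP-based OOXML container (.docx/.dotm) and lists the VBA and ActiveX parts inside it, which is exactly the combination the analysis describes. The sample document is constructed in memory and contains no real macro.

```python
import io
import zipfile

# Magic bytes: a legacy binary .doc is an OLE2 compound file; .docx/.dotm are ZIP containers.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

def inspect_doc(filename: str, data: bytes) -> dict:
    """Report the true container type of a Word attachment and any macro/ActiveX parts.
    Constructed helper (not Cofense tooling); checks only what the blog describes."""
    report = {"file": filename, "container": "unknown", "ext_mismatch": False,
              "has_vba": False, "activex_parts": []}
    if data.startswith(OLE2_MAGIC):
        report["container"] = "ole2"
    elif data.startswith(ZIP_MAGIC):
        report["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        report["has_vba"] = "word/vbaProject.bin" in names
        report["activex_parts"] = [n for n in names if n.startswith("word/activeX/")]
    # A .doc extension should carry an OLE2 body; a ZIP body means the extension lies.
    report["ext_mismatch"] = filename.lower().endswith(".doc") and report["container"] == "ooxml"
    return report

def is_suspicious(report: dict) -> bool:
    """Extension lies AND the container carries code-bearing parts: worth a closer look."""
    return report["ext_mismatch"] and (report["has_vba"] or bool(report["activex_parts"]))

def build_fake_dotm() -> bytes:
    """Constructed sample: minimal OOXML zip with VBA and ActiveX parts, no real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
        zf.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
        zf.writestr("word/activeX/activeX1.bin", b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in [("invoice.doc", build_fake_dotm()), ("report.doc", OLE2_MAGIC + b"\x00" * 8)]:
        r = inspect_doc(name, blob)
        print(name, r["container"], "suspicious" if is_suspicious(r) else "ok")
```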

In each case, the result is the attempted download of an Emotet binary from a set of five payload locations using both HTTP and HTTPS. Emotet has been seen downloading TrickBot and other malware historically, with no noteworthy modifications to the present-day TrickBot sample.

How Cofense Can Help

Cofense Resources

Cofense PhishMe™ offers a phishing simulation, “Service Report – Emotet,” to educate users on the phishing attack described in today’s blog.

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense Center™ bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.


New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

The Cofense Phishing Defense Center™ has detected a new wave of attacks targeting the US taxpayer by delivering the Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality. Threat groups like TA505 have been known to leverage the Amadey botnet as recently as July 2019 to deliver secondary malware like the FlawedAmmyy RAT and email stealers.

Here’s how a typical attack works:

Figure 1: Infection chain

Figure 2: Email Body

The email body purports to be from the Internal Revenue Service (IRS) and claims that the recipient is eligible for a tax refund. The recipient is presented with a “one time username and password” and urged to click the “Login Right Here” button. As seen above in Figure 1, the login button is an embedded hyperlink that redirects to hxxp://yosemitemanagement[.]com/fonts/page5/. Here the recipient is presented with an IRS login page on which to enter the one-time password.

Figure 3: Infection Page 

Once the recipient is logged into the fake IRS portal, they are informed that they have “1 pending refund” and asked to download a document, print and sign it, then either mail it back or upload a copy to the portal. When the recipient clicks to download the document, a zip file called “document.zip” is presented, which contains a Visual Basic script dropper.

Figure 4: Obfuscated VBScript

The VBScript is highly obfuscated and encrypted. For more details on how this VBScript was decoded, please take a look at the Cofense™ Labs detailed write-up, which can be found here.

At a high level, once executed, the script decrypts itself at run time and drops an executable file called “ZjOexiPr.exe” in C:\Users\Byte\AppData\Local\Temp\. Once dropped, it then proceeds to install the executable kntd.exe in C:\ProgramData\0fa42aa593 and execute the process.

Figure 5: Persistence 

The Amadey process installs itself in C:\ProgramData\0fa42aa593 and, to maintain persistence, it uses Reg.exe, a command-line tool for editing the registry. Next, the script issues the command REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\0fa42aa593, which points the per-user Startup folder at the malware's own directory so that Explorer launches its contents at logon.
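A detection for the persistence step above, added here as an example (not Cofense's tooling): it parses a REG ADD command line as it would appear in process-creation telemetry and flags any rewrite of the User Shell Folders “Startup” value that points away from the default %APPDATA% location. The sample command lines are constructed; the first reproduces the one quoted in the blog, and the Contoso key is a placeholder.

```python
import re

# Key the blog shows Amadey rewriting, and the default data Explorer expects for the
# per-user Startup value under it (REG_EXPAND_SZ pointing into %APPDATA%).
SHELL_FOLDERS_RE = re.compile(r"\\Explorer\\(User )?Shell Folders$", re.IGNORECASE)
EXPECTED_STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted paths with spaces stay one token

def parse_reg_add(cmdline: str):
    """Parse 'reg add <key> [/v name] [/t type] [/d data] [/f]'; None if not a REG ADD."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    parsed = {"key": toks[2]}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        if toks[i].lower() in names and i + 1 < len(toks):
            parsed[names[toks[i].lower()]] = toks[i + 1]
            i += 1
        i += 1
    return parsed

def startup_hijack(cmdline: str):
    """Flag a REG ADD that points the Startup shell folder somewhere unexpected."""
    p = parse_reg_add(cmdline)
    if p is None or not SHELL_FOLDERS_RE.search(p["key"]):
        return None
    if p.get("value", "").lower() != "startup":
        return None
    data = p.get("data", "")
    if data.lower() == EXPECTED_STARTUP.lower():
        return None
    return f"Startup folder redirected to '{data}' via {p['key']}"

# Constructed command lines: the one quoted in the blog, a benign reset of the default
# value, and an unrelated placeholder key. Sample inputs, not captured telemetry.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\0fa42aa593',
    r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" /f',
    r'reg add HKCU\Software\Contoso\App /v Installed /t REG_DWORD /d 1 /f',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(startup_hijack(line) or "ok")
```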

Figure 6: C2 channels

Amadey instantly beacons out to its command and control (C2) channels, sending system diagnostic information back to the C2 server, and awaits further instructions. Amadey connects out via HTTP on port 80 to multiple C2 servers.

Figure 7: Network Traffic

If we take a closer look at the HTTP traffic, we can see that Amadey sends system information back to its C2 server.

From the values given we can infer that:

  • ID – Unique identifier of the infected system
  • VS – Version of Amadey
  • OS – Operating system
  • AV – Antivirus
  • PC – System name
  • UN – Username

Additional Analysis:

Cofense Labs takes this analysis a bit deeper to deobfuscate the malware. To learn more, check out the Lab Notes on this analysis: https://cofenselabs.com/i-see-what-you-did-there/

Indicators of Compromise (IOCs):

Malware Artifacts

File               MD5 Hash Value
document.zip       7f9a3244d23baed3b67416e32eb949bd
a4-155QFYXY.vbs    79d24672fff4c771830b4c53a7079afe
kntd.exe           a046030e2171ddf787f06a92941d37ca

Network Connections

URL                                             IP
hxxp://yosemitemanagement[.]com/fonts/page5/    160[.]153[.]138[.]163
hxxp://ledehaptal[.]ru/f5lkB/index[.]php        78[.]40[.]109[.]187
hxxp://nofawacat[.]com/f5lkB/index[.]php        179[.]43[.]139[.]222
hxxp://Ip[.]hoster[.]kz                         192[.]4[.]58[.]78

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMe™ offers a phishing simulation, “Tax Refund Notice – Amadey Botnet,” to educate users on the attack described in today’s blog.
