Astaroth Uses Facebook and YouTube within Infection Chain

Cofense Intelligence™ has identified a phishing campaign targeting Brazilian citizens with the Astaroth Trojan in which Facebook and YouTube profiles are used in support of the infection. The complex chain of events that leads to the successful installation of the Astaroth Trojan all starts with an .htm file attached to an email. There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information.

This Astaroth Trojan campaign exclusively targeted Brazilians, as also reported in 2018. In one week, it was able to compromise around 8,000 machines. Astaroth leverages legitimate Microsoft Windows services to help propagate and deliver the payloads. This campaign also utilized Cloudflare workers (JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted source methodology employed by this campaign to bypass the security stack.

The emails analyzed by Cofense Intelligence were in Portuguese and had three distinct themes: an invoice theme, a show ticket theme, and a civil lawsuit theme. Each of the phishing campaigns enticed the end user into downloading and opening a .htm file to start the infection chain. The email security stack would need to be able to scan the attachments for malicious links and/or downloads to stop this technique. Having proper mitigations in place alongside user education on safeguard procedures will also help negate this type of attack, as it is mainly reliant on the end user.

Technical Findings

Once opened, the .htm downloads a .zip archive that is geo-fenced to Brazil and contains a malicious .LNK file. The .LNK file then downloads a JavaScript from a Cloudflare workers domain, shown in Figure 1.

Figure 1: The Cloudflare workers domain used within the infection chain

The JavaScript then downloads multiple files that are used to help obfuscate and execute a sample of the Astaroth information stealer. Among the files downloaded are two .DLL files that are joined together and side-loaded into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe’. Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security mseasures such as Anti-Virus (AV), application white-listing, and URL filtering.

After ExtExport.exe is running with the malicious code side-loaded, it uses a technique known as process hollowing to execute a legitimate program within a suspended state. Process hollowing is used to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript. The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe. The program unins000.exe is most notably used within a security program on systems that allow online banking in Brazil. After the program’s process is hollowed out and replaced with malicious code, Astaroth begins to retrieve the Command and Control (C2) configuration data from outside trusted sources.

Astaroth uses Youtube and Facebook profiles to host and maintain the C2 configuration data. This C2 data is base64 encoded as well as custom encrypted, and bookended by ‘|||’ as shown in Figure 2. The data is within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down.

Figure 2: Shows the C2 configurations data hosted on YouTube

Once the C2 information is gathered, Astaroth then proceeds to collect sensitive data on the endpoint. The data gathered includes financial information, stored passwords in the browser, email client credentials, SSH credentials, and more. The modules used to collect this data are part of the multiple files downloaded by the JavaScript discussed above. All collected information is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list, a majority of which are hosted on Appspot. This encrypted connection to another trusted source allows for the communication to bypass network security measures that cannot decrypt it.

Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures. Understanding these types of threat actor Tactics, Techniques, and Procedures (TTPs) can help finetune the security stack to defend against them. Technology can help empower an end user to help protect against this type of attack, but education will make them confident in doing so.


89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.


Click to Expand a Full List of IOCs

ATR ID: 28320 
































































































































































































































File   MD5 Hash Value 
06  dac44bfad9f76ba6dbdc2e5753b45ace 
09  ba048536df48d7e9dd893a6a03ef2241 
Casa&  19260462563234466f017056f6a206a4 
Casa&  02b9550e9530552f0291e018248616e3 
Casa&  b939510a06297f7df415da4969ad370f 
Convite-16478.doc.htm  1b4ba6193c41c002ca01b79be6b4bf58 
Convite-24434.doc.htm  b958cc34580f88a85ec213710096b3f2 
Convite-28353.doc.htm  fd5a66109a47f6f8e2ddccd18dff90ac 
Convite-Especial_450.lnk  c240f95d98b9a9c7013568bf82f82200  a4c9f257b3e59da8b2fcf0d8cea55c5a 
Convite-Especial_500.lnk  0ef2370581573a7dd04600957e1bf5f1  f71b63d22f4bab20aab0c9393857f665 
Convite-Especial_600.lnk  451dcb3829434c1e2f12bf894a8f2793  68b9e1a6ced7762ceb77f28632f0c462 
daffsyshqy64a.dll  6ddf3a891ea9f3cc96cf04c6a06f8176 
daffsyshqy64b.dll  a8eb5f30af5632b86f61b82d32b39dca 
daffsyshqy64.dll  14ffd7f15426f44f2f6cca63c1f3074b 
daffsyshqya.jpg  57bbfb7dfbd710aaef209bff71b08a32 
daffsyshqyb.jpg  f2cf0bc2a11c62afa0fd80a3e8cd704d 
daffsyshqyc.jpg  1f2204f86817402088d4cb8337bfbccc 
daffsyshqydwwn.gif  d0b486f131c70cf18b1e51651fa3667b 
daffsyshqydx.gif  e1762709a530f79365e53339c3f5a92c 
daffsyshqyg.gif  d2fb935b6a5ca8d61f27198eea7a3ad5 
daffsyshqygx.gif  7443bbbf9b2f02c68573f2788208f9b3 
daffsyshqyxa.~  95b4897223c0220a71f8b7db8d26b96f 
daffsyshqyxb.~  a75137f66c218886d6cd44f6efa703bf 
Departamento_Fiscal.170.lnk  f47531b59187ec87dcac80383fb43a32  8c39a5cbacf24535d83c116eb680cb08 
Departamento_Fiscal.300.lnk  9db1833a686fea058b12bb050ec71d15  3cfdeede42ce9a35009ab8755860ce97 
Departamento_Fiscal.490.lnk  1fda7ca3dca57d1eee0007695af6c36d  7f01a1f829a1c514fcf372a5fed4852b 
Departamento_Fiscal.580.lnk  a9939044af4b9886ed5fc570bef357d7  c0bbbc27ed84ffb2066f4fd53f66fb8f 
Departamento_Fiscal.700.lnk  8d6379a39692ace24ec6232e333733ca  cb67c6e585b5ed0ffa8d6a1da0f50f6d 
FISCAL_ELETRONICA.htm  356f364e63d1cb900f4210497c006592 
FISCAL_ELETRONICA.htm  be34918b1b4f68885f12cfe79d79eaed 
FISCAL_ELETRONICA.htm  1b2fbd4b8e0fc09f18e385f3e99c7c18 
FISCAL_ELETRONICA.htm  8d5ac61b30c704f18131afe16c6a931d 
FISCAL_ELETRONICA.htm  0c8c016e42cde175761ef1ccf5f49393 
l0hdOOY.js  de057b5a7518f0117a884b0393cb24f8 
mozcrt19.dll  14ffd7f15426f44f2f6cca63c1f3074b 
mozsqlite3.dll  14ffd7f15426f44f2f6cca63c1f3074b  e36ae691fc76dd3afdab86f120ef45f0  9f20b09dd004fffb3bd440f1a69ff7e2  bde41fa97144ef74be6ae129aa699f9f  2159653ee0374fa4a157ba98ecd6dfe3  74e9ee1b315b4bbe2f393eb434d282e8 
Processo_0339688.htm  1b99d7c6ba70f5b51d29aa7138871de3  9bf29a680a7ccdcf08539cc0334d3bf0 
Processo_0743333.htm  07eb7252072a9a367952e11e91099aba  676752b756d6b549ba70bfd78453df75 
Processo_3585524.htm  14c345a7b0832d978b0bfc1a41936cce  99716f3749772b55a7a2337aa9c2ceae 
Processo_4520552.htm  552c4f4606586020e649e608a9635283  b3e3cc3fc712b4e3bc0513e15da49fb7 
Processo_5451802.htm  71c2dd1749b8b6424ae33fc742d8b979  95bb9a288c45ba4192c4c206a153898f 
Processo_5574567.htm  d1a5c070a423d13a9f9a7a6c30290b96  e829f09c42e9866027de2ba5ff37b42b 
Processo_5583423.htm  0c6bcf42b7eea1c88f501e7d27bd635a  4459af875005925cc214699ea65e433a 
Processo_8457803.htm  a62c73c1a6ffc93300ecd3417682caaa  4459af875005925cc214699ea65e433a 
Processo_8538828.htm  2b3cd62a7e1ffb67a2412045ff3175a5  a68847e5fa17cf6500fc2cc1bb9ad606 
Processo_Judicial_Eletronico.130.lnk  11f473c93a505d0be9b2bbe2261f6891  eca6717f16ce755254f39c1ff9175c62 
Processo_Judicial_Eletronico.150.lnk  cf333b6d6f5b22f41c685d7fce1ed30e  d623289773b08bddf4cb05b4c2155779 
Processo_Judicial_Eletronico.30.lnk  cf9599ed5188bf857d325a383492230b  9986df584fbc379e71c94462f680435b 
Processo_Judicial_Eletronico.310.lnk  b6f0527fe826a1c367f9385e6097284d  fee203eea24f9a647a7feb7c194cd36d 
Processo_Judicial_Eletronico.420.lnk  6bd1f103d08fd98d16346ef53a1bec9c  deb93d749ae8027263432e40be98fc22 
Processo_Judicial_Eletronico.480.lnk  b7901d33364a4734b9c02b6083ef3f7f  e38239422342eb717bcaccd3dc2c3c8e 
Processo_Judicial_Eletronico.740.lnk  7479929ccaa6c4a7b4e3e68eeac1668f  5cff755c3bd694d8927d6ceb6bee3e0b 
Processo_Judicial_Eletronico.750.lnk  4f82854519cd2f6bdd77dd43bd8f7605  17f2e35d0e108c0a70325450c25bd57e 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Advanced Phishing Campaign Delivers Quasar RAT

Cofense IntelligenceTM has uncovered an advanced campaign that uses multiple anti-analysis methods to deliver Quasar Remote Access Tool (RAT). A phishing email poses as a job seeker and uses the unsophisticated ploy of an attached resume to deliver the malware. Quasar RAT is freely available as an open-source tool on public repositories and provides a number of capabilities. Organizations find a higher degree of difficulty with the ‘.doc’ file attachment distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection. Such methods include password protection—which is a built-in feature of Microsoft Word—and encoded macros. Along with automated tools, educating employees on new phishing trends is the best way of countering a campaign such as this.

Figure 1: Original Email

Technical Findings

The initial email used to deliver this malware, seen in Figure 1, uses a relatively common “resume” theme with an attached document. As previously mentioned, Quasar RAT is not particularly unusual or advanced compared to other toolkits. A US-Cert report states that Quasar RAT “has been observed being used maliciously by Advanced Persistent Threat (APT) actors to facilitate network exploitation,” however, Quasar is also “a publicly available, open-source RAT” and can be found on GitHub. Since the tool is easily accessible, attributing the activity to a specific threat actor is tedious at best.

The malicious attachment used by this campaign employs counter-detection measures to reach the end user. Even if the email is marked as being suspicious, the attachment may be treated as legitimate and delivered. Despite a simplistic and apparent first stage delivery, threat actors took advantage of increasingly sophisticated methods to increase the difficulty of analysis and delay detection. This delay can provide threat actors with enough time to gather information and potentially install additional, more subtle, malware before being detected or removed.

The first stage of the avoidance practiced by the document in this campaign is simple password protection. A password of “123” is not particularly inventive, but to an automated system that processes attachments separately from emails it means that the document will be opened and no malicious activity will be recorded because the system has not determined either a need for a password or what the password is. Sufficiently advanced systems should still be able to guess a password of “123”; however, this only opens the document and does not necessarily trigger malicious activity. The resulting prompt is shown in Figure 2.

Figure 2: Request to enable macros

If an analyst or automated system were then to attempt to analyze the macros using an analysis tool (such as the popular tool ‘olevba’ by Philippe Lagadec), the script would fail and potentially crash from using too much memory when it attempted to analyze the macro. This is likely an intentional effect by the threat actor in the form of more than 1200 lines of garbage code that appears to be base64 encoded. Forcing the script to attempt to decode the garbage strings causes, in all likelihood, a crash due to the magnitude of decoding required. An example of some of these garbage strings is shown in Figure 3.

Figure 3: Example of the fake encoded strings

If those strings are not decoded or the process decoding them has enough resources allocated, the resulting content still lacks the all-important payload URL. Instead, partial strings and filler text give some semblance of legitimacy. Portions of the payload URL, as well as additional information, are in fact hidden as meta-data for embedded images and objects, as shown in Figure 4.

Figure 4: Script content in the meta-data of a form object

Other script content bears essential information within its comments. Below, you can see evidence that this macro may originate from a template or guide. Here, some of the commentary relates to if the operating system is Windows or Mac.

Figure 5: Commentary included in the script

Embedded comments describe the usage of a shelled application and the startup process. If the macro is successfully run, it will display a series of images claiming to be loading content while repeatedly adding a garbage string to the document contents. It will then show an error message while downloading and running a malicious executable in the background.

The last significant step the threat actors take to avoid discovery is to download a Microsoft Self Extracting executable. This executable then unpacks a Quasar RAT binary that is 401MB. The technical maximum file upload size for the popular malware information sharing website, VirusTotal, is 550 MB. However, the commonly used public methods of submission, email and API, are set to 32MB maximum with special circumstances for API submission going up to 200MB. By using an artificially large file size the threat actors make sharing information difficult while also causing problems for automated platforms that attempt to statically analyze the content.

Table 1: Malware Artifacts

Filename MD5
0.doc 1d7328b01845117ca2220d8f5e725617
Period1.exe 15dbb457466567bfeaad1d5c88f4ebfe
Uni.exe e7bcec4d736a6553b4366b0273aaf6f8

Table 2: Network IOCs



Yara Rule:

rule PM_Intel_Quasar_27476



        $message_lede = "the password is " nocase

        $attachment = /[0-9]{1,3}\.doc/ nocase

        $subject = /subject:\s*attached resume/ nocase


        all of them




90% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM . Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM. Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM

Looking for a holistic phishing defense solution? Cofense provides everything you need to catch them stop phish quickly. Our combination of technology and unique human insight allows us to detect and stop attacks — before they hurt your business. Learn more about our managed phishing detection and response (mPDR) solution.

New Phishing Campaign Bypasses Microsoft 365 ATP to Deliver Adwind to Utilities Industry

The Cofense Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee.

The malware boasts the following features:

  • Takes screen shots
  • Harvests credentials from Chrome, IE and Edge
  • Accesses the webcam, record video and take photos
  • Records audio from the microphone
  • Transfers files
  • Collects general system and user information
  • Steals VPN certificates
  • Serves as a Key Logger

Email Body

Fig1. Email Body

This email comes from a hijacked account at Friary Shoes. Also note the web address for Fletcher Specs, whose domain threat actors are abusing to host the malware.

The email body is simple and to the point: “Attached is a copy of our remittance advice which you are required to sign and return.” At the top of the email is an embedded image which is meant to look like a PDF file attachment, however, is in fact a jpg file with an embedded hyperlink. When victims click on the attachment, they are brought to the infection URL hxxps://fletcherspecs[.]co[.]uk/ where the initial payload is downloaded.

Fig 2. Payload 

The initial payload is in the form of a .JAR file named: “Scan050819.pdf_obf.jar.” Note that the attacker has attempted to make the file appear as if it were a PDF by attempting to obfuscate the file true extension.

Fig 3. Running processes

Once executed, we can see that two java.exe processes are created which load two separate .class files. JRAT then beacons out to its command and control server: hxxp://ns1648[.]ztomy[.]com

Fig 4. C2 Traffic

Adwind installs its dependencies and harvested information in: C:\Users\Byte\AppData\Local\Temp\. Here we can see the two class files the jave.exe process has loaded along with a registry key entries and several .dlls:

Fig5. Additional dependencies and artifacts 

The malware also attempts to circumvent analysis and avoid detection by using taskkill.exe to disable popular analysis tools and antivirus software. If we take a closer look at the registry entries file we see that the malware looks for popular antivirus and malware analysis tools.

Fig 6. Anti-Analysis

Indicators of Compromise (IOCs):

Malicious File(s):

File Name: Scan050819.pdf_obf.jar

MD5: 6b94046ac3ade886488881521bfce90f

SHA256: b9cb86ae6a0691859a921e093b4d3349a3d8f452f5776b250b6ee938f4a8cba2

File size: 634,529 bytes (619K)

File Name: _0.116187311888071087770622558430261020.class

MD5: 781fb531354d6f291f1ccab48da6d39f

SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

File size: 247,088 bytes (241K)    

File Name: _0.40308597817769314486921725080498503.class

MD5: 781fb531354d6f291f1ccab48da6d39f

SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

File size: 247,088 bytes (241K)

File Name: gCMmWntWwp7328181049172078943.reg

MD5: 7f97f5f336944d427c03cc730c636b8f

SHA256: 9613caed306e9a267c62c56506985ef99ea2bee6e11afc185b8133dda37cbc57

File size: 27,926 bytes (27K)

File Name: Windows3382130663692717257.dll

MD5: 0b7b52302c8c5df59d960dd97e3abdaf

SHA256: a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0

File size: 46,592 bytes (45K)

File Name: sqlite-

MD5: a4e510d903f05892d77741c5f4d95b5d

SHA256: a3fbdf4fbdf56ac6a2ebeb4c131c5682f2e2eadabc758cfe645989c311648506

File size: 695,808 bytes (679K)

File Name: Windows8838144181261500314.dll

MD5: c17b03d5a1f0dc6581344fd3d67d7be1

SHA256: 1afb6ab4b5be19d0197bcb76c3b150153955ae569cfe18b8e40b74b97ccd9c3d

File size: 39,424 bytes (38K)


Malicious URL(s):




Associated IP(s):





89% of phishing threats delivering malware payloads analysed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM.It offers a phishing simulation, “Remittance Advice – Adwind,” to educate users on the attack described in today’s blog.

Remove the blind spot with Cofense ReporterTM—give users a one-click tool to report suspicious messages, alerting security teams to potential threats.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand current threats, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations.  Subsequent updates or different configurations may be effective at stopping these or similar threats.

TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host.

TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting to threat mitigation controls. By moving the web browser credential harvesting feature to a standalone module, threat actors trim down their initial footprint of infection. This adaption allows for fewer detections and the ability to download specific modules for better results after the infected host has been fingerprinted.

Safeguarding against this attack requires educating users about the importance of not saving credentials in the browser. For protection against other attacks, use technology to limit the number of times this type of payload gets to end users and educate them on the impacts these executables can have.

Technical Findings

The ‘Cookie Grabber’ module is downloaded in the same fashion as the other modules used by TrickBot. This module’s stark difference is the ability to parse through web browser databases locally to extract the targeted information. The module is placed within the %APPDATA%/Roaming directory with the other downloaded modules, all of which include ‘cookiesDll64’ in the naming convention.

This information stealing module targets Firefox, Chrome, and Internet Explorer web browsers. With Internet Explorer, the module targets the text files that store browser cookie information located within the user profile directories, as shown in Figure 1 (Appendix A). Additionally, it targets Firefox and Chrome cookie information that is housed within a SQLite database on the local host. The ‘Cookie Grabber’ module appears to have pre-defined SQL queries to gather the targeted information from both Firefox and Chrome. This module also makes use of a SQLite 3 embedded engine to allow for further database manipulation from the threat actor.

Once the infection has taken hold on the victim’s machine and the modules have been downloaded, decoded, and injected into svchost.exe, the sample then attempts to exfiltrate the gathered information using two HTTP POST commands.

  • The first HTTP POST is a form-data content-type to the Command and Control (C2) server containing other credentials harvested outside of the web browsers. Appended to the C2 URL is a unique string identifier containing host fingerprint information. This POST contains two distinct sections of information, one is the harvested credentials, the other is the source of the credentials. Figure 2 (Appendix B) shows the first HTTP POST to the C2 and contains FTP credentials gathered from the legitimate application, WinSCP.
  • The second HTTP POST to the C2, shown in Figure 3 (Appendix B), has a different User-Agent string, which has changed from a legitimate value to ‘dpost.’ The dpost value comes from the name of the configuration file used and serves as an identifying marker for the TrickBot’s network traffic used while exfiltrating the data. The destination port has also changed from 80 to 8082. This second HTTP POST includes the harvested web browser information, which is base64 encoded. The encoded information appears to contain the user profile name, the browser the information was harvested from, the URL, user name, password, time last used, and time created. These values are separated by a pipe (‘|’) and resemble the format below:

‘User Profile | Web Browser | URL | User Name | Password | Timestamp | Timestamp |/’

Each record collected by TrickBot and exfiltrated through the HTTP POST is separated by a forward slash (‘/’) character. In both HTTP POSTs, the C2 server was named ‘Cowboy’ and replied with a HTTP 200 OK containing a small text response of ‘/1/’. Figure 2 (Appendix B) shows the first HTTP POST to the C2, while Figure 3 (Appendix B) shows the second HTTP POST to the same C2. Notice the User-Agent value differences as well as the base64 encoded data strings within the second HTTP POST.


CofenseTM encourages organizations to train users to be cautious in clicking links or opening attachments that could lead to harmful malware being installed on their machine. It’s also important to encourage users to report a suspicious message even if they clicked on the link or opened the attachment as malware can still get installed in the background.

The appendices below contain figures related to this sample of TrickBot. For more information please contact [email protected]

Appendix A:

Figure 1: Locations that ‘Cookie Grabber’ searched for Internet Explorer cookies

Appendix B:

Figure 2: The First HTTP POST to the C2 containing gathered non-web browser related credentials

Figure 3: The second HTTP POST to the C2 containing the base64 encoded credential strings


89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Following are links to other blog posts on Trickbot:


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Labs Shares Research on Massive Sextortion Campaign

Are you one in two hundred (or so) million?  

Today, CofenseTM announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them.  

What’s Sextortion? 

You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this: 

Send an email in which they claim to have installed malware on your system and have a record of your browsing history to some websites of an adult nature, and also footage from your webcam. If you don’t pay the stated ransom in bitcoin, they will release the footage to your family, friends, and co-workers. To add credibility to their threats, they include passwords hoovered up from data breaches of old that they have found littering the web.  

Show me the money! 

Find Out If Your Business Is at Risk 

During the research into this campaign, Cofense Labs identified over 200m recipients on the target list. Over 7.8m sextortion emails have been analysed and bitcoin payments have been tracked. In this single campaign, over 17,000 bitcoin wallets were identified, with 1,265 payments being made across 321 of them, with one payment = one victim. At the time of analysis, these payments were worth over $1.8m.   

We have made it possible for you to check whether your email address, or email domain, is on the list. Just visit to perform the lookup and download an infographic and educational guide regarding sextortion campaigns and how to defend against them. 

Why Cofense Labs? 

Knowing is everything, and to be able to effectively defend against the fast-evolving phishing threat landscape, you’ve got to have a deep understanding of it. Cofense Labs allows us to share the results and the output of the pioneering research that our R&D team undertakes to provide this knowledge. By sharing what we know, we can hopefully enable organizations of all sizes to collaborate and protect their most precious assets against the latest phishing threats. 

If you’re at Black Hat in Las Vegas this week, come and see us at Booth 938 in the Shoreline Business Hall. You can meet members of the Cofense Labs team, and see whether your email address or domain is on the target list. 


Reports of sextortion and other ransom scams to the Cofense Phishing Defense CenterTM are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM. 

Quickly turn userreported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM. 

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeekerTM. 

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review. 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Threat Actors Subscribe To Patches

Cofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld. The patching subscription model may be a burden to some enterprise environments, but its underworld equivalent is a significant boon to law enforcement and network defenders. Personnel tasked with combating nefarious software can leverage the patching and licensing mechanisms of subscription-based malware to track down distributors.  

The Reasons Behind The Model 

Much like with legitimate software, threat actors decide what malware to buy based on several factors including the reviews, price, type (such as a keylogger or a Remote Access Tool (RAT), developer, and marketing. However, to make money in this competitive environment, malware developers need to take different approaches, such as: 

  • Sell the product for much less than similar malware. 
  • Give the product away. While this strategy may appear to be a good deal, malware developers have been known to include a back door enabling them to steal their “customer’s” stolen data.  
  • Base the new malware on a pre-existing and well-known malware, such as WSH RAT. As discussed in a previous CofenseTM report, the developers of this RAT billed it as a “new” RAT with advanced features and offered it at a starting subscription price of only $50 per month. However, in reality, WSH RAT wasn’t new at all and was a variant of the pre-existing and long-lived Houdini Worm with some minor feature improvements. 
  • Focus on spending heavily on marketing. While concentrating on marketing can be profitable, it is likely the reason that some malware perceived as the “next big threat” disappears shortly after making headlines – probably because the budget was spent mainly on marketing rather than development.  

Possibly taking a lesson from legitimate software companies and the frequent failure of the options mentioned above, more and more malware developers have started to adopt the patching subscription model. This model allows them to take the middle road, charging relatively smaller subscriptions (in the case of Alpha Keylogger, $13 per month) while claiming to deliver more and being able to delay feature release.  

The glut of available products, however, often leads malware developers to over-promise on features for which they then must include a basic test or example of in their code. Expedited or rushed releases of the software lead to buggy code, in turn hurting the credibility of malware authors. For instance, Alpha Keylogger claims to have a suite of features including the ability to exfiltrate data over email, FTP, or via the API of the messaging company Telegram. In practice, customers (threat actors) can choose FTP or email, and the keylogger will still attempt to exfiltrate information via Telegram API even when the configuration data is blank. This attempt creates a distinct and apparent HTTPS request on infected machines that do not successfully exfiltrate data and can be used to help identify this malware in network traffic. 

Why Network Defenders Like Updates 

The “bug” in Alpha Keylogger that causes extraneous network traffic could allow network defenders to look for such malformed URLs as signs of malicious activity despite the involvement of a legitimate domain. Even intentional updates on the part of malware developers can assist network defenders. An example of this is when the Geodo/Emotet botnet began distributing a new module. The nature of this deployment allowed Cofense to correctly assess and prepare for the delivery of more sophisticated phishing emails. If the changes had been made by a new family of malware rather than as part of an update that Cofense was looking for, it would have been more challenging to prepare. 

Why Law Enforcement Likes Licensing 

The bugs and hints provided via malware updates are helpful to network defenders, but the licensing system behind these updates can be even more useful to law enforcement. Many RATs store the license key of the individual that purchased the malware builder as a registry entry on infected computers. Depending on the method used to obtain this license key, the payment information may be associated with the key even if it is not directly associated with the individual who purchased the key. Subsequentially, a receipt of some sort may be sent to an account that is accessed by the threat actor who bought the license key. Under the right circumstances, a license key saved as a registry entry on a victims computer could be linked with a receipt in a threat actor’s inbox, attributing them to the attack. Law enforcement organizations could then build a case using this link and additional information, such as the IP address used to access the inbox. 

Applicability In Enterprise Environments 

Organizations with enterprise-scale infrastructure often encounter “shadow IT” software or malware applications that can be difficult to spot and eradicate. The licensing mechanisms found in subscription-based malware—to include potential receipts in email—can be used by threat hunters to identify insider threats. Organizations impacted by malware akin to Alpha Keylogger can weed out further infections by leveraging incident response tools and YARA rules (such as the ones provided by Cofense IntelligenceTM) which inspect registry keys. Furthermore, the potential for attribution and legal action against a threat actor through license tracking provides large corporations with enhanced defensive capabilities. 

Table 1: Malware Artifacts 

Filename  MD5 
Company Profile.doc  b46396f32742da9162300efc1820abb3 
bukak.exe  3ceb85bcd9d123fc0d75aefade801568 


Table 2: Network IOCs 





Cofense Intelligence processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats. 

The Cofense Phishing Defense CenterTM identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats. 

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMeTM.  It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense ReporterTM. 

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM. 

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekeTM. 

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Ransomware: A Mid-Year Summary

By Alan Rainer

Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting.

Ransomware Is Down Holistically, But Targeted Infections Are Up

Threat actors find that targeted ransomware attacks against high-value victims can be accomplished with greater efficiency, enabled by other malware families such as Emotet/Geodo. These secondary malware families provide an effective attack vector that increases the success of phishing attempts and targeted ransomware campaigns. Emotet—an email-borne Trojan which actors use to install other nefarious tools—has gone offline with no activity since June 2019. If the Trojan were to resurface, we assess that threat actors could rather easily carry out more email ransomware attacks on a broader scope. Without the efficiency provided by Emotet or even a Ransomware-as-a-Service such as GandCrab (which has supposedly shut down permanently), targeted infections continue to be the more lucrative option for ransomware operators.

Recent headlines have drawn attention to exceptionally costly targeted ransomware attacks against local US governments, healthcare services, and the transportation sector. Also spurring great debate: cyber insurance companies are recommending payment of ransom and are directly contributing to those payments as part of their insurance coverage. Taking this into account— along with the hefty price tags associated with the recovery costs of cities who have not elected to pay the ransom, such as Atlanta and Baltimore—Cofense Intelligence™ assesses this could lead to an uptick in ransom payments and further embolden an increase in targeted ransomware campaigns.

Only last week, the cyber insurer of La Porte County in Indiana contributed $100,000 toward an equivalent of $130,000-valued Bitcoin demand. The firm advised La Porte County to pay the threat actors, who infected local networks using the Ryuk ransomware. Similar stories have emerged across the United States. What remains to be seen is how effective recovery is following payment. Often, decryption is not as immediate or successful as ransomware operators would have their victims believe.

Will Cyber Insurance Create New Targets?

It makes sense that organizations seek indemnity to protect their financial portfolios. But while everyday scams or fraud occur in a traditional insurance setting, cyber criminals may look to specifically target insured organizations for a guaranteed return in the future. Cyber insurance companies known to pay out ransom could present a surefire target for actors.

Regardless of targeting potential, all organizations should engage in appropriate planning and preparation with defense technology and user awareness. Threat intelligence will help to ensure that your organization’s defense is as proactive as possible. Educating and enabling your users to identify and report phishing messages ensures preparedness at every line of defense. As an industry leader in phishing defense solutions, CofenseTM provides security professionals with tools and skills to combat email-borne threats, so that you can defend against even those threats that bypass your perimeter technologies and reach user inboxes. Only by stepping up our collective defense will we reduce the efficacy and proliferation of ransomware campaigns for good.

More Ways Cofense Can Help

Cofense IntelligenceTM processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats.

The Cofense Phishing Defense CenterTM identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMeTM.  It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Double Duty: Dridex Banking Malware Delivered with RMS RAT

Cofense IntelligenceTM analyzes millions of emails and malware samples each day to alert organizations to emerging phishing threats. Thanks to our expansive view of the threat landscape, we recently were able to discover and investigate a campaign impersonating eFax that appeared to have an attached Microsoft Word document. The attachment was a .zip archive which contained a .xls Microsoft Excel spreadsheet. This spreadsheet included an Office macro which, when enabled, was used to download and execute two malicious executables: samples of Dridex and Remote Manipulator System Remote Access Tool (RMS RAT).

What’s notable: By delivering a banking trojan and a RAT, the threat actors are able to use the banking trojan purely for credential stealing via browsers and use the RAT for more complex management of the infected computer. Dridex may be able to handle some of the machine management tasks, but by using RMS RAT and Dridex for separate purposes threat actors can more efficiently accomplish their tasks. And having both available provides a backup communication channel in case one of the malware families is detected and removed.

RMS RAT Features

RMS RAT is a legitimate remote access tool appropriated for malicious use by threat actors. RMS RAT has a large number of features that include logging keystrokes, recording from the webcam or microphone, transferring files, and manipulating Windows Task Manager and other Windows utilities. This multi-featured tool allows for significant control of a compromised computer as well as multiple methods of information gathering. Due to its legitimate origins and usage of legitimate components, not all endpoint protection suites will immediately detect this tool as malicious, which allows threat actors more time to establish a foothold in the infrastructure.

Dridex Web Injects

Banking trojans often target a large number of websites and use different kinds of scripts for different targets. Some banking trojans will even share the same scripts and targets with other banking trojans. When a victim on an infected machine visits one of the targeted websites in an internet browser, the script will be “injected” into the browser. This allows the threat actor to steal information entered, redirect traffic, bypass multi-factor authentication, and even provide additional “security questions” to obtain information from the victim. In this case, the web injects used by Dridex were unusual because of both the large number of possible web inject scripts and the fact that some of the web injects were labeled as being from the Zeus banking trojan.

There are three types of web injects used in this case. The first type is used to hide or display content on certain web pages, making it possible to insert additional requests for personal questions used to verify banking accounts. The second type monitors the URLs visited by the browser and downloads additional files; the web injects labeled as Zeus fall in this category. Both of these web injects come hard coded into the original malicious binary. The third type of web inject is downloaded from a remote host and often has more capabilities, including greater information-gathering capacity.

Web injects in this sample of Dridex target a variety of websites:

  • The first set targets crypto currency websites such as coinbase[.]com and banking websites such as hsbc[.]co[.]uk and synovus[.]com. The web injects for these targets are downloaded from the same command and control location, 144[.]76[.]111[.]43.
  • A second set of web injects targets e-commerce websites, including paypal[.]com and bestbuy[.]com, and is sourced from a different location: akamai-static5[.]online. The threat actor’s use of this particular domain name is clever because it is similar enough to an Akamai network domain name that the domain might not be reported because it looks legitimate.
  • The final set of web injects are tagged as “Zeus” injects. The use of these injects is particularly unusual because several of the targeted websites overlap with those in other web injects, such as paypal[.]com and amazon[.]com.

By using multiple types of web injects, and in some cases duplicating websites of other web injects, the threat actors have a wide variety of possible targets at their disposal. Using both old and new web injects can also help threat actors target information even when the structure of the webpages’ URL has changed over time.

Threat Results and a Look Ahead:

The dual-pronged attack in this case provided the threat actors with multiple methods of compromise, access to data, and some resistance to traditional endpoint protections. RMS RAT provided remote access, key logging, and credential stealing. And using different types of web injects enabled threat actors to utilize some of the features of Zeus to improve the capabilities of Dridex. Each different type of web inject also made use of a different command and control location to provide information, which can help make the threat actor’s infrastructure more resilient.

Knowing all of the possible threats in combination rather than those seen individually can help organizations prepare for and defend against threats. Training employees to spot and report possible phishing messages can help stop malware from making it to an endpoint and prevent threat actors from ever establishing a foothold.

Learn More

See how Cofense Intelligence analyzes and processes millions of emails and malware samples daily so security teams can easily consume phishing-specific threat intelligence. Discover how to proactively defend your organization against evolving phishing attacks and the latest malware varieties.


Table 1: List of potential web inject source

Web Inject Sources

Table 2: Command and control hosts (C2)

Dridex C2

Table 3: Payload locations

Office Macro Payloads


All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Houdini Worm Transformed in New Phishing Attack

By Nick Guarino and Aaron Riley

The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.