Cofense Intelligence™ recently observed a sample of Zeus Panda which, upon further research, revealed the malware has been increasingly employing a very creative tactic. This crafty malware variant distracts its victims while quietly draining the victims’ bank accounts, even those accounts that employ additional security mechanisms such as Multi-Factor Authentication. After transferring funds, the malware then masks any evidence that the illicit transactions ever occurred. This tactic ensures that victims with the deepest pockets will remain in the dark as their bank accounts are silently liquidated.
Since this April, Cofense Intelligence™ has observed a sustained increase in the financially motivated targeting of United Kingdom-based users with phishing lures imitating brands like Her Majesty’s Revenue & Customs (HMRC), Lloyds Bank, and HSBC Bank. The most common final payloads delivered by these campaigns are designed to compromise victims’ financial accounts and provide illicit access to financial information. This surge in targeting almost certainly represents a stage in the “whack-a-mole” strategy long employed by threat actors: expand campaigns against a segment of the vast vulnerable attack surface until those users catch on to the threat, then move to the next target.
On Monday May 28, 2018, during routine operations, Cofense Intelligence™ identified traits across several campaigns that indicated they were linked. In fact, this discovery helped to reveal a sprawling criminal enterprise that uses linked infrastructure to host nearly 100 domains, along with corresponding malware campaigns.
Recently, Cofense IntelligenceTM reported on a new mechanism used to distribute Dreambot malware, where a malicious page impersonating Microsoft Office Online entices victims to download the banking trojan. We have noted a similar delivery technique in the distribution of a TrickBot sample where targets are required to download a “plugin” to interact with a PDF, adding to the iteration of purported “plugin” downloads for malware delivery. The detailed campaign leverages social engineering techniques to gain access to victims’ sensitive information and also contains code obfuscation to evade detection by security technologies.
Cofense Intelligence has observed several recent Sigma ransomware campaigns that demonstrate either a new iteration or a fork of this malware. Prior to these new campaigns, the actors behind Sigma stuck rigidly to two very distinct phishing narratives, as detailed in Cofense’s recent blog post, and relied on the same infection process. With these newly observed changes, Sigma’s operators have eliminated various infrastructure concerns and improved the UX (User eXperience) of the whole ransom process, representing the first major shifts in Sigma tactics, techniques and procedures (TTPs).
Cofense Intelligence recently identified a large Sigma ransomware campaign that contained significant deviations from the established TTPs employed by the actors behind this prolific piece of extortionware. These changes improve Sigma’s A/V detection-evasion and demonstrate new social engineering tactics intended to increase the likelihood that a targeted user would open the phishing email and its malicious attachment.
Posted by: Jason Meurer, Researcher, Cofense
As security researchers, we sometimes have very little information to begin our investigations or research activities. A rumor here or there can sometimes spread from a single word attributed to a current phishing or malware campaign. This was exactly the case for us on February 27th, when we identified a phishing campaign but were provided with very limited information to aid us in starting our research.
Adding to a growing trend of phishing attacks wherein Windows and Office functionalities are abused to compromise victim systems, Cofense Intelligence™ has analyzed a recent campaign that uses the URL file type to deliver subsequent malware payloads. This file type is similar to a Windows LNK shortcut file (both file types share the same global object identifier within Windows) and can be used as a shortcut to online locations or network file shares. These files may abuse built-in functionality in Windows to enhance the ability of an attacker to deliver malware to endpoints.
By abusing these built-in functionalities, threat actors can complicate detection and mitigation in these scenarios, because the software is behaving exactly as it was designed to. The proliferation of abuse techniques indicates that threat actors may be increasingly prioritizing the use of such methodologies due to detection difficulties.
The emails analyzed by Cofense Intelligence include a nondescript phishing campaign that informs recipients of an attached bill, receipt, or invoice. The analysis performed for Threat ID 10993 focused on emails that deliver attached URL shortcut files with their target resource identified using the “file://” scheme. Windows environments use this scheme to denote a file resource that is on the hard drive or hosted on a network file share.
However, the target for these Uniform Resource Identifiers (URIs) can also be a remote resource. When a URL shortcut file is written to disk, Windows will attempt to validate the target denoted by the “file://” scheme. If validated, the remote resource can be downloaded to the local machine. The use of this file format and URI scheme may indicate that threat actors seek to abuse the resource resolution functionality associated with these shortcut files to deliver malware onto victims’ machines at the time the URL file is extracted from a Zip archive.
Figure 1 – URL shortcut files can reference remote file shares to deliver malware
Figure 2 – Downloading a payload over SMB is a less-common method for malware delivery
This technique showcases yet another method in which commonplace Windows features are abused by threat actors, adding to the expanding set of delivery applications crafted to distribute malware.
The nature of these files reveals the risk involved with applications that obtain files simply by issuing connection requests without user interaction. Incident responders and network defenders must devise a response plan to address this scenario, especially if enterprises and organizations operate on a Windows environment. This campaign also demonstrates that as threat actors develop new attack methodologies, more emails are likely to reach user inboxes. Therefore, it is crucial that those users can identify and report such campaigns, because they are the final line of defense at that point.
Sign up for free threat alerts. Get phishing and malware trends delivered to your inbox: https://cofense.com/threat-alerts/
Cofense Intelligence™ uncovered a resurgent Sigma ransomware campaign on March 13, 2018 following a noted three-month hiatus of the malware. Although many aspects of this campaign—including its anti-analysis techniques—are consistent with previously analyzed Sigma samples, its return is in and of itself atypical.