Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon

Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message.

This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish.

Not Your Average Phish
The Cofense™ Phishing Defense Center (PDC) has recently been defending against an extensive Zombie Phishing campaign against multiple clients. Fraudsters hijack a compromised email account, and using that account’s inbox, reply to long dead conversations with a phishing link or malicious attachment. Due to the subject of the email being directly relevant to the victim, a curious click is highly likely to occur.

These Zombie Phish appear to use automatically generated infection URLs to evade detection. No two links are the same. These links are hidden behind unassuming “error” messages in the body of the email, providing an appealing scheme for users to fall victim to. Thus far, the PDC has observed two common Zombie Phishing templates that lead to malicious links. These email campaigns can be seen in Figures 1 and 2.

Figure 1

Figure 2

Another common hallmark of this campaign is the use of the .icu top-level domain (TLD), however this could change in the future. Example domains identified during this campaign, which abuse the .icu TLD, can be seen in Figure 3.

Figure 3 shows .icu domains associated with these campaigns.

Already, many of these domains have been shut down by their domain registrar after receiving reports of domain abuse. Figure 4 shows a domain associated with this campaign and the data that is collected and displayed by the registrar.

Figure 4, Courtesy of

Additionally, the PDC has observed these phish using official organizational logos to add legitimacy to fake login pages – an example of such can be seen in figure 5. The pages are designed to impersonate an online portal of the target, including the company’s logo, and even its favicon. The end goal is credential theft of the victim.

Figure 5

Finally, any victim that visits the malicious website is “fingerprinted” using the host’s IP address as an identifier and upon entering credentials is immediately redirected to the same spam website seen by other victims. This is often via links obfuscated using URL shorteners (such as hxxps://href[.]li/). If the same host attempts to visit the phishing link again the spoofed login page is skipped and instead you are forwarded directly to the spam page. This finger-printing and the URL shortener obfuscation helps the attackers keep a low profile and continue their campaign unabated.

Conversation Hijacking
The tactic of “conversation hijacking” itself is by no means new, fraudsters have been hijacking compromised email accounts to dish out malware and phish as replies to prior conversations for years now. This technique is still popular because it makes victims much more likely to click on links and download or open files because their guard is down when these are within conversations already in their inbox. An ongoing and currently in the wild example of this is the Geodo botnet which has a history of inserting itself into existing email threads to deliver malicious documents that in turn download a sample of Geodo or other malware like Ursnif. However, the effectiveness of this tactic can depend greatly on the content of the conversations, a response to an automated advertising email is less likely to result in an infection than a response to a help desk support thread such as the one seen in Figure 6. Cofense IntelligenceTM has seen several Geodo campaigns consisting of responses to automated advertising emails indicating that, in some cases, the campaigns consist of indiscriminate responses to all emails in an inbox. Given that the volume of these “conversation hijacking” campaigns is still comparatively low, the smaller scope of these emails is likely limited by the number of ongoing conversations. Certain types of accounts therefore are more likely to draw threat actors direct attention and to induce them to invest additional effort and time into developing unique phishing campaigns for those accounts.

Preventing Your Personal Zombie Apocalypse
The PDC has compiled these quick tips to avoid losing your credentials (or your brains) to a Zombie Phish:

  • Be alert for email subjects that may appear relevant but are from old conversations.
  • Watch out for the hallmark green “error” button (pictured above in figure 1).
  • Don’t trust attached documents simply because they are replying to a conversation.
  • Mouse over buttons or links in suspicious messages to check them for the “.icu” top-level domain.

Cofense’s Phishing Defense CenterTM has observed that these campaigns have become increasingly clever, to combat this, training employees to be able to spot these types of emails is key. You can put down your nail-bats and pitchforks – a properly trained workforce is what is needed to defend your organization against the Zombie Phish hordes.

Cofense offers comprehensive phishing training to arm your employees with the weapons they need to protect your organization. And if you need reinforcements to help against the hordes, the Cofense Phishing Defense Center is happy to do battle with you.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Indicators of Compromise:

Observed Domains
































Observed IPs



“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan

Threat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense Phishing Defense Center and known to target South American users.

Threat Actors Seek Your Credentials Before You Even Reach the URL

Cofense Intelligence™ has observed a phishing technique that takes a unique approach to illicitly obtain a target’s sensitive information. In a recent campaign, threat actors harvested victims’ credentials through a PDF window prompt rather than via a webpage—the more traditional credential phishing technique.

Cofense Intelligence obtained a phishing email that allegedly informs the recipient of an bill of sale. The German language email lure claims to deliver a tax invoice and requests the recipient to view the attached PDF. The PDF, also presented in German, specifies that the document cannot be opened in a browser and must be opened in Adobe Reader or Adobe Acrobat. When the PDF is opened in either Adobe Reader or Acrobat, the victim will be prompted through the PDF to enter their email address and password (Figure 1).

Figure 1:  The German-language PDF prompts the victim to enter their Amazon credentials (Note: The credentials entered in the screenshot are false and are used as an example.)

Once the credentials are accepted, the victim receives another pop-up window warning the victim that the PDF is attempting to open a webpage to panelessolaresparaguay[.]com (Figure 2).

Figure 2: The victim is required to click “Allow” in order to proceed to the next step

After clicking “Allow,” the PDF opens a browser window and directs the victim to a German Amazon phishing page, whose URL contains the email address entered in the PDF prompt in the path of the URL:

hxxp://[.]347ty49h89ehg8ui7yt348[.]panelessolaresparaguay[.]com/step1[.][email protected](.)com

Figure 3 displays the first step in the German Amazon phishing page which has a loading image and a countdown informing the victim that a verification code has been sent to the recipient, yet Figure 3 does not specify the method by which the recipient will receive the code.

Figure 3: The PDF directs the victim to a German Amazon phishing page

When the page finishes loading, the victim is required to enter a code that was supposedly sent to the victim’s phone number, possibly in an attempt overcome Two Factor Authentication (2FA) (Figure 4). However, the phish never once prompts the victim to enter a phone number in this scam. The victim also has the option of clicking on what appears to be a link that would supposedly provide information on retrieving the code labeled “Haben Sie den Code nicht erhalten?” (English translation: “Did not you receive the code?”). Instead, the link does not direct the victim to another page and the victim is forced to enter any string of characters to proceed to the next step. Thus, it is more likely this is done not to overcome 2FA but to distract intended victims and leave them none-the-wiser that they exposed their credentials.

The following URL directs the victim to step 2:


Figure 4: The field will accept any information entered to proceed to the next page

After the victim enters a “code” and clicks the button to proceed to the next step, the page redirects the victim to the genuine Amazon Seller Central’s European website on, indicating the phishing scam is completed.

This credential phishing scam underscores a unique method of stealing login credentials before the victim is required to interact with a browser window. This is unusual given that most scams harvest credentials via a phishing webpage. In analyzing this campaign, Cofense Intelligence found that opening the PDF in non-Adobe applications will not display the login prompt and, because the PDF states the document cannot be opened in a browser, victims cannot interact with the PDF in Adobe PDF Online, an application used to edit PDFs in a browser.

The tactics, techniques, and procedures observed in this credential phishing scam highlight a unique method in which threat actors now steal their victims’ credentials. Credential phishing scams like the one above pose a serious risk to individuals and organizations and emphasize the importance of phishing awareness and education. Learn how Cofense PhishMeTM empowers users to recognize and report suspicious messages and avoid falling victim to costly phishing scams.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

H-Worm and jRAT Malware: Two RATs are Better than One

When threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself on removable devices like a USB.

Using a generic phishing lure pertaining to an invoice, the email below contains two attached .zip archives: one with a VBScript application and the other a .jar Java application.

Figure 1: Phishing lure delivering jRAT and H-Worm

While the .jar file is a sample of jRAT, it also drops a copy of H-Worm on the infected machine. The VBScript file is tasked with downloading a Java Runtime Environment (JRE), if it is not already on the machine, which allows the .jar file to run. This VBScript file is a sample of H-Worm. The delivery is unusual compared to older analyses of H-Worm with jRAT, which typically consists of a single payload used to facilitate the infection of both H-Worm and jRAT (and sometimes H-Worm with other malware families).

Two RATs, One Infection

Disseminating two similarly functioning malware families in a single infection is not a new tactic. Threat actors do this to exfiltrate more valuable information and to carry out additional tasks that support further infection or monetization. Some of the functions and capabilities of H-Worm and jRAT are shown below.

Figure 2: Distinct functions and similarities of H-Worm and jRAT

Each remote access trojan serves a specific purpose, such as keylogging, monitoring audio or video, or modifying the registry. At the end of the day, the specific malware or number of malware families used in a single infection cycle does not matter to the threat actor as long as there is a better chance for a successful infection. In the end, all that matters to the threat actors is if they were able to exfiltrate the information they seek.

However, for many attackers, the outcome of a successful infection also relies upon the successful delivery of a phishing email. Threat actors will continue to develop new tactics, techniques, and procedures (TTPs) to lure their intended targets. The first step to avoid an infection like the one above is to recognize and report suspicious messages. Educating computer users to identify suspicious emails can help your organization stop an attack on your infrastructure.

Learn how Cofense PhishMeTM conditions users to recognize active phishing threats.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


America’s First: US Leads in Global Malware C2 Distribution

By Mollie MacDougall and Darrel Rendell

Cofense Intelligence™ has found that 27% of network Indicators of Compromise (IoC) from phishing-borne malware analysed during 2018 used C2 infrastructure located in, or proxied through, the United States—making the US the leader in global malware C2 distribution.

Map 1 details these observations. This does not indicate that US-based users are getting hit disproportionately, as threat actors are incentivised to host C2 infrastructure outside of their own country or countries with extradition agreements with their host nations to avoid arrest and/or extradition. However, C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence of host compromises within the United States.

Map 1: All IPs, both resolved from domain and names and direct-connects, observed during 2018

Chart 1 reflects the top 5 data points observed in Map 1, calculated relative to one another.

Chart 1: Top 5 C2 location points across the globe, year-to-date 2018.

Maps 2 and 3 detail the juxtaposition in C2 locations between TrickBot and Geodo Tier 1 proxy nodes.

Map 2: TrickBot C2 distribution year-to-date 2018

Map 3: Geodo C2 distribution year-to-date 2018

At first glance, the contrast between Geodo and TrickBot may seem odd; Geodo overwhelmingly favors US hosts whereas TrickBot has a propensity toward Russian devices. However, Geodo uses networks of compromised web servers, running Nginx to serve as Tier 1 proxy nodes. More specifically, Geodo uses legitimate web servers as a reverse proxy, tunnelling traffic through these legitimate web servers to hosts on the true hidden C2 infrastructure. TrickBot, on the other hand, almost exclusively uses for-purpose Virtual Private Servers (VPSs) to host its nefarious infrastructure.

TrickBot’s C2 distribution trends significantly more eastward—with a greater number of C2 locations in Eastern Europe and Russia. TrickBot campaigns almost always target Western victims. In June, Cofense Intelligence released a report detailing sustained, pernicious attacks against UK targets. TrickBot’s targeting of Western victims from Eastern-hosted C2 could be due to the lack of extradition agreements amongst those countries (Figure 1). Still, TrickBot does rely on some C2 locations in North America and Western Europe. This could alternatively be a strategic move wherein TrickBot uses regionally diverse C2 locations to make it more difficult to profile its infrastructure, to introduce uncertainty and help keep the hosts viable for the longest possible time. Chart 2 is a companion of Map 2, detailing TrickBot’s favored demographics.

Figure 1: Countries with which the US has extradition agreements.1

Chart 2: A breakdown of TrickBot’s C2 locations. Note: In the ‘Other’ category, 64% are Eastern (including Eastern European).

Looking Ahead

The scattering of C2 locations for Geodo and TrickBot demonstrates the vast infrastructure of two of the most pernicious malware currently distributed via phishing. This suggests that these malware families will almost certainly remain on the scene in the months to come. An avid network defender should take note that using geolocation to help differentiate legitimate traffic from potentially malicious traffic may not be as effective as it seems. In light of the case study above, it would be prudent to actively monitor the threat landscape from a reliable source and stay vigilant.

To learn more about 2018 Geodo and TrickBot activity, view the Cofense™ analysis.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.



Potential Misuse of Legitimate Websites to Avoid Malware Detection

Sometimes, common malware will attempt to gather information about its environment, such as public IP address, language, and location. System queries and identifier websites like are often used for these purposes, but are easily identified by modern network monitors and antivirus. It’s important to know, however, that everyday interactions with legitimate websites provide much of the same information and are not monitored because the interactions are legitimate. In other words, threat actors can bypass automated defenses by abusing legitimate websites that often cannot be blocked for business purposes.

First, cookies—easily accessible records of a user’s interactions with a webpage—are often stored on the local machine and can be accessed by malware.  Second, some servers include additional information about the local machine in the response header. Though this is not as easily accessible to the average computer user, it could be leveraged by malicious actors to gain information related to the local machine’s settings, location, operating system, public IP address, language, region, and unique identifiers.

This information about the local environment could be used to avoid directly querying the local machine, avoiding techniques that trigger automated defenses. For example, a malicious document could determine the region of an infected computer from to bypass network monitoring systems looking for web traffic to identifier websites like and then download region specific malware that is tailored to combat the antivirus software used in that region.

What Information Can Be Derived

Wikipedia’s response headers highlight the wealth of valuable information available to a malicious actor (Figure 1). Here, the “set-cookie” field contains the cookie value, which includes the GeoIP of the browser, consisting of the country, city, and GPS coordinates. The “x-client-ip” in the header records the public IP address of the local machine (redacted).

Figure 1: A response header from Wikipedia

Google has a useful cookie to track if a user has accepted their terms of service. As seen in Figure 2, this small cookie contains the state of agreement, the country where the computer is located, and the language of the browser used.

Figure 2: Matching contents of Google’s CONSENT cookie

How This Information Is Used

Some of this information, such as the IP address, can be leveraged by threat actors to determine if the infected computer is within a certain IP range of particular interest, such as Amazon Web Services or Microsoft Azure. Other malware families will not run unless the infected machine is located in a specific country. Malware that downloads additional files uses many different sources to obtain a variety of information about the local environment including:

  • Using the location and language to determine what to deliver (as discussed in a prior blog)
  • Noting the operating system to determine what kind of malware to deliver
  • Determining the use of a VPN based on the IP address to decide whether to run

What Actions Look Suspicious

Automated systems and malware sandboxes often monitor a list of events that are rarely made by legitimate software. These events include system queries for information such as the system language, generating cryptographic key, or the operating system version, as well as network traffic. Certain language checks or domains appearing in network traffic will trigger alerts, as seen in Figure 3.

Figure 3: A moderate event alert from a Cuckoo sandbox execution

Avoiding Alerts When Seeking Valuable Information

By making web requests to legitimate websites, malware can obtain additional information about its environment while avoiding detection. Suspicious system calls or network traffic that might alert automated systems can be avoided by deriving information from these web requests. There is nothing inherently malicious about contacting legitimate websites, and no suspicions would be raised simply based on such contact.  Many of these checks can be done unobtrusively. This leads researchers to assume the malware is not functional rather than that it is detecting an analysis environment. For example, the same cookie shown in Figure 2 can also be used to detect a mismatch between the browser language and endpoint country (shown in Figure 4).

Figure 4: The endpoint is recorded as Germany (DE,) but the browser language is French(fr)

Potential Impact

This technique is not currently widely used, but offers several benefits to attackers and would be difficult for organizations to defend against. Websites such as Wikipedia and Google cannot simply be blocked, and current local and network defenses may not be able to distinguish traffic that is not inherently malicious. Although this does not disguise the connections that malware makes to its command and control hosts or payload servers, it does hinder analysis and allows an infection to progress further before it is detected.

Given the ease with which threat actors are able to bypass automated defenses by abusing legitimate websites and tools that often cannot be blocked for business purposes, it is imperative that individuals be trained to recognize the initial threat and to report it. Combining this training with human verified intelligence helps to ensure a successful defense strategy.

Learn how Cofense PhishMe™ helps thousands of organizations train users to spot and report phishing emails.

For more information on the abuse of legitimate websites for data exfiltration and malware delivery, as well as the abuse of Microsoft Utilities to avoid detection, see these previous Cofense™ blogs:  “Threat Actors Abusing Google Docs” and “Abusing Microsoft Windows Utilities.”


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Beware of payroll-themed phishing. Here’s one example.

Last week, the Internet Crime Complaint Center (IC3) published a public service announcement on cybercriminals disseminating payroll-themed phishing emails. These phishing emails, often imitating financial organizations, contain alluring content such as an enticing subject line or use social engineering techniques to convince targets that the email is from a legitimate source.

Cofense Intelligence™ has observed payroll-themed phishing lures requesting targets to view an embedded link or download an attached file. The emails typically deliver credential phishing links or malware that is tasked with stealing the target’s financial and personal credentials.

Recently, Cofense Intelligence analyzed a payroll-themed phish distributing the TrickBot malware, Figure 1. While the phishing lure is simple, it does entice the recipient to view the attached document by using an eye-catching subject line and a “confidentiality notice” to convince targets of its legitimacy.

Figure 1: A payroll-themed phishing email received by Cofense Intelligence

The email has an attached Microsoft Office Excel spreadsheet containing a hostile macro script used to download and run the TrickBot malware on the target’s machine. TrickBot targets multiple financial institutions and intercepts relevant internet traffic and exfiltrates it to the threat actors via the command and control locations. TrickBot can also make use of a large suite of plugins which enable it to inject into web browsers, steal email credentials, and operate as a worm, spreading laterally within a LAN via SMB exploitation.

See anything odd in this email?

While the sender’s address (redacted) was spoofed to look internal, there are still a few things that raise red flags. First, there’s no greeting or introduction. It just launches into the message. Second, given the subject’s importance the message is very bare-bones—a single incomplete sentence not even graced by a verb. Third, if you’re not in Payroll or some other part of Finance, why would you receive this? For most recipients, the context wouldn’t make sense.

It’s important to educate and empower users to recognize and report suspicious emails. The following tips will help your users avoid falling victim:

  • Attackers have the ability to make phishing emails look incredibly enticing. Verify that the email comes from a trusted source.
  • Pay attention to the language of the email and note any grammar mistakes.
  • Stay alert! Social engineering is a common technique used by attackers. Use caution if a suspicious email seems convincing.
  • Avoid re-using passwords.
  • Avoid sharing personally identifiable information (PII) over email.
  • Always make sure to verify if a website is legitimate.
  • If an email does seem suspicious, avoid interacting with the sender and instead report it!

To keep up with the latest phishing and malware developments, sign up for free Cofense Threat Alerts.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Into a Dark Realm: The Shifting Ways of Geodo Malware

The Geodo malware is a banking trojan that presents significant challenges. For starters, it conducts financial theft on a vast scale and enables other financially driven trojans. Also known as Emotet, Geodo has a rich history, with five distinct variants, three of which are currently active according to Feodo Tracker. Geodo’s lineage is incredibly convoluted and intertwined with malware such as Cridex as well as the later iterations known as Dridex.

This blog is the first of a CofenseTM three-part series on Geodo. Our analysis of Geodo focuses not on code analysis, rather on observed behaviours, infrastructure choices and proliferation. We note there has been an upward trend of education and government-based mail account credentials being compromised and used to further distribute Geodo. Further, we investigate message content and its focus on financial themes and narratives.

Future blogs will dive into the technical details of the URL structures prevalent in Geodo campaigns and will feature an in-depth analysis and deobfuscation techniques for the multi-layered macro code found within these documents.


Geodo has been steadily building momentum during 2018; after a quiet first quarter, campaigns involving Geodo have increased significantly both in frequency and density. Cofense Intelligence™ is seeing more consecutive days of campaigns, as well as more campaigns per day. Chart 1 details the year-to-date trends of Geodo as tracked by Cofense Intelligence.

Chart 1: The yearly trends of campaigns involving Geodo or its derivatives.

 A very recent change in Geodo’s behavior has seen the banking Trojan move away from its stealer roots and move towards the loader space. Recent campaigns have seen Geodo conditionally deliver either TrickBot or Zeus Panda, both of which would be considered competitors to Geodo’s banking functionality. The actors behind Geodo had been testing the water of competitor delivery as far back as March 26th, 2018, where a campaign delivering Geodo via weaponised Microsoft Office documents led to a further infection of Zeus Panda (See TID 11199). The authors of banking trojans are continually pushed to combat and overcome evolving financial security measures, such as Multi-Factor Authentication (MFA) and software-based security solutions. This arms-race could well be a motivator for the actors behind Geodo’s distribution having moved to the long-term revenue strategy of leasing out their botnet as a loader platform.

Geodo overwhelmingly favours an infection chain of:

Malicious URL → Downloaded Office Document → Macro → Geodo.

Geodo heavily favours both package delivery notices and financial institution-themed campaigns. Figure 1 is a world cloud based upon all Geodo campaigns observed by Cofense IntelligenceTM since tracking began. Figure 2 details campaigns observed strictly in 2018.

Figure 1: A word cloud generated from subject lines captured since tracking began.

Figure 2: Geodo campaign subject lines identified via tracking and botnet injection

Over time, Geodo has expanded from a propensity towards delivery-themed campaigns (spoofing companies like DHL, FedEx, and UPS), to Banking and financial narratives. However, this new focus does not preclude the tendency to spoof legitimate institutions, such as Bank of America and Chase bank. Chart 2 details the breakdown of campaigns throughout 2018, by [imitated] brand.

Chart 2: A breakdown of brands being spoofed by Geodo in 2018. Note: Generic Malware Threat is assigned to campaigns that do not imitate a legitimate entity or organisation. Note: the redacted entry is a large banking entity.


Geodo is a self-perpetuating bot. Once running on a machine, it actively begins to spam copies of itself to a victim list retrieved during one of its many check-ins to a plethora of C2 nodes, as well as addresses harvested directly from local contact lists. Typically, the messages sent by an infected host will contain either a URL from which a potential victim can download a weaponised Office document, or it will have that type of document attached directly to the message.

Message Structure

Geodo uses a subtle marker to track which bots are delivering messages on behalf of the actor(s) behind the campaigns. The Message-ID field of each message contains an identifier which can potentially be used to identify which bot sent a particular message. At this moment, the structure of the message ID is:

[email protected]

<20 numeric characters>.<16 hex characters>@<recipient domain>

A more literal example could be:

[email protected]

The identifier is a unique number assigned to each message as it is generated and sent by a bot. We have observed the identifier change as a bot progresses through its assigned list of recipients, then subsequent campaigns, as the bot becomes active again. Despite not changing linearly or sequentially, the general trend of these identifiers has seen the character count increase from 15 to 19-20.

There are several key pieces of data that can guide us toward some likely reasons for this behavior:

  1. The identifier ranges are not unique to each bot – multiple bots can have overlap within the same range.
  2. Identifiers do not always increment sequentially. This is true across multiple bots.
  3. Since tracking began, the identifier size has risen consistently from 15 bytes, up to 19-20 bytes.
  4. There are never any identifier collisions, even across different infections.

These four points lend credence to the supposition that these identifiers not only serve the functional purpose of a Message-ID (to act as a globally unique identifier of a message), but also allow the actors behind Geodo to track which bot is sending which message. By seeding recipient lists with attacker-controlled email addresses, it is possible to programmatically identify which bots are not sending messages as expected, and could be compromised, offline or otherwise in an undesirable state. With this information, attackers may be able to figure out which bots are legitimate infections, and which are researcher-controlled, thus giving them the capability to selectively send bogus templates or data to these compromised nodes.

The second part of the Message-ID structure is a 16 character hex string. As with the identifier, each hex string is unique to the message, meaning it is most likely a hash of some kind.

The final part of the Message-ID is simply the recipient’s own domain.


URL-based campaigns – that is, campaigns that deliver messages which contain URLs to download weaponised Office documents – are by far the most prevalent payload mechanism employed by Geodo. Indeed, analysis of ~612K messages shows just 7300 have attachments; a trifling 1.2% of the total. The structure of the URLs falls into two distinct classes. Cofense Intelligence analysed a corpus of 90,000 URLs and identified 165 unique URL paths.

There are two distinct classes of URLs employed by Geodo. A detailed breakdown of these URL structures will be discussed in an upcoming blog.

Chart 3: A breakdown of the top 10 URL tokens extracted from the 1000 most recently observed URLs.

A typical email from a URL-based campaign can be seen in Figure 3. Heavily contrasting TrickBot’s focus on social engineering, Geodo campaigns are fairly often lacking in any genuine attempt at brand imitation, beyond merely stating a name and perhaps a disclaimer.

Figure 3: An example of a Geodo email delivering a URL.

Figure 4 details the type of network activity that might occur, should a victim click on a link in one of these messages. When clicked, the user’s default browser is opened, and the download occurs directly. In the case of Google Chrome, the user typically will receive multiple warnings that the file being downloaded is hostile and requires multiple steps to allow the download to finish. Figures 5 and 6 details this process.

Figure 4: A Wireshark capture of the HTTP conversation after a live link is clicked.

Figure 5: A warning bar at the base of the Google Chrome browser warns the user the file is dangerous.

Figure 6: The user is required to click “Keep Dangerous File” followed by “Keep anyway” before Chrome will release the quarantined file.

Despite Chrome doing an admirable job of identifying some of the malicious documents, the permutations employed by the Geodo actors allows a significant number of documents to pass by unnoticed. Further stymying the malicious actors’ efforts: the downloaded documents are tagged with a “MotW” — or “Mark of the Web” – which, as seen in Figure 7, can potentially require further engagement by the recipient to finally get the file opened. A ZoneID of 3 indicates that the file is from the Internet Zone.

Figure 7: The downloaded documents are tagged with a Mark of the Web.


Although comparatively rare, Geodo campaigns occasionally deliver attachments instead of malicious URLs, but the narratives and themes used for these campaigns do not noticeably differ. Figure 8 shows an example of a message from an attachment-based campaign. This campaign used a generic theme with no identifiable company or entity being imitated.

Figure 8: An example message from an attachment-based, Geodo campaign.

Digging into a corpus of ~7500 filenames (examples of which are presented in Table 1) shows a very distinct set of naming conventions. These can mostly be described by a regular expression, with a few caveats.

Table 1: Example filenames used during very recent Geodo campaigns.

The naming structure bears very close resemblance to certain segments of URLs, described in detail in the next blog in this series. Although drawing any conclusions from this would be fallacious, it could potentially be used to predict the structure of a successor campaign.

Weaponised Office Documents

Regardless of which vehicle was used as the transport medium, the documents are invariably, intuitively similar. Each document comes weaponised with a hostile macro. The macros are always heavily obfuscated, with junk functions and string substitutions prevalent throughout the code. The obfuscation uses three languages or dialects as part of the obfuscation process: Visual Basic, PowerShell, and Batch.

An upcoming blog will provide an in-depth analysis of the deobfuscation techniques for the multi-layered macro code found within these documents.


The general behaviour of Geodo has been covered in extreme depth both by Cofense and the greater InfoSec community, so we will not rehash those analyses here. Rather, we will focus on Geodo’s ubiquitous spamming capabilities and the methods it uses to facilitate such behaviour.

Geodo is a modular trojan, which means most of its functionality is abstracted away from the core code and placed in external files that can be selectively imported and executed. One such example is the “spam” module. This module facilitates not only the distribution of spam, but also the validation of stolen credentials.

Geodo has two primary means of obtaining credentials. One way is retrieving a list along with the spam module. The other harvests accounts from the local machine, using a variety of external utilities. When new accounts are discovered, their credentials are validated before any attempt is made to communicate them. Figure 9 shows the credential validation phase of the spam process.

Figure 9: The credential validation phase. Each set of credentials is validated before it is used to send spam messages.

If a set of credentials is validated, spam messaging begins in earnest. Figures 10 and 11 show a Wireshark capture of a bot testing credentials before delivering messages to multiple recipients. These recipients are chosen from a large pool of email addresses containing hundreds of thousands, perhaps millions of addresses. It is unlikely that any bot ever receives a complete list of recipient addresses, meaning the sheer number available to Geodo is staggering.

Figure 10: A Wireshark capture of Geodo testing a set of credentials, before using them to authenticate and begin sending the current template.

Figure 11: Geodo iterates through its recipient list and continues to send phishing messages, using the same session.

Geodo is in constant contact with its C2 hosts. Geodo comes hardcoded with anywhere from 30-45 IP addresses, each pointing to a compromised (or, in some cases, outright malicious) web server. Most of these use Nginx as a reverse proxy to forward connections onto the actual command and control hosts. Figure 12 shows an approximate interpretation of this infrastructure.

Figure 12: An approximate representation of the Geodo infrastructure. It should be noted that there’s a high chance the proxies are tiered or layered; this representation defines a single-layer proxy configuration.

As part of its communications with the C2 infrastructure, Geodo is constantly polling for updates, commands, or instructions. Threat actors behind Geodo frequently deploy new email templates, updated C2 lists, and other module specific instructions or data. In the case of the spam module, we have actively observed Geodo launching spam campaigns against yet unseen victims in addition to new, stolen credentials. This type of information exchange is very unlikely to be unidirectional. To keep the recipient and credential lists fresh and relevant, Geodo must communicate dead recipients, bad credentials, or bad hosts.  Geodo has also been directly observed updating passwords for usernames as they become available. This type of information exchange allows the Geodo actors to automatically adjust their lists in as near real-time as is feasible, but it does open the botnet up to vulnerabilities.

It is plausible that researchers could poison the entire botnet from just a few hosts. Researchers could monitor the credentials being used by each bot, then create an account on the infected device that matches the username but contains a bad password. When the bot attempts to verify the authenticity of the new password and connects to a researcher-controlled SMTP host to accomplish this, the researcher’s host responds that authentication has been successful. Geodo will not only go ahead and begin spamming out phishing emails (as demonstrated in Figures 10 and 11), but it will also report the updated credentials to the C2 infrastructure. These bad credentials will propagate throughout the botnet and, potentially, cause large scale interruptions to its activity.

At the time of analysis, Cofense has tracked ~31,000 credential sets in a very short time. Charts 4 through 6 show multiple interpretations and permutations of this data.

Chart 4: Compromised credentials by Top-Level-Domain (TLD).

Chart 5: Compromised Credentials by Second-Level-Domain (SLD).

Chart 6: Compromised credentials by domain.

Beyond being interesting purely as data points, tracking the domains to which the compromised credentials belong allows us to actively see where outbreaks are succeeding. Spikes for certain TLDs (such as .edu) might indicate the actors are targeting students and educators. A rise in occurrences of SLDs (Second-Level Domains) could indicate the targeting of UK-based government agencies.

For many reasons, Geodo is a hugely problematic trojan. Its primary distribution method contributes an enormous amount of daily spam and phishing volumes. Not only does it engage in financial theft, but also enables additional finance-driven trojans. It can spread laterally across a network and steal credentials from a large array of software – further perpetuating the spam problem. Staying on top of these threats means employing timely, pertinent, and high-fidelity training to help users become familiar with this prolific threat. Security in depth means the ability to know not only “what”, but also “who.”

For a look behind and a look ahead at major malware trends, view the 2018 Cofense Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.