Cofense Intelligence™ has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in the nine preceding months combined. Four different malware families were utilized.
The .com file extension is used for text files with executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards compatibility reasons. The .com style byte code is the same across all PE32 binaries (.exe, .dll, .scr, etc.) within the DOS stub. The subject lines and email contents of the phishing emails (Figure 1) suggest that the threat actor is targeting financial service departments. The .iso file attachment mentioned in the email contents is an archive containing a .com executable.
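A mail-gateway triage check for attachments carrying the .com extension, added here as an example (not Cofense code). It assumes the attachment has already been extracted from any .iso container, and separates a headerless DOS-style .com from a PE32 image that was simply renamed to .com, using the MZ header and the PE signature at the offset stored in e_lfanew.

```python
import struct

# Constructed samples, not real malware:
# a five-byte DOS program (mov ax,4C00h ; int 21h) that just exits,
RAW_COM_SAMPLE = b"\xb8\x00\x4c\xcd\x21"
# and the minimum layout of a PE image: "MZ", e_lfanew at 0x3C pointing to "PE\0\0".
PE_AS_COM_SAMPLE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"


def classify_com_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment by extension and by what its bytes actually are.

    Returns one of:
      'not-com'       extension is not .com, outside this check's scope
      'too-short'     fewer than 2 bytes, nothing to execute
      'raw-com'       no MZ header: headerless 16-bit code, the classic DOS .com layout
      'mz-stub-only'  MZ header but no PE signature (plain DOS MZ executable)
      'pe-as-com'     MZ header plus PE signature: a Windows PE image renamed to .com
    """
    if not filename.lower().endswith(".com"):
        return "not-com"
    if len(data) < 2:
        return "too-short"
    if data[:2] != b"MZ":
        return "raw-com"
    if len(data) < 0x40:
        return "mz-stub-only"
    # e_lfanew (offset of the PE header) lives at 0x3C of the DOS header.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe-as-com"
    return "mz-stub-only"


def should_quarantine(filename: str, data: bytes) -> bool:
    """Policy used here: no business case exists for .com attachments, so hold all of them;
    the classification is kept for the analyst so a renamed PE is obvious at a glance."""
    return classify_com_attachment(filename, data) != "not-com"


if __name__ == "__main__":
    for name, blob in (("invoice.com", PE_AS_COM_SAMPLE), ("tiny.com", RAW_COM_SAMPLE)):
        print(name, classify_com_attachment(name, blob), should_quarantine(name, blob))
```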
Figure 1: Email Content Suggests Targeting of Financial Services Department
If you’re a Cofense PhishMe™ customer, you can use this same lure in your phishing simulations. Look for the template we’ve created, “Overdue Invoice – LokiBot.” It conditions employees to report phishes trying to deliver the Loki Bot information stealer malware. (More on Loki Bot and other malware below).
The two most popular subject line themes we’re seeing use the lures “payment” and “purchase order.” Threat actors are likely carrying out these campaigns to target employees with financial information stored on their local machines, which explains the use of information-stealing malware as the campaigns’ payloads.
Figure 2: Subject Line Categories used in .COM Campaigns
Our analyses showed that the email subject lines were specific to the malware payloads they delivered. For example, emails with “payment” subject lines delivered more AZORult information stealer, while emails with “purchase order” subject lines most often delivered the Loki Bot information stealer and the Hawkeye keylogger. It is possible that different actors are distributing the unique malware families via .com files. Or, perhaps the same group is responsible and assesses which lures are most appropriate for different malware and the information they target.
Most commonly, .com payloads are directly attached to a phishing email without any intermediary delivery mechanism. However, some campaigns did include an attachment that contained such an intermediary dropper: often the attachment was weaponized with an exploit for a known CVE or with a malicious macro, which would deploy a .com payload onto the endpoint. As network defenders become increasingly aware of this direct-attachment delivery, Cofense Intelligence expects to see an increase in intermediary delivery of malicious .com files, wherein a “dropper” attachment will arrive with the phish and subsequently load the weaponized .com file onto the endpoint.
Figure 3: Malware Families Delivered using .com Extensions.
Loki Bot, AZORult and Hawkeye made up the vast majority of malware delivered in the campaigns we analyzed, whereas Pony accounted for a very small percentage. The “combination” section refers to attachments that exploit a vulnerability within a document to deploy a .com payload on the endpoint, as mentioned above.
The malware families delivered with the .com extension also revealed a trend with their Command and Control (C2) communication. The samples of .com binaries that delivered AZORult communicated exclusively with domains hosted by Cloudflare. Cloudflare was also the predominant host for Loki Bot with over 75% of its C2 domains hosted with that service. It is likely that Cloudflare is not hosting the actual C2, but in fact being used as a domain front. “Domain fronting” is a technique that allows for the connection to appear to go to one domain when it is actually going to another. This is achieved by connecting securely to one domain and then passing in the target domain via the HTTP host header value. By using Cloudflare, which is typically trusted by most organizations, the attackers are able to circumvent blocks that might be put in place. Cloudflare recently changed its policies to disallow its use for malicious hosting, yet the service has continued to be used by attackers for malicious redirection.
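A detection that follows directly from the description above: where a TLS-inspecting proxy logs both the SNI from the ClientHello and the Host header seen after decryption, a record whose Host names a different domain than its SNI is a domain-fronting candidate. This is an added example, not Cofense tooling; the log format is constructed and the column names (ts, src, sni, host) are assumptions.

```python
import csv
import io
from typing import List, Tuple

# Constructed sample of an intercepting proxy's log, one TLS session per row.
SAMPLE_PROXY_LOG = """\
ts,src,sni,host
2018-11-05T10:01:02Z,10.0.0.15,www.example-cdn.test,www.example-cdn.test
2018-11-05T10:01:09Z,10.0.0.15,www.example-cdn.test,c2-panel.example.test
2018-11-05T10:02:30Z,10.0.0.22,mail.example.test,MAIL.EXAMPLE.TEST:443
2018-11-05T10:03:11Z,10.0.0.22,cdn.example.test,
"""


def normalize_host(value: str) -> str:
    """Lower-case, drop a trailing dot and an explicit port so SNI and Host compare fairly."""
    value = value.strip().lower().rstrip(".")
    if value.startswith("["):            # IPv6 literal such as [2001:db8::1]:443
        return value.split("]")[0].lstrip("[")
    return value.split(":")[0]


def find_fronting_candidates(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (src, sni, host) for every session whose decrypted Host header
    names a different domain than the SNI presented in the TLS handshake.

    Sessions with no Host header (or no SNI) cannot be judged and are skipped;
    a case or port difference alone is not a mismatch.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        sni = normalize_host(row["sni"])
        host = normalize_host(row["host"])
        if not sni or not host:
            continue
        if sni != host:
            hits.append((row["src"], sni, host))
    return hits


if __name__ == "__main__":
    for src, sni, host in find_fronting_candidates(SAMPLE_PROXY_LOG):
        print(f"{src}: SNI {sni} but Host {host}")
```

The Host header is only visible when TLS is terminated at the proxy or at the endpoint, so without inspection the best available signal is the destination domain alone. Treat a mismatch as a lead rather than a verdict, since some legitimate CDN deployments also produce them.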
Figure 4 below shows the C2s for Loki Bot, AZORult, and Pony that were hosted on Cloudflare compared to every other domain hosting service provider. Hawkeye keylogger stood apart in communicating with unique email domains.
Cofense Intelligence estimates that we’ll see an increased adoption of malware using the .com extension. Similar campaigns will likely expand to other industries that have monetizable data, like the healthcare and telecommunication sectors. An increased use of the .com extensions can be harmful to enterprise networks if organizations are not prepared for it, and once they are, another file extension will surge in popularity in a constant effort to stay ahead of the defense.
To stay ahead of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.
- Filename: overdue payment.com; MD5 hash: 8e6f9c6a1bde78b5053ccab208fae8fd