Summer Reruns: Threat Actors Are Sticking with Malware that Works
Let’s take a look back at this summer’s malware trends as observed by Cofense Intelligence™. Summer 2018 was marked by highly inconsistent delivery of TrickBot and Geodo, while volumes of lower-impact malware families such as Pony and Loki Bot remained consistently high. Improvements to the delivery and behavior of Geodo and TrickBot, together with the resurgence of two updated families, Hermes ransomware and the AZORult stealer, reaffirm a preference among threat actors for updating existing tools rather than developing new malware. Because threat actors will keep refining their software to ensure successful infections, defenders need to understand how these attacks work.
Highest Volume Malware Families this Summer: June – August 2018
This summer, the usual simple-script malware variants were observed in high volumes in June, July, and August. The following pie charts depict the highest-volume malware families in each of those months.
Chart 1: Top malware families from June – August 2018
Chart 1 shows Loki Bot, Pony, and jRAT dominating as the top three sustained malware families this summer, which is not unusual for the season. Meanwhile, TrickBot’s dissemination was marked by characteristic periods of high-volume campaigns followed by periodic lulls. Changes to TrickBot’s infrastructure indicate that the lulls may have been due to a focus on retooling and updating the malware.
Trojans, Botnets, and Information Stealers: New Delivery and Capabilities
Cofense Intelligence observed a sustained increase in TrickBot targeting United Kingdom residents from April through June, with relatively few campaigns targeting other regions during that period. The assessed targeting is based on phishing narratives purportedly from UK financial institutions. This trend changed in July, when TrickBot targeted UK and United States residents in roughly equal measure.
Command and Control
Changes to TrickBot’s command and control (C2) infrastructure have improved the malware’s resiliency. This summer, TrickBot introduced Tor-hosted C2 locations used to download additional modules, plugins, and other updates, and to support a BackConnect feature. This location, typically a .onion domain, is hard-coded in the configuration file embedded in the TrickBot binary. An example of a Tor-hosted C2 location is displayed below:
Threat actors differentiate UK-targeted from US-targeted campaigns through the phishing lure, and that distinction is also reflected in TrickBot’s command and control. It is visible in the group tag (referred to as the GTAG in the configuration files), which identifies the TrickBot build and appears in the path of the C2 URL. Campaigns using the “ser” GTAG typically carry this distinction: the tag “ser” followed by the month and day of the TrickBot sample denotes a build that targets UK residents by default, while the US-targeted build has “us” appended after the month and day. This mirrors what we observed with the Dyre malware. Table 1 provides several examples of “ser” C2 infrastructure targeting both UK and US residents. The first column lists subject lines that either include the impersonated brand or have the brand specified in the message body (shown in parentheses). The “GTAG” column lists the group tag for each of those subject lines.
Table 1: Distinctions between UK and US TrickBot versions
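As an added example (not code from the original post or from Cofense), the following Python turns the two C2 observations above into simple triage logic: it pulls the group tag out of a C2 URL path and classifies the “ser” + month/day (+ optional “us”) convention into UK or US targeting, and it scans a configuration blob for hard-coded .onion C2 locations. The sample URLs and the configuration blob are constructed for illustration and are not real indicators; the assumption that the GTAG is the first path segment of the C2 URL is mine, as the post only says the tag appears in the URL path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample C2 URLs (not real indicators). Assumption for this example:
# the group tag is the first segment of the URL path.
SAMPLE_C2_URLS = [
    "https://203.0.113.10:443/ser0612/HOST1_W617601.1234ABCD/5/file/",
    "https://203.0.113.11:449/ser0710us/HOST2_W10.5678EFAB/5/file/",
    "https://203.0.113.12:443/ser0801/HOST3_W617601.DEADBEEF/0/",
    "http://198.51.100.5:8082/lib373/HOST4_W10.ABC/5/file/",
]

# Constructed configuration blob embedding a hypothetical Tor-hosted C2 location.
SAMPLE_CONFIG_BLOB = (
    b"\x00\x01<mcconf><plugins>https://trickbotc2aaaaaa.onion/plugins/</plugins>"
    b"<srv>203.0.113.10:443</srv></mcconf>\x00"
)

# "ser" + MMDD, optionally followed by "us" for the US-targeted build.
GTAG_RE = re.compile(r"^(?P<family>[a-z]+)(?P<month>\d{2})(?P<day>\d{2})(?P<region>us)?$")

# v2 (16 chars) or v3 (56 chars) onion names, base32 alphabet a-z2-7.
ONION_RE = re.compile(rb"(?<![a-z2-7])[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion")


@dataclass
class GtagInfo:
    gtag: str
    family: str
    month: Optional[int]
    day: Optional[int]
    target: str  # "UK", "US" or "unknown"


def parse_gtag(gtag: str) -> GtagInfo:
    """Classify a TrickBot group tag by the 'ser'/'serus' convention."""
    m = GTAG_RE.match(gtag)
    if not m:
        return GtagInfo(gtag, gtag, None, None, "unknown")
    month, day = int(m.group("month")), int(m.group("day"))
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return GtagInfo(gtag, m.group("family"), None, None, "unknown")
    family = m.group("family")
    if family == "ser":
        target = "US" if m.group("region") else "UK"  # UK is the default build
    else:
        target = "unknown"  # other tag families carry no known region marker
    return GtagInfo(gtag, family, month, day, target)


def gtag_from_url(url: str) -> Optional[str]:
    """Return the first path segment of a C2 URL (assumed to be the GTAG)."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return parts[0] if parts else None


def classify_c2_urls(urls: List[str]) -> List[Tuple[str, Optional[GtagInfo]]]:
    """Pair each URL with its parsed GTAG, or None when no path segment exists."""
    out = []
    for u in urls:
        g = gtag_from_url(u)
        out.append((u, parse_gtag(g) if g else None))
    return out


def find_onion_c2(blob: bytes) -> List[str]:
    """Extract distinct .onion hostnames from a configuration or binary blob."""
    return sorted({m.decode("ascii") for m in ONION_RE.findall(blob)})


if __name__ == "__main__":
    for url, info in classify_c2_urls(SAMPLE_C2_URLS):
        print(f"{url}\n  -> gtag={info.gtag} target={info.target}")
    print("Tor C2 locations:", find_onion_c2(SAMPLE_CONFIG_BLOB))
```

The onion extractor runs over raw bytes so it can be pointed at a memory dump or a decrypted configuration without decoding first; tags that do not follow the “ser” convention are reported as unknown rather than guessed.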
Inconsistent phishing lures and distractions
TrickBot distribution was marked by peaks and valleys throughout the summer. One lull coincided with the FIFA World Cup (hosted in Russia this year). During the World Cup, Cofense Intelligence noted that TrickBot phishing lures, usually notable for their sophistication and appearance of legitimacy, were unusually simplistic. There are a few possible explanations for this lull:
- The World Cup and/or summer vacation season distracted TrickBot’s operators
- TrickBot phishing emails were disseminated by a group with fewer resources
- TrickBot operators were using this time to curate the malware or its delivery
After the World Cup concluded, Cofense Intelligence observed a sustained uptick in TrickBot throughout the rest of July, before again tapering off in August for another temporary lull.
This summer, the Geodo trojan, also known as Emotet, increased in activity from mid-July through August. In an unusual turn, it was used as a loader for additional malware in multiple campaigns. Geodo traditionally has three primary roles: spamming botnet, information stealer, and banking trojan. Like TrickBot, Geodo has also undergone changes, including its phishing lures and execution on victims’ machines.
Geodo can also act as a malware downloader, though before this summer it was rarely used as such. Cofense Intelligence observed Geodo retrieving and executing Zeus Panda in three phishing campaigns, and the threat intelligence community later reported Geodo delivering TrickBot in another campaign, with the payload apparently selected by the victim’s location.
Before its increased activity this summer, Geodo campaigns primarily used simplistic, generic phishing lures. In July, Geodo began using more advanced and effective lures that imitate US banks, making the phishing email considerably more enticing and convincing to potential targets. Some emails address the recipient directly in the message body, a common social engineering technique intended to lend the email credibility.
What’s in the Future?
The threat of Geodo has escalated within the past few months. Geodo will almost certainly continue to utilize enticing phishing lures, and it will likely continue to act as a loader for other malware. For more information on Geodo’s significant shift in structure, please refer to this blog post produced by Cofense Intelligence.
Although Cofense Intelligence first reported AZORult in 2017, it resurged in June 2018. AZORult is an information stealer with a wide range of capabilities. Older versions could collect cookies, stored passwords, financial credentials, and auto-complete data from mainstream browsers. The newest version, Version 3, copes with newer browser security enhancements and evades detection by security tools, improving the malware’s ability to compromise its victims.
AZORult communicates with its C2 only twice before terminating its own binary, which is unusual for information stealers, most of which are designed to maintain persistence. In August 2018, Cofense Intelligence reported that AZORult can act as a loader for additional malware. Cofense™ assesses that the threat actors distributing AZORult are working to improve its delivery mechanism: AZORult has not only used weaponized Office documents as intermediate payloads but has also exploited known vulnerabilities, including CVE-2018-0802 and CVE-2017-11882 (both Microsoft Office Equation Editor flaws), to facilitate infections.
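The “two C2 contacts, then exit” behaviour described above is the kind of trait that can be turned into a hunting heuristic. The following Python, an added example rather than code from the post or from Cofense, groups proxy log events by source host and destination and flags pairs that show exactly two POST requests within a short window and nothing else. The log lines are constructed for illustration; the assumptions that the check-ins are HTTP POSTs and that the log covers a long enough period afterwards to confirm silence are mine, and any hit should be treated as a lead for investigation, not a verdict.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed proxy log (not real data). Fields: ISO timestamp, source host,
# destination, HTTP method, path.
PROXY_LOG = """\
2018-07-30T09:00:01 ws-042 203.0.113.50 POST /index.php
2018-07-30T09:00:03 ws-042 203.0.113.50 POST /index.php
2018-07-30T09:00:00 ws-017 198.51.100.7 GET /news
2018-07-30T09:05:00 ws-017 198.51.100.7 GET /news
2018-07-30T09:10:00 ws-017 198.51.100.7 GET /news
2018-07-30T09:01:00 ws-099 203.0.113.51 POST /gate.php
2018-07-30T09:02:00 ws-123 203.0.113.52 POST /gate.php
2018-07-30T09:02:20 ws-123 203.0.113.52 POST /gate.php
2018-07-30T09:30:00 ws-123 203.0.113.52 POST /gate.php
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

Event = Tuple[datetime, str, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into sorted (time, src, dst, method, path) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, method, path = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, method, path))
    return sorted(events)


def find_two_contact_pairs(events: List[Event],
                           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs with exactly two POSTs inside `window` and no other traffic.

    Assumption (this example's, not the post's): the stealer's check-ins are POSTs
    and the log spans enough time after them to show that the host went quiet.
    """
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, method, _path in events:
        by_pair[(src, dst)].append((ts, method))

    hits = []
    for (src, dst), evs in by_pair.items():
        if len(evs) != 2:
            continue  # one-off beacons and chatty sessions both fall outside the pattern
        (t1, m1), (t2, m2) = evs
        if m1 == m2 == "POST" and (t2 - t1) <= window:
            hits.append((src, dst))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst in find_two_contact_pairs(parse_log(PROXY_LOG)):
        print(f"candidate two-contact stealer pattern: {src} -> {dst}")
```

In the constructed data only ws-042 matches: ws-099 contacted its destination once, ws-017 browsed normally, and ws-123 made a third request, which rules out the exit-after-two behaviour.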
Involvement in Other Malware Infections
In late July, Cofense Intelligence observed a Chanitor campaign delivering AZORult as part of its infection chain. Chanitor is a loader typically delivered by malicious URLs that retrieve macro-enabled documents. Currently, most Chanitor infections deliver three binaries to infected machines: two samples of Pony and one sample of Zeus Panda. One recent iteration replaced one of the two Pony samples with AZORult; however, we did not observe this trend continue in later campaigns. Table 2 lists the indicators of compromise (IOCs) involved in this infection.
Table 2: AZORult’s involvement in a Chanitor malware campaign
In August, AZORult Version 3 was observed acting as a loader, downloading and executing Hermes 2.1 ransomware.
An updated version of Hermes ransomware emerged in phishing campaigns in mid-July 2018. Hermes’s delivery method bears a striking similarity to that of both Sigma and GandCrab ransomware, suggesting that the threat actors distributing those families may be connected to or involved in the distribution of Hermes. The phishing lure associated with Hermes mirrors those of Sigma and GandCrab in structure, language, and grammar. A recent blog published by Cofense Intelligence further illustrates the similarities among the three ransomware families.
Since Hermes’ appearance this summer, other popular 2018 ransomware families such as Sigma, GandCrab, and even GlobeImposter have been almost non-existent, save for one recent GandCrab campaign that deployed an updated version.
What We Learned This Summer
This summer was defined by uneven distribution of TrickBot and Geodo and by changes to the delivery and methodology of both. The use of Geodo and AZORult as loaders was unusual and further highlighted how multifunctional these families are. Finally, the continued updating of old families without the introduction of new malware reaffirms that threat actors are content to stick with what works and to invest their resources in retooling and updating existing malware. They will continue to refine their software to increase the odds of infection.
These trends underscore two things. Incident responders and network defenders must devise a response plan for high-impact phishing campaigns. And the best way to avoid falling victim to attacks on your infrastructure is to empower and educate users to recognize and report suspicious emails.
Organizations worldwide use Cofense PhishMe™ to do exactly that. See how our phishing awareness solution can better prepare your teams.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.