Cisco Ironport
By Kyle Duncan and Ashley Tran, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in an environment protected by Ironport that aims to strike alarm and manipulate end users into clicking on a Microsoft-branded credential phish that prays on concerns surrounding the coronavirus.
The email appears to be from The Centers for Disease Control and the message is that the coronavirus has officially become airborne and there have been confirmed cases of the disease in your location. The email goes on to say that the only way to minimize risk of infection is by avoiding high-risk areas that are listed on a page they have personally hyperlinked to you – the recipient. The email is NOT from the CDC and the link to possible safe havens is actually malicious.
Since news of the coronavirus hit national headlines, many threat actors have played on its infamy to target unsuspecting users. While there are numerous phishing campaigns raving about the latest safety measures, all claiming to be reputable health organizations or doctors, this email differs in its methods, weaponizing fear to panic users into clicking malicious links.
Figure 1: Email Header
The following are snippets of the header information for the email. Looking at the first stop on the received path we see that the email originated from the domain veloxserv.net with an IP address of 193[.]105[.]188[.]10. This obviously has nothing to do with the Centers for Disease Control, as this is an IP located within the United Kingdom. However, the sender is issuing a HELO command which tells the email server to treat this email as if it were originating from the domain “cdc.gov”.
Figure 2: Email Body
The subject of the email is “COVID-19 – Now Airborne, Increased Community Transmission” followed by a spoofed display name, CDC INFO, and from address, [email protected], thus making it appear as if the sender is really the CDC. Despite odd capitalization on some words in the email, it is a rather good forgery which, when combined with the high stress situation it presents, may cause most users to overlook those details and click the link immediately.
Users are led to believe they are clicking a link to:
hxxps://www[.]cdc[.]gov/COVID-19/newcases/feb26/your-city[.]html
However, embedded behind that link is the following malicious redirect:
hxxp://healing-yui223[.]com/cd[.]php
Which in turn goes to the final landing page of the phish located at:
hxxps://www[.]schooluniformtrading[.]com[.]au/cdcgov/files/
Upon further research, there were two additional compromised sites set up with this same phishing kit.
Additional redirecting URLs found were:
hxxps://onthefx[.]com/cd[.]php
Additional phishing pages:
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files
hxxps://gocycle[.]com[.]au/cdcgov/files/
In each of these three unique attacks, the URLs used to redirect the victim to the credential phishing site are of Japanese origin. All use the file cd.php, which forces the redirection to the phish. The phishing pages themselves have the same Top-Level Domain, .com.au, and each has a SSL certificate. These clues point to a single threat actor carrying out these attacks. Further observation may soon reveal the actor’s identity or at least a general attack vector that can be monitored for and blocked by network firewalls.
Figure 3: Phishing Page
Users will be presented with a generic looking Microsoft login page upon clicking the link.
The recipient email address is appended within the URL, thus automatically populating the login box with their account name. The only thing for the user to provide now is their password. Upon doing so, the user is sent to the threat actor.
Once users enter their credentials, they are redirected to a legitimate website of the CDC:
hxxps://www[.]cdc[.]gov/coronavirus/2019-ncov/php/preparing-communities[.]html
Indicators of Compromise:
| Network IOC | IP |
| hxxps://healing-yui223.com/cd[.]php | 150[.]95[.]52[.]104 |
| hxxps://www.schooluniformtrading[.]com[.]au/cdcgov/files/ | 118[.]127[.]3[.]247 |
| hxxps://onthefx[.]com/cd[.]php | 153[.]120[.]181[.]196 |
| hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files | 112[.]140[.]180[.]26 |
| hxxps://gocycle[.]com[.]au/cdcgov/files/ | 13[.]239[.]26[.]132 |
Spoofed World Health Organization Delivers Agent Tesla Keylogger
In addition to the spoofed CDC message discovered by the Cofense Phishing Defense Center, Cofense Intelligence also recently identified a phishing campaign spoofing the World Health Organization (WHO) to deliver the Agent Tesla keylogger. The phishing campaign is designed to invoke fear and curiosity of the intended recipient with the subject “Attention: List Of Companies Affected With Coronavirus March 02, 2020.”
The attachment accompanying the phishing email spoofing the WHO is labeled ‘SAFETY PRECAUTIONS’ and has a .exe extension. The icon of this executable is that of a Microsoft Office Excel file, intending to fool the end user into believing that the attachment is indeed an Excel document, listing the infected companies. The attachment is in fact an .exe, delivering a sample of Agent Tesla keylogger. The email body can be seen below.
Figure 4: The phishing email spoofing the World Health Organization
| Filename | MD5 Hash |
| SAFETY PRECAUTIONS.rar | 05adf4a08f16776ee0b1c271713a7880 |
| SAFETY PRECAUTIONS.exe | ef07feae7c00a550f97ed4824862c459 |
Table 1: Agent Tesla Keylogger Attachments
| Agent Tesla C2s |
| Postmaster[@]mallinckrodt[.]xyz |
| brentpaul403[@]yandex[.]ru |
Table 2: Agent Tesla Keylogger Command and Control (C2) Locations
| YARA Rules |
| PM_Intel_AgentTesla_36802 |
Given the levels of concern associated with the COVID-19 outbreak, such phishing themes will almost certainly increase, delivering a broader array of malware families.
HOW COFENSE CAN HELP
75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.
Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting.
Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.
Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.
Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.
