PhishMe Expands Phishing Incident Response Platform Capabilities

Announced at RSA Conference 2017: PhishMe Enhances Solution Unmatched in the Industry

SAN FRANCISCO – February 13, 2017 – PhishMe®, the leading provider of human-phishing defense solutions, announced today that it has released enhancements to improve efficiency and analytics in its phishing threat management and incident response platform, PhishMe Triage™.

PhishMe Triage Integrates with Palo Alto Networks WildFire Cloud to Combat Phishing

Integration Pairs Efficient and Expedient Phishing Incident Response with Integrated Threat Analysis and Prevention

PhishMe® and Palo Alto Networks® technologies equip security teams with enhanced protection against phishing threats.

Conditioning employees to detect and report suspicious email is a strategy security leaders have adopted to protect the business and empower employees to become a defensive asset. PhishMe Triage™ ingests employee-reported suspicious email – allowing security teams to quickly assess and respond to threats. PhishMe Triage now integrates with Palo Alto Networks WildFire™ cloud-based threat analysis and prevention capabilities to provide an even more formidable approach to identifying and preventing potentially damaging phishing attacks.

When Phish Swim Through the ‘Net

As attackers continue to innovate, preventing a malicious email from succeeding once it reaches the inbox will remain a challenge. Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. A key defensive tactic is to condition employees to identify and report suspicious email to security teams for analysis. Yet security teams need to be efficient and can’t afford to be bogged down with manual processing and analysis when responding to incidents. High-functioning security teams must automate the ability to ingest, verify and enforce new protections for potential phishing attacks, all within their existing infrastructure.

Empowered Employees and Technology – Catchin’ Phish!

PhishMe Research has proven that employees who are conditioned to report suspicious email are assets, not liabilities, to the security posture of the business. Reporting suspicious email allows for additional technical and human analysis. Just a single employee reporting a malicious email is enough for security teams using the right resources to identify and disrupt the attacker before they are able to achieve their mission.

That one employee who has received proper conditioning to recognize and report suspicious email serves as an early warning system – tipping off the security team to an anomaly as soon as it hits the inbox!

PhishMe Triage receives reported suspicious email from employees and organizes and analyzes it through its own security analytic engine as well as security partner integrations. These integrations allow security leaders to maximize their security technology investments and defenses. Triage identifies what is nefarious, and does it through automation rather than inundating security analysts with more reports to dissect.

Integrated PhishMe Phishing Analysis with Palo Alto Networks

Security teams who aspire to accelerate their phishing analysis can do so with the Palo Alto Networks WildFire API integration with PhishMe Triage. As email is reported to security teams operating PhishMe Triage, Palo Alto Networks WildFire customers can harness the integration capabilities to detect and prevent phishing cyberthreats.

Here’s a sample of how PhishMe and Palo Alto Networks are spotting threats that demand security teams’ attention.

  • The analysis results produced by WildFire are strengthened when PhishMe Triage collects and prioritizes reported phishing attacks from PhishMe Reporter™ and maps useful indicators in the workflow.
  • Customers with a valid WildFire subscription simply enter their API credentials into Triage to enable automatic analysis of file attachments. PhishMe Triage supports customer environments that use WildFire in the cloud or an on-premise WF-500 appliance. When configured, these solutions quickly analyze and provide a detailed examination to help security teams determine which threats require immediate attention to remediate or prevent similar attacks.
  • Security teams simply choose the file-types they wish to have automatically analyzed at ingestion. The analysis results are then contained within PhishMe Triage and clustered to allow analysts to swiftly respond to the most critical.
  • PhishMe Triage scrutinizes suspicious email at ingestion and uses the WildFire API to send the file(s) to determine their cyberthreat verdict. Quickly, the analyst receives integration results back into PhishMe Triage with summary detail and a thorough human-readable report illustrating the threat’s characteristics.
  • With PhishMe Triage rule matching, reputation of the employee reporting, threat intelligence, and combined threat analysis from the WildFire cloud, analysts will be confident in their response and automation workflow action. Security teams can manually or programmatically categorize the threat to follow a workflow involving support for leading SIEM providers.

More about WildFire:

Palo Alto Networks WildFire™ cloud-based threat analysis and prevention service analyzes files and links and designates never-before-seen items for further investigation using static and dynamic analysis over multiple operating systems and application versions. If a sample is categorized as malicious, WildFire will automatically generate and populate a holistic set of new preventions to the Palo Alto Networks Next-Generation Security Platform and integration partners, minimizing the risk of infection from both known and unknown threats without any additional, manual action. WildFire correlates global, community-driven threat intelligence from multiple sources across networks, endpoints and clouds to immediately halt threats from spreading. WildFire’s architecture provides granular controls over what data will be submitted for analysis. Elements like file type and session data, as well as choosing the data path and regional WildFire cloud where the analysis and data storage will take place, are all configurable.


To learn more about the Palo Alto Networks Next-Generation Security Platform and WildFire, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

To learn more about PhishMe Triage, visit: http://phishme.com/product-services/triage.

For more information, download the full solution brief.

PhishMe Announces New Premium Features for Flagship Product PhishMe Simulator


Global Phishing Defense Leader Demonstrates Continued Commitment to Innovation via Product Enhancements

SAN FRANCISCO – February 13, 2017 – PhishMe®, the leading provider of human-phishing defense solutions, announced today at RSA Conference 2017 that it has added advanced enhancements to its behavioral conditioning program PhishMe Simulator™ to meet the ever-changing needs of organizations of all sizes.

Got Any Good Phishing TIPs?

PhishMe Intelligence Integrates with Industry Leading Threat Intelligence Platforms (TIPs)

Swimming in a sea of threat intelligence indicators and services, security teams have been working towards effective ways to centralize, de-duplicate, and correlate massive amounts of threat data. The challenge, once this is done, is acting on what matters most. This requires intelligence, not just data.

This is why PhishMe has completed technical integrations with TIP partners Anomali™ and ThreatConnect®. These integrations offer security teams the ability to ingest and correlate phishing-specific indicators with easy-to-act-on impact ratings and contextual reports to make confident security and business decisions.

PhishMe Intelligence customers gain from our human-verified phishing intelligence. What does this mean? It means that our customers receive phishing indicators from daily criminal phishing campaigns such as compromised IP addresses, domains, URLs, hashes, and botnet and command and control infrastructure. These indicators and credible intelligence reports are meticulously maintained and verified by PhishMe security researchers. Customers receive expert phishing intelligence that connects indicators with threat actors’ infrastructure so that security teams can confidently act quickly and accurately in their investigations.

PhishMe precisely delivers timely indicators and intelligence about ransomware, business email compromise, credential-stealing phish, and other malware. It is the timeliness and accuracy that is so crucial because the longer it takes security teams to determine the impact and severity of the threat, the more time the attacker has to plot their next move and achieve their mission.

When PhishMe designates an indicator with a major impact rating, teams can heed this warning and confidently take action. PhishMe doesn’t just tell security teams what is malicious, we explain why something is malicious. This is the context that allows analysts to act on the data analyzed and enriched by trustworthy PhishMe researchers.

PhishMe also helps answer the never-ending question: “Is this a threat to my business?” The Active Threat Reports are contextually rich reports that illustrate threat actor tactics and the neighboring criminal infrastructure that supports their operation. The reports answer the “so what” of an indicator and provide an inside-out view of the threat actor and their tactics.

Security analysts spend less time deducing and more time executing.

Security teams invest in TIPs as a way of bringing multiple sources of data into a centralized location where it can be correlated and then distributed to other systems as part of the workflow. Open source, paid subscription, and industry-specific intelligence exchanges all serve a useful purpose in managing threats to the business. The difficulty is managing vast amounts of data while keeping the signal-to-noise ratio high. As such, TIPs emerged to support the endless need for data analysis and decisive action.

PhishMe Intelligence product management and solution engineers collaborated with TIP providers to complete technical integrations suited for security teams accountable for defending the business.

Conclusion

TIPs emerged to help security analysts who are inundated with information and need to manage it centrally. They’ve become a concentrated repository for security teams to ingest, de-duplicate, analyze, and act on the indicators received. PhishMe’s technical partnerships with Anomali and ThreatConnect will help ensure that the quality of intelligence available is second to none when it comes to indicators of phishing. Phishing is the primary vector of compromise and oftentimes leads to data loss. Consuming human-vetted phishing intelligence into a TIP ensures security teams can be confident in the action they take to protect their business.

Sage and Locky Ransomware Now Sharing Delivery Infrastructure in Phishing Attacks

BY BRENDAN GRIFFIN AND GARY WARNER

Threat actors have demonstrated that despite the past two years’ explosion in new ransomware varieties, ransomware developers still believe that the market has not reached the point of saturation. Examples of encryption ransomware like Sage have made notable appearances on the phishing threat landscape in the early days of 2017, continuing the ransomware trend from 2016.

PhishMe Reports Explosive Growth: Annual Run Rate Approaches $50 Million

Continued Growth Driven by Innovative Offerings and Strong Execution

LEESBURG, VA – January 31, 2017 – PhishMe Inc., the leading provider of human phishing defense solutions, today announced another year of record growth, with Annual Run Rate (ARR) approaching $50 million. PhishMe’s more than 300 employees now serve 1,200 enterprise customers world-wide to defend against cybercriminals, hacktivists and state-sponsored hackers.

PhishMe is a Finalist in 4 Categories for the 13th Annual 2017 Info Security PG’s Global Excellence Awards

We are excited to announce that PhishMe has been selected as a finalist for the 13th Annual 2017 Info Security PG’s Global Excellence Awards in not just 1 but 4 different categories!

  • The first award is for Rohyt Belani, who has been honored as a “CEO of the Year” category winner of the 2017 Info Security Products Guide Global Excellence Awards for the second year in a row.
  • Fellow co-founder and CTO, Aaron Higbee, was honored as a finalist for the “CTO of the Year” category award.
  • PhishMe also was selected as a finalist for the “Best Security Service” and “Best Deployments in U.S.A.” award categories.

These prestigious global awards, put on by one of the industry’s leading information security research and advisory guides, recognize security and IT vendors with advanced, ground-breaking products and solutions that are helping set the bar higher for others in all areas of security and technology.

“It is truly an honor to be recognized as a CEO of the Year by Info Security Products Guide for a second year in a row,” said Belani. “You are only as good as the people you surround yourself with. The real winners are the talented employees at PhishMe. These awards are proof of the hard work and dedication of every member of the PhishMe team.”

Belani and Higbee have led PhishMe from its infancy to a company with more than 200 employees and 892 percent growth in just 3 years, establishing themselves along the way as thought leaders in the cybersecurity industry. The company has secured several other major industry accolades including recognition in the 2016 SC Magazine Awards, Inc 5000 and the Deloitte Fast 500.

PhishMe’s world-class solution has emerged as a dominant force in the phishing threat management space with almost half of the Fortune 100 companies using its platform for attack identification, human-verified intelligence and incident response. The company’s achievements in 2016 have cemented its position as an innovator at the forefront of phishing defense technologies and laid the groundwork for further innovation in the coming years.

We look forward to seeing you all at RSA Conference in San Francisco, where we have two different booths: S1715 in the South Expo and N4601 in the North Expo.


To learn more about the 2017 Info Security PG’s Global Excellence Awards, visit http://www.infosecurityproductsguide.com/world/.

Kovter Ad Fraud Trojan Now Shipping with Locky Ransomware

Over the past couple of months, the PhishMe Research Team has observed Locky ransomware being distributed alongside the Kovter ad fraud trojan. We have looked at this malware distribution channel in the past, and since then the threat actors have evolved from using a fake file encryption threat to using a well-known and effective ransomware family: Locky. In this post we will examine the history of the Kovter actors’ experimentation with ransomware and walk through a sample campaign that our PhishMe Threat Intelligence Team captured.

Ransomware Evolution

The distributors behind Kovter have been experimenting with “ransomware” since as early as January 2016. We place the word in quotation marks because their first attempt at including code that demanded payment was ineffective. These initial attempts were malicious JS email attachments that would only change Windows file extensions on the victim’s computer to “.crypted”. Below is a screenshot of an early ransom note.

[Screenshot] An example of the ransomware instructions seen in earlier attempts.

Then in March of 2016, we saw a shift to actual file encryption by applying XOR to the first 2048 bytes of each file. In April, the threat actors shifted again to the use of 7zip, a legitimate archiving utility, to encrypt files with a static key. In June 2016 the actors started distributing a PHP interpreter along with a script to encrypt the files. A fantastic writeup on the PHP method used by these actors can be found here. They finally shifted to the full-blown ransomware family, Locky, in late October 2016.

[Screenshot] A desktop infected with Locky ransomware now being spread with Kovter.

One analysis artifact that distinguishes Locky campaigns in the wild is the affiliate identification number that gets hardcoded into every Locky infector build. Locky affiliates 1 and 3 are the affiliate IDs most commonly seen in spam campaigns, delivered by the Necurs botnet (an x86 bootkit that contains spam modules). The Locky affiliates 23 and 24 that we are currently seeing distributed with Kovter differ in that their distribution relies on a botnet that uses compromised websites for spamming.

Sample Campaign

Spam messages carrying lures that eventually download Kovter usually use missed-package-delivery wording, as seen in the message sample below.

[Screenshot] Sample lure message.

By viewing the headers of this malicious spam message, we can see that the message appears to originate from a compromised Joomla website, based on the directory structure of the sending script that the webserver prepended to the message. Depending on server configuration, some webservers will add the lines seen in the snippet below when email is sent using the PHP mail() function call.

[Screenshot] PHP email headers contain the Joomla CMS path.

The ZIP archive attached to the email contains an obfuscated JScript file that is capable of downloading Kovter and the Locky ransomware loaders.

[Screenshot] The ZIP attachment contains a malicious JS downloader.

In an effort to defeat malware sandboxes, this initial JScript file sleeps for at least 5 minutes, then writes another obfuscated JScript file to the %TMP% folder and executes it using the WScript.Run method. %TMP% is a Windows environment variable placeholder for the C:\Users\{user}\AppData\Local\Temp\ directory. The resulting, de-obfuscated JScript file runs the ping command in another effort to exceed sandbox timeouts, then downloads two binaries from gatheringmd[.]top, writes them to %TMP%, and executes them, as seen in the code snippet below.

[Screenshot] De-obfuscated JScript that downloads two binaries and executes them both.
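A defensive triage check for the three lure traits described above (a subject built from one of the campaign's templates, a PHP mail() origin header pointing at a CMS path, and a ZIP attachment carrying a script), written as an added example that is not part of the original post or of PhishMe Triage. The subject templates come from the post's Indicators of Compromise list; the X-PHP-Originating-Script header name, the CMS path markers and the sample message are assumptions constructed for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject templates taken verbatim from the post's Indicators of Compromise
# list; {rand} is the campaign's placeholder for a per-message number.
SUBJECT_TEMPLATES = [
    "Courier was unable to deliver the parcel, ID{rand}",
    "Delivery Notification, ID {rand}",
    "Problem with parcel shipping, ID:{rand}",
    "Problems with item delivery, n.{rand}",
    "Shipment delivery problem #{rand}",
    "Unable to deliver your item, #{rand}",
    "We could not delivery your parcel, #{rand}",
    "Fedex parcel #{rand} delivery problem",
    "Notification status of your delivery (FedEx {rand})",
    "Parcel ID{rand} delivery problems, please review",
    "Parcel {rand} delivery notification, USPS",
    "USPS parcel #{rand} delivery problem",
]


def template_to_regex(template):
    """Escape the literal text of a template and let {rand} match digits."""
    parts = [re.escape(p) for p in template.split("{rand}")]
    return re.compile("^" + r"\d+".join(parts) + "$", re.IGNORECASE)


SUBJECT_PATTERNS = [template_to_regex(t) for t in SUBJECT_TEMPLATES]

# Script types Windows Script Host runs on double-click (this lure used .js).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe")

# Assumption: path fragments typical of a Joomla install. The post's header
# screenshot is not reproduced here, so these markers are illustrative.
CMS_PATH_MARKERS = ("joomla", "/components/", "/administrator/", "/modules/")


def triage_message(raw_bytes):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", ""))
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        findings.append("subject matches a known delivery-failure lure template")

    # PHP's mail() adds X-PHP-Originating-Script (uid:script path) when
    # mail.add_x_header is enabled; a CMS path there means a web application,
    # not a mail server, sent the message.
    origin = str(msg.get("X-PHP-Originating-Script", ""))
    if origin and any(m in origin.lower() for m in CMS_PATH_MARKERS):
        findings.append("sent by PHP mail() from a CMS script: " + origin)

    # Look inside ZIP attachments without executing anything in them.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXTS):
                        findings.append("zip %s contains script %s" % (name, member))
        except zipfile.BadZipFile:
            findings.append("zip %s is not a valid archive" % name)
    return findings


def build_sample(malicious=True):
    """Constructed test message; addresses, paths and file names are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    if not malicious:
        msg["Subject"] = "Lunch on Friday?"
        msg.set_content("Are you free at noon?")
        return msg.as_bytes()
    msg["Subject"] = "Shipment delivery problem #4821"
    msg["X-PHP-Originating-Script"] = "33:/var/www/joomla/components/com_mail/send.php"
    msg.set_content("Your parcel could not be delivered. See the attached details.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details_AAAAA.js", "// inert placeholder, not the real downloader\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="details_AAAAA.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```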

The Windows executable 24.exe downloaded from hxxp://gatheringmd[.]top/cb/l2[.]php is an NSIS-packed executable for the Kovter ad fraud trojan loader. Kovter is a “fileless” trojan that stores itself in the Windows registry for persistence and antivirus evasion. Upon execution, the trojan checks in with a command and control location whose URL path usually ends in upload.php or upload2.php, sending infected machine information such as the operating system version, service pack level, the system architecture, and whether any known security programs were detected. Kovter will also check for and install the latest versions of Internet Explorer, the Adobe Flash browser plugin, and the .NET Framework.

The Kovter trojan will then generate web traffic hidden from the victim’s desktop. The malware actors craft search terms, injecting them into browser sessions with their malware, which then “clicks” on advertisements that generate revenue through pay-per-click models. We won’t dive too deep into Kovter analysis since it has been well documented already here (PDF) and here (PDF). Configuration data, seen in Table 1 below, is easily extracted from memory while the trojan is running.

Table 1: Kovter configuration for sample 0d01517ad68b4abacb2dce5b8a3bd1d0

Key            | Value
cp1            | (IP addresses – please see Indicators of Compromise section below)
cptm           | 30
key            | a7887cc809cf0d4df17fc5dafd03e4e7 – MD5 of “smooth”
pass           | 65537::20717578436666370206990156461786566788132748458910865354994919388630407187082788932551065567891365033974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953103877199811371834197299886690010229547993815721647414299018829914480336700775760032044922438942690008663278856440487164946050309668972730239620373400036156807226902415414689227139343695179004305146177952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383023194954613997204876850415109848188765254167924483000246775174171501733414326729845936854172715365200925796295269097
debug          | False
elg            | True
dl_sl          | False
b_dll          | False
nonul          | hxxp://185.117.72[.]90/upload2[.]php
dnet32         | hxxp://download.microsoft[.]com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe
dnet64         | hxxp://download.microsoft[.]com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64[.]exe
pshellxp       | hxxp://download.microsoft[.]com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG[.]exe
pshellvistax32 | hxxp://download.microsoft[.]com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6.0-KB968930-x86[.]msu
pshellvistax64 | hxxp://download.microsoft[.]com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6.0-KB968930-x64[.]msu
pshell2k3x32   | hxxp://download.microsoft[.]com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG[.]exe
pshell2k3x64   | hxxp://download.microsoft[.]com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG[.]exe
cl_fv          | 20
fl_fu          | hxxps://fpdownload.macromedia[.]com/get/flashplayer/current/licensing/win/install_flash_player_22_active_x[.]exe
mainanti       | DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:0:DD17Dal:hxxp://185.117.72[.]90/upload[.]php:al::mainanti

The other Windows executable, 23.exe, downloaded from hxxp://gatheringmd[.]top/ll/l1[.]php, is the loader for Locky ransomware. Locky is written in Visual C++ and contains hard-coded IP addresses for command and control callbacks, although some versions of Locky do not require the victim to have Internet connectivity to start the file encryption process. The following table includes the configuration data we found in this campaign.

Table 2: Locky configuration for sample f3d935f9884cb0dc8c9f22b44129a356

Setting                    | Value
Affiliate ID               | 23
Key                        | RSA1
RSA Key ID                 | 711
RSA Key Size               | 114 (bytes)
DGA Seed                   | 90577
Execution Delay            | None
Svchost Process Persistence | Disabled
Registry Persistence       | Disabled
Ignore Russian Computers   | Enabled
C2 Callback URL Path       | /message.php
C2 Callback Servers        | 109.234.35[.]230, 176.103.56[.]119


Conclusion

Distributors behind Kovter are constantly evolving their ransomware game. We can only speculate why these malware actors would “burn” their foothold on an infected machine where they have also placed profitable ad fraud code. Perhaps the return on investment is much higher with ransomware and preferable to standing up the infrastructure and money laundering channels required for conducting ad fraud. PhishMe Intelligence customers can view more details about this threat in ID 7409.

This specific email template is available in PhishMe Simulator to use in your own scenarios.


How susceptible is your organization to phishing threats? Download our latest Phishing Susceptibility and Resiliency Report to learn how reporting phishing can greatly improve your organization’s security posture.

Indicators of Compromise

..:: Email Subject Lines
Courier was unable to deliver the parcel, ID{rand}
Delivery Notification, ID {rand}
Problem with parcel shipping, ID:{rand}
Problems with item delivery, n.{rand}
Shipment delivery problem #{rand}
Unable to deliver your item, #{rand}
We could not delivery your parcel, #{rand}
Fedex parcel #{rand} delivery problem
Notification status of your delivery (FedEx {rand})
Parcel ID{rand} delivery problems, please review
Parcel {rand} delivery notification, USPS
USPS parcel #{rand} delivery problem


..:: File Hashes


..:: 2nd Stage Downloads
gatheringmd[.]top
post-us-post[.]com


..:: Kovter C2
hxxp://185.117.72[.]90/upload[.]php
hxxp://185.117.72[.]90/upload2[.]php


With apologies to Led Zeppelin fans: The (BEC) Song (Still) Remains the Same

Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam.   Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world.

Just last week, yet another phisher tried to phish PhishMe.  Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s IP address and user-agent.

Since that time, we have seen repeated attempts against our CFO, Sam Hahn, where he receives messages impersonating our CEO, Rohyt Belani.  These messages seek to engage Sam in an exchange regarding an urgent request to make a wire transfer.  Of course, such wires would be fraudulent, but, amazingly, the phish-back technique almost always works.  It has resulted in the identification of as many as five mule accounts at five different banks for one potential transaction.

The Song

With this latest attempt against PhishMe, the phisher has apparently used social media and/or search engine results to identify the name and email address of a staff accountant who reports to Sam Hahn, bypassing Sam’s renowned phish-spotting skills.  But the phisher’s email message landed with another trained reporter at PhishMe, who submitted the message as Suspicious, using the PhishMe Reporter button.  The report fed into our internal PhishMe Triage where we could quickly see that the accountant has a high Reputation Score, indicating that she is good at spotting truly-suspicious messages.  We knew that we should have a look right away at her report, shown in Figure 1 below.  The subject line of the message was the accountant’s first name, and the salutation included her first name.

Figure 1  Initial message from BEC phisher

Then our incident response plan kicked in, and we asked the accountant to reply with an offer to help.  As seen in Figure 2 below, the phisher responded right away with his plea for money to cover a secret international acquisition.  (Ah!  The Intrigue!)

Figure 2  BEC phisher makes plea for a wire transfer

In her response to that second message, our astute accountant indicated that she would need someone else to sign off on the wire transfer, “since it is an international wire.”  She actually copied our incident response team, which later provided a wire “confirmation link” to the phisher.  Figure 3 below shows the third message from the phisher, where he sent wire instructions to the accountant.

Figure 3  The BEC phisher sends wire transfer instructions

Once the mule account was revealed, it was reported to the bank, and our accountant’s associate sent a “confirmation link” that, when clicked by the phisher, revealed the phisher’s physical location.  From the phisher’s point of view, the link re-directed to the login page for the bank hosting the mule account.

The phisher must have been convinced that the wire transfer had been made because the next morning, twenty hours after the initial request, he came back for more.  In Figure 4 below, you can see where he hit up our accountant’s associate (really, our incident response team member) for a double dip.

Figure 4  The BEC phisher returns the next day to request more money

The final part of that thread included instructions for a $165,590 wire, details of an account at a second bank, and a request for a confirmation.

The Investigation

Beyond reporting this to the U.S. government’s Internet Crime Complaint Center at www.ic3.gov, our researchers wanted to dig deeper and document this phisher’s other activity.  It turns out that the lookalike domain name phislhme.com was registered at 1&1 Internet SE on December 15th, the same day as the first spam message to PhishMe, using the email address garyrabine@rabinagroup.com.  When we initially looked into whether that same email address had been used to register other domain names, we found 69 other domain names, all registered within the previous week and all apparently misspellings of domain names in use by real companies.

We took the list of domain names and guessed at which real company each domain was meant to imitate.  We then notified the administrative contacts of record for those legitimate domain names.  Though there was a handful of bounced messages, four companies replied with appreciation, and, so far, one has responded that their company had also received a BEC phishing email.

We checked back again this week to see how many domain names have been registered with 1&1 by this threat actor, and now there is a total of 156 domains.  We notified 1&1 on December 19th and requested that all the names be de-activated.  (see list at this link)
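The lookalike domain in this case, phislhme.com, differs from the real one by a single inserted letter, and the other registrations were also misspellings of real company names. A screen for that pattern on inbound sender domains is shown below as an added example; it is not PhishMe's code or the process used in this investigation. The protected-domain list and all sender addresses except phislhme.com are constructed for illustration, and the edit-distance threshold and the confusable-glyph table are assumptions a team would tune for its own domains.

```python
"""Flag sender domains that imitate a protected domain (added example).

Assumptions (not from the original post): PROTECTED_DOMAINS, the sample
senders other than phislhme.com, the confusable table and the distance
threshold are all constructed for illustration.
"""

# Domains we want to protect: our own plus partners we exchange wire
# instructions with. Constructed list.
PROTECTED_DOMAINS = ["phishme.com", "example-bank.com"]

# Sender addresses to screen. phislhme.com is the lookalike named in the
# post; every other address here is made up.
SAMPLE_SENDERS = [
    "rohyt@phishme.com",        # genuine
    "ceo@phislhme.com",         # one inserted letter
    "ceo@phishme.co",           # TLD swap
    "accounts@phishrne.com",    # 'rn' standing in for 'm'
    "news@unrelated.org",       # unrelated, should not be flagged
    "it@example-bank.com",      # genuine partner
    "it@examp1e-bank.com",      # digit '1' standing in for 'l'
]

# Glyph pairs commonly swapped in lookalike domains; each is folded to a
# canonical form so the substitution costs nothing in the distance check.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def fold_confusables(label: str) -> str:
    """Replace look-alike glyph sequences with the letters they imitate."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def split_domain(domain: str):
    """Return (label, tld) for a domain such as 'phishme.com'.
    Simplification: the part after the last dot is treated as the TLD."""
    domain = domain.lower().rstrip(".")
    label, _, tld = domain.rpartition(".")
    return label, tld


def lookalike_for(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 2):
    """Return the protected domain that `domain` imitates, or None.

    A TLD swap (phishme.co) scores as distance 0 on the label and is
    therefore caught; an exact protected domain is never flagged.
    """
    domain = domain.lower().rstrip(".")
    if domain in protected:
        return None
    label, _ = split_domain(domain)
    folded = fold_confusables(label)
    for candidate in protected:
        plabel, _ = split_domain(candidate)
        if levenshtein(folded, fold_confusables(plabel)) <= max_distance:
            return candidate
    return None


def screen_senders(addresses):
    """Map each sender address that imitates a protected domain to that domain."""
    hits = {}
    for addr in addresses:
        domain = addr.rpartition("@")[2]
        target = lookalike_for(domain)
        if target:
            hits[addr] = target
    return hits


if __name__ == "__main__":
    for addr, target in screen_senders(SAMPLE_SENDERS).items():
        print(f"{addr:28} looks like {target}")
```

The threshold of two edits is generous for short labels and would need lowering (or a minimum label length) on a large protected list, which is why it is a parameter. A mail gateway rule that tags or quarantines hits, rather than silently dropping them, keeps the reporter-driven workflow described in the post intact.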

Takeaways

Though the song remains the same, phishers are constantly evolving their tactics to lead to more success.  In this recent attack, the phisher did not use the word “urgent” or “wire” in the subject line of the email message.  He also opted not to try for the CFO again; he likely found our accountant’s name and email address online and contacted her instead, possibly in hopes that she would feel a sense of urgency to which our CFO has become inured.  Then, when we saw the plea for money, we knew a bit more about why the phisher may have opted to avoid our CFO—it was a secret deal that only the “CEO” could know about.

We also want you to understand that this does not just affect large companies.  Because this scam has been going on for years, some of the larger targets have already been hit, and some have learned very hard lessons.  And with over 150 companies of all sizes spoofed by this one phisher and almost a full day between the two wire requests we received, we think this phisher is very busy.

PhishMe also wants everyone to understand how simple but effective these scams can be.  Learn how to spot them, and make sure your employees are great reporters.  Your staff needs to know that raising a red flag to the appropriate team can make all the difference in the world to your company, preventing the loss of hundreds of thousands of dollars and helping us stamp out this fraud.

Fortifying Defenses with Human-Verified Phishing Intelligence

Mining Phish in the IOCs

PhishMe® and Palo Alto Networks® are providing security teams with the ability to ingest human-verified phishing intelligence in a standard format that can be automatically enforced as new protections for the Palo Alto Networks Next-Generation Security Platform through the MineMeld application. Through this integration, PhishMe and Palo Alto Networks are providing a powerful approach to identifying and preventing potentially damaging phishing attacks.

The challenge of operationalizing threat intelligence

Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it comes to phishing, continues to weigh on the minds of businesses regardless of size. Security teams require the ability to ingest, verify and enforce new protections for potential phishing attacks, all within their existing infrastructure.

Where are the Phish?

PhishMe extends beyond a traditional data feed: customers receive phishing intelligence.  What is the difference between intelligence and traditional data?

Information without context is data. Intelligence is information with context, and context is what security teams require in order to have confidence in their decisions.

PhishMe Intelligence customers receive indicators specific to phishing campaigns, together with the criminal command and control (C2) and botnet infrastructure associated with malware families like Locky, Dyre, and Cerber. These indicators are backed up by threat intelligence reports with verbose context that give security teams insight into attacker TTPs.

PhishMe identifies what is nefarious, but more importantly, why, and what it means.

Integration Tackle Box for PhishMe and Palo Alto Networks

Security teams who wish to easily complement their Palo Alto Networks Next-Generation Security Platform’s security policies with PhishMe Intelligence will need an instance of MineMeld (version 0.9.26 and above) and PhishMe Intelligence API credentials (contact PhishMe for trial access http://phishme.com/product-services/live-demo). MineMeld will ingest intelligence from PhishMe, and can automatically feed new prevention controls to Palo Alto Networks devices, without adding heavy operational burden.

Configuring MineMeld with PhishMe

The following is a step-by-step guide to configuring MineMeld to ingest PhishMe Intelligence phishing URLs, aggregate them, and construct an output that can block malicious URLs in security policies on PAN-OS devices. Before we dive into the configuration of MineMeld, it is important to review the three key concepts behind the application:

  • Miners: responsible for retrieving indicators from configured sources of intelligence and data feeds. Miners bring in new indicators on a configurable, periodic basis, and also age out indicators that are no longer needed.
  • Processor: the processor node aggregates the data obtained by the miners and normalizes it into IPv4, IPv6, URL, or domain indicators. Once aggregated, the data is sent to the output nodes.
  • Output: the output nodes gather data from the processor node and convert it into a format that can be consumed by PAN-OS (and by other, non-PAN-OS external services).

PhishMe Intelligence Miner Node

(Image of Miner Node with API credential example and phishme.intelligence prototype)

Processor Node

(Image of Processor Node using the stdlib.aggregatorURL prototype and the PM_Intel input from the configured Miner)

Output Node

(Image of Output Node using the stdlib.feedHCRedWithValue prototype and the agg_URL_all input from the configured Processor)

Configuration Graph Summary

The configuration graph summarizes the flow of PhishMe Intelligence: the miner collects intelligence, the processor aggregates it, and the output node structures the data so it can be applied to prevent phishing.

(Example of PhishMe Intelligence aggregated and with output URL data for PAN-OS)

Log Detail with URL Indicator and High Confidence rating of 100

The image below represents an example of URL intelligence received in the MineMeld log. This entry identifies a malware payload URL associated with the OfficeMacro and TrickBot (similar to Dyre) families. Analysts can then follow the URL to the Threat Report, which gives executive and technical details about the malware.

The above summarization of the MineMeld setup portrays how easy it is to take very relevant and useful information and structure it so that it can be operationalized with other security investments. Far too often teams have underutilized technical resources or processes that place a strain on the workforce. MineMeld reduces the human burden and provides security teams with the ability to create actionable prevention-based controls.

Phishing Intelligence Operationalized = PhishOps!

Let’s review an example of how to operationalize these indicators of phishing (IoPs) and apply them to a Palo Alto Networks security policy to deny egress traffic to these phishing URLs.

Create New Object in PAN-OS

From the Objects tab, select External Dynamic Lists from the navigational pane. Analysts just need to provide the relevant information to pull in the list of URLs from MineMeld.

(Example of External Dynamic List linking to URL list from MineMeld)

Apply to PAN-OS Security Policy

With the External Dynamic List defined, security policies can now be created based on acceptable criteria. In the case below, inside sources browsing externally and matching the PhishMe Intelligence URLs will be denied.

(Example policy to deny inside to outside web-browsing against PhishMe Intelligence URLs)

FINito! Wrapping up

The same process can be repeated for IP lists and domains and applied according to the phishing threats facing the business. The way MineMeld handles the data it receives makes applying it to the Palo Alto Networks Next-Generation Security Platform very effective. Security teams will need to decide where to apply the policies once MineMeld has compiled the data.
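To make the miner, processor and output stages described above concrete, and to show what the URL, IP and domain lists handed to an External Dynamic List actually look like, here is a miniature of that flow as an added example. It is not MineMeld code and does not call the PhishMe Intelligence API: the feed records, their field names (indicator, type, confidence, malware_family) and their values are constructed for illustration, using reserved example hosts and TEST-NET addresses. The confidence threshold of 100 mirrors the "High Confidence rating of 100" shown in the log detail above.

```python
"""Miner -> processor -> output, in miniature (added example).

Not MineMeld and not the PhishMe Intelligence API. SAMPLE_FEED and its
field names are constructed; the stages mimic the three-node flow so the
shape of the data is visible at each step.
"""
from urllib.parse import urlsplit

# Constructed sample of what a miner might retrieve from a feed.
SAMPLE_FEED = [
    {"indicator": "http://malicious.example/upload.php",  "type": "URL",    "confidence": 100, "malware_family": "TrickBot"},
    {"indicator": "https://malicious.example/upload.php", "type": "URL",    "confidence": 100, "malware_family": "TrickBot"},
    {"indicator": "http://phish.example.net/login/",      "type": "URL",    "confidence": 60,  "malware_family": "Credential phish"},
    {"indicator": "198.51.100.23",                        "type": "IPv4",   "confidence": 100, "malware_family": "Locky"},
    {"indicator": "203.0.113.9:443",                      "type": "IPv4",   "confidence": 100, "malware_family": "Cerber"},
    {"indicator": "c2.example.org",                       "type": "domain", "confidence": 100, "malware_family": "Dyre"},
    {"indicator": "bad-but-low.example",                  "type": "domain", "confidence": 20,  "malware_family": "Unknown"},
]


def mine(feed, min_confidence=100):
    """Miner stage: keep only indicators that meet the confidence threshold."""
    return [rec for rec in feed if rec["confidence"] >= min_confidence]


def to_edl_url(url):
    """PAN-OS URL EDL entries carry no scheme, just 'host/path'.
    Two URLs that differ only in scheme therefore collapse into one entry."""
    parts = urlsplit(url if "://" in url else "//" + url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.netloc + path


def aggregate(records):
    """Processor stage: bucket by indicator type, normalise, de-duplicate in order."""
    buckets = {"URL": [], "IPv4": [], "domain": []}
    seen = set()
    for rec in records:
        kind, value = rec["type"], rec["indicator"]
        if kind == "URL":
            value = to_edl_url(value)
        elif kind == "IPv4":
            value = value.split(":")[0]          # IP lists take addresses, not address:port
        elif kind == "domain":
            value = value.lower().rstrip(".")
        else:
            continue                             # unknown type: drop rather than guess
        if (kind, value) not in seen:
            seen.add((kind, value))
            buckets[kind].append(value)
    return buckets


def render_edl(entries):
    """Output stage: one entry per line, which is the text an EDL fetches."""
    return "".join(entry + "\n" for entry in entries)


def build_feeds(feed, min_confidence=100):
    """Run all three stages and return one rendered list per indicator type."""
    buckets = aggregate(mine(feed, min_confidence))
    return {kind: render_edl(values) for kind, values in buckets.items()}


if __name__ == "__main__":
    for kind, body in build_feeds(SAMPLE_FEED).items():
        print(f"--- {kind} list ---")
        print(body, end="")
```

Filtering on confidence at the miner stage, before aggregation, is what keeps a low-confidence indicator from ever reaching a deny rule; lowering the threshold widens coverage at the cost of more false positives, so it is worth reviewing the low-confidence entries in the log rather than enforcing them blindly.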

The phishing threat is alive and well. The ability to maximize existing security investments and operationalize phishing intelligence with low administrative overhead should make this an enticing way for security teams to tackle it.


More about MineMeld:

MineMeld, by Palo Alto Networks, is an extensible threat intelligence processing framework and the ‘multi-tool’ of threat indicator feeds. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks Next-Generation Security Platforms.

To learn more about the Palo Alto Networks Next-Generation Security Platform, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

To learn more about PhishMe Intelligence, visit: http://phishme.com/product-services/phishing-intelligence/.