Tales from the Trenches: Loki Bot Malware

On March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. As an added “bonus” unknown to the receiver, the emails also carried a malicious attachment designed to siphon data from its targets.

Included is an example of one of these emails along with basic Triage header information.

Each email analyzed contained instructions to open an attached .ace archive file that, when decompressed, revealed a Windows executable containing Loki Bot malware.

Loki Bot is a commodity malware sold on underground sites that is designed to steal private data from infected machines and then submit that data to a command and control host via HTTP POST. This private data includes stored passwords, credentials saved in web browsers, and the contents of a variety of cryptocurrency wallets.

The following Loki Bot executable was identified during our analysis.

Filename        MD5                                Size (bytes)
shellOil.ace    5d70858b154c8b0eb205e84ca7f27a04   118,473
Shell Oil.exe   6a95ae2c90a4a3c5a2c1ce3eaf399966   245,760

Upon infecting a machine, this malware performs a callback to the following command and control host, reporting the new infection and submitting any private data stolen during the infection process.

Command and Control URL           IP Address        Location
hxxp://elmansy.net/pdf/fre.php    118.193.173.208   China

The command and control domain ‘elmansy.net’ was registered almost exactly a year earlier, on 2016-03-18, using the email address sherif-elfmannsy@hotmail.com. The IP address shows that the domain is hosted out of Jiangsu, China.

Take Away

As always, PhishMe cautions our customers to be wary of emails requesting information or promising a reward. Specific to this sample, we recommend that customers watch for emails containing the subject line “Request for quotation” or emails promising business from new or unknown companies. PhishMe Simulator customers who feel this type of offer might succeed against their employees should consider launching simulations that follow this style of attack to further train their users.

Additionally, incident responders should consider blocking the domain and IP address listed above, as well as searching endpoint systems for the two MD5s if internal tooling supports it.
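An added example (not from the original PhishMe post) that turns the take-away above into a hunt: it hashes files under a directory against the two listed MD5s and scans web-proxy log lines for the command and control host, its IP, and the exact callback URL. The proxy log format, the log lines, and the file contents are constructed assumptions.

```python
"""
Hunt for the Loki Bot indicators from the analysis above in two places:
local files (by MD5) and proxy log lines (by C2 host, IP and callback URL).
Added example, not PhishMe's tooling. All sample data below is constructed.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Indicators copied from the tables above (the hxxp:// defanging is undone here
# only so urlparse can split the URL; nothing in this script contacts it).
LOKI_MD5S = {
    "5d70858b154c8b0eb205e84ca7f27a04": "shellOil.ace",
    "6a95ae2c90a4a3c5a2c1ce3eaf399966": "Shell Oil.exe",
}
C2_URL = "http://elmansy.net/pdf/fre.php"
C2_HOST = "elmansy.net"
C2_IP = "118.193.173.208"

# Assumed proxy log layout: "<timestamp> <client-ip> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def md5_of_file(path, chunk=1 << 16):
    """MD5 is used only because that is the hash the post publishes."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_files(root, indicators=LOKI_MD5S):
    """Walk `root` and return [(path, md5, known_sample_name)] for hash matches."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in indicators:
                hits.append((path, digest, indicators[digest]))
    return hits


def hunt_proxy_logs(lines):
    """Return [(ts, client, kind, url)] for requests to the C2 host or IP.

    A POST to the fre.php path is the data-exfiltration callback described
    above ("callback"); any other contact with the host or IP is "c2-contact".
    Lines that do not fit the assumed format are skipped, not flagged.
    """
    hits = []
    c2_path = urlparse(C2_URL).path
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parsed = urlparse(m.group("url"))
        if (parsed.hostname or "") not in (C2_HOST, C2_IP):
            continue
        is_callback = m.group("method") == "POST" and parsed.path == c2_path
        kind = "callback" if is_callback else "c2-contact"
        hits.append((m.group("ts"), m.group("client"), kind, m.group("url")))
    return hits


def demo():
    """Run both hunts on constructed data; returns (file_hits, log_hits)."""
    log_lines = [  # constructed: one callback POST, one probe of the IP, one benign request
        "2017-03-15T10:02:11Z 10.0.0.25 POST http://elmansy.net/pdf/fre.php 200",
        "2017-03-15T10:02:12Z 10.0.0.25 GET http://118.193.173.208/pdf/ 404",
        "2017-03-15T10:03:00Z 10.0.0.31 GET https://example.com/index.html 200",
    ]
    log_hits = hunt_proxy_logs(log_lines)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"harmless constructed file\n")
        stand_in = os.path.join(root, "Shell Oil.exe")
        with open(stand_in, "wb") as f:
            f.write(b"constructed stand-in, not the real sample\n")
        # The real sample bytes are not on the page, so the stand-in's own MD5 is
        # registered as the indicator; with real samples use LOKI_MD5S directly.
        file_hits = hunt_files(root, {md5_of_file(stand_in): "Shell Oil.exe"})
        file_hits = [(os.path.basename(p), name) for p, _, name in file_hits]
    return file_hits, log_hits


if __name__ == "__main__":
    print(demo())
```

Feeding the real proxy export into hunt_proxy_logs and the real MD5 set into hunt_files is the only change needed to run it for real; contacts with the host that are not the fre.php POST still merit a look, since they may be stage-one downloads rather than exfiltration.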

The Phishing Defense Center is the hub for our remotely managed PhishMe Triage services. The fully staffed center manages all internally reported emails for a number of organizations. All information shared has been cleansed of any identifiable data.

Got Any Good Phishing TIPs?

PhishMe Intelligence Integrates with Industry Leading Threat Intelligence Platforms (TIPs)

Swimming in a sea of threat intelligence indicators and services, security teams have been working towards effective ways to centralize, de-duplicate, and correlate massive amounts of threat data. The challenge, once this is done, is acting on what matters most. This requires intelligence, not just data.

This is why PhishMe has completed technical integrations with TIP partners Anomali™ and ThreatConnect®. These integrations offer security teams the ability to ingest and correlate phishing-specific indicators with easy-to-act-on impact ratings and contextual reports to make confident security and business decisions.

PhishMe Intelligence customers gain from our human-verified phishing intelligence. What does this mean? It means that our customers receive phishing indicators from daily criminal phishing campaigns such as compromised IP addresses, domains, URLs, hashes, and botnet and command and control infrastructure. These indicators and credible intelligence reports are meticulously maintained and verified by PhishMe security researchers. Customers receive expert phishing intelligence that connects indicators with threat actors’ infrastructure so that security teams can confidently act quickly and accurately in their investigations.

PhishMe precisely delivers timely indicators and intelligence about ransomware, business email compromise, credential-stealing phish, and other malware. It is the timeliness and accuracy that is so crucial because the longer it takes security teams to determine the impact and severity of the threat, the more time the attacker has to plot their next move and achieve their mission.

When PhishMe designates an indicator with a major impact rating, teams can heed this warning and confidently take action. PhishMe doesn’t just tell security teams what is malicious, we explain why something is malicious. This is the context that allows analysts to act on the data analyzed and enriched by trustworthy PhishMe researchers.

PhishMe also helps answer the never-ending question, “Is this a threat to my business?” The Active Threat Reports are contextually rich reports that illustrate threat actor tactics and the neighboring criminal infrastructure that supports their operation. The reports take the “so what” of an indicator and provide an inside-out view of the threat actor and their tactics.

Security analysts spend less time deducing and more time executing.

Security teams invest in TIPs as a way of bringing multiple sources of data into a centralized location that can be correlated and then distributed to other systems as part of the workflow. Open source, paid subscription, and industry-specific intelligence exchanges, all provide a useful purpose in managing threats to the business. The difficulty is managing vast amounts of data and ensuring a low signal-to-noise ratio. As such, TIPs emerged to support the endless need for data analysis and decisive action.

PhishMe Intelligence product management and solution engineers collaborated with TIP providers to complete technical integrations suited for security teams accountable for defending the business.

Conclusion

TIPs emerged to help security analysts who are inundated with information and need to manage it centrally. They’ve become a concentrated repository for security teams to ingest, de-duplicate, analyze, and act on the indicators received. PhishMe’s technical partnerships with Anomali and ThreatConnect will help ensure that the quality of intelligence available is second to none when it comes to indicators of phishing. Phishing is the primary vector of compromise and oftentimes leads to data loss. Consuming human-vetted phishing intelligence in a TIP ensures security teams can be confident in the action they take to protect their business.

Sage and Locky Ransomware Now Sharing Delivery Infrastructure in Phishing Attacks

BY BRENDAN GRIFFIN AND GARY WARNER

Threat actors have demonstrated that despite the past two years’ explosion in new ransomware varieties, ransomware developers still believe that the market has not reached the point of saturation. Examples of encryption ransomware like Sage have made notable appearances on the phishing threat landscape in the early days of 2017, continuing the ransomware trend from 2016.

PhishMe Reports Explosive Growth: Annual Run Rate Approaches $50 Million

Continued Growth Driven by Innovative Offerings and Strong Execution

LEESBURG, VA, January 31, 2017: PhishMe Inc., the leading provider of human phishing defense solutions, today announced another year of record growth, with Annual Run Rate (ARR) approaching $50 million. PhishMe’s more than 300 employees now serve 1,200 enterprise customers world-wide to defend against cybercriminals, hacktivists and state-sponsored hackers.

PhishMe is a Finalist in 4 Categories for the 13th Annual 2017 Info Security PG’s Global Excellence Awards

We are excited to announce that PhishMe has been selected as a finalist for the 13th Annual 2017 Info Security PG’s Global Excellence Awards in not just 1 but 4 different categories!

  • The first award is for Rohyt Belani, who has been honored as a “CEO of the Year” category winner of the 2017 Info Security Products Guide Global Excellence Awards for the second year in a row.
  • Fellow co-founder and CTO, Aaron Higbee, was honored as a finalist for the “CTO of the Year” category award.
  • PhishMe also was selected as a finalist for the “Best Security Service” and “Best Deployments in U.S.A.” award categories.

These prestigious global awards, put on by one of the industry’s leading information security research and advisory guides, recognize security and IT vendors with advanced, ground-breaking products and solutions that are helping set the bar higher for others in all areas of security and technology.

“It is truly an honor to be recognized as a CEO of the Year by Info Security Products Guide for a second year in a row,” said Belani. “You are only as good as the people you surround yourself with. The real winners are the talented employees at PhishMe. These awards are proof of the hard work and dedication of every member of the PhishMe team.”

Belani and Higbee have led PhishMe from its infancy to a company with more than 200 employees and 892 percent growth in just 3 years, establishing themselves along the way as thought leaders in the cybersecurity industry. The company has secured several other major industry accolades including recognition in the 2016 SC Magazine Awards, Inc 5000 and the Deloitte Fast 500.

PhishMe’s world-class solution has emerged as a dominant force in the phishing threat management space with almost half of the Fortune 100 companies using its platform for attack identification, human-verified intelligence and incident response. The company’s achievements in 2016 have cemented its position as an innovator at the forefront of phishing defense technologies and laid the groundwork for further innovation in the coming years.

We look forward to seeing you all at RSA Conference in San Francisco, where we have two different booths: S1715 in the South Expo and N4601 in the North Expo.


To learn more about the 2017 Info Security PG’s Global Excellence Awards, visit http://www.infosecurityproductsguide.com/world/.

Employee reporting of suspicious emails substantially outweighs susceptibility to attacks

Following a thorough analysis of 40 million phishing simulation emails, PhishMe’s latest research measures global susceptibility and resilience to phishing threats

LEESBURG, VA, December 13, 2016: PhishMe Inc., the leading provider of human phishing defense solutions, today released its 2016 Enterprise Phishing Susceptibility and Resiliency Report, which illustrates employee susceptibility to phishing emails and resilience improvements when engaged in security reporting. With phishing still the most common cyber-attack vector leading to data breach, the report analyzes the most successful triggers, themes and emotional motivators leading employees to fall for phishing emails, as well as how reporting can drive a decrease in time to attack detection from days to minutes.

The PhishMe research teams analyzed data compiled from over 40 million phishing simulations performed between January 2015 and July 2016. Responses were gathered from a sample of over 1,000 PhishMe customers across the globe, including Fortune 500 and public sector organizations from 23 industry verticals. Published today, PhishMe’s 2016 Enterprise Phishing Susceptibility and Resiliency Report identified the following insights:

  • Business context phishing simulation emails still the most challenging: Office communications and finance-related themes generated the highest susceptibility rates, with 19.9 percent and 18.6 percent respectively, driven by sentiments of curiosity, fear and urgency.
  • Reporting outweighs susceptibility to phishing: Over a relatively short amount of time, reporting rates bypass susceptibility rates when at least 80% of the company has been conditioned to identify and empowered to report suspicious emails.
  • Active reporting can significantly decrease breach detection times: Samples analyzed show that reporting of suspicious emails reduced security team response time to approximately 1.2 hours, against the current industry average of 146 days to detect a security breach.

PhishMe’s analysis revealed that business or office-related phishing emails proved to be the most effective simulations, as well as the most difficult for users to recognize and report. Phishing emails with sentiments of curiosity, fear and urgency scored the highest percentage in average response rates, suggesting that employees are at risk of increased susceptibility to phishing campaigns that include an emotional pull, even at a subconscious level.

“Our analysis shows that continued exposure to simulations lowers the chance of an employee falling for a phishing email – the key being consistent exposure,” stated Aaron Higbee, Co-Founder and CTO at PhishMe. “Once employees are conditioned to identify phishing attacks, our data shows that reporting them to the IT Security team starts to outweigh organizational susceptibility. It only takes one employee to report a targeted attack to give incident response teams a chance to stop a potential data breach. Armed with this new data, we hope that more CISOs focus their attention on the ratio of Report-To-Click instead of dwelling on susceptibility metrics.”

The 2016 Enterprise Phishing Susceptibility and Resiliency Report also analyzes variances in phishing simulation response by theme, emotional trigger, and average response rate per industry. Looking at one particular phishing email type, the “file from scanner” scenario generated the highest response rate in the transportation sector at 49 percent, followed by healthcare at 31 percent and insurance at 30 percent. On the other hand, the non-profit sector scored the lowest response rate, at 5 percent.

“Understanding what motivates your employees to open or fall for a phish is a critical step in building their resiliency to attacks and enabling faster incident response,” continued Higbee. “At its core, a phishing simulation program allows organizations to assess, measure, educate and empower all employees about phishing threats while creating a wider net of human sensors to help reduce the risk of a full-blown data breach.”


To download a full copy of the 2016 Enterprise Phishing Susceptibility and Resiliency Report, click here.

A Warning on Christmas Delivery Scams

The time of year has once again arrived when post offices are busier than the freeway on a Friday evening. We buy gifts, online and in stores, and we send and expect packages to and from the far corners of the country, continent, and even the world.

Yet behind this frenzy of merriment skulks a series of dangers. Although Christmas is still more than a month away, holiday scammers have already been active in various areas across the US. For a number of years, security experts have come to expect a spike in the number of internet scams spotted around the festive period, from fake deal websites to counterfeit greeting ecards. One example is becoming highly popular among threat actors and is well positioned to trick even the most security-aware individual: failed delivery phishing scams.

UPS estimates that in the U.S. more than 630 million packages were delivered to shoppers during the holiday period last year, and FedEx predicts 317 million shipments between Black Friday and Christmas Eve. With all this holiday mail, not to mention everyone out and about preparing for their celebrations, it is not surprising to find a “delivery failed” notice in your inbox. If the message concerns something needed by Christmas, the annoyance at having to re-organize a delivery can make us act rashly and even foolishly.

It is widely known that the keys to successful social engineering are fear and greed. When presented with compelling stimuli in these categories, criminals can count on a significant number of their potential victims briefly suspending their information security awareness training and clicking the link. As Christmas approaches, certain malware families such as ASProx may see high-volume spikes, taking advantage of shoppers lowering their guard. In December 2014, spammers used ASProx to deliver fear in the form of a Failed Delivery email from big, respected brands like CostCo, BestBuy, and Walmart. Recall that PhishMe’s Gary Warner identified more than 600 hacked websites that were used as intermediaries to evade detection: the spammed links pointed to websites that had been “known to be good” until the morning of the attack.

So who should be on the lookout for these scams, and what can be done to protect Christmas shoppers?

Basically everyone, from individual consumers to massive businesses, should be on high alert. Though we should not let scammers turn shoppers into paranoid victims, being able to spot the details that reveal a scam can be the only thing standing between a scammer and your personal or company bank account details. While Christmas scams are thought of as dangerous, if the computer used to access these websites is a company or government computer, these scams can have a wide-ranging and long-term impact. And with nearly , this is a subject to take extremely seriously.

So be vigilant, and have a very merry (and scam-free) holiday season.


Did you know that 97% of phishing emails delivered in 2016 contained ransomware? Learn more by downloading our latest Q3 Malware Review.

SC Magazine Awards Recognize PhishMe as Finalist in Best IT Security-Related Training Platform Category for the Second Year in a Row

Fresh off our win in the same category last year, we’re thrilled that PhishMe Simulator has been chosen as a finalist once again in the 2017 SC Magazine Awards for Best IT Security-Related Training Platform. The award highlights companies and organizations that provide end-user awareness training programs for enterprises to ensure that employees are knowledgeable and supportive of IT security and risk management plans.

We’ve worked hard to live up to the honor of winning this prestigious award and many others such as being named a leader in the Gartner Magic Quadrant for Security Awareness Computer Based Training.

This industry recognition reinforces PhishMe’s commitment to delivering the best solutions to combat today’s top cyberthreats such as phishing emails and their malicious intent – whether malware, BEC or credential theft. These types of attacks show no signs of slowing down – and neither will PhishMe. Just recently, Europol named ransomware the top cybercrime threat and our own PhishMe Q3 Malware Review showed that 97 percent of phishing emails now contain some form of ransomware.

As the reigning winner of this award, we have strived to spread our philosophy that Awareness is Not Enough. By leveraging our unique approach to phishing defense, our customers have been able to train their employees to be security assets instead of vulnerabilities by behaviorally conditioning them to identify and report threats. As such, we look forward to being considered by the judges as a finalist for another year in the training program category.

By empowering employees with the proper conditioning needed to detect and report malicious phishing emails, our users quickly and efficiently assess organizational risk, identify areas for additional improvement as well as provide security teams with effective intelligence that allows them to respond to incidents in a timely manner. In some cases, this type of conditioning has reduced a company’s overall susceptibility by more than 95 percent.

We’re excited to find out if we’ve made the cut again during the awards ceremony on Tuesday, February 14, 2017 at the Intercontinental San Francisco. Wish us luck!


To learn more about the SC Magazine Awards, visit https://www.scmagazine.com/awards/

Learn more about our multi-lingual, complimentary, computer based training – PhishMe CBFree.

Ransomware Delivered by 97% of Phishing Emails by end of Q3 2016 Supporting Booming Cybercrime Industry

PhishMe Q3 Malware Review finds encryption ransomware has hit record levels, while ‘quiet malware’ remains a significant threat

LEESBURG, VA, November 17, 2016: PhishMe Inc., the leading provider of human phishing defense solutions, released findings today that show the proportion of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 from 92 percent in Q1. Remaining at the forefront is the Locky encryption ransomware, which has introduced a number of techniques to resist detection during the infection process.

Published today, PhishMe’s Q3 2016 Malware Review identified three major trends that were previously recorded throughout 2016 but have come to full fruition in the last few months:

  • Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity
  • Ransomware encryption: The proportion of phishing emails analyzed that delivered some form of ransomware has grown to 97.25 percent, leaving only 2.75 percent of phishing emails to deliver all other forms of malware utilities
  • Increase in deployment of ‘quiet malware’: PhishMe identified an increase in the deployment of remote access Trojan malware like jRAT, suggesting that these threat actors intend to remain within their victims’ networks for a long time

During the third quarter of 2016, PhishMe Intelligence conducted 689 malware analyses, a significant increase over the 559 analyses conducted during Q2 2016. Research reveals that the increase is due, in large part, to the consistent deployment of the Locky encryption ransomware. Locky executables were the most commonly identified file type during the third quarter, with threat actors constantly evolving the ransomware to keep its delivery process as effective as possible.

“Locky will be remembered alongside 2013’s CryptoLocker as a top-tier ransomware tool that fundamentally altered the way security professionals view the threat landscape,” explained Aaron Higbee, CTO and Co-founder, PhishMe. “Not only does Locky distribution dwarf all other malware from 2016, it towers above all other ransomware varieties. Our research has shown that the quarter-over-quarter number of analyses has been on a steady increase, since the malware’s introduction at the beginning of 2016, and thanks to its adaptability, is showing no signs of slowing down.”

While ransomware dominates the headlines, the Q3 PhishMe Malware Review reveals that other forms of malicious software delivered using remote access Trojans, keyloggers and botnets still represent a significant hazard in 2016. Unlike ransomware, so-called ‘quiet malware’ is designed to avoid detection while maintaining a presence within the affected organization for extended periods of time. While only 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of unique malware samples delivered by these emails far exceeded that of the more numerous ransomware delivery campaigns.

Rohyt Belani, CEO and Co-founder of PhishMe added, “The rapid awareness and attention on ransomware has forced threat actors to pivot and iterate their tactics on both payload and delivery tactics. This sustained tenacity shows that awareness of phishing and threats is not enough. Our research shows that without a phishing defense strategy, organizations are susceptible to not just the voluminous phishing emails used to deliver ransomware, but also the smaller and less-visible sets of emails used to deliver the same malware that has been deployed for years. Only by preparing for these attacks is it possible to empower users to act as both human sensors for detecting attacks and partners in preventing threat actors from succeeding.”

To download a full copy of the Q3 2016 Malware Review, click here.


About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

PhishMe Ranked No. 152 Fastest Growing Company in North America on Deloitte’s 2016 Technology Fast 500™

Company Attributes Massive Revenue Growth to its Unique Approach to Preventing and Mitigating Cyber Attacks

Leesburg, VA – November 17, 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, today announced it ranked No. 152 on Deloitte’s Technology Fast 500™, a ranking of the 500 fastest growing technology, media, telecommunications, life sciences and energy tech companies in North America based on revenue growth. PhishMe grew 564.1 percent over the last three years, as enterprises implement its suite of products to mitigate cybersecurity threats.

“The unprecedented increase in frequency and damage caused by cyberattacks in the recent past has created a demand for innovative defensive solutions that can adapt to the attackers’ changing tools and techniques,” said Rohyt Belani, PhishMe CEO. “Our dogged focus on innovation followed through with strong execution have supported the company’s explosive growth over the last three years. We are honored to be recognized on this coveted list by Deloitte.”

“Today, when every organization can be a tech company, the most effective businesses not only foster the courage to explore change, but also encourage creativity in using and applying existing assets in new ways, as resourcefully as possible,” said Sandra Shirai, principal, Deloitte Consulting LLP and U.S. technology, media and telecommunications industry leader. “This ingenious approach to innovation calls for the encouragement of curiosity and collaboration both within and outside the office walls.”

“This year’s Fast 500 winners showcase that when organizations are open to diverse perspectives and insights, they are able to create an environment for their employees and customers to see the possibilities and ingenious solutions that might lie ahead,” added Jim Atwell, national managing partner of the emerging growth company practice, Deloitte & Touche LLP. “Entrepreneurial environments foster change and innovation within businesses, and we look forward to watching these companies continue to drive change across all sectors.”

PhishMe, Inc. previously ranked number 99 as a Technology Fast 500™ award winner for 2015. Overall, 2016 Technology Fast 500™ companies achieved revenue growth ranging from 121 percent to 66,661 percent from 2012 to 2015, with median growth of 290 percent.

About Deloitte’s 2016 Technology Fast 500™

Deloitte’s Technology Fast 500 provides a ranking of the fastest growing technology, media, telecommunications, life sciences and energy tech companies – both public and private – in North America. Technology Fast 500 award winners are selected based on percentage fiscal year revenue growth from 2012 to 2015.

In order to be eligible for Technology Fast 500 recognition, companies must own proprietary intellectual property or technology that is sold to customers in products that contribute to a majority of the company’s operating revenues. Companies must have base-year operating revenues of at least $50,000 USD, and current-year operating revenues of at least $5 million USD. Additionally, companies must be in business for a minimum of four years and be headquartered within North America.

As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
