Tax-time Phishing: A Global Problem

I don’t think anyone likes to do taxes… unless you’re an accountant. Maybe.

Collecting all the documents, knowing which ones are needed, completing them in time, and handing over payments is a headache for individuals and companies alike. Phishing threat actors know this and will try to take advantage.

The United States Internal Revenue Service provides lots of resources about recent and relevant phishing attacks and scams targeting American taxpayers. Their international counterparts in the United Kingdom and Australia also provide extensive resources on recent attacks impacting their taxpayers. One important aspect of the material provided by these organizations is the delineation between what communication can be expected from each taxation authority and what forms of communication should be considered suspicious. For example, the Internal Revenue Service states that, “The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”

The most common social engineering tactics utilized by threat actors appeal to fear, uncertainty, and doubt—three things that, for some, go together with the tax filing season. Often, threat actors will use phishing narratives that threaten the recipient with legal action because they supposedly failed to properly file their taxes. Other techniques use reminders or “helpful hints” appealing to recipients’ uncertainty and desire to take the best route for doing their taxes. These messages are often used to deliver malware tools designed to steal personal and corporate information. However, other threat actors take a still-more direct route inspired by the CEO fraud and BEC attacks that have become very popular and very, very profitable. In these scenarios, the threat actors impersonate a VIP within a company or organization and simply request that someone in the company’s human resources department simply send a copy of all the income reporting forms for every employee in the company.

Both techniques embody an interesting intersection that belies how threat actors operate. Threat actors often seek to infect the largest number of users possible with their malware tools. This allows them to maximize their opportunities for monetizing their malware deployments whether the malware in use is designed to provide access to private information or to simply encrypt it and demand a ransom payment. One example identified by PhishMe Intelligence in December 2016 targets individuals by offering up unsolicited tax advice regarding retirement savings. Attacks like these, if directed to victims outside of a firm or organization, can be used to impact those victims as individuals only.

Figure 1 – Unsolicited tax advice has been observed as an avenue for delivering malware

Threat actors have recognized this and some have adjusted their strategy. As a result, they have introduced attacks that take advantage of the intersection of two contemporary techniques.

First, they employ elements of soft targeting, a strategy in which phishers cast a wide net using a narrative intended to appeal to a class of individual. A prolific example of soft targeting is the ever-present “resume” phishing theme intended to disproportionately impact human resources personnel. Similarly, many tax-themed phishing campaigns are designed to disproportionately impact financial and accounting professionals within companies so the threat actor can gain access to the greatest amount of sensitive information at once. Whether the attack is designed to deliver a tool to steal financial information or hold it for ransom, threat actors appeal to accounting professionals’ careful handling of tax matters.

Second, phishers blend their techniques with the CEO fraud or BEC strategies by imposing a fake demand that an accounting professional turn over a company’s W-2 information for “review” by an imposter company VIP. These fraudulent requests are directed to someone within the organization responsible for fulfilling the requirement that tax information be completed promptly and accurately. The threat actor is therefore linking together the pressure of responding to senior management with the pressure of completing taxation paperwork promptly. The result if a compelling narrative that the threat actor hopes will result in the turnover of sensitive information about a company’s employees—simply by asking for it.

An example of the former was used to deliver the Spora Ransomware in January 2017 using a lure informing the victim that a “loyalty” tax refund may be available to them. With the listed sender “IndustrialandCommercial[.]com”, this was intended to resemble an opportunity for the recipient to learn more about a tax break to which their company may be entitled.

Figure 2 – Other campaigns have attempted to pitch a tax break to recipients

 

These appeals are not unique to the United States. Threat actors have frequently abused the names and impersonated representatives of taxation authorities around the world. Examples collected by PhishMe Intelligence in just past two months include emails delivering malware through impersonation of Australian, Brazilian, Indian, and Italian tax authorities. Each example delivered some form of malware utility used to carry out the theft of sensitive information.

Figure 3 – Australian Tax Office impersonated to deliver malware

Figure 4 – Increased diversity in impersonated tax authorities over the past year

Figure 5 – Examples include full internationalization in language selection

 

While these threat actors all sought to deliver some malware tools to their victims, threat actors requesting sensitive information have been active this year as well. The rash of BEC and CEO fraud scams that netted criminals around the world more than 3 billion dollars and lost US victims just shy of a billion dollars as of June 2016 per FBI reporting. Emulating this technique, other threat actors target the private, personal information of companies’ employees by sending emails to custodians of W-2 information while impersonating a member of a company’s top-level management. These emails simply ask individuals to turn over to the criminal all the W-2 information for the company.

Like taxes, it’s clear these types of attacks are not going away anytime soon. However, through consistent training organizations can battle these types of threats and potentially lower their impact. It’s important to remember that the IRS will never ask you for any sensitive information in an email, and when in doubt, go directly to the IRS website instead of following links in emails.

Now, there are 3 things about which you can be sure: Death, Taxes and Phishing!

PhishMe Triage Integrates with Palo Alto Networks WildFire Cloud to Combat Phishing

Integration Pairs Efficient and Expedient Phishing Incident Response with Integrated Threat Analysis and Prevention

PhishMe® and Palo Alto Networks® technologies equip security teams with enhanced protection against phishing threats.

Conditioning employees to detect and report suspicious email is a strategy security leaders have adopted to protect the business and empower employees to become a defensive asset. PhishMe Triage™ ingests employee-reported suspicious email – allowing security teams to quickly assess and respond to threats. PhishMe Triage now integrates with Palo Alto Networks WildFire™ cloud-based threat analysis and prevention capabilities to provide an even more formidable approach to identifying and preventing potentially damaging phishing attacks.

When Phish Swim Through the ‘Net

As attackers continue to innovate, preventing successful execution of email with malicious intent will continue to be a challenge if it makes it to the inbox. Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. A key defensive tactic is to condition employees to identify and report suspicious email to security teams for analysis. Yet, security teams need to be efficient and can’t afford to be bogged down with manual processing and analysis when responding to incidents. High functioning security teams must automate the ability to ingest, verify and enforce new protections for potential phishing attacks, all within their existing infrastructure.

Empowered Employees and Technology – Catchin’ Phish!

PhishMe Research has proven that employees who are conditioned to report suspicious email are assets, not liabilities, to the security posture of the business. Reporting suspicious email allows for additional technical and human analysis. Just a single employee reporting a malicious email is enough for security teams using the right resources to identify and disrupt the attacker before they are able to achieve their mission.

That one employee who has received proper conditioning to recognize and report suspicious email serves as an early warning system – tipping off the security team to an anomaly as soon as it hits the inbox!

PhishMe Triage receives reported suspicious email from employees and organizes and analyzes through its own security analytic engine as well as security partner integrations. These integrations allow security leaders to maximize their security technology investments and defenses. Triage identifies what is nefarious, and does it through automation rather than inundating security analysts with more reports to dissect.

Integrated PhishMe Phishing Analysis with Palo Alto Networks

Security teams who aspire to accelerate their phishing analysis can do so with the Palo Alto Networks WildFire API integration with PhishMe Triage. As email is reported to security teams operating PhishMe Triage, Palo Alto Networks WildFire customers can harness the integration capabilities to detect and prevent phishing cyberthreats.

Here’s a sample of how PhishMe and Palo Alto Networks are spotting threats that demand security teams’ attention.

  • The analysis results produced by WildFire are strengthened when PhishMe Triage collects and prioritizes reported phishing attacks from PhishMe Reporter™ and maps useful indicators in the workflow.
  • Customers with a valid WildFire subscription simply enter their API credentials into Triage to enable analysis of file attachments automatically. PhishMe Triage supports customer environments who utilize WildFire in the cloud or an on-premise WF-500 appliance. When configured, these solutions quickly analyze and provide a detailed examination to help security teams determine which threats require immediate attention to remediate or prevent similar attacks.
  • Security teams simply choose the file-types they wish to have automatically analyzed at ingestion. The analysis results are then contained within PhishMe Triage and clustered to allow analysts to swiftly respond to the most critical.
  • PhishMe Triage scrutinizes suspicious email at ingestion and uses the WildFire API to send the file(s) to determine their cyberthreat verdict. Quickly, the analyst receives integration results back into PhishMe Triage with summary detail and a thorough human-readable report illustrating the threat’s characteristics.
  • With PhishMe Triage rule matching, reputation of the employee reporting, threat intelligence, and combined threat analysis from the WildFire cloud, analysts will be confident in their response and automation workflow action. Security teams can manually or programmatically categorize the threat to follow a workflow involving support for leading SIEM providers.

More about WildFire:

Palo Alto Networks WildFire™ cloud-based threat analysis and prevention service analyzes files and links and designates never-before-seen items for further investigation using static and dynamic analysis over multiple operating systems and application versions. If a sample is categorized as malicious, WildFire will automatically generate and populate a holistic set of new preventions to the Palo Alto Networks Next-Generation Security Platform and integration partners, minimizing the risk of infection from both known and unknown threats without any additional, manual action. WildFire correlates global, community-driven threat intelligence from multiple sources across networks, endpoints and clouds to immediately halt threats from spreading. WildFire’s architecture provides granular controls over what data will be submitted for analysis. Elements like file type and session data, as well as choosing the data path and regional WildFire cloud where the analysis and data storage will take place, are all configurable.

 

To learn more about the Palo Alto Networks Next-Generation Security Platform and WildFire, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform.

To learn more about the PhishMe Triage, visit: http://phishme.com/product-services/triage.

For more information, download the full solution brief.

Got Any Good Phishing TIPs?

PhishMe Intelligence Integrates with Industry Leading Threat Intelligence Platforms (TIPs)

Swimming in a sea of threat intelligence indicators and services, security teams have been working towards effective ways to centralize, de-duplicate, and correlate massive amounts of threat data. The challenge is once this is done, acting on the what matters most. This requires intelligence, not just data.

This is why PhishMe has completed technical integrations with TIP partners Anomali™ and ThreatConnect®. These integrations offer security teams the ability to ingest and correlate phishing-specific indicators with easy-to-act-on impact ratings and contextual reports to make confident security and business decisions.

PhishMe Intelligence customers gain from our human-verified phishing intelligence. What does this mean? It means that our customers receive phishing indicators from daily criminal phishing campaigns such as compromised IP addresses, domains, URLs, hashes, and botnet and command and control infrastructure. These indicators and credible intelligence reports are meticulously maintained and verified by PhishMe security researchers. Customers receive expert phishing intelligence that connects indicators with threat actors’ infrastructure so that security teams can confidently act quickly and accurately in their investigations.

PhishMe precisely delivers timely indicators and intelligence about ransomware, business email compromise, credential-stealing phish, and other malware. It is the timeliness and accuracy that is so crucial because the longer it takes security teams to determine the impact and severity of the threat, the more time the attacker has to plot their next move and achieve their mission.

When PhishMe designates an indicator with a major impact rating, teams can heed this warning and confidently take action. PhishMe doesn’t just tell security teams what is malicious, we explain why something is malicious. This is the context that allows analysts to act on the data analyzed and enriched by trustworthy PhishMe researchers.

PhishMe also helps answer the never-ending question; “is this a threat to my business”? The Active Threat Reports are contextually-rich reports that illustrate threat actor tactics and the neighboring criminal infrastructure that supports their operation. The reports take “so what” about an indicator, and provide an inside-out view of the threat actor and tactics.

Security analysts spend less time deducing and more time executing.

Security teams invest in TIPs as a way of bringing multiple sources of data into a centralized location that can be correlated and then distributed to other systems as part of the workflow. Open source, paid subscription, and industry-specific intelligence exchanges, all provide a useful purpose in managing threats to the business. The difficulty is managing vast amounts of data and ensuring a low signal-to-noise ratio. As such, TIPs emerged to support the endless need for data analysis and decisive action.

PhishMe Intelligence product management and solution engineers collaborated with TIP providers to complete technical integrations suited for security teams accountable for defending the business.

Conclusion

TIPs emerged to help security analysts who are inundated with so much information and the need to centrally manage it. They’ve become a concentrated repository for security teams to ingest, de-duplicate, analyze, and act on the indicators received. PhishMe’s technical partnerships with Anomali and ThreatConnect, will help ensure that the quality of intelligence available is second to none when it comes to indicators of phishing. Phishing is the primary vector of compromise and oftentimes leads to data loss. Consuming human-vetted phishing intelligence into a TIP ensures security teams can be confident in the action they take to protect their business.

Sage and Locky Ransomware Now Sharing Delivery Infrastructure in Phishing Attacks

BY BRENDAN GRIFFIN AND GARY WARNER

Threat actors have demonstrated that despite the past two years’ explosion in new ransomware varieties, ransomware developers still believe that the market has not reached the point of saturation. Examples of encryption ransomware like Sage have made notable appearances on the phishing threat landscape in the early days of 2017, continuing the ransomware trend from 2016.

Kovter Ad Fraud Trojan Now Shipping with Locky Ransomware

Over the past couple of months, the PhishMe Research Team has observed Locky ransomware being distributed alongside the Kovter ad fraud trojan. We have looked at this malware distribution channel in the past, and since then, the threat actors have evolved from using a fake file encryption threat to using a well known and effective ransomware family: Locky. In this post we will examine the history of the Kovter actors’ experimentation with ransomware and walk through a sample campaign that our PhishMe Threat Intelligence Team captured.

Ransomware Evolution

The distributors behind Kovter have been experimenting with “ransomware” since as early as January 2016. We place the word in quotations marks because their first attempt at including code that demanded payment was ineffective. These initial attempts were malicious JS email attachments that would only change Windows file extensions on the victim’s computer to “.crypted”. Below is a screenshot of an early ransom note.

initial_ransomware_instructions

An example of the ransomware instructions seen in earlier attempts.

Then in March of 2016, we saw a shift to actual file encryption by utilizing XOR on the first 2048 bytes of the files. In April, the threat actors shifted again with the use of 7zip, a legitimate archiving utility, to encrypt files with a static key. The actors then in June 2016 started distributing a PHP interpreter with a script to encrypt the files. A fantastic writeup on the PHP method used by these actors can be found here. They finally shift to utilizing the full blown ransomware family, Locky, in late October 2016.

locky_encrypted_desktop

A desktop infected with Locky ransomware now being spread with Kovter.

One analysis artifact that distinguishes Locky campaigns in the wild is the use of an affiliate identification number that gets hardcoded in to every Locky infector build. Locky affiliates 1 & 3 are the most commonly seen affiliate IDs in spam campaigns, albeit from the Necurs botnet (an x86 bootkit that contains spam modules). This differs from the Locky affiliates 23 & 24 that we are currently seeing being distributed with Kovter in that distribution relies on a botnet that utilizes compromised websites for spamming.

Sample Campaign

Spam messages containing lures that eventually download Kovter usually contain verbiage of missed package deliveries, as seen in the message sample below.

initial_lure

By viewing the headers of this malicious spam message, we can see that the message appears to be originating from a compromised Joomla website based on the directory structure of the sending script that the webserver prepended to the messages. Depending on server configuration, some webservers will add the lines seen in the snippet below when email is sent using the PHP mail() function call.

phpheaders

PHP email headers contain Joomla CMS path.

The ZIP archive attached to the email contains an obfuscated JScript file that is capable of downloading Kovter and the Locky ransomware loaders.

zipcontents

Zip attachment contains malicious JS downloader.

In an effort to defeat malware sandboxes, this initial JScript file sleeps for at least 5 minutes, then writes another obfuscated JScript file to the folder %TMP% and executes it using the WScript.Run method. The %TMP% is a Windows environment variable placeholder for the C:\Users\{user}\AppData\Local\Temp\ directory. The resulting, de-obfuscated JScript file runs the ping command in another effort to exceed sandbox timeouts, then downloads two binaries from gatheringmd[.]top, writing them to %TMP% and executes them, as seen in the code snippet below.

jsdeobs

De-obfuscated JScript that downloads two binaries and executes them both.

The Windows executable 24.exe downloaded from hxxp://gatheringmd[.]top/cb/l2[.]php is an NSIS-packed executable for the Kovter ad fraud trojan loader. Kovter is a “fileless” trojan that stores itself in the Windows registry for persistence and antivirus evasion. Upon execution, the trojan checks in with a command and control location that contains a URL path usually ending in upload.php or upload2.php, sending infected machine information such as the operating system version, service pack level, and the system architecture, and whether any known security programs were detected. Kovter will also check for and install the latest version of Internet Explorer Adobe Flash browser plugin, and .Net frameworks.

The Kovter trojan will then generate web traffic hidden from the victim’s desktop. The malware actors craft search terms, injecting them in to browser sessions with their malware that “clicks” on advertisements that generate revenue through pay-per-click models. We won’t dive too deep in to Kovter analysis since it has been well-documented already here (PDF) and here (PDF). Configuration data, seen in Table 1 below, is easily extracted from memory while the trojan is running.

Table 1: Kovter configuration for sample 0d01517ad68b4abacb2dce5b8a3bd1d0
cp1
(IP Addresses – please see Indicators of Compromise section below)
cp1cptm
30
cptmkey
a7887cc809cf0d4df17fc5dafd03e4e7 – MD5 of “smooth”
keypass
65537::20717578436666370206990156461786566788132748458910865354994919388630407187082788932551065567891365033974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953103877199811371834197299886690010229547993815721647414299018829914480336700775760032044922438942690008663278856440487164946050309668972730239620373400036156807226902415414689227139343695179004305146177952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383023194954613997204876850415109848188765254167924483000246775174171501733414326729845936854172715365200925796295269097
passdebug
False
debugelg
True
elgdl_sl
False
dl_slb_dll
False
b_dllnonul
hxxp://185.117.72[.]90/upload2[.]php
nonuldnet32
hxxp://download.microsoft[.]com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe
dnet32dnet64
hxxp://download.microsoft[.]com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64[.]exe
dnet64pshellxp
hxxp://download.microsoft[.]com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG[.]exe
pshellxppshellvistax32
hxxp://download.microsoft[.]com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6.0-KB968930-x86[.]msu
pshellvistax32pshellvistax64
hxxp://download.microsoft[.]com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6.0-KB968930-x64[.]msu
pshellvistax64pshell2k3x32
hxxp://download.microsoft[.]com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG[.]exe
pshell2k3x32pshell2k3x64
hxxp://download.microsoft[.]com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG[.]exe
pshell2k3x64cl_fv
20
cl_fvfl_fu
hxxps://fpdownload.macromedia[.]com/get/flashplayer/current/licensing/win/install_flash_player_22_active_x[.]exe
fl_fumainanti
DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:0:DD17Dal:hxxp://185.117.72[.]90/upload[.]php:al::mainanti

The other Windows executable 23.exe that is downloaded form hxxp://gatheringmd[.]top/ll/l1[.]php is the loader for Locky ransomware. Locky is written in Visuall C++ and contains hard-coded IP addresses for command and control callbacks, although some versions of Locky do not require the victim to have Internet connectivity to start the file encryption process. The following table includes the configuration data we found in this campaign.

Table 2: Locky configuration for sample f3d935f9884cb0dc8c9f22b44129a356
Affiliate ID
23
Key
RSA1
RSA Key ID
711
RSA Key Size
114 (bytes)
DGA Seed
90577
Execution Delay
None
Svchost Process Persistence
Disabled
Registry Persistence
Disabled
Ignore Russian Computers
Enabled
C2 Callback URL Path
/message.php
C2 Callback Servers
109.234.35[.]230 176.103.56[.]119

 

Conclusion

Distributors behind Kovter are constantly evolving their ransomware game. We can only speculate why these malware actors would “burn” their foothold on an infected machine where they have also placed profitable ad fraud code. Perhaps the return on investment is much higher with ransomware and preferable to standing up the infrastructure and money laundering channels required for conducting ad fraud. PhishMe Intelligence customers can view more details about this threat in ID 7409.

This specific email template is available in PhishMe Simulator to use in your own scenarios.

 

How susceptible is your organization to phishing threats? Download our latest Phishing Susceptibility and Resiliency Report to learn how reporting phishing can greatly improve your organization’s security posture.

Indicators of Compromise

..:: Email Subject Lines
Courier was unable to deliver the parcel, ID{rand}
Delivery Notification, ID {rand}
Problem with parcel shipping, ID:{rand}
Problems with item delivery, n.{rand}
Shipment delivery problem #{rand}
Unable to deliver your item, #{rand}
We could not delivery your parcel, #{rand}
Fedex parcel #{rand} delivery problem
Notification status of your delivery (FedEx {rand})
Parcel ID{rand} delivery problems, please review
Parcel {rand} delivery notification, USPS
USPS parcel #{rand} delivery problem

 

..:: File Hashes
Filename
MD5 Checksum
Type
23.exe
f3d935f9884cb0dc8c9f22b44129a356
Locky
24.exe
0d01517ad68b4abacb2dce5b8a3bd1d0
Kovter
details_AneLU.zip
bb84729c02b898b7aeef6b65c119f0c4
Attachment
details_bkxeL.js
10c1be3b95fa013458081d19747bc0df
JSDownloader
details_cOBYkk.zip
cc095bc05e61a0b373671e6f80f72686
Attachment
details_CRFuvd.zip
c9cf8185d1168b0712e532a6a7d88fe9
Attachment
details_dFTHp.zip
5ad3fec19d0723532dea49a2ccc3ea9c
Attachment
details_FyReR.zip
f2284d51a3daffcb12ff91f57601c246
Attachment
details_LKXcNI.js
a811a54525161017e5ac1f85b83d2758
JSDownloader
details_MGStju.zip
ab5540f78e67fd196c1be1dfd3612947
Attachment
details_mSplK.js
cdacbaf9b13333ac264b798797432391
JSDownloader
details_pKvHWv.js
17d0d6d8176e01e92f74b9ce08ba188b
JSDownloader
details_PpxpD.zip
320151d35fd61ef1b17f8fe921c4beef
Attachment
details_rqpOqK.zip
f30d21a5c882dbdb011b361a5cba67a4
Attachment
details_shHih.js
111af7977728443aa268479a87c29656
JSDownloader
details_XCFvfh.js
b4179c5a075fed9b606e9b7f068dca4c
JSDownloader
details_XHZms.zip
c3e012a26c9fee9ff72bddf413f74f52
Attachment
details_YAVSi.zip
e0cabfc058cc4d6ff2419743a79f6b1a
Attachment
details_ZHewkz.zip
f7a7d41def5a90ed504581edf719c079
Attachment
details_zZcSMY.js
d2096cc86d4d89904316caca5b2242f9
JSDownloader
doc-details_cLOFYn.js
035caab39c0cbe55e59a78ce6cb8e3f7
JSDownloader
doc-details_CPwxGO.js
ab4ed724a82100735195d8767afec999
JSDownloader
doc-details_dNqBy.js
81a37ce8dc207d6adfe99fe4f29790ac
JSDownloader
doc-details_FUCxwj.js
963fa75b2d36b525df79c89bb6674c57
JSDownloader
doc-details_gfSxM.zip
f79543458f14e4fd05077f497e5b3b6c
Attachment
doc-details_hKuupX.js
72940493157e8313f53f40ecb0cc8999
JSDownloader
doc-details_hZpjC.js
acf53f8fedb0c9e7c717f17b24c2bd40
JSDownloader
doc-details_LamGu.js
a76c99d8e8e1fb61c80751a3b86b0161
JSDownloader
doc-details_qHpxP.zip
f5e55dd9c3f1258792940e6d44ff69e6
Attachment
doc-details_xMSZnv.zip
4615a66cff28ab1993d1cf1767012fa2
Attachment
doc-details_ysKya.zip
5af53a61146d95ff3cd4906998d5a3dc
Attachment
docinformation_chckfG.zip
53da2b40b05311ebf1c96d1390e498c5
Attachment
docinformation_eiBUR.js
0fdbf59914be1d61b2ebea804681a06d
JSDownloader
docinformation_fobWte.zip
de92d06890c4c036059805eb76cf6932
Attachment
docinformation_gFsaxs.js
f3bb12d7fd0512075154b68f748b106c
JSDownloader
docinformation_hYBnW.js
fa99be4f0cf635cf5ab27c8d9cdb737c
JSDownloader
docinformation_jwmOKD.zip
397985be48b08034596b74f3258f4be8
Attachment
docinformation_KxARw.js
5b4dd2f0077cb49626ea0fc4b28042e6
JSDownloader
docinformation_LyIGo.zip
f137879fd5f1b616e5468f2940a72670
Attachment
docinformation_tfFVrb.zip
a1e2571d4a9a9adc0e43a844e24f4b9a
Attachment
docinformation_UKqiN.js
d27d0caa0998f3d55a3742410849af0e
JSDownloader
docinformation_vvfUNP.zip
68c80b0764dae51a444798e84b7d567c
Attachment
document_aCBltX.zip
7835b9b6460756b69421b4ad9ee4d460
Attachment
document_bgFtst.js
33a195f89bc70f47d0b3531b6929cacc
JSDownloader
document_gDhkHi.js
1a0897eb182ce799950844870003bffb
JSDownloader
document_GZrswr.zip
6b51f7dc3d01e1e1d80e663251e826c0
Attachment
document_NpkFE.js
c17fd226efc58df20d61e98799728b9e
JSDownloader
document_Rgvjf.js
060d4ecd9101dec77ef2ff932682660c
JSDownloader
document_xSdOeE.zip
85a93ae756b903c27dc348a566a05bda
Attachment
info_aaRda.js
d3902306e1a94fa58670c93db5565a9e
JSDownloader
info_EkuERW.zip
489ec3212a4ff602a0d44296913468c3
Attachment
info_LUTTy.js
90023223eb47013711919de9dcd5dd07
JSDownloader
info_SCfca.zip
8ef1cc722479c09ab067be9caa130113
Attachment
info_wKfhS.zip
07362becf09c43f14ff6bd112c117176
Attachment
letter_cjJeHL.zip
7b72a9ceec70a30b0dbb7cc0a4b2e202
Attachment
letter_DsrtV.zip
1715cc68bd8fc453415ecf39ede93cd6
Attachment
letter_kNYHrR.zip
3d698ce90f48b585bd932521c065cda6
Attachment
letter_OjWlc.zip
3a13e6f6846a5a1722e8b266ceae8dd6
Attachment
letter_QnBTi.zip
4cbc25dcbf08de24ee87bcc119f6c16f
Attachment
letter_RfVviz.zip
0cfc0aec33a7bdbffa53895c9cd7fb57
Attachment
letter_VuHASr.js
100a19a7278820886461ca509ec1c993
JSDownloader
letter_YKkPE.js
ed12fead265edfe0152f27dae6078212
JSDownloader
post_info_asgHE.zip
d60c838a51236ac585013a8f807b7569
Attachment
post_info_bwJbDR.js
e47f9353f491581e46e46647a357c93c
JSDownloader
post_info_CeZZu.js
a363de2b167ac355a0f93888b5e04a6b
JSDownloader
post_info_cGuqm.zip
cdee553957fb83a40f7b14eba0a41ed0
Attachment
post_info_CsbYG.zip
f5af5b7834bda884188490452c2c85e6
Attachment
post_info_CzRrE.zip
1567ed8c60a92e2ff8678432ad083a4d
Attachment
post_info_FvdXc.js
b50585cc02304fc4e3238b4d2e071178
JSDownloader
post_info_KsELg.js
0b28a46cd55c859e2bc42d5ed48a3f0d
JSDownloader
post_info_MSGDE.js
e0f23f5e0403c2a3de0cfde2fe89938d
JSDownloader
post_info_pJtOt.js
e8e093060c70372ef942f89633d9bd0c
JSDownloader
post_info_tuOxpr.js
8da38959402c894db8e55b01fd6ffb6b
JSDownloader
post_info_xXWwy.js
be900919c08a6f9e15dbc88f9a8bc91f
JSDownloader
warning-letter_equIH.zip
31ae173517f1c3b95c2eae4e7b546c9a
Attachment
warning-letter_IcDwG.js
7afa14b7941098c48d88ba8befa926cc
JSDownloader
warning-letter_IoBWF.js
412d93a1600236b226784e6011399dc2
JSDownloader
warning-letter_ojIjtc.zip
749a7c139690a6b527800fbccd4066f9
Attachment
warning-letter_PNEIi.zip
dc6f872e1f5caea1d29a48b9f183de40
Attachment
warning-letter_rAvJv.js
dfe0d32610330f32747da3551b3b722f
JSDownloader
warning-letter_ShAAZ.zip
e9d953fb3dc52364d71674c3b1aa8b9d
Attachment
warning-letter_swXcEq.js
3987c2d03042dee1bf5f90127dc8dc0d
JSDownloader
warning-letter_tjTfks.zip
992b864fa761ff7ae3ae114f1c0b3237
JSDownloader
warning-letter_ZHsTF.js
8078316a13c0139c4b8472dc53cff718
JSDownloader
warning-letter_ZoikPb.zip
316b7e8bb7bb773aa8a6ad47c6953e4f
Attachment
watch_it_CdJex.js
5ae36d68911396dd7c0bf9ef674e25d0
JSDownloader
watch_it_dZpLi.zip
f5ddcfb1545a1af403131d115cf04ce6
JSDownloader
watch_it_GCzQN.js
be44dd6023c9ea40e82369272bb933d2
JSDownloader
watch_it_JNHNs.zip
d997419f7348c2e45e3fff33ed66985f
Attachment
watch_it_KgDcbd.zip
80fc86862e21d7022743b1b388334bbe
Attachment
watch_it_lRqvTG.js
7ac74145aa485acf711df23e2d3ed6ec
JSDownloader
watch_it_odoRqP.js
2dfe5e49862d57ac1f5c510f0568afd2
JSDownloader
watch_it_sOqdK.js
b0cd17c7ecddfc176adb089948f5703e
JSDownloader
watch_it_udGEp.zip
3277afcde8d2dd473d3da61c0a4b0b61
Attachment
watch_it_VuCwU.js
35f36d821794c5951dd4a29fd326b379
JSDownloader
watch_it_WeOiwi.js
8f3e35cead2b76bfb0bfbeb9783101c1
JSDownloader
watch_it_wiaSit.js
1c5a1719337b72562a9e09f51c44b088
JSDownloader
watch_it_wJInBR.zip
eb34a9e90d3ec4a8e358d69a006ebf2c
Attachment
watch_it_WkuTs.js
a9cdf2f2e946f32bde8054167c49f025
JSDownloader
watch_it_YKqLr.zip
ecc2e62e42ea24134b9522e2c3b4df5e
Attachment

 

..:: 2nd Stage Downloads
gatheringmd[.]top
post-us-post[.]com
46_22_220_32:80 23_94_62_145:80 81_22_255_154:80 107_182_132_63:80 23_94_62_145:80 107_182_132_63:80 200_63_47_104:80 146_0_77_17:80 185_159_37_58:80

 

..:: Kovter C2
148_40_209_32:443 46_137_116_87:55583 22_73_46_193:80 14_154_83_169:80 114_88_78_247:80 213_3_143_182:443 35_221_138_66:443 110_111_98_226:8080 196_247_15_241:443 78_255_84_160:443 174_19_1_252:443 193_210_13_80:80 197_114_101_80:80 62_189_35_159:443 232_100_152_247:443 81_69_85_164:80 253_83_248_253:8080 3_190_33_15:80 168_212_129_14:80 53_76_226_88:80 65_79_26_56:40287 107_125_248_16:443 245_98_91_242:80 93_177_208_107:443 121_64_65_135:443 117_211_70_204:80 122_170_4_36:443 140_117_148_158:443 202_56_225_2:443 27_49_39_8:80 203_115_105_245:80 89_205_122_234:443 203_130_238_149:443 190_225_246_67:443 49_231_177_206:443 182_180_65_173:443 83_221_198_77:80 197_45_165_116:443 199_13_13_225:443 176_76_193_169:80 36_158_188_126:80 109_218_67_61:80 3_182_133_67:80 233_183_17_47:80 206_246_145_219:80 213_140_36_150:8080 127_186_211_59:80 100_167_18_166:80 88_169_155_220:8080 198_163_233_245:53859 184_235_184_147:80 141_32_231_36:443 102_221_40_161:80 139_73_39_50:80 126_218_200_91:80 161_33_105_138:443 144_66_2_72:80 197_212_244_173:8080 19_213_113_180:31441 252_18_46_42:59404 9_241_234_207:80 12_56_29_34:80 94_35_16_52:443 41_149_219_114:55592 177_226_92_155:443 88_172_13_130:8080 22_115_39_228:80 50_29_34_83:80 128_118_243_179:8080 215_220_243_179:80 155_100_49_247:80 80_172_28_209:22358 68_14_23_73:27750 51_107_147_23:80 10_158_103_224:21315 90_148_200_244:80 236_246_8_60:58866 36_13_138_86:443 152_108_154_216:80 5_107_180_239:443 190_142_217_159:80 52_51_208_40:80 201_21_34_209:80 196_244_93_79:80 174_230_181_72:80 84_77_42_9:443 157_199_202_119:80 210_170_153_163:80 196_108_230_229:8080 55_169_50_147:80 66_223_50_137:39390 133_214_199_142:443 101_85_221_219:80 176_133_85_83:443 25_191_61_253:80 167_47_7_159:37972 72_126_220_209:443 98_167_227_239:80 72_69_152_35:443 167_84_156_254:31354 91_59_106_88:80 18_135_180_177:443 251_47_14_204:80 112_116_47_96:80 119_164_199_154:80 17_66_247_172:443 100_8_122_206:80 40_223_230_220:80 24_215_191_38:80 11_149_25_58:443 176_152_16_75:31249 32_140_52_204:80 152_211_70_103:443 110_70_26_74:80 49_33_150_86:8080 161_234_222_218:443 39_139_120_54:8080 180_86_98_232:8080 45_128_245_115:80 224_45_66_42:26359 115_75_153_200:80 58_179_237_21:80 21_159_10_74:80 189_160_214_166:80 4_38_183_118:443 223_86_58_34:80 62_148_201_215:80 217_17_17_199:80 162_219_197_172:80 58_106_196_16:80 134_19_54_62:80 67_30_222_124:80 94_186_211_39:80 49_255_162_65:80 199_227_162_140:443 199_198_249_140:80 9_18_232_63:8080 114_129_109_80:80 173_183_127_212:46778 175_212_234_239:80 177_211_61_62:443 4_4_92_143:80 101_161_194_163:8080 37_93_132_34:28109 50_217_135_6:80 54_218_12_38:80 189_249_177_251:80 181_255_183_68:80 28_229_155_191:8080 206_227_51_83:8080 59_132_223_193:80 1_247_100_13:80 216_202_23_138:80 114_63_197_42:443 157_69_104_57:80 62_8_232_112:80
hxxp://185.117.72[.]90/upload[.]php
hxxp://185.117.72[.]90/upload2[.]php

 

With apologies to Led Zeppelin fans: The (BEC) Song (Still) Remains the Same

Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam. Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world.

Just last week, yet another phisher tried to phish PhishMe. Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s IP address and user-agent.

Since that time, we have seen repeated attempts against our CFO, Sam Hahn, where he receives messages impersonating our CEO, Rohyt Belani. These messages seek to engage Sam in an exchange regarding an urgent request to make a wire transfer.  Of course, such wires would be fraudulent, but, amazingly, the phish-back technique almost always works.  It has resulted in the identification of as many as five mule accounts at five different banks for one potential transaction.

The Song

With this latest attempt against PhishMe, the phisher has apparently used social media and/or search engine results to identify the name and email address of a staff accountant who reports to Sam Hahn, bypassing Sam’s renowned phish-spotting skills.  But the phisher’s email message landed with another trained reporter at PhishMe, who submitted the message as Suspicious, using the PhishMe Reporter button.  The report fed into our internal PhishMe Triage where we could quickly see that the accountant has a high Reputation Score, indicating that she is good at spotting truly-suspicious messages.  We knew that we should have a look right away at her report, shown in Figure 1 below.  The subject line of the message was the accountant’s first name, and the salutation included her first name.

Figure 1  Initial message from BEC phisher

Then our incident response plan kicked in, and we asked the accountant to reply with an offer to help, as seen in Figure 2 below, where he responded right away with his plea for money to cover a secret international acquisition.  (Ah!  The Intrigue!)

Figure 2  BEC phisher makes plea for a wire transfer

In her response to that second message, our astute accountant indicated that she would need someone else to sign off on the wire transfer, “since it is an international wire.”  She actually copied our incident response team, which later provided a wire “confirmation link” to the phisher.  Figure 3 below shows the third message from the phisher, where he sent wire instructions to the accountant.

Figure 3  The BEC phisher sends wire transfer instructions

Once the mule account was revealed, it was reported to the bank, and our accountant’s associate sent a “confirmation link” that, when clicked by the phisher, revealed the phisher’s physical location.  From the phisher’s point of view, the link re-directed to the login page for the bank hosting the mule account.

The phisher must have been convinced that the wire transfer had been made because the next morning, twenty hours after the initial request, he came back for more.  In Figure 4 below, you can see where he hit up our accountant’s associate (really, our incident response team member) for a double dip.

Figure 4  The BEC phisher returns the next day to request more money

The final part of that thread included instructions for a $165,590 wire, details of an account at a second bank, and a request for a confirmation.

The Investigation

Beyond reporting this to the U.S. government’s Internet Crime Complaint Center at www.ic3.gov, our researchers wanted to dig deeper and document this phisher’s other activity.  It turns out that the lookalike domain name phislhme.com was registered at 1&1 Internet SE on December 15th –the same day as the first spam message to PhishMe, using the email address garyrabine@rabinagroup.com.  When we initially looked into whether that same email address had been used to register other domain names, we found 69 other idomain names, all registered within the previous week and all seeming to be misspellings of domain names in use by real companies.

We took the list of domain names and guessed at which real company each domain was meant to imitate.  We then notified the administrative contacts of record for those legitimate domain names.  Though there was a handful of bounced messages, four companies replied with appreciation, and, so far, one has responded that their company had also received a BEC phishing email.

We checked back again this week to see how many domain names have been registered with 1&1 by this threat actor, and now there is a total of 156 domains.  We notified 1&1 on December 19th and requested that all the names be de-activated.  (see list at this link)

Takeaways

Though the song remains the same, phishers are constantly evolving their tactics to lead to more success.  In this recent attack, the phisher did not use the word “urgent” or “wire” in the subject line of the email message.  He also opted not to try for the CFO again; he likely found our accountant’s name and email address online and contacted her instead, possibly in hopes that she would feel a sense of urgency to which our CFO has become inured.  Then, when we saw the plea for money, we knew a bit more about why the phisher may have opted to avoid our CFO—it was a secret deal that only the “CEO” could know about.

We also want you to understand that this does not just affect large companies.  Because this scam has been going on for years, some of the larger targets have already been hit, and some have learned very hard lessons.  And with over 150 companies of all sizes spoofed by this one phisher and almost a full day between the two wire requests we received, we think this phisher is very busy.

PhishMe also wants everyone to understand how simple but effective these scams can be.  Learn how to spot them, and make sure your employees are great reporters.  Your staff needs to know that raising a red flag to the appropriate team can make all the difference in the world to your company, preventing the loss of hundreds of thousands of dollars and helping us stamp out this fraud.

Fortifying Defenses with Human-Verified Phishing Intelligence

Mining Phish in the IOCs

PhishMe® and Palo Alto Networks® are providing security teams with the ability to ingest human-verified phishing intelligence in a standard format that can be automatically enforced as new protections for the Palo Alto Networks Next-Generation Security Platform through the MineMeld application. Through this integration, PhishMe and Palo Alto Networks are providing a powerful approach to identifying and preventing potentially damaging phishing attacks.

The challenge of operationalizing threat intelligence

Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it comes to phishing, continues to weigh on the minds of businesses regardless of size. Security teams require the ability to ingest, verify and enforce new protections for potential phishing attacks, all within their existing infrastructure.

Where are the Phish?

PhishMe extends beyond a traditional data feed. Customers receive phishing intelligence. What’s the difference? Intelligence, vs. traditional data.

Information without context is data. Intelligence is information with context, and context is what security teams require in order to have confidence in their decisions.

Intelligence customers receive indicators specific to phishing and their criminal command and control (C2) and botnet infrastructure associated with malware families like Locky, Dyre, and Cerber. This is then backed up by threat intelligence reports with verbose context that provides security teams with insight into attacker TTPs.

PhishMe identifies what is nefarious, but more importantly, why, and what it means.

Integration Tackle Box for PhishMe and Palo Alto Networks

Security teams who wish to easily complement their Palo Alto Networks Next-Generation Security Platform’s security policies with PhishMe Intelligence will need an instance of MineMeld (version 0.9.26 and above) and PhishMe Intelligence API credentials (contact PhishMe for trial access http://phishme.com/product-services/live-demo). MineMeld will ingest intelligence from PhishMe, and can automatically feed new prevention controls to Palo Alto Networks devices, without adding heavy operational burden.

Configuring MineMeld with PhishMe

The following is a step-by-step guide to configure MineMeld in order to ingest PhishMe Intelligence phishing URLs, aggregate them, and construct into an output capable of preventing malicious URLs in security policies within PAN-OS devices. Before we dive into the configuration of MineMeld, it is important to review the three key concepts behind the application:

  • Miners: responsible for retrieving indicators from configured sources of intelligence and data feeds. Miners will bring in new indicators on a configurable, periodic basis, and also age-out any indicators that are no longer needed.
  • Processor: The processor node will aggregate the data obtained by the Miner and conforms the data to IPv4, Ipv6, URLs, or domains. Once aggregated, the data is sent to the output nodes.
  • Output: The output nodes gather data from the processor node and convert the data into a format that is capable of being consumed by PAN-OS (and other non-PAN-OS external services)

PhishMe Intelligence Miner Node

(Image of Miner Node with API credential example and phishme.intelligence prototype)

Processor Node

(Image of Processor Node using the stdlib.aggregatorURL prototype and the PM_Intel input from the configured Miner)

Output Node

(Image of Output Node using the stdlib.feedHCRedWithValue prototype and the agg_URL_all input from the configured Processor)

Configuration Graph Summary

The configuration graph is a summary exhibiting the flow of PhishMe Intelligence. The miner collects intelligence, aggregates, and the output node structures the data to be usefully applied to prevent phishing.

(Example of PhishMe Intelligence aggregated and with output URL data for PAN-OS)

Log Detail with URL Indicator and High Confidence rating of 100

The image below represents an example of URL intelligence received in the MineMeld log. This snippet specifies a malware payload from an OfficeMacro and TrickBot (similar to Dyre) family. If they choose to, analysts can then use the URL to the Threat Report with executive and technical details that explain more about the malware.

The above summarization of the MineMeld setup portrays how easy it is to take very relevant and useful information and structure it so that it can be operationalized with other security investments. Far too often teams have underutilized technical resources or processes that place a strain on the workforce. MineMeld reduces the human burden and provides security teams with the ability to create actionable prevention-based controls.

Phishing Intelligence Operationalized = PhishOps!

Let’s review an example of how to operationalize these indicators of phishing (IoPs) and apply them to a Palo Alto Networks security policy to deny egress traffic to these phishing URLs.

Create New Object in PAN-OS

From the Objects tab, select External Dynamic Lists from the navigational pane. Analysts just need to provide the relevant information to pull in the list of URLs from MineMeld.

(Example of External Dynamic List linking to URL list from MineMeld)

Apply to PAN-OS Security Policy

With the External Dynamic List defined, security policies can now be created based on acceptable criteria. In the case below, inside sources browsing externally and matching the PhishMe Intelligence URLs will be denied.

(Example policy to deny inside to outside web-browsing against PhishMe Intelligence URLs)

FINito! Wrapping up

A similar process can be repeated like the above, with IP lists and domains, and applied according to phishing threats facing the business. The way MineMeld handles the data received makes applying it to Palo Alto Networks Next-Generation Security Platform very effective. Security teams will need to determine where they want to apply the policies once MineMeld has compiled the data.

The phishing threat is alive and very well and the ability for security teams to maximize their investments and operationalize with low administrative overhead should be enticing to tackle the threat.

 

More about MineMeld:

MineMeld, by Palo Alto Networks, is an extensible threat intelligence processing framework and the ‘multi-tool’ of threat indicator feeds. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks Next-Generation Security Platforms.

To learn more about the Palo Alto Networks Next-Generation Security Platform, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

To learn more about the PhishMe Intelligence, visit:  http://phishme.com/product-services/phishing-intelligence/.  

 

An Open Enrollment Reminder – Phishers Want Your HSA Money!

As the end of the year approaches, many companies are communicating with their employees about benefits and Health Savings Accounts via email. Criminals realize this and have decided to get in on the action!  More consumers than ever are using HSAs as a way to save pre-tax income for future medical expenses. A report released by Devenir Research shared that, as of August 2016, 18.2 million HSA accounts currently hold $34.7 billion in assets – a 22% growth over 2015, and projects that by the end of 2018, more than $50 billion will be on deposit in HSA accounts. That’s a tempting target for criminals, and, due to the increase in HSA-related emails, they are ready to use email-based phishing attacks to try to steal your account credentials.

HSA Phishing Attacks

PhishMe has observed a large spike in phishing traffic targeting HSA account userIDs and passwords, starting November 11, 2016, and continuing through today. More than seventy distinct phishing attacks have been observed since that date, targeting Health Savings Accounts at Optum Bank and Fidelity. Fortunately, both of these organizations have been very responsible with their response to phishing and have provided additional information to help protect their customers.

The most prominent Optum phishing attack we are seeing directs the user to a page that looks like this:

hsablog-1Optum customers are encouraged to familiarize themselves with the actual look of their HSA login page and, most importantly, to pay attention to the URL. In the phishing URLs reviewed by PhishMe, the website did not belong to Optum and in some cases didn’t even attempt to pretend to be Optum. The phishers know that most users do not look at the URL of each website they visit. Following are a few example URLs that users clicked on, thinking they were accessing their HSA:

  • twistshop.me/myuhcfinancial/optum/
  • opthsa.com/optumhealthfinancial/optum/
  • megaleft.com/optumhealth/optum/

OPTUM Financial Services provides great information about how to protect your account on this Account Security web page: www.optumhealthfinancial.com/protect-account.html. They encourage account holders who may have clicked a link or opened an attachment to call them, or, if you have NOT clicked the link or opened the attachment, to forward the email to assetprotection@optum.com.  Their account protection web page also provides a sample phishing email that may be similar to one you may receive.

PhishMe is also observing a large increase in phishing attacks imitating the Fidelity Health Savings Account. As with the Optum phish, the key to detecting these phishing web sites is inspection of the URL. In the example below, the web page looks very convincing, but the URL contains the domain name shoe-etc.com which is certainly not Fidelity’s main login page for HSA accounts!

Some of the suspicious URLs we’ve seen for Fidelity’s HSA accounts include the following:

  • myhrsa.com/mynetbenefit.fidelity/fidelity/
  • fidelitynetbenefit.shoe-etc.com/fidelity/
  • securemynb.fidelity.opthsa.com/fidelity/
  • ubs-money.com/netbenefitsfidelity/fidelity/

Fidelity also has a very helpful web page for letting its customers know about possible security problems. Suspicious emails that you receive can be sent to phishing@fidelity.com, and the Report an Online Security Issue web page at https://www.fidelity.com/security/report-an-issue  has telephone numbers and additional tips related to phishing.

And Malware, Too!

The PhishMe Intelligence team has also recorded health insurance social engineering attacks that delivered malware via spam messages. The most blatant of these was a high volume spam campaign observed on November 7, 2016.  Using the email subject line: Health Insurance, the email body read as follows:

The email attachment contained a zip file that used the word insurance and some random numbers as its name, such as:

  • insurance_39017dc45.zip
  • insurance_95341063.zip
  • insurance_bc9ebb1f.zip

These .zip files contained hostile JavaScript code for downloading and executing the Locky ransomware. Locky can encrypt all files on both your local machine and network drives, and these files can only be decrypted by paying a ransom to the criminal.

Conclusion

During this time when the corporate emails are likely to be full of reminders about Open Enrollment and Health Savings Accounts, regarding both spending your remaining balance and setting up the account for next year, be sure to not let the pressure prevent you from being cautious! As our friends at the Anti-Phishing Working Group like to say – Stop. Think. Connect.

Be sure to share this warning with your friends, and consider sharing it with your HR department as well.

Ransomware made up 97% of phishing emails so far in 2016, what about the rest? Learn more in our latest Q3 Malware Review.

Viotto Keylogger: Freemium Keylogger for the Skids

The PhishMe Research team recently received a campaign escalated by one or our analysts. We’ll explore the campaign delivery, malicious attachments, and analysis of the malicious attachments, and we’ll provide a simple method for extracting the credentials being used for this keylogger family’s data exfiltration.

Campaign

The PhishMe Triage platform allows SOC analysts to identify, analyze, and respond to email threats that have targeted their organization. For this particular campaign, the suspicious email had an ARJ archive attachment, which contained a Windows PE32 executable.

lureAlthough Windows OS does not natively open archive files with the ARJ extension, a number of third-party applications, such as 7zip, will be able to extract these rarely-used archives. The content of the archive is a single PE32 executable name “DOCUMENT-71956256377.pdf.exe” which is a packed Viotto Keylogger sample, intentionally named with a double extension to entice victims to click and execute the malware.

archive_screenshot

Malicious attachment contains executable.

Since this malware was written in VB6, we can decompile the unpacked, malicious binaries to verify our classification. By viewing the VB6 forms, we can see that the hidden Form1 contains the name of Viotto Keylogger:

decompiledforms

Decompiled VB6 forms.

Now that we have seen an example of how this malware propagates in the wild, let’s examine the family itself. When an analyst has access to a malware’s builder (an application that enables the easy customization of malware samples), we can save precious reverse engineering time by analyzing its capabilities and features to better understand how this malware behaves.

Builder

Most of the indicators that comprise a Viotto Keylogger infection can be set at build time when the actor creates the stub (the malware sample that infects a victim’s computer). In the public version 3.0.2 of the builder, the malicious actor can specify where the keylogger’s logs will be stored, the installation method for persistence, and the delivery method of the logs via SMTP and/or FTP. In the paid, private version of the builder, the actor is able to control even more settings, such as encrypting the Keylogger logs with RC4 with a hardcoded key and enabling a Screen Capture feature that periodically sends screenshots of the victim’s desktop back to the actor. Another feature included in both versions that is not highlighted in the builder’s options is the ability to capture all text copied to the victim’s clipboard.

mainscreen

VKL Builder’s main screen.

The storage location option for the keylogger log files can be set by the malicious actor at build time. They also have the ability to specify a custom log filename and to set hidden file attributes. The log files can be saved in the following locations on the infected machine’s disk:

  • Root (C:\)
  • Windows (C:\Windows)
  • System32 (C:\Windows\System32)
  • Program Files (C:\Program Files)
  • Application Path (copied where originally executed)
  • Temp (C:\Users\{username}\AppData\Local\Temp)
  • AppData (C:\Users\{username}\AppData\Roaming)
logfileoption

Options where keylogger logs will be stored.

Persistence

As described above, depending on the settings enabled during built time of the stub, the actor has the ability to enable infection persistence through reboots of the infected machine. The actor can also select the option to save a copy of the executable which has the same file system options as the log file storage locations. The copy of this executable can then be executed during Windows’ start up events for persistence through computer restarts. Although multiple instances of the stub can be launched by selecting any combination of startup entries, the stub ensures it’s the only process currently running by checking the mutex (a program object lock used to avoid multiple instances of the same malware from running). The default mutex is “ViottoLogger”; however, this setting can also be changed in the builder. The following startup registry keys are viable options:

  • Current User\Run (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
  • Local Machine\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
  • Winlogon\Shell (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell)
  • Winlogon\Userinit (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit)
  • Explorer\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run)
persistenceoptions

Windows startup persistence options.

Keylogger Data Exfil

Viotto Keylogger is capable of sending the recorded keystrokes, clipboard contents, and screenshots to the perpetrator in an email (via SMTP) or to a file server (via FTP). The email option can be delivered to open relays that do not require authentication or to accounts that require authentication over SMTP using Transport Layer Security (TLS). By utilizing TLS, the account credentials and email contents will be encrypted in transit. Most of the VB6 code in this keylogger was copied from sources freely available on the internet, as indicated in the builder’s About screen:

builderabout

Extracting Exfil Credentials

Skids wishing to use this malware creator be forewarned: your email and FTP credentials can be easily obtained! Although most of these samples in the wild will be packed, a quick and easy way to extract the malware actor’s credentials being used for victim data exfiltration is by analyzing the application’s process memory. Analysts are not only able to extract this information on the same machine utilizing a program such as Process Hacker, but personally, I prefer keeping my memory analysis tools outside of the infected machine by analyzing full VM RAM dumps with either the Rekall or Volatility memory analysis frameworks. We can also extract the malware sample’s configuration, including any SMTP/ FTP exfil credentials, statically. The malware sample’s configuration is stored plaintext in the Resources section of the stub:

resourcedecom

The decompiled FindResource section loads the stub configuration.

The PhishMe Research team also wrote a Python script to extract the Viotto Keylogger configuration from an unpacked sample:

configextractor

Conclusion

The recent sighting of the freely-available Viotto Keylogger in the wild reminds us that cybercrime has a low barrier to entry and that tools built years ago continue to be used to exploit unsuspecting users. PhishMe Simulator trains and encourages users to recognize and report the type of email messages that are delivering this threat. The next step is to act on those reports, and PhishMe Triage enables your team to sift through all reports and quickly and efficiently act on the ones that pose a threat to your organization. Click here to learn more.

 

Related SHA256 Hashes

271781975987737466077146acc7309b6d1e794e2ead0876e0a204f0fb1169ef
6fee7e06eff76397354455665919aa53ee62957f3ef5a47aa16558f7799937ad
7961671bc61cb4c0df3d81dff85f707be2fc666708e5fba626c328e6a6bfcd17
7d74f30b5a663972d9984ef8cb8dbfba478a4968e1d626e39c4fb8a80385f37b
91b30f5368a1c102d496e82099cb6222551131f74607e1a694b0ff3ed3c04cfd
9640db7cfb5e083c58166905386c5472cf38823364ff719ad3e59c6fbeb696b3
e75684f5e16cf6476726b0c2b51f760035746742334238c13172e4fe73970ff2
f8b1cd7524a5183fe7aa3abb0aae7e660c201df095a1df83e139cecad145a253

 

Miscellaneous

Download the Viotto Keylogger yara rule or the configuration extractor.

 

The PhishMe Advantage – ROI

Return on Investment

Measuring the return on investment (ROI) from your PhishMe solution is simple and easy. The most obvious and significant impact is the dramatic reduction you will see in the overall risk of a phishing attack both getting past your perimeter protection and your skilled users but there are other ways to measure your investment:

Monetary ROI

Customers can realize monetary ROI from PhishMe by reducing their overall risk to phishing and other security threats. Adversaries have successfully employed phishing tactics to steal intellectual property, personally identifiable information, and other sensitive information that can harm an organization’s competitive advantage and reputation.

The costs of a data breach vary and can range from hundreds of thousands to billions of dollars. The costs of incident response and mitigation will be, at a minimum, a few hundred thousand to millions of dollars. While the loss of intellectual property and sensitive information can have a severe financial and legal impact on an organization.

PhishMe’s solutions lower the likelihood of users being susceptible to various security risks while also increasing your IT Security team’s ability to quickly and accurately identify and mitigate an attack in progress. PhishMe’s experience sending simulated phishing attacks to over 20 million unique users has shown that prior to training, organizations show a reduction in repeat “clicker” susceptibility to phishing of 95%.  Download our Phishing Susceptibility Report for the full details.

Time ROI

There is also the opportunity cost view of measuring the ROI from PhishMe. Specifically, this includes the amount of time and resources your IT organization must commit when responding to user reports of falling for phishing attacks, resetting passwords, slow computer performance caused by malware, and unwinding the damage caused by such incidents. The internal cost to identify, respond, triage and recover compromised systems can place an unbearable strain on the IT service organization. Most firms find that cutting the need for this effort by 50% to 80% results in significant savings of time, labor and energy, all of which can be focused on core business operations that can help your business grow.

PhishMe’s innovative training solutions will save your entire organization time and resources while increasing employee productivity. On average, PhishMe simulated training exercises conducted periodically takes 1/30th as much time as traditional computer-based training (CBT).