Kovter Ad Fraud Trojan Now Shipping with Locky Ransomware

Over the past couple of months, the PhishMe Research Team has observed Locky ransomware being distributed alongside the Kovter ad fraud trojan. We have looked at this malware distribution channel in the past, and since then the threat actors have evolved from using a fake file encryption threat to using a well-known and effective ransomware family: Locky. In this post we examine the history of the Kovter actors’ experimentation with ransomware and walk through a sample campaign that our PhishMe Threat Intelligence Team captured.

Ransomware Evolution

The distributors behind Kovter have been experimenting with “ransomware” since as early as January 2016. We place the word in quotation marks because their first attempt at including code that demanded payment was ineffective: these initial attempts were malicious JS email attachments that only changed Windows file extensions on the victim’s computer to “.crypted”. Below is a screenshot of an early ransom note.

An example of the ransomware instructions seen in earlier attempts.

Then in March 2016 we saw a shift to actual file encryption, XORing the first 2048 bytes of each file. In April the threat actors shifted again, using 7-Zip, a legitimate archiving utility, to encrypt files with a static key. In June 2016 the actors started distributing a PHP interpreter along with a script to encrypt the files; a fantastic writeup on the PHP method used by these actors can be found here. They finally shifted to the full-blown ransomware family Locky in late October 2016.

A desktop infected with Locky ransomware now being spread with Kovter.

One analysis artifact that distinguishes Locky campaigns in the wild is the affiliate identification number hardcoded into every Locky infector build. Affiliates 1 and 3 are the most commonly seen affiliate IDs in spam campaigns, although those are delivered by the Necurs botnet (an x86 bootkit that contains spam modules). The Locky affiliates 23 and 24 that we are currently seeing distributed with Kovter differ in that their distribution relies on a botnet that uses compromised websites for spamming.

Sample Campaign

Spam messages carrying the lures that eventually download Kovter usually use missed-package-delivery themes, as seen in the message sample below.

(Image of the initial lure email)

By viewing the headers of this malicious spam message, we can see that it appears to originate from a compromised Joomla website, based on the directory structure of the sending script that the webserver prepended to the message. Depending on server configuration, some webservers add the lines seen in the snippet below when email is sent using the PHP mail() function.

PHP email headers contain Joomla CMS path.
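As an added example (not from the original post), the check below parses a constructed message and flags mail whose PHP-originating headers point at a CMS directory tree. The header names X-PHP-Originating-Script (added by PHP when mail.add_x_header is on) and X-PHP-Script (added by some hosting stacks) are assumptions about what the post's screenshot shows; every address, hostname and path in the sample is invented.

```python
import email
import re
from email import policy

# Constructed sample: a delivery-failure lure as a PHP mail() call on a shared
# webserver might emit it. All header values are invented for illustration.
SAMPLE_MESSAGE = """\
Return-Path: <noreply@example-host.test>
Received: from example-host.test (example-host.test [192.0.2.10])
X-PHP-Originating-Script: 1002:mail.php
X-PHP-Script: example-host.test/components/com_mailer/send.php for 198.51.100.7
From: "FedEx" <noreply@example-host.test>
To: victim@example.com
Subject: Problems with item delivery, n.000123

Your parcel could not be delivered. Please see the attached details.
"""

# Headers that PHP (mail.add_x_header=On) and some hosting stacks prepend to mail
# sent through mail(); the exact names are an assumption, not taken from the post.
PHP_HEADERS = ("X-PHP-Originating-Script", "X-PHP-Script")

# Path fragments typical of CMS install layouts. Joomla comes first because the
# post describes a compromised Joomla site; WordPress is added for breadth.
CMS_PATH_PATTERNS = {
    "joomla": re.compile(r"(?:^|/)(?:components|modules|plugins|administrator)/", re.I),
    "wordpress": re.compile(r"(?:^|/)wp-(?:content|includes|admin)/", re.I),
}


def php_script_headers(raw_message: str) -> dict:
    """Return the PHP-originating headers present in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {name: str(msg[name]) for name in PHP_HEADERS if msg[name] is not None}


def classify_sender_script(raw_message: str) -> dict:
    """Flag mail sent by a PHP script that lives inside a CMS directory tree.

    A PHP-originating header alone is common on legitimate shared hosting; the
    combination with a CMS path is what makes the sender worth a closer look.
    """
    found = php_script_headers(raw_message)
    hits = []
    for name, value in found.items():
        for cms, pattern in CMS_PATH_PATTERNS.items():
            if pattern.search(value):
                hits.append((name, cms))
    return {
        "php_originated": bool(found),
        "cms_paths": hits,
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    print(classify_sender_script(SAMPLE_MESSAGE))
```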

The ZIP archive attached to the email contains an obfuscated JScript file that is capable of downloading Kovter and the Locky ransomware loaders.

Zip attachment contains malicious JS downloader.

In an effort to defeat malware sandboxes, this initial JScript file sleeps for at least 5 minutes, then writes another obfuscated JScript file to the %TMP% folder and executes it using the WScript.Run method. %TMP% is a Windows environment variable that expands to the C:\Users\{user}\AppData\Local\Temp\ directory. The resulting de-obfuscated JScript file runs the ping command in another effort to exceed sandbox timeouts, then downloads two binaries from gatheringmd[.]top, writes them to %TMP%, and executes them, as seen in the code snippet below.

De-obfuscated JScript that downloads two binaries and executes them both.
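The behaviour described above lends itself to an endpoint detection. The following is an added example, not part of the original post: it walks constructed Sysmon-style process-creation events and flags a script host running a .js from %TMP% together with a ping child and executables launched from %TMP%. PIDs, the user name and the stage-2 file name are invented; only the 23.exe and 24.exe names follow the post.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon-like shape (constructed data).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3020, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Stage 1: the attachment, run from the user's Downloads folder.
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\details_bkxeL.js"'},
    # Stage 2: the second script written to %TMP% and launched by stage 1.
    {"pid": 4330, "ppid": 4212, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\stage2.js"'},
    {"pid": 4377, "ppid": 4330, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 120 127.0.0.1"},
    {"pid": 4402, "ppid": 4330, "image": r"C:\Users\alice\AppData\Local\Temp\24.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\24.exe"},
    {"pid": 4415, "ppid": 4330, "image": r"C:\Users\alice\AppData\Local\Temp\23.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\23.exe"},
    # Unrelated benign activity that must not be flagged.
    {"pid": 5000, "ppid": 4100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)   # what %TMP% expands to
JS_FILE = re.compile(r"\.jse?\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_temp_script_chain(events):
    """Flag a script host running a .js from %TMP% whose children match the
    loader behaviour in the post: a ping delay and executables started from %TMP%."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        if not (TEMP_DIR.search(e["cmdline"]) and JS_FILE.search(e["cmdline"])):
            continue
        kids = children[e["pid"]]
        ping_delay = any(basename(k["image"]) == "ping.exe" for k in kids)
        temp_exes = [basename(k["image"]) for k in kids
                     if TEMP_DIR.search(k["image"]) and k["image"].lower().endswith(".exe")]
        parent = by_pid.get(e["ppid"])
        spawned_by_script = parent is not None and basename(parent["image"]) in SCRIPT_HOSTS

        # One point per observed behaviour; a %TMP% script on its own is only "low".
        score = 1 + int(ping_delay) + int(spawned_by_script) + min(len(temp_exes), 2)
        findings.append({
            "pid": e["pid"],
            "script": e["cmdline"],
            "ping_delay": ping_delay,
            "spawned_by_script_host": spawned_by_script,
            "temp_executables": temp_exes,
            "score": score,
            "severity": "high" if score >= 4 else "medium" if score >= 2 else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_temp_script_chain(SAMPLE_EVENTS):
        print(finding)
```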

The Windows executable 24.exe, downloaded from hxxp://gatheringmd[.]top/cb/l2[.]php, is an NSIS-packed loader for the Kovter ad fraud trojan. Kovter is a “fileless” trojan that stores itself in the Windows registry for persistence and antivirus evasion. Upon execution, the trojan checks in with a command and control location whose URL path usually ends in upload.php or upload2.php, sending information about the infected machine such as the operating system version, service pack level, system architecture, and whether any known security programs were detected. Kovter will also check for and install the latest versions of Internet Explorer, the Adobe Flash browser plugin, and the .NET Framework.

The Kovter trojan then generates web traffic hidden from the victim’s desktop. The malware actors craft search terms and inject them into browser sessions driven by their malware, which “clicks” on advertisements that generate revenue through pay-per-click models. We won’t dive too deep into Kovter analysis since it has been well documented already here (PDF) and here (PDF). Configuration data, seen in Table 1 below, is easily extracted from memory while the trojan is running.

Table 1: Kovter configuration for sample 0d01517ad68b4abacb2dce5b8a3bd1d0

cp1: (IP addresses – please see the Indicators of Compromise section below)
cptm: 30
key: a7887cc809cf0d4df17fc5dafd03e4e7 – MD5 of “smooth”
pass: 65537::20717578436666370206990156461786566788132748458910865354994919388630407187082788932551065567891365033974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953103877199811371834197299886690010229547993815721647414299018829914480336700775760032044922438942690008663278856440487164946050309668972730239620373400036156807226902415414689227139343695179004305146177952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383023194954613997204876850415109848188765254167924483000246775174171501733414326729845936854172715365200925796295269097
debug: False
elg: True
dl_sl: False
b_dll: False
nonul: hxxp://185.117.72[.]90/upload2[.]php
dnet32: hxxp://download.microsoft[.]com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe
dnet64: hxxp://download.microsoft[.]com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64[.]exe
pshellxp: hxxp://download.microsoft[.]com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG[.]exe
pshellvistax32: hxxp://download.microsoft[.]com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6.0-KB968930-x86[.]msu
pshellvistax64: hxxp://download.microsoft[.]com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6.0-KB968930-x64[.]msu
pshell2k3x32: hxxp://download.microsoft[.]com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG[.]exe
pshell2k3x64: hxxp://download.microsoft[.]com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG[.]exe
cl_fv: 20
fl_fu: hxxps://fpdownload.macromedia[.]com/get/flashplayer/current/licensing/win/install_flash_player_22_active_x[.]exe
mainanti: DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:0:DD17Dal:hxxp://185.117.72[.]90/upload[.]php:al::

The other Windows executable, 23.exe, downloaded from hxxp://gatheringmd[.]top/ll/l1[.]php, is the loader for Locky ransomware. Locky is written in Visual C++ and contains hard-coded IP addresses for command and control callbacks, although some versions of Locky do not require the victim to have Internet connectivity to start the file encryption process. The following table includes the configuration data we found in this campaign.

Table 2: Locky configuration for sample f3d935f9884cb0dc8c9f22b44129a356

Affiliate ID: 23
Key: RSA1
RSA Key ID: 711
RSA Key Size: 114 (bytes)
DGA Seed: 90577
Execution Delay: None
Svchost Process Persistence: Disabled
Registry Persistence: Disabled
Ignore Russian Computers: Enabled
C2 Callback URL Path: /message.php
C2 Callback Servers: 109.234.35[.]230, 176.103.56[.]119

Conclusion

Distributors behind Kovter are constantly evolving their ransomware game. We can only speculate why these malware actors would “burn” their foothold on an infected machine where they have also placed profitable ad fraud code. Perhaps the return on investment is much higher with ransomware and preferable to standing up the infrastructure and money laundering channels required for conducting ad fraud. PhishMe Intelligence customers can view more details about this threat in ID 7409.

This specific email template is available in PhishMe Simulator to use in your own scenarios.

How susceptible is your organization to phishing threats? Download our latest Phishing Susceptibility and Resiliency Report to learn how reporting phishing can greatly improve your organization’s security posture.

Indicators of Compromise

..:: Email Subject Lines
Courier was unable to deliver the parcel, ID{rand}
Delivery Notification, ID {rand}
Problem with parcel shipping, ID:{rand}
Problems with item delivery, n.{rand}
Shipment delivery problem #{rand}
Unable to deliver your item, #{rand}
We could not delivery your parcel, #{rand}
Fedex parcel #{rand} delivery problem
Notification status of your delivery (FedEx {rand})
Parcel ID{rand} delivery problems, please review
Parcel {rand} delivery notification, USPS
USPS parcel #{rand} delivery problem

 

..:: File Hashes
Filename
MD5 Checksum
Type
23.exe
f3d935f9884cb0dc8c9f22b44129a356
Locky
24.exe
0d01517ad68b4abacb2dce5b8a3bd1d0
Kovter
details_AneLU.zip
bb84729c02b898b7aeef6b65c119f0c4
Attachment
details_bkxeL.js
10c1be3b95fa013458081d19747bc0df
JSDownloader
details_cOBYkk.zip
cc095bc05e61a0b373671e6f80f72686
Attachment
details_CRFuvd.zip
c9cf8185d1168b0712e532a6a7d88fe9
Attachment
details_dFTHp.zip
5ad3fec19d0723532dea49a2ccc3ea9c
Attachment
details_FyReR.zip
f2284d51a3daffcb12ff91f57601c246
Attachment
details_LKXcNI.js
a811a54525161017e5ac1f85b83d2758
JSDownloader
details_MGStju.zip
ab5540f78e67fd196c1be1dfd3612947
Attachment
details_mSplK.js
cdacbaf9b13333ac264b798797432391
JSDownloader
details_pKvHWv.js
17d0d6d8176e01e92f74b9ce08ba188b
JSDownloader
details_PpxpD.zip
320151d35fd61ef1b17f8fe921c4beef
Attachment
details_rqpOqK.zip
f30d21a5c882dbdb011b361a5cba67a4
Attachment
details_shHih.js
111af7977728443aa268479a87c29656
JSDownloader
details_XCFvfh.js
b4179c5a075fed9b606e9b7f068dca4c
JSDownloader
details_XHZms.zip
c3e012a26c9fee9ff72bddf413f74f52
Attachment
details_YAVSi.zip
e0cabfc058cc4d6ff2419743a79f6b1a
Attachment
details_ZHewkz.zip
f7a7d41def5a90ed504581edf719c079
Attachment
details_zZcSMY.js
d2096cc86d4d89904316caca5b2242f9
JSDownloader
doc-details_cLOFYn.js
035caab39c0cbe55e59a78ce6cb8e3f7
JSDownloader
doc-details_CPwxGO.js
ab4ed724a82100735195d8767afec999
JSDownloader
doc-details_dNqBy.js
81a37ce8dc207d6adfe99fe4f29790ac
JSDownloader
doc-details_FUCxwj.js
963fa75b2d36b525df79c89bb6674c57
JSDownloader
doc-details_gfSxM.zip
f79543458f14e4fd05077f497e5b3b6c
Attachment
doc-details_hKuupX.js
72940493157e8313f53f40ecb0cc8999
JSDownloader
doc-details_hZpjC.js
acf53f8fedb0c9e7c717f17b24c2bd40
JSDownloader
doc-details_LamGu.js
a76c99d8e8e1fb61c80751a3b86b0161
JSDownloader
doc-details_qHpxP.zip
f5e55dd9c3f1258792940e6d44ff69e6
Attachment
doc-details_xMSZnv.zip
4615a66cff28ab1993d1cf1767012fa2
Attachment
doc-details_ysKya.zip
5af53a61146d95ff3cd4906998d5a3dc
Attachment
docinformation_chckfG.zip
53da2b40b05311ebf1c96d1390e498c5
Attachment
docinformation_eiBUR.js
0fdbf59914be1d61b2ebea804681a06d
JSDownloader
docinformation_fobWte.zip
de92d06890c4c036059805eb76cf6932
Attachment
docinformation_gFsaxs.js
f3bb12d7fd0512075154b68f748b106c
JSDownloader
docinformation_hYBnW.js
fa99be4f0cf635cf5ab27c8d9cdb737c
JSDownloader
docinformation_jwmOKD.zip
397985be48b08034596b74f3258f4be8
Attachment
docinformation_KxARw.js
5b4dd2f0077cb49626ea0fc4b28042e6
JSDownloader
docinformation_LyIGo.zip
f137879fd5f1b616e5468f2940a72670
Attachment
docinformation_tfFVrb.zip
a1e2571d4a9a9adc0e43a844e24f4b9a
Attachment
docinformation_UKqiN.js
d27d0caa0998f3d55a3742410849af0e
JSDownloader
docinformation_vvfUNP.zip
68c80b0764dae51a444798e84b7d567c
Attachment
document_aCBltX.zip
7835b9b6460756b69421b4ad9ee4d460
Attachment
document_bgFtst.js
33a195f89bc70f47d0b3531b6929cacc
JSDownloader
document_gDhkHi.js
1a0897eb182ce799950844870003bffb
JSDownloader
document_GZrswr.zip
6b51f7dc3d01e1e1d80e663251e826c0
Attachment
document_NpkFE.js
c17fd226efc58df20d61e98799728b9e
JSDownloader
document_Rgvjf.js
060d4ecd9101dec77ef2ff932682660c
JSDownloader
document_xSdOeE.zip
85a93ae756b903c27dc348a566a05bda
Attachment
info_aaRda.js
d3902306e1a94fa58670c93db5565a9e
JSDownloader
info_EkuERW.zip
489ec3212a4ff602a0d44296913468c3
Attachment
info_LUTTy.js
90023223eb47013711919de9dcd5dd07
JSDownloader
info_SCfca.zip
8ef1cc722479c09ab067be9caa130113
Attachment
info_wKfhS.zip
07362becf09c43f14ff6bd112c117176
Attachment
letter_cjJeHL.zip
7b72a9ceec70a30b0dbb7cc0a4b2e202
Attachment
letter_DsrtV.zip
1715cc68bd8fc453415ecf39ede93cd6
Attachment
letter_kNYHrR.zip
3d698ce90f48b585bd932521c065cda6
Attachment
letter_OjWlc.zip
3a13e6f6846a5a1722e8b266ceae8dd6
Attachment
letter_QnBTi.zip
4cbc25dcbf08de24ee87bcc119f6c16f
Attachment
letter_RfVviz.zip
0cfc0aec33a7bdbffa53895c9cd7fb57
Attachment
letter_VuHASr.js
100a19a7278820886461ca509ec1c993
JSDownloader
letter_YKkPE.js
ed12fead265edfe0152f27dae6078212
JSDownloader
post_info_asgHE.zip
d60c838a51236ac585013a8f807b7569
Attachment
post_info_bwJbDR.js
e47f9353f491581e46e46647a357c93c
JSDownloader
post_info_CeZZu.js
a363de2b167ac355a0f93888b5e04a6b
JSDownloader
post_info_cGuqm.zip
cdee553957fb83a40f7b14eba0a41ed0
Attachment
post_info_CsbYG.zip
f5af5b7834bda884188490452c2c85e6
Attachment
post_info_CzRrE.zip
1567ed8c60a92e2ff8678432ad083a4d
Attachment
post_info_FvdXc.js
b50585cc02304fc4e3238b4d2e071178
JSDownloader
post_info_KsELg.js
0b28a46cd55c859e2bc42d5ed48a3f0d
JSDownloader
post_info_MSGDE.js
e0f23f5e0403c2a3de0cfde2fe89938d
JSDownloader
post_info_pJtOt.js
e8e093060c70372ef942f89633d9bd0c
JSDownloader
post_info_tuOxpr.js
8da38959402c894db8e55b01fd6ffb6b
JSDownloader
post_info_xXWwy.js
be900919c08a6f9e15dbc88f9a8bc91f
JSDownloader
warning-letter_equIH.zip
31ae173517f1c3b95c2eae4e7b546c9a
Attachment
warning-letter_IcDwG.js
7afa14b7941098c48d88ba8befa926cc
JSDownloader
warning-letter_IoBWF.js
412d93a1600236b226784e6011399dc2
JSDownloader
warning-letter_ojIjtc.zip
749a7c139690a6b527800fbccd4066f9
Attachment
warning-letter_PNEIi.zip
dc6f872e1f5caea1d29a48b9f183de40
Attachment
warning-letter_rAvJv.js
dfe0d32610330f32747da3551b3b722f
JSDownloader
warning-letter_ShAAZ.zip
e9d953fb3dc52364d71674c3b1aa8b9d
Attachment
warning-letter_swXcEq.js
3987c2d03042dee1bf5f90127dc8dc0d
JSDownloader
warning-letter_tjTfks.zip
992b864fa761ff7ae3ae114f1c0b3237
JSDownloader
warning-letter_ZHsTF.js
8078316a13c0139c4b8472dc53cff718
JSDownloader
warning-letter_ZoikPb.zip
316b7e8bb7bb773aa8a6ad47c6953e4f
Attachment
watch_it_CdJex.js
5ae36d68911396dd7c0bf9ef674e25d0
JSDownloader
watch_it_dZpLi.zip
f5ddcfb1545a1af403131d115cf04ce6
JSDownloader
watch_it_GCzQN.js
be44dd6023c9ea40e82369272bb933d2
JSDownloader
watch_it_JNHNs.zip
d997419f7348c2e45e3fff33ed66985f
Attachment
watch_it_KgDcbd.zip
80fc86862e21d7022743b1b388334bbe
Attachment
watch_it_lRqvTG.js
7ac74145aa485acf711df23e2d3ed6ec
JSDownloader
watch_it_odoRqP.js
2dfe5e49862d57ac1f5c510f0568afd2
JSDownloader
watch_it_sOqdK.js
b0cd17c7ecddfc176adb089948f5703e
JSDownloader
watch_it_udGEp.zip
3277afcde8d2dd473d3da61c0a4b0b61
Attachment
watch_it_VuCwU.js
35f36d821794c5951dd4a29fd326b379
JSDownloader
watch_it_WeOiwi.js
8f3e35cead2b76bfb0bfbeb9783101c1
JSDownloader
watch_it_wiaSit.js
1c5a1719337b72562a9e09f51c44b088
JSDownloader
watch_it_wJInBR.zip
eb34a9e90d3ec4a8e358d69a006ebf2c
Attachment
watch_it_WkuTs.js
a9cdf2f2e946f32bde8054167c49f025
JSDownloader
watch_it_YKqLr.zip
ecc2e62e42ea24134b9522e2c3b4df5e
Attachment

 

..:: 2nd Stage Downloads
gatheringmd[.]top
post-us-post[.]com
46_22_220_32:80 23_94_62_145:80 81_22_255_154:80 107_182_132_63:80 23_94_62_145:80 107_182_132_63:80 200_63_47_104:80 146_0_77_17:80 185_159_37_58:80

..:: Kovter C2
hxxp://185.117.72[.]90/upload[.]php
hxxp://185.117.72[.]90/upload2[.]php

With apologies to Led Zeppelin fans: The (BEC) Song (Still) Remains the Same

Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam. Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world.

Just last week, yet another phisher tried to phish PhishMe.  Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s IP address and user-agent.

Since that time, we have seen repeated attempts against our CFO, Sam Hahn, where he receives messages impersonating our CEO, Rohyt Belani.  These messages seek to engage Sam in an exchange regarding an urgent request to make a wire transfer.  Of course, such wires would be fraudulent, but, amazingly, the phish-back technique almost always works.  It has resulted in the identification of as many as five mule accounts at five different banks for one potential transaction.

The Song

With this latest attempt against PhishMe, the phisher apparently used social media and/or search engine results to identify the name and email address of a staff accountant who reports to Sam Hahn, bypassing Sam’s renowned phish-spotting skills. But the phisher’s email message landed with another trained reporter at PhishMe, who submitted the message as Suspicious using the PhishMe Reporter button. The report fed into our internal PhishMe Triage, where we could quickly see that the accountant has a high Reputation Score, indicating that she is good at spotting truly suspicious messages. We knew that we should have a look right away at her report, shown in Figure 1 below. The subject line of the message was the accountant’s first name, and the salutation included her first name.

Figure 1: Initial message from BEC phisher

Then our incident response plan kicked in, and we asked the accountant to reply with an offer to help, as seen in Figure 2 below, where the phisher responded right away with his plea for money to cover a secret international acquisition. (Ah! The intrigue!)

Figure 2: BEC phisher makes plea for a wire transfer

In her response to that second message, our astute accountant indicated that she would need someone else to sign off on the wire transfer, “since it is an international wire.”  She actually copied our incident response team, which later provided a wire “confirmation link” to the phisher.  Figure 3 below shows the third message from the phisher, where he sent wire instructions to the accountant.

Figure 3: The BEC phisher sends wire transfer instructions

Once the mule account was revealed, it was reported to the bank, and our accountant’s associate sent a “confirmation link” that, when clicked by the phisher, revealed the phisher’s physical location.  From the phisher’s point of view, the link re-directed to the login page for the bank hosting the mule account.

The phisher must have been convinced that the wire transfer had been made because the next morning, twenty hours after the initial request, he came back for more.  In Figure 4 below, you can see where he hit up our accountant’s associate (really, our incident response team member) for a double dip.

Figure 4: The BEC phisher returns the next day to request more money

The final part of that thread included instructions for a $165,590 wire, details of an account at a second bank, and a request for a confirmation.

The Investigation

Beyond reporting this to the U.S. government’s Internet Crime Complaint Center at www.ic3.gov, our researchers wanted to dig deeper and document this phisher’s other activity. It turns out that the lookalike domain name phislhme.com was registered at 1&1 Internet SE on December 15th, the same day as the first spam message to PhishMe, using the email address garyrabine@rabinagroup.com. When we initially looked into whether that same email address had been used to register other domain names, we found 69 other domain names, all registered within the previous week and all seemingly misspellings of domain names in use by real companies.

We took the list of domain names and guessed at which real company each domain was meant to imitate.  We then notified the administrative contacts of record for those legitimate domain names.  Though there was a handful of bounced messages, four companies replied with appreciation, and, so far, one has responded that their company had also received a BEC phishing email.

We checked back again this week to see how many domain names have been registered with 1&1 by this threat actor, and now there is a total of 156 domains.  We notified 1&1 on December 19th and requested that all the names be de-activated.  (see list at this link)

Takeaways

Though the song remains the same, phishers are constantly evolving their tactics to lead to more success.  In this recent attack, the phisher did not use the word “urgent” or “wire” in the subject line of the email message.  He also opted not to try for the CFO again; he likely found our accountant’s name and email address online and contacted her instead, possibly in hopes that she would feel a sense of urgency to which our CFO has become inured.  Then, when we saw the plea for money, we knew a bit more about why the phisher may have opted to avoid our CFO—it was a secret deal that only the “CEO” could know about.

We also want you to understand that this does not just affect large companies.  Because this scam has been going on for years, some of the larger targets have already been hit, and some have learned very hard lessons.  And with over 150 companies of all sizes spoofed by this one phisher and almost a full day between the two wire requests we received, we think this phisher is very busy.

PhishMe also wants everyone to understand how simple but effective these scams can be.  Learn how to spot them, and make sure your employees are great reporters.  Your staff needs to know that raising a red flag to the appropriate team can make all the difference in the world to your company, preventing the loss of hundreds of thousands of dollars and helping us stamp out this fraud.

Fortifying Defenses with Human-Verified Phishing Intelligence

Mining Phish in the IOCs

PhishMe® and Palo Alto Networks® are providing security teams with the ability to ingest human-verified phishing intelligence in a standard format that can be automatically enforced as new protections for the Palo Alto Networks Next-Generation Security Platform through the MineMeld application. Through this integration, PhishMe and Palo Alto Networks are providing a powerful approach to identifying and preventing potentially damaging phishing attacks.

The challenge of operationalizing threat intelligence

Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it comes to phishing, continues to weigh on the minds of businesses regardless of size. Security teams require the ability to ingest, verify and enforce new protections for potential phishing attacks, all within their existing infrastructure.

Where are the Phish?

PhishMe extends beyond a traditional data feed: customers receive phishing intelligence. What is the difference between intelligence and traditional data?

Information without context is data. Intelligence is information with context, and context is what security teams require in order to have confidence in their decisions.

Intelligence customers receive indicators specific to phishing campaigns and to the criminal command and control (C2) and botnet infrastructure associated with malware families like Locky, Dyre, and Cerber. This is backed up by threat intelligence reports with verbose context that give security teams insight into attacker TTPs.

PhishMe identifies what is nefarious, but more importantly, why, and what it means.

Integration Tackle Box for PhishMe and Palo Alto Networks

Security teams who wish to easily complement their Palo Alto Networks Next-Generation Security Platform’s security policies with PhishMe Intelligence will need an instance of MineMeld (version 0.9.26 and above) and PhishMe Intelligence API credentials (contact PhishMe for trial access http://phishme.com/product-services/live-demo). MineMeld will ingest intelligence from PhishMe, and can automatically feed new prevention controls to Palo Alto Networks devices, without adding heavy operational burden.

Configuring MineMeld with PhishMe

The following is a step-by-step guide to configuring MineMeld to ingest PhishMe Intelligence phishing URLs, aggregate them, and construct an output capable of blocking malicious URLs in security policies on PAN-OS devices. Before we dive into the configuration of MineMeld, it is important to review the three key concepts behind the application:

  • Miners: responsible for retrieving indicators from configured sources of intelligence and data feeds. Miners bring in new indicators on a configurable, periodic basis, and also age out any indicators that are no longer needed.
  • Processor: the processor node aggregates the data obtained by the Miner and normalizes it into IPv4 addresses, IPv6 addresses, URLs, or domains. Once aggregated, the data is sent to the output nodes.
  • Output: the output nodes gather data from the processor node and convert it into a format that can be consumed by PAN-OS (and other non-PAN-OS external services).
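As an added example, not MineMeld's own code, the following sketches the three node roles in plain Python over a constructed feed: a miner that types indicators, a processor that ages out, filters and deduplicates them, and an output that renders a PAN-OS External Dynamic List body. The record layout, the 30-day age-out, the confidence floor of 75 and the scheme-less URL entries are assumptions; the indicator values are invented.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed records shaped like what a miner would pull from an intelligence API.
# Values are invented (documentation address ranges and reserved example names).
RAW_FEED = [
    {"indicator": "http://malicious.example/cb/l2.php", "confidence": 100, "last_seen": "2017-01-09"},
    {"indicator": "http://malicious.example/cb/l2.php", "confidence": 100, "last_seen": "2017-01-08"},  # duplicate
    {"indicator": "https://stale.example/payload.exe",  "confidence": 90,  "last_seen": "2016-11-01"},  # too old
    {"indicator": "198.51.100.7",                        "confidence": 80,  "last_seen": "2017-01-09"},
    {"indicator": "2001:db8::1",                         "confidence": 80,  "last_seen": "2017-01-09"},
    {"indicator": "c2.example",                          "confidence": 60,  "last_seen": "2017-01-09"},  # low confidence
    {"indicator": "not an indicator!",                   "confidence": 100, "last_seen": "2017-01-09"},  # malformed
]
NOW = datetime(2017, 1, 10, tzinfo=timezone.utc)   # fixed clock so the run is reproducible

DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.I)


def classify(value):
    """Return 'IPv4', 'IPv6', 'URL' or 'domain', or None for unusable input."""
    try:
        return "IPv%d" % ipaddress.ip_address(value).version
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")) and urlsplit(value).netloc:
        return "URL"
    if DOMAIN_RE.fullmatch(value):
        return "domain"
    return None


def mine(raw_feed):
    """Miner node: yield typed indicators with a parsed last-seen timestamp."""
    for rec in raw_feed:
        itype = classify(rec["indicator"])
        if itype is None:
            continue          # malformed record: drop it rather than poison the feed
        seen = datetime.strptime(rec["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        yield {"indicator": rec["indicator"], "type": itype,
               "confidence": rec["confidence"], "last_seen": seen}


def aggregate(indicators, now=NOW, max_age=timedelta(days=30), min_confidence=75):
    """Processor node: age out, apply a confidence floor, keep the newest sighting
    of each indicator, and group the survivors by type."""
    best = {}
    for ind in indicators:
        if now - ind["last_seen"] > max_age or ind["confidence"] < min_confidence:
            continue
        key = (ind["type"], ind["indicator"])
        if key not in best or ind["last_seen"] > best[key]["last_seen"]:
            best[key] = ind
    groups = {}
    for (itype, _), ind in best.items():
        groups.setdefault(itype, []).append(ind)
    return groups


def render_edl(groups, itype):
    """Output node: an External Dynamic List body for one indicator type, one entry
    per line. Assumption: URL entries are written without the scheme."""
    entries = []
    for ind in groups.get(itype, []):
        value = ind["indicator"]
        if itype == "URL":
            parts = urlsplit(value)
            value = parts.netloc + parts.path + ("?" + parts.query if parts.query else "")
        entries.append(value)
    return "".join(line + "\n" for line in sorted(entries))


def build_feeds(raw_feed=RAW_FEED, now=NOW):
    """Run the whole pipeline and return one list body per indicator type."""
    groups = aggregate(mine(raw_feed), now=now)
    return {itype: render_edl(groups, itype) for itype in ("URL", "IPv4", "IPv6", "domain")}


if __name__ == "__main__":
    for itype, body in build_feeds().items():
        print("== %s ==\n%s" % (itype, body or "(empty)\n"))
```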

PhishMe Intelligence Miner Node

(Image of Miner Node with API credential example and phishme.intelligence prototype)

Processor Node

(Image of Processor Node using the stdlib.aggregatorURL prototype and the PM_Intel input from the configured Miner)

Output Node

(Image of Output Node using the stdlib.feedHCRedWithValue prototype and the agg_URL_all input from the configured Processor)

Configuration Graph Summary

The configuration graph is a summary showing the flow of PhishMe Intelligence: the miner collects intelligence, the processor aggregates it, and the output node structures the data so it can be applied to prevent phishing.

(Example of PhishMe Intelligence aggregated and with output URL data for PAN-OS)

Log Detail with URL Indicator and High Confidence rating of 100

The image below shows an example of URL intelligence received in the MineMeld log. This entry identifies a malware payload associated with an Office macro downloader and the TrickBot (similar to Dyre) family. If they choose to, analysts can then follow the URL to the Threat Report, whose executive and technical details explain more about the malware.

The above summarization of the MineMeld setup portrays how easy it is to take very relevant and useful information and structure it so that it can be operationalized with other security investments. Far too often teams have underutilized technical resources or processes that place a strain on the workforce. MineMeld reduces the human burden and provides security teams with the ability to create actionable prevention-based controls.

Phishing Intelligence Operationalized = PhishOps!

Let’s review an example of how to operationalize these indicators of phishing (IoPs) and apply them to a Palo Alto Networks security policy to deny egress traffic to these phishing URLs.

Create New Object in PAN-OS

From the Objects tab, select External Dynamic Lists from the navigational pane. Analysts just need to provide the relevant information to pull in the list of URLs from MineMeld.

(Example of External Dynamic List linking to URL list from MineMeld)

Apply to PAN-OS Security Policy

With the External Dynamic List defined, security policies can now be created based on acceptable criteria. In the case below, inside sources browsing externally and matching the PhishMe Intelligence URLs will be denied.

(Example policy to deny inside to outside web-browsing against PhishMe Intelligence URLs)

FINito! Wrapping up

A similar process can be repeated for IP lists and domains, and applied according to the phishing threats facing the business. The way MineMeld handles the data it receives makes applying it to the Palo Alto Networks Next-Generation Security Platform very effective. Security teams will need to determine where they want to apply the policies once MineMeld has compiled the data.

The phishing threat is alive and very well, and the ability for security teams to maximize their investments and operationalize intelligence with low administrative overhead should make tackling that threat enticing.

More about MineMeld:

MineMeld, by Palo Alto Networks, is an extensible threat intelligence processing framework and the ‘multi-tool’ of threat indicator feeds. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks Next-Generation Security Platforms.

To learn more about the Palo Alto Networks Next-Generation Security Platform, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

To learn more about PhishMe Intelligence, visit: http://phishme.com/product-services/phishing-intelligence/.

 

Employee reporting of suspicious emails substantially outweighs susceptibility to attacks

Following a thorough analysis of 40 million phishing simulation emails, PhishMe’s latest research measures global susceptibility and resilience to phishing threats

LEESBURG, VA, December 13, 2016: PhishMe Inc., the leading provider of human phishing defense solutions, today released its 2016 Enterprise Phishing Susceptibility and Resiliency Report, which illustrates employee susceptibility to phishing emails and the resilience improvements seen when employees are engaged in security reporting. With phishing still the most common cyber-attack vector leading to data breach, the report analyzes the most successful triggers, themes and emotional motivators leading employees to fall for phishing emails, as well as how reporting can reduce time to attack detection from days to minutes.

The PhishMe research teams analyzed data compiled from over 40 million phishing simulations performed between January 2015 and July 2016. Responses were gathered from a sample of over 1,000 PhishMe customers across the globe, including Fortune 500 and public sector organizations from 23 industry verticals. Published today, PhishMe’s 2016 Enterprise Phishing Susceptibility and Resiliency Report identified the following insights:

  • Business context phishing simulation emails still the most challenging: Office communications and finance-related themes generated the highest susceptibility rates, with 19.9 percent and 18.6 percent respectively, driven by sentiments of curiosity, fear and urgency.
  • Reporting outweighs susceptibility to phishing: Over a relatively short amount of time, reporting rates bypass susceptibility rates when at least 80% of the company has been conditioned to identify and empowered to report suspicious emails.
  • Active reporting can significantly decrease breach detection times: Samples analyzed show reporting of suspicious emails reduced security team response time to approximately 1.2 hours, against the current industry average of 146 days to detect a security breach.

PhishMe’s analysis revealed that business or office-related phishing emails proved to be the most effective simulations, as well as the most difficult for users to recognize and report. Phishing emails with sentiments of curiosity, fear and urgency scored the highest percentage in average response rates, suggesting that employees are at risk of increased susceptibility to phishing campaigns that include an emotional pull, even at a subconscious level.

“Our analysis shows that continued exposure to simulations lowers the chance of an employee falling for a phishing email – the key being consistent exposure,” stated Aaron Higbee, Co-Founder and CTO at PhishMe. “Once employees are conditioned to identify phishing attacks, our data shows that reporting them to the IT Security team starts to outweigh organizational susceptibility. It only takes one employee to report a targeted attack to give incident response teams a chance to stop a potential data breach. Armed with this new data, we hope that more CISOs focus their attention on the ratio of Report-To-Click instead of dwelling on susceptibility metrics.”

The 2016 Enterprise Phishing Susceptibility and Resiliency Report also analyzes variances in phishing simulation response by theme, emotional trigger, and average response rate per industry. Looking at one particular type of phishing email, the “file from scanner” scenario generated the highest response rate in the transportation sector at 49 percent, followed by healthcare at 31 percent and insurance at 30 percent. On the other hand, the non-profit sector scored the lowest response rate, at 5 percent.

“Understanding what motivates your employees to open or fall for a phish is a critical step in building their resiliency to attacks and enabling faster incident response,” continued Higbee. “At its core, a phishing simulation program allows organizations to assess, measure, educate and empower all employees about phishing threats while creating a wider net of human sensors to help reduce the risk of a full-blown data breach.”

 

To download a full copy of the 2016 Enterprise Phishing Susceptibility and Resiliency Report, click here.

An Open Enrollment Reminder – Phishers Want Your HSA Money!

As the end of the year approaches, many companies are communicating with their employees about benefits and Health Savings Accounts via email. Criminals realize this and have decided to get in on the action! More consumers than ever are using HSAs as a way to save pre-tax income for future medical expenses. A report released by Devenir Research shared that, as of August 2016, 18.2 million HSA accounts currently hold $34.7 billion in assets – a 22% growth over 2015 – and projects that by the end of 2018, more than $50 billion will be on deposit in HSA accounts. That’s a tempting target for criminals, and, given the increase in HSA-related emails, they are ready to use email-based phishing attacks to try to steal your account credentials.

HSA Phishing Attacks

PhishMe has observed a large spike in phishing traffic targeting HSA account user IDs and passwords, starting November 11, 2016, and continuing through today. More than seventy distinct phishing attacks have been observed since that date, targeting Health Savings Accounts at Optum Bank and Fidelity. Fortunately, both of these organizations have been very responsible in their response to phishing and have provided additional information to help protect their customers.

The most prominent Optum phishing attack we are seeing directs the user to a page that looks like this:

Optum customers are encouraged to familiarize themselves with the actual look of their HSA login page and, most importantly, to pay attention to the URL. In the phishing URLs reviewed by PhishMe, the website did not belong to Optum and in some cases didn’t even attempt to pretend to be Optum. The phishers know that most users do not look at the URL of each website they visit. Following are a few example URLs that users clicked on, thinking they were accessing their HSA:

  • twistshop.me/myuhcfinancial/optum/
  • opthsa.com/optumhealthfinancial/optum/
  • megaleft.com/optumhealth/optum/

OPTUM Financial Services provides great information about how to protect your account on its Account Security web page: www.optumhealthfinancial.com/protect-account.html. They encourage account holders who may have clicked a link or opened an attachment to call them, or, if you have NOT clicked the link or opened the attachment, to forward the email to assetprotection@optum.com. Their account protection web page also provides a sample phishing email that may be similar to one you receive.

PhishMe is also observing a large increase in phishing attacks imitating the Fidelity Health Savings Account. As with the Optum phish, the key to detecting these phishing web sites is inspection of the URL. In the example below, the web page looks very convincing, but the URL contains the domain name shoe-etc.com which is certainly not Fidelity’s main login page for HSA accounts!

Some of the suspicious URLs we’ve seen for Fidelity’s HSA accounts include the following:

  • myhrsa.com/mynetbenefit.fidelity/fidelity/
  • fidelitynetbenefit.shoe-etc.com/fidelity/
  • securemynb.fidelity.opthsa.com/fidelity/
  • ubs-money.com/netbenefitsfidelity/fidelity/

Fidelity also has a very helpful web page for letting its customers know about possible security problems. Suspicious emails that you receive can be sent to phishing@fidelity.com, and the Report an Online Security Issue web page at https://www.fidelity.com/security/report-an-issue has telephone numbers and additional tips related to phishing.

And Malware, Too!

The PhishMe Intelligence team has also recorded health insurance social engineering attacks that delivered malware via spam messages. The most blatant of these was a high-volume spam campaign observed on November 7, 2016. Using the email subject line “Health Insurance”, the email body read as follows:

The email attachment contained a zip file that used the word insurance and some random numbers as its name, such as:

  • insurance_39017dc45.zip
  • insurance_95341063.zip
  • insurance_bc9ebb1f.zip

These .zip files contained hostile JavaScript code for downloading and executing the Locky ransomware. Locky can encrypt all files on both your local machine and network drives, and these files can only be decrypted by paying a ransom to the criminal.

Conclusion

During this time when the corporate emails are likely to be full of reminders about Open Enrollment and Health Savings Accounts, regarding both spending your remaining balance and setting up the account for next year, be sure to not let the pressure prevent you from being cautious! As our friends at the Anti-Phishing Working Group like to say – Stop. Think. Connect.

Be sure to share this warning with your friends, and consider sharing it with your HR department as well.

Ransomware made up 97% of phishing emails so far in 2016, what about the rest? Learn more in our latest Q3 Malware Review.

A Warning on Christmas Delivery Scams

The time of year has once again arrived when post offices are busier than the freeway on a Friday evening. We buy gifts, online and in stores, and we send and expect packages to and from the far corners of the country, continent, and even the world.

Yet behind this frenzy of merriment skulk a series of dangers. Although Christmas is still more than a month away, holiday scammers have already been active in various areas across the US. For a number of years, security experts have grown to expect a hike in the number of internet scams spotted around the festive period, from fake deal websites to counterfeit greeting ecards. One example is becoming highly popular among threat actors and is well positioned to trick even the most security-aware individual: failed delivery phishing scams.

UPS estimates that more than 630 million packages were delivered in the U.S. during the holiday period last year, and FedEx predicts 317 million shipments between Black Friday and Christmas Eve. With all this holiday mail, not to mention everyone out and about preparing for their celebrations, it is not surprising to find a “delivery failed” notice in your inbox. If the message concerns something needed by Christmas, the annoyance at having to re-organize a delivery can make us act rashly and even foolishly.

It is widely known that the keys to successful social engineering are fear and greed. When presented with compelling stimuli in these categories, criminals can count on a significant number of their potential victims briefly suspending their information security awareness training and clicking the link. As Christmas approaches, certain malware families such as ASProx may see high-volume spikes, taking advantage of shoppers lowering their guard. In December 2014, spammers used ASProx to deliver fear in the form of a Failed Delivery email from big, respected brands like CostCo, BestBuy, and Walmart. Recall that PhishMe’s Gary Warner identified more than 600 hacked websites that were used as intermediaries to evade detection: the spammed links pointed to websites that had been “known to be good” until the morning of the attack.

So who should be on the lookout for these scams, and what can be done to protect Christmas shoppers?

Basically everyone, from individual consumers to massive businesses, should be on high alert. Though we should not let scammers turn shoppers into paranoid victims, being able to spot the details that reveal a scam can be the only thing standing between a scammer and your personal or company bank account details. Christmas scams are dangerous enough for individuals, but if the computer used to access these websites is a company or government computer, they can have a wide-ranging and long-term impact. And with nearly , this is a subject to take extremely seriously.

So be vigilant, and have a very merry (and scam-free) holiday season.

 

Did you know that 97% of phishing emails delivered in 2016 contained ransomware? Learn more by downloading our latest Q3 Malware Review.

SC Magazine Awards Recognize PhishMe as Finalist in Best IT Security-Related Training Platform Category for the Second Year in a Row

Fresh off our win in the same category last year, we’re thrilled that PhishMe Simulator has been chosen as a finalist once again in the 2017 SC Magazine Awards for Best IT Security-Related Training Platform. The award highlights companies and organizations that provide end-user awareness training programs for enterprises to ensure that employees are knowledgeable and supportive of IT security and risk management plans.

We’ve worked hard to live up to the honor of winning this prestigious award and many others such as being named a leader in the Gartner Magic Quadrant for Security Awareness Computer Based Training.

This industry recognition reinforces PhishMe’s commitment to delivering the best solutions to combat today’s top cyberthreats such as phishing emails and their malicious intent – whether malware, BEC or credential theft. These types of attacks show no signs of slowing down – and neither will PhishMe. Just recently, Europol named ransomware the top cybercrime threat, and our own PhishMe Q3 Malware Review showed that 97 percent of phishing emails now contain some form of ransomware.

As the reigning winner of this award, we have strived to spread our philosophy that Awareness is Not Enough. By leveraging our unique approach to phishing defense, our customers have been able to train their employees to be security assets instead of vulnerabilities by behaviorally conditioning them to identify and report threats. As such, we look forward to being considered by the judges as a finalist for another year in the training program category.

By empowering employees with the proper conditioning needed to detect and report malicious phishing emails, our users quickly and efficiently assess organizational risk, identify areas for additional improvement as well as provide security teams with effective intelligence that allows them to respond to incidents in a timely manner. In some cases, this type of conditioning has reduced a company’s overall susceptibility by more than 95 percent.

We’re excited to find out if we’ve made the cut again during the awards ceremony on Tuesday, February 14, 2017 at the Intercontinental San Francisco. Wish us luck!

 

To learn more about the SC Magazine Awards, visit https://www.scmagazine.com/awards/

Learn more about our multi-lingual, complimentary, computer based training – PhishMe CBFree.

Ransomware Delivered by 97% of Phishing Emails by end of Q3 2016 Supporting Booming Cybercrime Industry

PhishMe Q3 Malware Review finds encryption ransomware has hit record levels, while ‘quiet malware’ remains a significant threat

LEESBURG, VA, November 17, 2016: PhishMe Inc., the leading provider of human phishing defense solutions, released findings today showing that the share of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016, from 92 percent in Q1. Remaining at the forefront is the Locky encryption ransomware, which has introduced a number of techniques to resist detection during the infection process.

Published today, PhishMe’s Q3 2016 Malware Review identified three major trends that were recorded throughout 2016 but have come to full fruition in the last few months:

  • Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity
  • Ransomware encryption: The proportion of phishing emails analyzed that delivered some form of ransomware has grown to 97.25 percent, leaving only 2.75 percent of phishing emails to deliver all other forms of malware utilities
  • Increase in deployment of ‘quiet malware’: PhishMe identified an increase in the deployment of remote access Trojan malware like jRAT, suggesting that these threat actors intend to remain within their victims’ networks for a long time

During the third quarter of 2016, PhishMe Intelligence conducted 689 malware analyses, showing a significant increase over the 559 analyses conducted during Q2 2016. Research reveals that the increase is due, in large part, to the consistent deployment of the Locky encryption ransomware. Locky executables were the most commonly-identified file type during the third quarter, with threat actors constantly evolving the ransomware to focus on keeping this malware’s delivery process as effective as possible.

“Locky will be remembered alongside 2013’s CryptoLocker as a top-tier ransomware tool that fundamentally altered the way security professionals view the threat landscape,” explained Aaron Higbee, CTO and Co-founder, PhishMe. “Not only does Locky distribution dwarf all other malware from 2016, it towers above all other ransomware varieties. Our research has shown that the quarter-over-quarter number of analyses has been on a steady increase, since the malware’s introduction at the beginning of 2016, and thanks to its adaptability, is showing no signs of slowing down.”

While ransomware dominates the headlines, the Q3 PhishMe Malware Review reveals that other forms of malicious software delivered using remote access Trojans, keyloggers and botnets still represent a significant hazard in 2016. Unlike ransomware, so-called ‘quiet malware’ is designed to avoid detection while maintaining a presence within the affected organization for extended periods of time. While only 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of unique malware samples delivered by these emails far exceeded that of the more numerous ransomware delivery campaigns.

Rohyt Belani, CEO and Co-founder of PhishMe added, “The rapid awareness and attention on ransomware has forced threat actors to pivot and iterate their tactics on both payload and delivery tactics. This sustained tenacity shows that awareness of phishing and threats is not enough. Our research shows that without a phishing defense strategy, organizations are susceptible to not just the voluminous phishing emails used to deliver ransomware, but also the smaller and less-visible sets of emails used to deliver the same malware that has been deployed for years. Only by preparing for these attacks is it possible to empower users to act as both human sensors for detecting attacks and partners in preventing threat actors from succeeding.”

To download a full copy of the Q3 2016 Malware Review, click here.

 

About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

PhishMe Ranked No. 152 Fastest Growing Company in North America on Deloitte’s 2016 Technology Fast 500™

Company Attributes Massive Revenue Growth to its Unique Approach to Preventing and Mitigating Cyber Attacks

Leesburg, VA – November 17, 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, today announced it ranked No. 152 on Deloitte’s Technology Fast 500™, a ranking of the 500 fastest growing technology, media, telecommunications, life sciences and energy tech companies in North America based on revenue growth. PhishMe grew 564.1 percent over the last three years, as enterprises implement its suite of products to mitigate cybersecurity threats.

“The unprecedented increase in frequency and damage caused by cyberattacks in the recent past has created a demand for innovative defensive solutions that can adapt to the attackers’ changing tools and techniques,” said Rohyt Belani, PhishMe CEO. “Our dogged focus on innovation, followed through with strong execution, has supported the company’s explosive growth over the last three years. We are honored to be recognized on this coveted list by Deloitte.”

“Today, when every organization can be a tech company, the most effective businesses not only foster the courage to explore change, but also encourage creativity in using and applying existing assets in new ways, as resourcefully as possible,” said Sandra Shirai, principal, Deloitte Consulting LLP and U.S. technology, media and telecommunications industry leader. “This ingenious approach to innovation calls for the encouragement of curiosity and collaboration both within and outside the office walls.”

“This year’s Fast 500 winners showcase that when organizations are open to diverse perspectives and insights, they are able to create an environment for their employees and customers to see the possibilities and ingenious solutions that might lie ahead,” added Jim Atwell, national managing partner of the emerging growth company practice, Deloitte & Touche LLP. “Entrepreneurial environments foster change and innovation within businesses, and we look forward to watching these companies continue to drive change across all sectors.”

PhishMe, Inc. previously ranked number 99 as a Technology Fast 500™ award winner for 2015. Overall, 2016 Technology Fast 500™ companies achieved revenue growth ranging from 121 percent to 66,661 percent from 2012 to 2015, with median growth of 290 percent.

About Deloitte’s 2016 Technology Fast 500™

Deloitte’s Technology Fast 500 provides a ranking of the fastest growing technology, media, telecommunications, life sciences and energy tech companies – both public and private – in North America. Technology Fast 500 award winners are selected based on percentage fiscal year revenue growth from 2012 to 2015.

In order to be eligible for Technology Fast 500 recognition, companies must own proprietary intellectual property or technology that is sold to customers in products that contribute to a majority of the company’s operating revenues. Companies must have base-year operating revenues of at least $50,000 USD, and current-year operating revenues of at least $5 million USD. Additionally, companies must be in business for a minimum of four years and be headquartered within North America.

As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.


Beware: Encryption Ransomware Varieties Pack an Extra Malware Punch

As the public becomes more and more aware of ransomware threats through journalistic outlets and the advice of security professionals, threat actors face more challenges in successfully monetizing the deployment of their tools. The longevity of ransomware as a viable criminal enterprise relies upon the continued innovation that ensures threat actors can deliver and monetize infected machines. Much of the innovation seen in 2016 was focused on defying the expectations for how ransomware is delivered such as steganographic embedding of ransomware binaries, other forms of file obfuscation, and requirements for command line argumentation. These were all put forward as ways to ensure victims are infected by the ransomware and put into a position where they may be compelled to pay the ransom and thereby monetize the infection for the threat actor.

While it is easy to be caught up in hype regarding the smallest alteration to ransomware behavior, sometimes a step back and a look at the ransomware business model is more helpful. While the alteration in the extension given to files encrypted by Locky may be easy fodder for blog posts, changes like the addition of the “.shit” extension are likely little more than a jab at information security researchers who have placed a significant amount of stock in the extension applied to encrypted files. Simply put—changing the file extension used by this malware doesn’t fundamentally change how the malware impacts victims. And most victims probably don’t care what extension is applied to their now-inaccessible documents. Most importantly, it does not impact how the threat actor intends to generate revenue from that new infection.

Many of the changes seen in ransomware delivery through 2016 have supported the core of the business model by guaranteeing the maximal number of infections. Innovative means of bypassing controls, frustrating analysis, and creating difficulties for incident response were all created by defying certain expectations, and all serve the same end: ensuring victims are infected and put in a position where they may be compelled to pay the ransom.

One arena in which few ransomware developers have made forays is the capability to repurpose infected machines for other criminal endeavors. Widespread usage of ransomware as a first-step utility is still uncommon among the most prominent ransomware varieties as is the side-by-side delivery of other malware utilities via phishing email. However, this capability would be a simple addition to most ransomware varieties and would stand to create new and virtually-unlimited additional avenues for further monetization of infected machines beyond the collection of a ransom payment. One ransomware variety that has already begun to incorporate this functionality into its behavior is the Troldesh encryption ransomware.

Troldesh ransom note

An example of this ransomware was recently analyzed and was found to also deliver a content management system (CMS) login brute-force malware in addition to its core ransomware payload. This malware is designed to force its way into content management systems like WordPress and Joomla by guessing the login credentials. This is valuable to threat actors as it allows them to compromise those websites for any number of reasons including the posting of new malware payloads to be downloaded in later campaigns. Beyond giving threat actors access to the compromised websites, this malware also pushes the responsibility for those compromises away from the threat actor, giving them some level of deniability and distance from the attacks. However, the victim, whose computer is now being used to launch brute-force attacks on websites, must still pay the demanded ransom to regain access to the files that have been encrypted by Troldesh.

Troldesh, however, is a ransomware with a relatively low profile among ransomware varieties—especially in terms of its impact on English-speaking populations. Another example identified more recently indicates that this one-two punch technique is also being used in conjunction with the Locky encryption ransomware—a malware that has a far wider reach and is more well-known.

A set of emails was found to deliver the Locky encryption ransomware alongside the Kovter malware. This pairing is notable as it represents an interesting set of malware utilities delivered to victims. In this case, the Kovter trojan allows the threat actor to maintain access and potentially deliver other malware to machines while also monetizing the infection through click-fraud activities. The messages analyzed by PhishMe Intelligence claimed to deliver a notification regarding the status of a package shipped via FedEx. The JavaScript application attached to these emails was designed to facilitate the download of both a Locky encryption ransomware binary and the additional Kovter sample. This setup harnesses the most successful ransomware of 2016 to provide a short path to financial gains while also including the ability for the threat actor to perform reconnaissance and perhaps even maintain access to the infected environment for extended periods of time.

FedEx phishing email delivering Locky and Kovter

 

Repurposing a victim’s computer to carry out the activities highlighted above is just one illustration of what a threat actor could do if additional malware or capabilities are incorporated into ransomware samples. Two factors could make a scenario like this have a significant impact on an individual or company. First, if a threat actor can place a ransomware sample within an environment and then expand their reach using additional malware samples, the threat actor has created two avenues for victimizing that individual or organization. The ransomware is the most obvious component of this scenario, but the additional malware sample could be used for a much longer and more damaging operation with implications reaching far beyond the ransomware incident. Secondly, since the expectation is that the ransomware sample is the only avenue for monetization and the only malware involved in most ransomware incidents, an individual or organization may not seek out the additional malware and instead address only the obvious threat, leaving the quieter and more long-lived threat in place.

The prospect of ransomware featuring additional capabilities or acting as malware downloaders is troubling. It greatly complicates the threat landscape and adds burdens to information security professionals tasked with protecting organizations from both ransomware and other malware utilities. The good news, however, is that many organizations are already aware and empowered to address both ransomware and non-ransomware malware threats. Phishing email has been the most prominent avenue for the delivery of both these categories of malware utility and is an arena where organizations can form holistic defense plans. Holistic phishing defense includes the education and empowerment of all email users to identify and report phishing emails before engaging with the malware they deliver. The information security professionals within those organizations can then utilize that internal intelligence from user reports along with external intelligence to best identify and respond to not just the obvious threats like ransomware, but also the quieter and less-obvious malware threats as well.

The full report on this Troldesh sample used to deliver additional malware payloads is available to PhishMe Intelligence users here. The list below includes a number of IOCs related to this analysis.

  • JavaScript email attachment: 7bce43f183ea15474f31544713c6edbc
  • Payload location: phuketfreeday[.]com/resource/images/flags/oble5/par/systemdll[.]exe
  • Troldesh binary: 62b4d2fa7d3281486836385bd3f6cd02
  • Troldesh command and control host: a4ad4ip2xzclh6fd[.]onion
  • Content Management System brute-force bot executable: 7f2c0adb3ead048b6a4512b2495f5e43
  • Content Management System brute-force bot command and control host: x4ethdcumddzwbxc[.]onion

The Locky and Kovter samples are described in this Active Threat Report and related IOCs are listed below.

  • Locky encryption ransomware sample: f3d935f9884cb0dc8c9f22b44129a356
  • Locky hardcoded C2 locations: hxxp://176.103.56[.]119/message.php, hxxp://109.234.35[.]230/message.php
  • Kovter sample: 0d01517ad68b4abacb2dce5b8a3bd1d0
  • Kovter command and control resource: hxxp://185.117.72[.]90/upload.php

 

Curious to learn more about our ransomware findings? Check out our Q2 Malware Review where we identified key trends in malware and ransomware in the threat landscape.