An Open Enrollment Reminder – Phishers Want Your HSA Money!

As the end of the year approaches, many companies are communicating with their employees about benefits and Health Savings Accounts via email. Criminals realize this and have decided to get in on the action!  More consumers than ever are using HSAs as a way to save pre-tax income for future medical expenses. A report released by Devenir Research shared that, as of August 2016, 18.2 million HSA accounts currently hold $34.7 billion in assets – a 22% growth over 2015, and projects that by the end of 2018, more than $50 billion will be on deposit in HSA accounts. That’s a tempting target for criminals, and, due to the increase in HSA-related emails, they are ready to use email-based phishing attacks to try to steal your account credentials.

HSA Phishing Attacks

PhishMe has observed a large spike in phishing traffic targeting HSA account userIDs and passwords, starting November 11, 2016, and continuing through today. More than seventy distinct phishing attacks have been observed since that date, targeting Health Savings Accounts at Optum Bank and Fidelity. Fortunately, both of these organizations have been very responsible with their response to phishing and have provided additional information to help protect their customers.

The most prominent Optum phishing attack we are seeing directs the user to a page that looks like this:

Optum customers are encouraged to familiarize themselves with the actual look of their HSA login page and, most importantly, to pay attention to the URL. In the phishing URLs reviewed by PhishMe, the website did not belong to Optum and in some cases didn’t even attempt to pretend to be Optum. The phishers know that most users do not look at the URL of each website they visit. Following are a few example URLs that users clicked on, thinking they were accessing their HSA:

  • twistshop.me/myuhcfinancial/optum/
  • opthsa.com/optumhealthfinancial/optum/
  • megaleft.com/optumhealth/optum/

OPTUM Financial Services provides great information about how to protect your account on this Account Security web page: www.optumhealthfinancial.com/protect-account.html. They encourage account holders who may have clicked a link or opened an attachment to call them, or, if you have NOT clicked the link or opened the attachment, to forward the email to assetprotection@optum.com.  Their account protection web page also provides a sample phishing email that may be similar to one you may receive.

PhishMe is also observing a large increase in phishing attacks imitating the Fidelity Health Savings Account. As with the Optum phish, the key to detecting these phishing web sites is inspection of the URL. In the example below, the web page looks very convincing, but the URL contains the domain name shoe-etc.com which is certainly not Fidelity’s main login page for HSA accounts!

Some of the suspicious URLs we’ve seen for Fidelity’s HSA accounts include the following:

  • myhrsa.com/mynetbenefit.fidelity/fidelity/
  • fidelitynetbenefit.shoe-etc.com/fidelity/
  • securemynb.fidelity.opthsa.com/fidelity/
  • ubs-money.com/netbenefitsfidelity/fidelity/
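The check both sections recommend, inspecting the registrable domain rather than the brand name that appears somewhere in the URL, can be automated. The following is an added example, not code from the original post; the brand domains are only the ones the post itself references, and the public-suffix subset is a constructed stand-in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Small, constructed subset of multi-label public suffixes so that e.g. antivirus.co.th is
# treated as one registrable domain. A real deployment would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "co.th", "com.au", "com.br", "com.ar"}

# Domains the post itself points to for each brand (assumed, for this demonstration only,
# to be the complete legitimate set).
BRAND_DOMAINS = {
    "optum": {"optumhealthfinancial.com", "optum.com"},
    "fidelity": {"fidelity.com"},
}


def registrable_domain(host: str) -> str:
    """Return the registrable domain: the part a phisher must actually own."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Compare the registrable domain with the brand's real domains.

    Verdicts:
      legitimate - registrable domain is one the brand owns
      lookalike  - brand name appears in the host (as a subdomain) or in the path,
                   but the registrable domain belongs to someone else
      unrelated  - no brand name seen anywhere
    """
    if "://" not in url:
        url = "http://" + url  # bare hostnames, as users see them in a message
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    path = parts.path.lower()
    result = {"url": url, "registrable_domain": reg, "brand": None, "verdict": "unrelated"}
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            return {**result, "brand": brand, "verdict": "legitimate"}
        if brand in host:
            return {**result, "brand": brand, "verdict": "lookalike", "brand_seen_in": "host"}
        if brand in path:
            return {**result, "brand": brand, "verdict": "lookalike", "brand_seen_in": "path"}
    return result


# The URLs quoted in the post, plus the genuine Optum account-security page it links to.
SAMPLE_URLS = [
    "twistshop.me/myuhcfinancial/optum/",
    "opthsa.com/optumhealthfinancial/optum/",
    "megaleft.com/optumhealth/optum/",
    "myhrsa.com/mynetbenefit.fidelity/fidelity/",
    "fidelitynetbenefit.shoe-etc.com/fidelity/",
    "securemynb.fidelity.opthsa.com/fidelity/",
    "ubs-money.com/netbenefitsfidelity/fidelity/",
    "https://www.optumhealthfinancial.com/protect-account.html",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify_url(u)
        print(f"{r['verdict']:10} {r['registrable_domain']:28} {u}")
```

Note that securemynb.fidelity.opthsa.com is classified as a lookalike because its registrable domain is opthsa.com; the "fidelity" label is just a subdomain the attacker controls.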

Fidelity also has a very helpful web page for letting its customers know about possible security problems. Suspicious emails that you receive can be sent to phishing@fidelity.com, and the Report an Online Security Issue web page at https://www.fidelity.com/security/report-an-issue  has telephone numbers and additional tips related to phishing.

And Malware, Too!

The PhishMe Intelligence team has also recorded health insurance social engineering attacks that delivered malware via spam messages. The most blatant of these was a high volume spam campaign observed on November 7, 2016.  Using the email subject line: Health Insurance, the email body read as follows:

The email attachment contained a zip file that used the word insurance and some random numbers as its name, such as:

  • insurance_39017dc45.zip
  • insurance_95341063.zip
  • insurance_bc9ebb1f.zip

These .zip files contained hostile JavaScript code for downloading and executing the Locky ransomware. Locky can encrypt all files on both your local machine and network drives, and these files can only be decrypted by paying a ransom to the criminal.

Conclusion

During this time when the corporate emails are likely to be full of reminders about Open Enrollment and Health Savings Accounts, regarding both spending your remaining balance and setting up the account for next year, be sure to not let the pressure prevent you from being cautious! As our friends at the Anti-Phishing Working Group like to say – Stop. Think. Connect.

Be sure to share this warning with your friends, and consider sharing it with your HR department as well.

Ransomware made up 97% of phishing emails so far in 2016; what about the rest? Learn more in our latest Q3 Malware Review.

A Warning on Christmas Delivery Scams

The time of year has once again arrived when post offices are busier than the freeway on a Friday evening. We buy gifts, online and in stores, and we send and expect packages to and from the far corners of the country, continent, and even the world.

Yet behind this frenzy of merriment skulk a series of dangers. Although Christmas is still more than a month away, holiday scammers have already been active in various areas across the US. For a number of years, security experts have grown to expect a hike in the number of internet scams being spotted around the festive period, from fake deal websites to counterfeit greeting ecards. One example is becoming highly popular among threat actors and is better positioned to trick even the most security-aware individual: failed delivery phishing scams.

UPS estimates that in the U.S., more than 630 million packages were delivered to shoppers during the holiday period last year, and FedEx predicts 317 million shipments between Black Friday and Christmas Eve. With all this holiday mail, not to mention everyone out and about to prepare for their celebrations, it is not surprising to find a “delivery failed” notice in your inbox. If the message concerns something needed by Christmas, the annoyance at having to re-organize a delivery can make us act rashly and even foolishly.

It is widely known that the keys to successful social engineering are fear and greed. When presented with compelling stimuli in these categories, criminals can count on a significant number of their potential victims briefly suspending their information security awareness training and clicking the link. As Christmas approaches, certain malware families such as ASProx may see high-volume spikes that take advantage of shoppers lowering their guard. In December 2014, spammers used ASProx to deliver fear in the form of a Failed Delivery email from big, respected brands like CostCo, BestBuy, and Walmart. Recall that PhishMe’s Gary Warner identified more than 600 hacked websites that were used as intermediaries to evade detection: the spammed links pointed to websites that had been “known to be good” until the morning of the attack.

So who should be on the lookout for these scams, and what can be done to protect Christmas shoppers?

Basically everyone, from individual consumers to massive businesses, should be on high alert. Though we should not let scammers turn shoppers into paranoid victims, being able to spot the details that reveal a scam can be the only thing standing between a scammer and your personal or company bank account details. While Christmas scams are thought of as dangerous, if the computer used to access these websites is a company or government computer, these scams can have a wide-ranging and long-term impact. And with nearly , this is a subject to take extremely seriously.

So be vigilant, and have a very merry (and scam-free) holiday season.


Did you know that 97% of phishing emails delivered in 2016 contained ransomware? Learn more by downloading our latest Q3 Malware Review.

SC Magazine Awards Recognize PhishMe as Finalist in Best IT Security-Related Training Platform Category for the Second Year in a Row

Fresh off our win in the same category last year, we’re thrilled that PhishMe Simulator has been chosen as a finalist once again in the 2017 SC Magazine Awards for Best IT Security-Related Training Platform. The award highlights companies and organizations that provide end-user awareness training programs for enterprises to ensure that employees are knowledgeable and supportive of IT security and risk management plans.

We’ve worked hard to live up to the honor of winning this prestigious award and many others such as being named a leader in the Gartner Magic Quadrant for Security Awareness Computer Based Training.

This industry recognition reinforces PhishMe’s commitment to delivering the best solutions to combat today’s top cyberthreats such as phishing emails and their malicious intent – whether malware, BEC or credential theft. These types of attacks show no signs of slowing down – and neither will PhishMe.   Just recently, Europol named ransomware the top cybercrime threat and our own PhishMe Q3 Malware Review showed that 97 percent of phishing emails now contain some form of ransomware.

As the reigning winner of this award, we have strived to spread our philosophy that Awareness is Not Enough. By leveraging our unique approach to phishing defense, our customers have been able to train their employees to be security assets instead of vulnerabilities by behaviorally conditioning them to identify and report threats. As such, we look forward to being considered by the judges as a finalist for another year in the training program category.

By empowering employees with the proper conditioning needed to detect and report malicious phishing emails, our users quickly and efficiently assess organizational risk, identify areas for additional improvement as well as provide security teams with effective intelligence that allows them to respond to incidents in a timely manner. In some cases, this type of conditioning has reduced a company’s overall susceptibility by more than 95 percent.

We’re excited to find out if we’ve made the cut again during the awards ceremony Tuesday, February 14 2017 at the Intercontinental San Francisco. Wish us luck!


To learn more about the SC Magazine Awards, visit https://www.scmagazine.com/awards/

Learn more about our multi-lingual, complimentary, computer based training – PhishMe CBFree.

Beware: Encryption Ransomware Varieties Pack an Extra Malware Punch

As the public becomes more and more aware of ransomware threats through journalistic outlets and the advice of security professionals, threat actors face more challenges in successfully monetizing the deployment of their tools. The longevity of ransomware as a viable criminal enterprise relies upon the continued innovation that ensures threat actors can deliver and monetize infected machines. Much of the innovation seen in 2016 was focused on defying the expectations for how ransomware is delivered such as steganographic embedding of ransomware binaries, other forms of file obfuscation, and requirements for command line argumentation. These were all put forward as ways to ensure victims are infected by the ransomware and put into a position where they may be compelled to pay the ransom and thereby monetize the infection for the threat actor.

While it is easy to be caught up in hype regarding the smallest alteration to ransomware behavior, sometimes a step back and a look at the ransomware business model is more helpful. While the alteration in the extension given to files encrypted by Locky may be easy fodder for blog posts, changes like the addition of the “.shit” extension are likely little more than a jab at information security researchers who have placed a significant amount of stock in the extension applied to encrypted files. Simply put, changing the file extension used by this malware doesn’t fundamentally change how the malware impacts victims. And most victims probably don’t care what extension is applied to their now-inaccessible documents. Most importantly, it does not impact how the threat actor intends to generate revenue from that new infection.

Many of the changes seen in ransomware delivery through 2016 have supported the core of the business model by guaranteeing the maximal number of infections. Innovative means of bypassing controls, frustrating analysis, and creating difficulties for incident response were all created by defying certain expectations, with the same goal described above: ensuring victims are infected and put into a position where they may be compelled to pay.

One arena in which few ransomware developers have made forays is the capability to repurpose infected machines for other criminal endeavors. Widespread usage of ransomware as a first-step utility is still uncommon among the most prominent ransomware varieties, as is the side-by-side delivery of other malware utilities via phishing email. However, this capability would be a simple addition to most ransomware varieties and would stand to create new and virtually unlimited additional avenues for further monetization of infected machines beyond the collection of a ransom payment. One ransomware variety that has already begun to incorporate this functionality into its behavior is the Troldesh encryption ransomware.

Troldesh ransom note

An example of this ransomware was recently analyzed and was found to also deliver a content management system (CMS) login brute-force malware in addition to its core ransomware payload. This malware is designed to force its way into content management systems like WordPress and Joomla by guessing the login credentials. This is valuable to threat actors as it allows them to compromise those websites for any number of reasons including the posting of new malware payloads to be downloaded in later campaigns. Beyond giving threat actors access to the compromised websites, this malware also pushes the responsibility for those compromises away from the threat actor, giving them some level of deniability and distance from the attacks. However, the victim, whose computer is now being used to launch brute-force attacks on websites, must still pay the demanded ransom to regain access to the files that have been encrypted by Troldesh.

Troldesh, however, has a relatively low profile among ransomware varieties, especially in terms of its impact on English-speaking populations. Another example identified more recently indicates that this one-two punch technique is also being used in conjunction with the Locky encryption ransomware, a malware with a far wider reach that is much better known.

A set of emails was found to deliver the Locky encryption ransomware alongside the Kovter malware. This pairing is notable as it represents an interesting set of malware utilities delivered to victims. In this case, the Kovter trojan allows the threat actor to maintain access and potentially deliver other malware to machines while also monetizing the infection through click-fraud activities. The messages analyzed by PhishMe Intelligence claimed to deliver a notification regarding the status of a package shipped via FedEx. The JavaScript application attached to these emails was designed to facilitate the download of both a Locky encryption ransomware binary and the additional Kovter sample. This setup harnesses the most successful ransomware of 2016 to provide a short path to financial gains while also including the ability for the threat actor to perform reconnaissance and perhaps even maintain access to the infected environment for extended periods of time.

FedEx phishing email delivering Locky and Kovter


Repurposing a victim’s computer to carry out the activities highlighted above is just two examples of what a threat actor could do if additional malware or capabilities are incorporated into ransomware samples. Two factors could make such a scenario have a significant impact on an individual or company. First, if a threat actor can place a ransomware sample within an environment and then expand their reach using additional malware samples, the threat actor has created two avenues for victimizing that individual or organization. The ransomware is the most obvious component of this scenario, but the additional malware sample could be used for a much longer and more damaging operation with implications reaching far beyond the ransomware incident. Secondly, since the expectation is that the ransomware sample is the only avenue for monetization and the only malware involved in most ransomware incidents, an individual or organization may not seek out the additional malware and instead address only the obvious threat, leaving the quieter and more longitudinal threat in place.

The prospect of ransomware featuring additional capabilities or acting as malware downloaders is troubling. It greatly complicates the threat landscape and adds burdens to information security professionals tasked with protecting organizations from both ransomware and other malware utilities. The good news, however, is that many organizations are already aware and empowered to address both ransomware and non-ransomware malware threats. Phishing email has been the most prominent avenue for the delivery of both these categories of malware utility and is an arena where organizations can form holistic defense plans. Holistic phishing defense includes the education and empowerment of all email users to identify and report phishing emails before engaging with the malware they deliver. The information security professionals within those organizations can then utilize that internal intelligence from user reports along with external intelligence to best identify and respond to not just the obvious threats like ransomware, but also the quieter and less-obvious malware threats as well.

The full report on this Troldesh sample used to deliver additional malware payloads is available to PhishMe Intelligence users here. The list below includes a number of IOCs related to this analysis.

JavaScript email attachment:

7bce43f183ea15474f31544713c6edbc

Payload location:

phuketfreeday[.]com/resource/images/flags/oble5/par/systemdll[.]exe

Troldesh binary:

62b4d2fa7d3281486836385bd3f6cd02

Troldesh command and control host:

a4ad4ip2xzclh6fd[.]onion

Content Management System Brute-force bot executable:

7f2c0adb3ead048b6a4512b2495f5e43

Content Management System Brute-force bot command and control host:

x4ethdcumddzwbxc[.]onion

The Locky and Kovter samples are described in this Active Threat Report and related IOCs are listed below.

Locky encryption ransomware sample:

f3d935f9884cb0dc8c9f22b44129a356

Locky hardcoded C2 locations:

hxxp://176.103.56[.]119/message.php

hxxp://109.234.35[.]230/message.php

Kovter sample:

0d01517ad68b4abacb2dce5b8a3bd1d0

Kovter command and control resource:

hxxp://185.117.72[.]90/upload.php


Curious to learn more about our ransomware findings? Check out our Q2 Malware Review where we identified key trends in malware and ransomware in the threat landscape.

Unscrupulous Locky Threat Actors Impersonate US Office of Personnel Management to Deliver Ransomware

Update 2016-11-11:

It is important to PhishMe to avoid hyperbolic conclusions whenever possible. In the interest of clarifying some conclusions that have been drawn from this blog post, it is important to keep in mind the nature of Locky distribution and how this malware is delivered to victims. We consider it a serious responsibility to report on very real threats in a way that lends itself to our credibility as well as to the credibility of all information security professionals.

PhishMe has no reason to believe that this set of emails was delivered only to victims of the OPM incident nor to government employees as part of a spear phishing attack.

The email addresses associated with the OPM breach have not been actively circulated. As such, it is incredibly unlikely that the threat actors have any detailed knowledge of who will be receiving these emails. Furthermore, PhishMe has not received any confirmation that anyone impacted by the OPM incident has received a copy of these emails. Many people who were not affected by the OPM incident and are not affiliated with the U.S. government also received copies of these messages and are also put at a very real risk by this ransomware.

***

A continuing truth about the Locky encryption ransomware is that its users will take advantage of any avenue that they believe will secure them a higher infection rate but still utilize predictable themes. This time, the threat actors have chosen to impersonate the US Office of Personnel Management in one of their latest attempts to infect people with this ransomware. As we have noted in previous reporting, Locky has set the tone for 2016 with its outstanding success as an encryption ransomware utility. As we approach the end of the year, this ransomware continues to be a fixture on the phishing threat landscape.

One key example of this malware’s phishing narratives is a set of emails analyzed by PhishMe Intelligence this morning that cite the purported detection of “suspicious movements” in the victim’s bank account that were detected by the US Office of Personnel Management.

Screenshot of phishing message impersonating OPM

The ZIP archives attached to these messages contain a hostile JavaScript application used to download and run a sample of the Locky encryption ransomware.

This phishing narrative comes with a few notable implications. First, these emails are designed to appear as if they were sent by the OPM, and the threat actors presumably hope that they are therefore more likely to appeal to government workers and employees of government contractors. Secondly, the threat actors may also hope that these messages are more likely to appeal to individuals who have had personal information exposed as a result of the high-profile OPM breach.

If either of these implications bears any truth, the Locky threat actors once again demonstrate their unscrupulous nature and willingness to exploit the misfortune of others at any step in their delivery and infection process. However, absent the reference to the Office of Personnel Management, this set of emails would be just another set of phishing emails delivering Locky, featuring strange word choices such as “suspicious movements” and “out account”.

These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task. Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors.

Indicators of compromise related to this set of Locky emails are verbose: 323 unique JavaScript application attachments were identified with the capability to download obfuscated Locky payloads from 78 distinct payload locations.

However, only four hardcoded command and control hosts were found to be supporting this Locky instance. They are listed below.

hxxp://195.123.211[.]229/message[.]php

hxxp://188.65.211[.]181/message[.]php

hxxp://185.102.136[.]127/message[.]php

hxxp://185.67.0[.]102/message[.]php

Furthermore, a single payment site where the ransomware victim can pay the Bitcoin ransom in exchange for a purported decryption application was identified.

mwddgguaa5rj7b54[.]onion


The full PhishMe Intelligence report on this Locky analysis is available to PhishMe Intelligence clients here.

Never miss another phishing threat! Sign up for our complimentary Threat Alerts subscription service today.

Learn more about Locky and other ransomware threats at PhishMe’s Global Ransomware Resource Center.

Rohyt Belani Named a Technology Finalist in DC Inno’s 50 on Fire Awards

We are thrilled to announce that our Co-Founder and CEO Rohyt Belani has been named a finalist in the technology category for DC Inno’s 50 on Fire Awards. These awards recognize the top 50 movers and shakers in Washington, D.C. across a variety of business verticals and practices, honoring their innovation, energy and contributions to their respective fields while making a big impact on the Washington, D.C. area.

Finalists were carefully selected by DC Inno staff based on their 2016 editorial coverage of news and announcements; an expert judging panel will then whittle the list down to the top 50 honorees for this year.

DC Inno recognizes professionals across a wide range of industry verticals, including: Community, Design, Education, Government & Advocacy, Healthcare & Medicine, Investment, Lifestyle, Marketing & Advertising, and Technology.

Read more about the 50 on Fire Awards on the DC Inno Blog.

Did you know that PhishMe was recently named one of the 50 Fastest Growing Private Companies of 2016 by the Washington Business Journal? Check out our recent press release to learn more.

Viotto Keylogger: Freemium Keylogger for the Skids

The PhishMe Research team recently received a campaign escalated by one of our analysts. We’ll explore the campaign delivery, analyze the malicious attachments, and provide a simple method for extracting the credentials used for this keylogger family’s data exfiltration.

Campaign

The PhishMe Triage platform allows SOC analysts to identify, analyze, and respond to email threats that have targeted their organization. For this particular campaign, the suspicious email had an ARJ archive attachment, which contained a Windows PE32 executable.

Although Windows does not natively open archive files with the ARJ extension, a number of third-party applications, such as 7zip, are able to extract these rarely-used archives. The content of the archive is a single PE32 executable named “DOCUMENT-71956256377.pdf.exe”, which is a packed Viotto Keylogger sample, intentionally named with a double extension to entice victims to click and execute the malware.

Malicious attachment contains executable.
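A mail gateway or SOC triage script can flag both delivery patterns described on this page, the insurance_*.zip archives carrying a JavaScript downloader and this ARJ archive carrying a double-extension executable, from the attachment listing alone. The following is an added example, not code from the original posts; the in-memory zip and its member names are constructed stand-ins.

```python
import io
import zipfile
from pathlib import PurePosixPath

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}
# Document types commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def triage_name(name: str) -> list:
    """Return the reasons a file name looks risky (an empty list means none)."""
    suffixes = [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]
    reasons = []
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in SCRIPT_EXTENSIONS:
        reasons.append(f"script file {last}: the downloader format used by the Locky campaigns")
    elif last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable {last} delivered by mail")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS and (
        last in SCRIPT_EXTENSIONS or last in EXECUTABLE_EXTENSIONS
    ):
        reasons.append(f"double extension {suffixes[-2]}{last} mimics a document")
    if last == ".arj":
        reasons.append("ARJ archive: Windows cannot open it natively, rare in business mail")
    return reasons


def triage_zip(data: bytes) -> dict:
    """Open a zip attachment in memory and map each risky member name to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = triage_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for an insurance_*.zip attachment: a .js member with harmless content."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("insurance_39017dc45.js", "// constructed placeholder, not a real dropper\n")
        archive.writestr("readme.txt", "constructed benign member\n")
    return buffer.getvalue()


if __name__ == "__main__":
    # The ARJ case from this post is checked by name, since the zipfile module cannot read ARJ.
    for sample in ("DOCUMENT-71956256377.pdf.exe", "attachment.arj", "Q3_report.pdf"):
        print(sample, "->", triage_name(sample) or "clean")
    print("insurance_39017dc45.zip ->", triage_zip(build_sample_zip()))
```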

Since this malware was written in VB6, we can decompile the unpacked, malicious binaries to verify our classification. By viewing the VB6 forms, we can see that the hidden Form1 contains the name of Viotto Keylogger:

Decompiled VB6 forms.

Now that we have seen an example of how this malware propagates in the wild, let’s examine the family itself. When an analyst has access to a malware’s builder (an application that enables the easy customization of malware samples), we can save precious reverse engineering time by analyzing its capabilities and features to better understand how this malware behaves.

Builder

Most of the indicators that comprise a Viotto Keylogger infection can be set at build time when the actor creates the stub (the malware sample that infects a victim’s computer). In the public version 3.0.2 of the builder, the malicious actor can specify where the keylogger’s logs will be stored, the installation method for persistence, and the delivery method of the logs via SMTP and/or FTP. In the paid, private version of the builder, the actor is able to control even more settings, such as encrypting the Keylogger logs with RC4 with a hardcoded key and enabling a Screen Capture feature that periodically sends screenshots of the victim’s desktop back to the actor. Another feature included in both versions that is not highlighted in the builder’s options is the ability to capture all text copied to the victim’s clipboard.

VKL Builder’s main screen.

The storage location option for the keylogger log files can be set by the malicious actor at build time. They also have the ability to specify a custom log filename and to set hidden file attributes. The log files can be saved in the following locations on the infected machine’s disk:

  • Root (C:\)
  • Windows (C:\Windows)
  • System32 (C:\Windows\System32)
  • Program Files (C:\Program Files)
  • Application Path (copied where originally executed)
  • Temp (C:\Users\{username}\AppData\Local\Temp)
  • AppData (C:\Users\{username}\AppData\Roaming)

Options where keylogger logs will be stored.

Persistence

As described above, depending on the settings enabled at build time of the stub, the actor can make the infection persist across reboots of the infected machine. The actor can also select the option to save a copy of the executable, which offers the same file system locations as the log file storage option. That copy can then be executed during Windows startup for persistence across computer restarts. Although multiple instances of the stub could be launched by selecting any combination of startup entries, the stub ensures it is the only instance currently running by checking a mutex (a program object lock used to prevent multiple instances of the same malware from running). The default mutex name is “ViottoLogger”; however, this setting can also be changed in the builder. The following startup registry keys are viable options:

  • Current User\Run (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
  • Local Machine\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
  • Winlogon\Shell (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell)
  • Winlogon\Userinit (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit)
  • Explorer\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run)

Windows startup persistence options.
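
One way to audit a host for the startup locations listed above, as an added example that is not code from the original post. It assumes the standard clean defaults for the Winlogon Shell and Userinit values (shown in the script; confirm them against a known-good build in your environment) and flags Run entries that launch from the stub's user-writable drop locations.

```python
import re

# The five startup locations from the post.  A value name of None means
# "enumerate every value under the key" (the Run keys).
STARTUP_LOCATIONS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", None),
]
# Assumed clean defaults for the two Winlogon values (verify on a known-good host).
WINLOGON_DEFAULTS = {"Shell": "explorer.exe",
                     "Userinit": r"C:\Windows\system32\userinit.exe,"}
# Run entries launching from the stub's user-writable drop locations: drive
# root, %TEMP% or Roaming AppData.  Program Files/Windows are not flagged.
DROP_PATH = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\|^[a-z]:\\[^\\]+\.exe",
                       re.IGNORECASE)

def audit_startup(values):
    """values: {(hive, subkey, name): data}.  Returns (location, name, data, reason)."""
    findings = []
    for (hive, subkey, name), data in values.items():
        loc = hive + "\\" + subkey
        if subkey.endswith("Winlogon"):
            if data.strip().lower() != WINLOGON_DEFAULTS.get(name, "").lower():
                findings.append((loc, name, data, "Winlogon value differs from default"))
        elif DROP_PATH.search(data):
            findings.append((loc, name, data, "Run entry launches from a drop location"))
    return findings

def read_live_values():
    """Windows only: collect the values with winreg (imported here so that
    audit_startup() also runs offline on exported registry data)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = {}
    for hive, subkey, name in STARTUP_LOCATIONS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                if name is not None:
                    out[(hive, subkey, name)] = str(winreg.QueryValueEx(key, name)[0])
                    continue
                for i in range(winreg.QueryInfoKey(key)[1]):
                    vname, vdata, _ = winreg.EnumValue(key, i)
                    out[(hive, subkey, vname)] = str(vdata)
        except OSError:
            continue  # key absent or access denied
    return out
```

On a Windows host, `audit_startup(read_live_values())` returns the findings; the same function can be pointed at values exported from a disk image or a forensic registry parser.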

Keylogger Data Exfil

Viotto Keylogger is capable of sending the recorded keystrokes, clipboard contents, and screenshots to the perpetrator by email (via SMTP) or to a file server (via FTP). Email can be delivered through open relays that do not require authentication, or through accounts that require authentication over SMTP using Transport Layer Security (TLS). With TLS, the account credentials and email contents are encrypted in transit. Most of the VB6 code in this keylogger was copied from sources freely available on the internet, as indicated in the builder’s About screen:

Extracting Exfil Credentials

Skids wishing to use this malware creator be forewarned: your email and FTP credentials can be easily obtained! Although most of these samples in the wild will be packed, a quick and easy way to extract the malware actor’s credentials being used for victim data exfiltration is by analyzing the application’s process memory. Analysts are not only able to extract this information on the same machine utilizing a program such as Process Hacker, but personally, I prefer keeping my memory analysis tools outside of the infected machine by analyzing full VM RAM dumps with either the Rekall or Volatility memory analysis frameworks. We can also extract the malware sample’s configuration, including any SMTP/FTP exfil credentials, statically. The malware sample’s configuration is stored in plaintext in the Resources section of the stub:

The decompiled FindResource section loads the stub configuration.

The PhishMe Research team also wrote a Python script to extract the Viotto Keylogger configuration from an unpacked sample:


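The two extraction routes described above (process memory and the plaintext resource blob), as an added example that is not the PhishMe script. It assumes you already hold a raw buffer (a process dump, or the resource data dumped from an unpacked stub) and uses generic host and mailbox patterns rather than a documented Viotto configuration layout; the hostnames and mailbox in the sample are constructed placeholders.

```python
import re
import sys

# Printable runs of six or more characters, ASCII and UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Heuristic hints that a string belongs to SMTP/FTP delivery settings.  These
# are generic patterns, not a documented layout of the Viotto configuration.
HINTS = {
    "smtp_host": re.compile(r"^(?:smtp|mail)\.[\w.-]+$", re.I),
    "ftp_host": re.compile(r"^ftp\.[\w.-]+$", re.I),
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
}

def extract_strings(buf):
    """Yield (offset, encoding, text) for every printable run in buf.
    VB6 holds String variables as UTF-16LE BSTRs, so a memory dump of the
    stub shows its settings in that encoding; a resource blob may be ASCII."""
    for m in ASCII_RUN.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def find_exfil_config(buf):
    """Return {hint: [matching strings]}; neighbouring strings (usernames,
    passwords) are left for the analyst to read around each hit's offset."""
    hits = {label: [] for label in HINTS}
    for _offset, _encoding, text in extract_strings(buf):
        for label, pattern in HINTS.items():
            if pattern.match(text):
                hits[label].append(text)
    return hits

# Constructed sample: a UTF-16LE host and mailbox as a VB6 process would hold
# them, filler bytes, and one ASCII FTP host (all placeholder values).
SAMPLE = (b"\x00" * 8 + "smtp.example.net".encode("utf-16le") + b"\x00\x00"
          + "logs.dropbox@example.net".encode("utf-16le") + b"\x00\x00"
          + b"\xff" * 5 + b"ftp.example.org" + b"\x00")

if __name__ == "__main__":
    # Usage: python extract_exfil.py <memory dump or dumped resource>; with no
    # argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for label, values in find_exfil_config(data).items():
        print(label, values)
```
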
Conclusion

The recent sighting of the freely available Viotto Keylogger in the wild reminds us that cybercrime has a low barrier to entry and that tools built years ago continue to be used to exploit unsuspecting users. PhishMe Simulator trains and encourages users to recognize and report the type of email messages that are delivering this threat. The next step is to act on those reports, and PhishMe Triage enables your team to sift through all reports and quickly and efficiently act on the ones that pose a threat to your organization. Click here to learn more.


Related SHA256 Hashes

Miscellaneous

Download the Viotto Keylogger YARA rule or the configuration extractor.


PhishMe Announces Phishing Program Excellence Award Winners

Palo Alto Networks, AVANGRID, and others honored at Submerge 2016 for their innovative work in phishing prevention.

Leesburg, VA – October 14, 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, has announced the winners of the PhishMe Excellence Awards at Submerge 2016, its inaugural phishing defense summit and user conference. PhishMe chose the winners for their innovative, successful programs designed to combat phishing attacks and protect their enterprises from the risks of malware infiltration and fraud loss.

An anonymous panel of judges comprised of PhishMe product experts, industry leaders and security professionals reviewed the applications and designated the following companies as winners across a number of different categories.

  • AVANGRID, Inc., a diversified energy and utility company, received the Phishing Defense Program of the Year award for consistently demonstrating the most effective all-around, top-performing phishing defense program, with superior performance in detection, alerting, reporting, training, participation and results.
  • Palo Alto Networks, the next-generation security company, received the Most Innovative Phishing Defense Program Award, which recognized the company’s ability to think outside the box and leverage fresh approaches to achieve optimal training effectiveness and boost company-wide cyber education participation.
  • Additionally, PhishMe recognized industry leaders for achievements in the field of incident response, honoring the team that demonstrated a superior overall process for responding to phishing threats in the Incident Response Team of the Year category, and the PhishMe Community Trailblazer of the Year, an award created to recognize the PhishMe user who has gone above and beyond in their phishing defense efforts.

Co-founders Rohyt Belani, PhishMe CEO, and Aaron Higbee, PhishMe CTO, presented the awards to the winners on-stage at the PhishMe Submerge Conference in Orlando, Florida. More than 100 phishing defense professionals attended this inaugural conference, which provided them with opportunities to learn from industry experts while networking with peers and other PhishMe users from all over the world.

After the award ceremony, Belani commented, “I would like to extend my huge congratulations to our winners and to all those who applied for the PhishMe Excellence Awards this year. The quality of the submissions was outstanding and a credit to the entire industry. I’m highly encouraged to see the commitment companies and individuals exhibit in protecting their businesses against increasingly sophisticated phishing attacks. PhishMe is very proud to be part of such a remarkable and growing community and we look forward to seeing everyone next year at Submerge 2017.”

For more information about the PhishMe Submerge Conference and the PhishMe Excellence Awards, please follow this link.


About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

Media Contacts:

  • Wes Anderson, Cohn & Wolfe US for PhishMe. Phone: 323.602.1080. Email: phishme@cohnwolfe.com
  • Francesco Tius, AxiCom UK for PhishMe. Phone: +44 (0)20 8392 4061. Email: phishme@Axicom.com

Behavioral Conditioning, Not Awareness, Is the Answer to Phishing

BY AARON HIGBEE AND SCOTT GREAUX

You don’t stop phishing attacks by raising user awareness. A recent study conducted by a German university confirms what we at PhishMe have known all along: Focusing on awareness isn’t the point. The real solution is behavioral conditioning.

The study, conducted by Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, sent simulated spear phishing attacks to 1,700 students. An August 31 Ars Technica article published preliminary results of the study showing that at least 50% of students clicked simulated phishes, even though they understood the risks.

With its headline, “So Much for Counter-phishing Training: Half of People Click Anything Sent to Them,” the article appears to suggest training is pointless. We see it differently. The article confirms what our own research has revealed – that awareness isn’t the problem – but the proper conclusion to draw isn’t that training is futile. PhishMe agrees that awareness alone does not change behavior, and encourages organizations to focus on conditioning their employees to identify and report security risks.

We focus our training on conditioning human behavior, and the results speak for themselves. Our customers spend 22 seconds reviewing phishing education, and yet their susceptibility to phishing decreases significantly. Why? It’s the experience we put them through that changes behavior. Even when they are aware of the risks, as studies show, they are susceptible to opening email from unknown users and clicking suspicious links. But conditioned through the real-world examples we provide in our simulations, users are much less likely to click.

Enterprise Relevance

The FAU study focused on students, who were sent emails and Facebook messages with links purporting to be for photos from a New Year’s Eve party held a week before the study. “Links sent resolved to a webpage with the message ‘access denied,’ but the site logged the clicks by each student.”

It’s dangerous to apply research results from a student population to enterprise workers. We have several problems with the approach as described. For starters, it wasn’t created by people in the trenches who understand real-world threats, but by academics in a computer science department. We already know the bait used by the study’s authors works on students, as well as consumers, but is far less effective with enterprise users. Yet readers of the Ars Technica article are concluding the study’s results apply to enterprise environments.

We know that because we’ve started to get messages with their reactions. So we feel an obligation to point out the study didn’t use a realistic scenario, from an enterprise point of view. Real-world enterprise phishes are more likely to be emails pretending to be files from a scanner, a document with a job evaluation, or a message that someone has signed for a package addressed to the user.

There’s also a difference of perspective between students and enterprise users. Students, whose primary experience with computing revolves around mobile devices such as tablets and smartphones, don’t worry about cyber risks. Clicking a link from a smartphone isn’t going to compromise the device because such devices are nearly impervious to attacks. But click the link from a computer, and the story is quite different.

It also appears the FAU study focused only on clicking links, but phishing threats aren’t limited to one vector. Others include data entry, password credentials, clicking attachments, and email conversations that don’t involve links or attachments. Replicating some of these vectors in a real-world simulation is a bigger challenge than the method used by the study.

Focus on Reporting

A PhishMe-commissioned study found 94% of office workers know what phishing is and the risk it presents to organizations. The study also found that 94% of office workers know how to report suspicious emails in their organization. And that’s where the focus of training needs to be – reporting. When users are conditioned to report suspicious email, even if they do so after already clicking on it – maybe they had a lapse – the reporting is still valuable because it helps your security operations teams.

Learning to identify suspicious emails through conditioning is far more effective than general efforts to raise awareness. PhishMe Simulator provides customers with templates that include the exact content used by threat actors. By deriving content from our Phishing Intelligence platform, we provide experiences that are relevant to enterprise users. This method allows customers to condition users to spot potential phishes, avoid interacting with them, and report them to their security teams.

While we appreciate the FAU study’s confirmation of what our own research has shown about awareness, we fear it may lead enterprises to make decisions based on the erroneous conclusion that training doesn’t matter. This perspective could lead to the compromise of a network with disastrous results. To avoid such an outcome, we at PhishMe stand ready to work with any academic institution or researcher that could benefit from our experience in the trenches to produce meaningful research about phishing.

PhishMe Shortlisted as Finalist in Two Categories at Coveted 2016 Computing Security Awards

We are proud to confirm that PhishMe has been named as a finalist in two categories at the 2016 Computing Security Awards. PhishMe Simulator is shortlisted for ‘Anti Phishing Solution of the Year’ and ‘The Human Factor Award’ at a ceremony set to take place at London’s Cumberland Hotel on October 13th, 2016.

The Computing Security Awards champion the solutions and providers that help to keep organizations secure. Shortlisted in two distinct categories, PhishMe has been recognized not only for developing innovative human phishing defense and intelligence solutions, but also for its services that help organizations reduce phishing risk and the susceptibility to human error-related data breaches.

With over 20 million employees trained in 160 countries, PhishMe Simulator has been proven to reduce the threat of employees falling victim to advanced cyber-attacks by up to 95%. The shortlisting at the Computing Security Awards is a credit to the hard work of the PhishMe research teams who use real phishing emails to create timely examples and content focused on today’s greatest threats such as Business Email Compromise (BEC) and Ransomware, transforming the entire workforce into an empowered line of defense against phishing.

Voting is open to the public so don’t forget to lend your support for us here and you can share on Twitter @PhishMe to help spread the word! The winners will be announced on 13 October at the Cumberland Hotel in Marble Arch, London.
