VIDEO UPDATE: Wire Fraud Phisher attempts to phish PhishMe, instead gets phished by PhishMe

(VIDEO UPDATE LINK: Defending Against Phishing Attacks: Case Studies and Human Defenses by Jim Hansen
• A human centric method of defense
• Attack case studies & attacker technique analysis
• Proactive simulation methods: educating workforces & detecting / thwarting attacks) 

(^ say that title ten time fast)

Every year PhishMe Simulator sends millions of phishing emails to its 500+ enterprise customers’ employees worldwide. PhishMe is hands down the most robust and sophisticated phishing platform in existence. To say that we are a little obsessive about Phishing is a bit of an understatement. In fact, we are sitting on innovations in phishing that the bad guys have yet to figure out.

The difference in PhishMe emails versus the bad guys, is that ours are carefully crafted to deliver a memorable experience. Our experiences are masterfully designed to change human behavior to avoid phishing. So what happens when one of our own employees is on the receiving end of a wire fraud phish? Read on…

Dyre Configuration Dumper

It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre.

Forget About IOCs… Start Thinking About IOPs!

For those who may have lost track of time, it’s 2015, and phishing is still a thing. Hackers are breaking into networks, stealing millions of dollars, and the current state of the Internet is pretty grim.

We are surrounded with large-scale attacks, and as incident responders, we are often overwhelmed, which creates the perception that the attackers are one step ahead of us. This is how most folks see the attackers, as being a super villain who only knows evil, breathes evil, and only does new evil things to trump the last evil thing.

This perception leads to us receiving lots of questions about the latest attack methods. Portraying our adversaries as being extremely sophisticated, powerful foes makes for a juicy narrative, but the reality is that attackers are not as advanced as they are made out to be.

Updated Dyre, Dropped by Office Macros

Whenever attackers make a shift in tactics, techniques, and protocol (TTP), we like to make note of it to help both customers and the rest of the Internet community. We recently analyzed a sample that started out appearing to be Dridex, but quickly turned into a headache leading to Dyre that featured some notable differences to past Dyre samples. One PhishMe user was targeted to their personal account, and here’s a copy of the phishing email:

Figure 1 -- Phishing email

Figure 1 — Phishing email

Once opened, we’re presented with the very familiar story of “please enable this macro so you can get infected”. This time, they do give a few more instructions to the user, saying that the data is “encoded” and macros need to be enabled to read the text.

Detecting a Dridex Variant that Evades Anti-virus

Attackers constantly tweak their malware to avoid detection. The latest iteration of Dridex we’ve analyzed provides a great example of malware designed to evade anti-virus, sandboxing, and other detection technologies.

How did we get our hands on malware that went undetected by A/V? Since this malware (like the majority of malware) was delivered via a phishing email, we received the sample from a user reporting the phishing email using Reporter.

The Return of NJRat

NJRat is a remote-access Trojan that has been used for the last few years. We haven’t heard much about NJRat since April 2014, but some samples we’ve recently received show that this malware is making a comeback. ( For some background on NJRat,  a 2013 report from Fidelis Cybersecurity Solutions at General Dynamics detailed indicators, domains, and TTP’s in conjunction with cyber-attacks using NJRat.)

Dridex Code Breaking – Modify the Malware to Bypass the VM Bypass

Post Updated on March 25

The arrival of spring brings many good things, but it’s also prime season for tax-themed phishing emails. A partner of ours recently reported an email with the subject “Your Tax rebate” that contained an attachment with Dridex and password-protected macros to hinder analysis. If you read this blog, this story should sound familiar, but this particular strain took new precautions, such as adding a longer password and using VM detection inside of the code.

Decoding ZeuS Disguised as an .RTF File

While going through emails that were reported by our internal users using Reporter, I came across a particularly nasty looking phishing email that had a .doc attachment. At first when I detonated the sample in my VM, it seemed that the attackers weaponized the attachment incorrectly. After extracting and decoding the shellcode, I discovered a familiar piece of malware that has been used for some time.

Dridex – Password Bypass, Extracting Macros, and Rot13

When attackers decide to password protect something, it can be very frustrating as an analyst, because we are often left with few options to find out what they are protecting. If this happens, we can always try to straight up brute force the password, but unless the attackers use something like 1q2w3e4r, we’re up a creek without an oar. If it’s an MD5 hash of a password, we have many more options to crack it. In the case of xls files, we have the option to essentially “wipe out” the password and give it our own password. In a recent wave of Dridex phishing emails, this is what we saw. Here’s the phishing email sent to one PhishMe employee:

The Evolution of Upatre and Dyre

Over the last few months, we’ve been tracking Dyre and reporting changes to the malware on this blog.  Dyre’s latest iteration shows  yet another shift in tactics – one that combines characteristics of Dyre with Upatre code to create a new downloader… Figures 1, 2, 3 and 4 shows three different emails, all with the same content but with different malicious links, which we we’ll use interchangeably in our examples.