For the second time in as many months, networks around the world have been attacked using worming ransomware that gains new infections by exploiting a recently patched Windows SMB vulnerability, among other proven techniques. What has been described as a ransomware bearing significant similarities to the Petya encryption ransomware ravaged numerous companies and networks around the world, with disproportionate impact in Ukraine and Eastern Europe, but also inflicted harm on significant numbers of victims in Western Europe and North America.
The TrickBot financial crimes and botnet malware has seen mild usage since its introduction in late 2016. While it is able to emulate many of the features that made the Dyre trojan so successful, many aspects of its deployment left it rough around the edges. Examples of this roughness, such as persistence via a scheduled Windows task named “Bot”, limited this malware’s evasion and anti-forensic capabilities. Furthermore, previous deliveries leveraged relatively simplistic techniques, such as relying on executables in archives attached to phishing emails, to secure new infections. However, with some very minor refinements to both the resident malware and the delivery process, threat actors have evidenced a renewed drive to explore the possibilities this malware tool has to offer. The exploration of malware technologies and delivery processes is a trend that has been previously addressed in PhishMe® reporting and, as threat actors continue to turn to commoditized delivery methods, will continue to evolve.
TrickBot is a robust financial crimes and botnet trojan that shares a number of characteristics with the infamous Dyre banking trojan. Despite sharing similar functionality, TrickBot is an approximation of Dyre, not an exact copy. While this extends to the theft of online banking credentials, this botnet tool is flexible enough to provide threat actors with the ability to adapt and customize their intrusion based on information collected about machines infected by TrickBot.
One of the most tenacious and recurring delivery methodologies featured within the current threat landscape is the combination of PDF documents with an embedded Microsoft Word document. This document in turn contains macro scripting used to download and deobfuscate an XOR-ciphered executable payload. A number of current top-tier malware varieties have been deployed using this methodology. Criminals delivering the Jaff encryption ransomware and before it the Locky encryption ransomware both harnessed this technique as have the Dridex threat actors. This technique is popular because it provides some advantages over using a PDF or Word document with macros alone. The first and most obvious is the appearance it presents to its recipients. While awareness of Word documents with macros has proliferated in recent years due to its prolific use in phishing attacks, by adding just one step, unprepared users can be convinced to engage with the infection method.
Figure 1 – PDF reader requests permission to extract and open a Word document as seen with Jaff, Locky, and Dridex
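The delivery chain above depends on two PDF structures: an embedded file (the Word document) and an action that fires when the PDF is opened and asks the reader to extract it. The following triage script, an added example that is not PhishMe’s code, scans a PDF’s raw object syntax for exactly those structures and reports whether the combination is present. The PDF bytes are constructed to mimic such a dropper and are not a real sample; the regular expressions and the field names in the result are this example’s own choices.

```python
"""Triage a PDF for an embedded Office document plus an open-time trigger.

Added example, not code from the original post. It looks for the structures
the PDF-with-embedded-Word delivery method relies on: an /EmbeddedFile stream
whose file specification carries an Office document name, and an /OpenAction
(or /AA, /JavaScript, /Launch) entry that runs when the document is opened.
Caveat: it inspects raw object syntax only, so a PDF that packs its dictionaries
into compressed object streams must be decompressed before this check is useful.
"""
import re

# Office document extensions the macro chain is delivered in (assumed list).
OFFICE_EXT = re.compile(rb"\.(docm?|dotm?|xlsm?|rtf)\b", re.I)
# Any of these marks an embedded file or an embedded-file name tree.
EMBEDDED_FILE = re.compile(rb"/Type\s*/EmbeddedFile|/EmbeddedFiles|/EF\s*<<", re.I)
# Literal-string file names inside a /Filespec dictionary: /F (name) or /UF (name).
FILESPEC_NAME = re.compile(rb"/(?:UF|F)\s*\((?P<name>[^)]*)\)")
# Entries that make the reader act without the user opening an attachment first.
AUTO_TRIGGER = re.compile(rb"/OpenAction|/AA\b|/JavaScript|/JS\b|/Launch\b")


def triage_pdf(data: bytes) -> dict:
    """Return what was found and a verdict; keys are this example's own names."""
    names = sorted({m.group("name").decode("latin-1") for m in FILESPEC_NAME.finditer(data)})
    office_names = [n for n in names if OFFICE_EXT.search(n.encode("latin-1"))]
    has_embedded = bool(EMBEDDED_FILE.search(data))
    triggers = sorted({m.group(0).decode("latin-1") for m in AUTO_TRIGGER.finditer(data)})
    return {
        "embedded_file": has_embedded,
        "office_attachments": office_names,
        "auto_triggers": triggers,
        # All three together is the pattern described in the post; any one alone is common in benign PDFs.
        "suspicious": has_embedded and bool(office_names) and bool(triggers),
    }


# Constructed sample: a catalog with an open-time JavaScript action and an
# embedded .docm file specification. The script body is omitted on purpose.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >>\n"
    b"   /OpenAction << /S /JavaScript /JS (script body omitted in this constructed sample) >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Names [(invoice.docm) 5 0 R] >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nDATA\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign sample: a one-page document with no attachments or actions.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(pdf))
```

Run against a mail gateway quarantine, the verdict is a triage signal rather than a block rule: legitimate PDFs embed files and use open actions, so the value lies in the three signals appearing together and in the attachment name carrying a macro-capable extension.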
This technique has now been employed as a means of delivering the TrickBot malware along with a renewed use of standalone Office documents with macro scripting. The phishing emails delivering these infection utilities featured no message content, no narrative, and in some cases, no subject line. This employs a different social engineering technique that, rather than relying on persuasive argumentation, appeals to the recipient’s curiosity.
| Attachment Filename | MD5 Hash |
Figure 2 – Example indicators from campaigns using this attack method
However, this renewed threat actor utilization also brings a very subtle refinement to the overall polish of the TrickBot deployment, intended to improve its rate of successful infection as well as its likelihood of persisting undetected on infected endpoints. The TrickBot malware relies on a Windows Task to ensure its persistence within infected environments. This task is defined by an XML file written to disk after TrickBot is initially run. Early examples of this persistence task were named “Bot” and would show up as such during audits of system tasks. However, this most recent iteration renames the task from “Bot” to the much less obvious “services update”. While this refinement may seem insignificant, it portends a much more serious approach on the part of the threat actor. The former name would look entirely out of place within an infected environment, while the latter would seem more reasonable, perhaps reasonable enough to escape detection.
Figure 3 – An excerpt from the “services update” Windows task
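Because the persistence task is defined by an XML file on disk, an audit of scheduled tasks can be automated rather than left to someone eyeballing the Task Scheduler for a name like “services update”. The script below is an added example, not PhishMe’s code or a TrickBot artifact: it parses a task definition in the standard Task Scheduler XML schema and flags the two task names the post mentions, an action launched from a user-writable path, and a missing Author. The watch list, the path heuristic and the sample XML are this example’s own assumptions; the XML is constructed, not a captured file.

```python
"""Audit Windows Task Scheduler XML definitions for persistence red flags.

Added example, not code from the original post. Task definitions live under
C:\\Windows\\System32\\Tasks (one UTF-16 XML file per task); exporting them and
running this audit is a cheap way to review persistence across a fleet.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler 2.0 task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task names reported above for TrickBot's persistence task (assumed watch list;
# extend it from your own intelligence).
SUSPICIOUS_TASK_NAMES = {"bot", "services update"}

# Executables launched from user-writable locations are a common red flag for
# malware persistence (heuristic chosen for this example).
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|\\users\\[^\\]+\\appdata\\)", re.I
)


def audit_task_xml(xml_text) -> list:
    """Return a list of human-readable findings for one task definition.

    Accepts str or bytes; pass the raw bytes of an on-disk task file so the
    parser honors its UTF-16 declaration.
    """
    root = ET.fromstring(xml_text)
    findings = []

    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1].strip()
    if name.lower() in SUSPICIOUS_TASK_NAMES:
        findings.append(f"task name {name!r} matches a known TrickBot persistence task name")

    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
        if USER_WRITABLE.search(cmd):
            findings.append(f"action runs from user-writable path: {cmd}")

    # Vendor-registered tasks normally record an Author; its absence is a weak signal.
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    if not author.strip():
        findings.append("no Author recorded in RegistrationInfo")

    return findings


# Constructed sample in the style of the task described above: the renamed
# "services update" task, triggered at logon, running a binary from %APPDATA%.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\\services update</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%APPDATA%\\exampleapp\\client.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign sample: a vendor task with an Author and a Program Files path.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Example Vendor</Author>
    <URI>\\Example Vendor\\Updater</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Example Vendor\\updater.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, audit_task_xml(xml) or ["no findings"])
```

The name check is the weakest of the three signals, since the post itself shows the actor changing it; the path and Author checks survive a rename and are the ones worth keeping in a recurring audit.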
This renewed interest and exploration into distribution of the TrickBot malware comes with a handful of refinements in delivery and persistence. By harnessing a successful distribution methodology and refining their persistence mechanism, criminals using TrickBot are attempting to take their success using this botnet malware to another level. The challenge for security professionals is to develop a comprehensive defense against these improvements. The best approach is to combine tactical observations and atomic indicators with a strategic view of threat actors’ goals. Ultimately, defenders should not focus on just one attack vector or malware tool, but instead should anticipate the strategy threat actors use to accomplish their mission. In many cases, this mission is predicated upon the success of phishing emails.
Understanding how attackers craft and deploy these emails allows an organization to prepare and empower the email users within their organization. These users can then engage critically with those messages and, when a suspicious email is detected, report it to the security and incident responders defending the enterprise. These internal reports can then be compared to and combined with external sources to help network defenders overcome threats at a tactical level and apply those tactics as part of a greater strategy to overcome any phishing threat.
The WannaCry ransomware incident has galvanized global media coverage and dominated discussion among information security professionals since Friday, May 12. The speed with which this malware was able to spread within enterprise networks and how rapidly so many large organizations were impacted is unsettling. Yet, as the dust begins to settle, it is clear that this episode has left a number of lessons in its wake–lessons to be harnessed by defenders and their adversaries.
While this attack is an expansive topic that will continue to evolve as more discoveries are made about the impact, origin, and spread of the WannaCry ransomware, it is also important to keep in mind that WannaCry is one of three major incidents to arise in the past month. Lessons provided by WannaCry are only deepened by the additional context of the fake Google Docs malicious cloud application incident of May 4, 2017 and the introduction of the Jaff encryption ransomware on May 11, 2017. First and most obvious, both Jaff and WannaCry show that the ransomware business model is far from obsolete. There is still a great deal of value to threat actors in holding data for ransom. Second, the novel attack vectors for WannaCry and the fake Google Docs cloud application show that innovation in leveraging new attack surfaces is happening among threat actors. The challenge for defenders is to internalize these revelations and develop an agile security posture that incorporates defense against existing risks and emergent attack vectors.
The explosive growth of ransomware in 2016 marked a dramatic shift in how many threat actors monetize phishing attacks. While certain ransomware tools were delivered using other mechanisms, tools like Locky and Cerber set the tone for the ransomware business model. These ransomware tools were delivered by massive numbers of phishing email to reach the largest number of victims. This business model has been once again put into action by the Jaff encryption ransomware following its debut just one week ago on May 11, 2017. However, the worm functionality demonstrated by WannaCry puts a unique spin on that model by reducing the infrastructure and resource expenditure necessary for the threat actor to maximize their ability to infect new hosts. The goal for both Jaff and WannaCry threat actors is still to reach as many victims as possible to maximize the number of potential ransom payments, lending credence to the notion that ransomware is far from obsolete as an avenue for online crime.
While the propagation mechanisms of the fake “Google Docs” application that made headlines on May 4, 2017 and the WannaCry ransomware worm differ dramatically, both show that virulence is an important aspect of their overall strategy. Furthermore, each of these incidents shows a significant level of innovation by harnessing relatively new attack vectors. The fake “Google Docs” incident took advantage of users’ reliance on cloud services to propagate, while WannaCry leveraged a vulnerability only recently disclosed and made public. However effective these attacks were in their own right, the long-term impact will be the future attacks inspired by these innovations. Whether the payload is a ransomware or some other category of malware, threat actors are watching and learning from these attacks. Furthermore, neither innovation excludes the use of phishing email as a means of making “first contact” with a victim, as was the case with the fake “Google Docs” application. By combining these promising innovations with a tried-and-trusted attack vector, threat actors will continue to gain access to enterprise data and hold it for ransom.
The high profile events of the past month have provided some indication that threat actors are quickening the pace of innovation and looking to combine these innovations with existing attack models. Both phishing and the ransomware tools delivered via phishing emails have proven very successful for threat actors and continued use of both can be expected. However, as threat actors learn from events like those from the past month it can be expected that they will attempt to implement their own versions using creative re-combinations of these techniques to launch attacks of their own.
To anticipate and mitigate these new attack vectors, those tasked with defending enterprises must adapt their security posture to changing paradigms. It is important to ensure there are agile defense and response processes that incorporate protections for multiple attack surfaces and at various stages of the attack life cycle. This effort begins with the basics of regular patching and network hygiene. It also requires the anticipatory education and empowerment of email users to engage with messages critically and act on suspicions, reporting potentially-malicious emails to the enterprise’s defenders. These internal reports can then be compared to external observations and intelligence reporting to identify the most immediate risks to an organization. The threat landscape is evolving, but in the face of robust, holistic, and human-centered defense strategies, attackers can be overcome.
Adding another entry to the ever-growing list of encryption ransomware, the Jaff Ransomware made its debut onto the threat landscape with large sets of phishing emails on May 11, 2017 – one day before the sensational impact of the WannaCry ransomware attack. However, the risks posed by the Jaff ransomware should not be overlooked. This, too, is a robust ransomware that leverages some of the most prolifically-used delivery mechanisms in phishing email and embodies characteristics associated with other very successful malware.
The ransomware that defined much of the phishing threat landscape in 2016 raged back into prominence on April 21, 2017 with multiple sets of phishing email messages. Harkening back to narratives used throughout 2016, these messages leveraged simple, easily-recognizable, but perennially-effective phishing lures to convince recipients to open the attached file.
Threat actors using the Dridex botnet malware received a great deal of attention recently for their purported utilization of content exploiting a previously un-patched vulnerability in Microsoft Word. This exploit, which took advantage of unexpected behavior in the handling of certain document types, was reportedly used to deliver the Dridex botnet malware via documents attached to phishing emails. However, the bulk of Dridex campaigns leverage far more common delivery techniques that abuse the functionality that already exists in Microsoft Office and Adobe Reader rather than deploying some complex exploit content. This serves as a reminder that threat actors don’t always rely on exploit content because exploits of un-patched vulnerabilities are no longer required to break into an enterprise; simple phishing messages can accomplish this same goal.
I don’t think anyone likes to do taxes… unless you’re an accountant. Maybe.
Collecting all the documents, knowing which ones are needed, completing them in time, and handing over payments is a headache for individuals and companies alike. Phishing threat actors know this and will try to take advantage.
The United States Internal Revenue Service provides lots of resources about recent and relevant phishing attacks and scams targeting American taxpayers. Their international counterparts in the United Kingdom and Australia also provide extensive resources on recent attacks impacting their taxpayers. One important aspect of the material provided by these organizations is the delineation between what communication can be expected from each taxation authority and what forms of communication should be considered suspicious. For example, the Internal Revenue Service states that, “The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”
The most common social engineering tactics utilized by threat actors appeal to fear, uncertainty, and doubt, three things that, for some, go together with the tax filing season. Often, threat actors will use phishing narratives that threaten the recipient with legal action because they supposedly failed to properly file their taxes. Other techniques use reminders or “helpful hints” appealing to recipients’ uncertainty and desire to take the best route for doing their taxes. These messages are often used to deliver malware tools designed to steal personal and corporate information. However, other threat actors take a still more direct route inspired by the CEO fraud and BEC attacks that have become very popular and very, very profitable. In these scenarios, the threat actors impersonate a VIP within a company or organization and simply request that someone in the company’s human resources department send a copy of all the income reporting forms for every employee in the company.
Both techniques embody an interesting intersection that reveals how threat actors operate. Threat actors often seek to infect the largest number of users possible with their malware tools. This allows them to maximize their opportunities for monetizing their malware deployments, whether the malware in use is designed to provide access to private information or to simply encrypt it and demand a ransom payment. One example identified by PhishMe Intelligence in December 2016 targets individuals by offering up unsolicited tax advice regarding retirement savings. Attacks like these, if directed to victims outside of a firm or organization, can only impact those victims as individuals.
Figure 1 – Unsolicited tax advice has been observed as an avenue for delivering malware
Threat actors have recognized this and some have adjusted their strategy. As a result, they have introduced attacks that take advantage of the intersection of two contemporary techniques.
First, they employ elements of soft targeting, a strategy in which phishers cast a wide net using a narrative intended to appeal to a class of individual. A prolific example of soft targeting is the ever-present “resume” phishing theme intended to disproportionately impact human resources personnel. Similarly, many tax-themed phishing campaigns are designed to disproportionately impact financial and accounting professionals within companies so the threat actor can gain access to the greatest amount of sensitive information at once. Whether the attack is designed to deliver a tool to steal financial information or hold it for ransom, threat actors appeal to accounting professionals’ careful handling of tax matters.
Second, phishers blend their techniques with the CEO fraud or BEC strategies by imposing a fake demand that an accounting professional turn over a company’s W-2 information for “review” by an imposter company VIP. These fraudulent requests are directed to someone within the organization responsible for fulfilling the requirement that tax information be completed promptly and accurately. The threat actor is therefore linking together the pressure of responding to senior management with the pressure of completing taxation paperwork promptly. The result is a compelling narrative that the threat actor hopes will result in the turnover of sensitive information about a company’s employees, simply by asking for it.
An example of the former was used to deliver the Spora Ransomware in January 2017 using a lure informing the victim that a “loyalty” tax refund may be available to them. With the listed sender “IndustrialandCommercial[.]com”, this was intended to resemble an opportunity for the recipient to learn more about a tax break to which their company may be entitled.
Figure 2 – Other campaigns have attempted to pitch a tax break to recipients
These appeals are not unique to the United States. Threat actors have frequently abused the names and impersonated representatives of taxation authorities around the world. Examples collected by PhishMe Intelligence in just the past two months include emails delivering malware through impersonation of Australian, Brazilian, Indian, and Italian tax authorities. Each example delivered some form of malware utility used to carry out the theft of sensitive information.
Figure 3 – Australian Tax Office impersonated to deliver malware
Figure 4 – Increased diversity in impersonated tax authorities over the past year
Figure 5 – Examples include full internationalization in language selection
While these threat actors all sought to deliver some malware tools to their victims, threat actors requesting sensitive information have been active this year as well. Per FBI reporting, the rash of BEC and CEO fraud scams had netted criminals around the world more than 3 billion dollars and cost US victims just shy of a billion dollars as of June 2016. Emulating this technique, other threat actors target the private, personal information of companies’ employees by sending emails to custodians of W-2 information while impersonating a member of a company’s top-level management. These emails simply ask individuals to turn over to the criminal all the W-2 information for the company.
Like taxes, it’s clear these types of attacks are not going away anytime soon. However, through consistent training organizations can battle these types of threats and potentially lower their impact. It’s important to remember that the IRS will never ask you for any sensitive information in an email, and when in doubt, go directly to the IRS website instead of following links in emails.
Now, there are 3 things about which you can be sure: Death, Taxes and Phishing!
As the public becomes more and more aware of ransomware threats through journalistic outlets and the advice of security professionals, threat actors face more challenges in successfully monetizing the deployment of their tools. The longevity of ransomware as a viable criminal enterprise relies upon the continued innovation that ensures threat actors can deliver and monetize infected machines. Much of the innovation seen in 2016 was focused on defying the expectations for how ransomware is delivered such as steganographic embedding of ransomware binaries, other forms of file obfuscation, and requirements for command line argumentation. These were all put forward as ways to ensure victims are infected by the ransomware and put into a position where they may be compelled to pay the ransom and thereby monetize the infection for the threat actor.
While it is easy to be caught up in hype regarding the smallest alteration to ransomware behavior, sometimes a step back and a look at the ransomware business model is more helpful. While the alteration in the extension given to files encrypted by Locky may be easy fodder for blog posts, changes like the addition of the “.shit” extension are likely little more than a jab at information security researchers who have placed a significant amount of stock in the extension applied to encrypted files. Simply put, changing the file extension used by this malware doesn’t fundamentally change how the malware impacts victims. And most victims probably don’t care what extension is applied to their now-inaccessible documents. Most importantly, it does not impact how the threat actor intends to generate revenue from that new infection.
Many of the changes seen in ransomware delivery through 2016 have supported the core of the business model by guaranteeing the maximal number of infections. Innovative means of bypassing controls, frustrating analysis, and creating difficulties for incident response were all created by defying certain expectations, each intended to ensure that victims are infected and put into a position where they may be compelled to pay the ransom.
One arena in which few ransomware developers have made forays is the capability to repurpose infected machines for other criminal endeavors. Widespread usage of ransomware as a first-step utility is still uncommon among the most prominent ransomware varieties as is the side-by-side delivery of other malware utilities via phishing email. However, this capability would be a simple addition to most ransomware varieties and would stand to create new and virtually-unlimited additional avenues for further monetization of infected machines beyond the collection of a ransom payment. One ransomware variety that has already begun to incorporate this functionality into its behavior is the Troldesh encryption ransomware.
An example of this ransomware was recently analyzed and was found to also deliver a content management system (CMS) login brute-force malware in addition to its core ransomware payload. This malware is designed to force its way into content management systems like WordPress and Joomla by guessing the login credentials. This is valuable to threat actors as it allows them to compromise those websites for any number of reasons including the posting of new malware payloads to be downloaded in later campaigns. Beyond giving threat actors access to the compromised websites, this malware also pushes the responsibility for those compromises away from the threat actor, giving them some level of deniability and distance from the attacks. However, the victim, whose computer is now being used to launch brute-force attacks on websites, must still pay the demanded ransom to regain access to the files that have been encrypted by Troldesh.
Troldesh, however, is a ransomware that has a relatively low profile among ransomware varieties, especially in terms of its impact on English-speaking populations. Another example identified more recently indicates that this one-two punch technique is also being used in conjunction with the Locky encryption ransomware, a malware that has a far wider reach and is more well-known.
Repurposing a victim’s computer to carry out the activities highlighted here is just one example of what a threat actor could do if additional malware or capabilities are incorporated into ransomware samples. Two factors could make a scenario like this have a significant impact on an individual or company. First, if a threat actor can place a ransomware sample within an environment and then expand their reach using additional malware samples, the threat actor has created two avenues for victimizing that individual or organization. The ransomware is the most obvious component of this scenario, but the additional malware sample could be used for a much longer and more damaging operation with implications reaching far beyond the ransomware incident. Secondly, since the expectation is that the ransomware sample is the only avenue for monetization and the only malware involved in most ransomware incidents, an individual or organization may not seek out the additional malware and instead address only the obvious threat, leaving the quieter and more longitudinal threat in place.
The prospect of ransomware featuring additional capabilities or acting as malware downloaders is troubling. It greatly complicates the threat landscape and adds burdens to information security professionals tasked with protecting organizations from both ransomware and other malware utilities. The good news, however, is that many organizations are already aware and empowered to address both ransomware and non-ransomware malware threats. Phishing email has been the most prominent avenue for the delivery of both these categories of malware utility and is an arena where organizations can form holistic defense plans. Holistic phishing defense includes the education and empowerment of all email users to identify and report phishing emails before engaging with the malware they deliver. The information security professionals within those organizations can then utilize that internal intelligence from user reports along with external intelligence to best identify and respond to not just the obvious threats like ransomware, but also the quieter and less-obvious malware threats as well.
The full report on this Troldesh sample used to deliver additional malware payloads is available to PhishMe Intelligence users here. The list below includes a number of IOCs related to this analysis.
Troldesh command and control host:
Content Management System Brute-force bot executable:
Content Management System Brute-force bot command and control host:
The Locky and Kovter samples are described in this Active Threat Report and related IOCs are listed below.
Locky encryption ransomware sample:
Locky hardcoded C2 locations:
Kovter command and control resource:
It is important to PhishMe to avoid hyperbolic conclusions whenever possible. In the interest of clarifying some conclusions that have been drawn from this blog post, it is important to keep in mind the nature of Locky distribution and how this malware is delivered to victims. We consider it a serious responsibility to report on very real threats in a way that lends itself to our credibility as well as the credibility of all information security professionals.
PhishMe has no reason to believe that this set of emails was delivered only to victims of the OPM incident nor to government employees as part of a spear phishing attack.
The email addresses associated with the OPM breach have not been actively circulated. As such, it is incredibly unlikely that the threat actors have any detailed knowledge of who will be receiving these emails. Furthermore, PhishMe has not received any confirmation that anyone impacted by the OPM incident has received a copy of these emails. Many people who were not affected by the OPM incident and are not affiliated with the U.S. government also received copies of these messages and are also put at a very real risk by this ransomware.
A continuing truth about the Locky encryption ransomware is that its users will take advantage of any avenue that they believe will secure them a higher infection rate but still utilize predictable themes. This time, the threat actors have chosen to impersonate the US Office of Personnel Management in one of their latest attempts to infect people with this ransomware. As we have noted in previous reporting, Locky has set the tone for 2016 with its outstanding success as an encryption ransomware utility. As we approach the end of the year, this ransomware continues to be a fixture on the phishing threat landscape.
One key example of this malware’s phishing narratives is a set of emails analyzed by PhishMe Intelligence this morning that cite the purported detection of “suspicious movements” in the victim’s bank account that were detected by the US Office of Personnel Management.
This phishing narrative comes with a few notable implications. First, the emails are designed to appear as if they were sent by the OPM, and the threat actors hope that this makes them more likely to appeal to government workers and employees of government contractors. Secondly, the threat actors may also hope that these messages are more likely to appeal to individuals who have been subject to a loss of personal information as a result of the high-profile OPM breach.
If either of these implications bears any truth, the Locky threat actors once again demonstrate their unscrupulous nature and willingness to exploit the misfortune of others at any step in their delivery and infection process. However, absent the reference to the Office of Personnel Management, this set of emails would be just another set of phishing emails delivering Locky, featuring strange word choices such as “suspicious movements” and “out account”.
These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task. Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors.
However, only four hardcoded command and control hosts were found to be supporting this Locky instance. They are listed below.
Furthermore, a single payment site where the ransomware victim can pay the Bitcoin ransom in exchange for a purported decryption application was identified.
The full PhishMe Intelligence report on this Locky analysis is available to PhishMe Intelligence clients here.
Another ransomware tool has been added to the ever-growing encryption ransomware market with the introduction of the Bart encryption ransomware. Named by its creators in its ransom payment interface as well as in the extension given to its encrypted files, the Bart encryption ransomware has leveraged some distinctive mechanisms for delivery during its early deployments. Furthermore, this ransomware shares some interface elements that evoke the same look and feel used by the Locky encryption ransomware ransom payment interface. In many ways the Bart encryption ransomware is a very mainstream encryption ransomware in both the files it targets for encryption (a full list of these file extensions is included at the end of this post) as well as its demand for a sizable Bitcoin ransom. However, a number of elements related to this encryption ransomware are noteworthy when viewed through the lens of recent developments in the phishing threat landscape.