Even the “Smart Ones” Fall for Phishing

It’s easy to believe that phishing only happens to people who aren’t smart enough to detect it. This simply isn’t true. As the tech-savvy developers at software company a9t9 have indicated in their statement[1] about a phishing incident last week, even smart developers can be fooled with a phish.

As reported by Tripwire, a Chrome plugin developer fell for a phishing attack that allowed the threat actor to take control of a9t9’s account in the Chrome Store.  This means that the Copyfish plugin built by a9t9 was no longer under its control.  Meanwhile, the plugin has already been used to “insert ads/spam into websites” according to the statement by a9t9.

The original phishing message that lured the developer carried a link on the URL shortening service called Bit.ly.  As Tripwire explained, the victim did not notice the odd link because he was viewing the message in webmail.  However, in the screenshot of the message in its text format, the Bit.ly link is clearly-visible.  One of the great features of Bit.ly for those creating “bitlinks” is that you can view statistics about the locations and user agents of who clicks on your link.  Others can also see a few stats by appending a plus (+) sign to the end of the URL.  Below is what we saw when we did this:

The stats tell us that the bitlink was created on July 28th and leads to a URL on rdr11.top, a domain first registered on that same day via NameCheap but under privacy protection.  Once the victim clicked on the link, he was redirected to the rdr11.top URL which itself then redirected to a URL on chrome-extensions.top, to the page[2] seen below:

The domain chrome-extensions.top was also registered via NameCheap using privacy protection on July 28th.

The rdr11.top and chrome-extensions.top hosts resolve to Saint Petersburg, Russia, IP address, part of a /23 net block owned by Moscow Selectel Service.

Also known to resolve to have resolved to is the domain chrome-extensions.pro, registered July 21st with NameCheap, using privacy protection.

A third resolution to the same IP,, was the phishy-sounding domain cloudflaresupport.site, also registered via NameCheap under privacy protection, on July 18th.  A similar domain, cloudflaresupport.info, was registered with NameCheap on June 21st and even used the Cloudflare service for phishing Cloudflare accounts, but it is now under Cloudflare’s control.  See the tweet[3] below that included screenshots of the phishing message and spoofed Cloudflare login page:


In the Comments of that tweet are screenshots showing further redirection to a Google login phishing page on webstoresupport.top, registered with NameCheap using privacy protection on June 20th.  Other comments reveal that on June 21st CloudFlare actively engaged the customer support software ticketing service being used by the threat actor to send the phishing messages, FreshDesk.  However, a9t9’s statement mentions that FreshDesk was still being used on July 28th when the a9t9 developer was lured in by a phishing email message.


There are some lessons that can be learned about two factor authentication for such important accounts as your Chrome Store or Cloudflare logins; however, the main issue here is that the victim was not even thinking about the possibility of phishing while responding to his email messages. Phishing, now commonly used against all types of accounts and for increasingly-creative purposes, is known to be the number one way that attackers breach our critical processes, steal our intellectual property, and bring businesses to a screeching halt.  We can also thank a9t9 for owning up to its mistakes so that we can all learn from them.  Their share helps us to connect the dots and discover more about the phisher and his methods and infrastructure.

You can use PhishMe to make sure your employees know how to recognize, report, and respond to these growing threats.


[3] https://twitter.com/LawrenceAbrams/status/877666254974316544

[2] hxxps://login.chrome-extensions.top/ServiceLogin/?https://accounts.google.com/ServiceLogin?service=chromewebstore&passive=1209600&continue=https://chrome.google.com/webstore/developer/dashboard&followup=https://chrome.google.com/webstore/developer/dashboard

[1] https://a9t9.com/blog/chrome-extension-adware/

Threat Actors Use Advanced Delivery Mechanism to Distribute TrickBot Malware

Threat actors’ consistent pursuit of improved efficiency is a key characteristic of the phishing threat landscape. One method for improving efficiency is to use a unique delivery technique that not only allows threat actors to distribute malware but also succeeds in evading anti-virus software and technologies.

Ribbon Cutting – Running Macros with CustomUI Elements

PhishMe® Research has generally seen macro execution in PowerPoint tied to specific actions and events, such as a mouse interaction with an object or custom actions. But the “Ribbon Cutting” technique uses a different method; it runs macro code by creating a UI callback that is triggered when the file is opened. Although in the example below we use PowerPoint, the technique can be used in other Office applications that support ribbon customizations.

Karo Ransomware Raises Stakes for Victims by Threatening to Disclose Private Information

A ransomware victim must have a compelling reason to go through the burdensome process of obtaining Bitcoin and paying the ransom. For many victims, the threat of permanently losing access to their files is enough. However, some ransomware authors and criminals seek to push victims harder by raising the stakes even further.

Threat Actors Continue Abusing Google Docs and Other Cloud Services to Deliver Malware

A key part of phishing threat actors’ mission is to create email narratives and leverage malware delivery techniques that reduce the likelihood of detection. By combining compelling social engineering with seemingly benign content, threat actors hope to bypass technical controls and to convince their human victims of a phishing email’s legitimacy. One method with a long history of use is the abuse of Google Docs file sharing URLs to deliver malware content to victims. Because Google Docs and other cloud services may be trusted within an enterprise, threat actors will continue to abuse file sharing services to possibly bypass firewalls and anti-virus technologies.

Threat Actors Leverage CVE 2017-0199 to Deliver Zeus Panda via Smoke Loader

Our Phishing Defense Center identified and responded to attacks leveraging a relatively new Microsoft Office vulnerability during the past few weeks. Last week, the PDC observed threat actors exploiting CVE 2017-0199 to deliver the Smoke Loader malware downloader which in turn was used to deliver the Zeus Panda botnet malware. These emails claim to deliver an invoice for an “outstanding balance” and trick the recipient to opening the attached file. In one instance, we have also seen the malicious attachment being delivered via URL.

Tracking and Mitigating Zyklon Phishing Using Threat Intelligence and Yara

The Zyklon HTTP Botnet malware is a tool that is readily accessible to threat actors in online criminal marketplaces and has been observed in use for various criminal activities. Among its features is the ability to log the keystrokes typed by a victim as well as to collect other private or sensitive information, and one of the most notable uses for Zyklon has been as a downloader and delivery tool for the Cerber encryption ransomware. Over a dozen unique campaigns to deliver this malware have been identified and reported by PhishMe Intelligence and it represents one of the most rapidly-growing constituents on the threat landscape. Each time the Zyklon malware is identified, it has followed a relatively-straightforward and mainstream method for infecting victims. With only one exception, Zyklon has been delivered using Microsoft Word documents with hostile macro scripting used to deliver the botnet malware payload.

SMILE – New PayPal Phish Has Victims Sending Them a Selfie

Phishing scams masquerading as PayPal are unfortunately commonplace. Most recently, the PhishMe Triage™ Managed Phishing Defense Center noticed a handful of campaigns using a new tactic for advanced PayPal credential phishing. The phishing website looks very authentic compared to off-the-shelf crimeware phishing kits, but also levels-up by asking for a photo of the victim holding their ID and credit card, presumably to create cryptocurrency accounts to launder money stolen from victims.

TrickBot Featured in New Wave of Phishing Emails Signaling Renewed Use of this Botnet Malware

The TrickBot financial crimes and botnet malware has seen mild usage since its introduction in late 2016. While it is able to emulate many of the features that made the Dyre trojan so successful, many aspects of its deployment left it rough around the edges. Examples of this roughness like persistence via a scheduled Windows task named “Bot” limited this malware’s evasion and anti-forensic capabilities. Furthermore, previous deliveries leveraged relatively simplistic techniques such as relying on executables in archives attached to phishing emails securing new infections. However, with some very minor refinements to both the malware resident and delivery processes, threat actors have evidenced a renewed drive to explore the possibilities this malware tool has to offer. The exploration of malware technologies and delivery processes are both trends that have been previously addressed in PhishMe® reporting and, as threat actors continue to turn to commoditized delivery methods, will continue to evolve.

TrickBot is a robust financial crimes and botnet trojan that shares a number of characteristics with the infamous Dyre banking trojan. Despite sharing similar functionality, TrickBot is an approximation of Dyre, not an exact copy. While this extends to the theft of online banking credentials, this botnet tool is flexible enough to provide threat actors with the ability to adapt and customize their intrusion based on information collected about machines infected by TrickBot.

One of the most tenacious and recurring delivery methodologies featured within the current threat landscape is the combination of PDF documents with an embedded Microsoft Word document. This document in turn contains macro scripting used to download and deobfuscate an XOR-ciphered executable payload. A number of current top-tier malware varieties have been deployed using this methodology. Criminals delivering the Jaff encryption ransomware and before it the Locky encryption ransomware both harnessed this technique as have the Dridex threat actors. This technique is popular because it provides some advantages over using a PDF or Word document with macros alone. The first and most obvious is the appearance it presents to its recipients. While awareness of Word documents with macros has proliferated in recent years due to its prolific use in phishing attacks, by adding just one step, unprepared users can be convinced to engage with the infection method.

Figure 1 – PDF reader requests permission to extract and open a Word document as seen with Jaff, Locky, and Dridex

This technique has now been employed as a means of delivering the TrickBot malware along with a renewed use of standalone Office documents with macro scripting. The phishing emails delivering these infection utilities featured no message content, no narrative, and in some cases, no subject line. This employs a different social engineering technique that, rather than relying on persuasive argumentation, appeals to the recipient’s curiosity.

Attachment Filename MD5 Hash
11180651.pdf d397901e0d35a108ed4218715e47f79d
89049517.pdf b327868a11287995c32dc433dbeb3fb7
61783306.pdf bb42465392dbc15c1b4ed88ab6ed47b3
33238593.pdf b0f75286403bd759872bde9655c76038
SCAN_0221.doc ed1e1515dcc0d8a7608e73345de642ea
SCAN_9392.doc e9d181fbbe7d10bf2b17672b4966ae70
SCAN_4659.doc 4596f215c4760cd643fc79935fd41736
SCAN_1146.doc c019021cf3473e46395791ca18e2dd82

Figure 2 – Example indicators from campaigns using this attack method

However, this renewed threat actor utilization also brings a very subtle refinement to the overall polish of the TrickBot deployment intended to improve its rate of successful infection as well as its likelihood to persist undetected on infected endpoints. The TrickBot malware relies on a Windows Task to ensure its persistence within infected environments. This task is defined by an XML file written to disk after TrickBot is initially run. Early examples of this persistence task were named “Bot” and would show up as such during audits of system tasks. However, this most recent iteration of task from “Bot” to the much less obvious “services update”. While this refinement may seem insignificant, it portends a much more serious approach on the part of the threat actor. One of these two filenames would look entirely out of place within an infected environment while the latter would be more reasonable–perhaps reasonable enough to escape detection.

Figure 3 – An excerpt from the “services update” Windows task

This renewed interest and exploration into distribution of the TrickBot malware comes with a handful of refinements in delivery and persistence. By harnessing a successful distribution methodology and refining their persistence mechanism, criminals using TrickBot are attempting to take their success using this botnet malware to another level. The challenge for security professionals is to develop a comprehensive defense against these improvements. The best approach is to combine tactical observations and atomic indicators with a strategic view of threat actors’ goals. Ultimately, defenders should not focus on just one attack vector or malware tool, but instead should anticipate the strategy threat actors use to accomplish their mission. In many cases, this mission is predicated upon the success of phishing emails.

Understanding how attackers craft and deploy these emails allows an organization to prepare and empower the email users within their organization. These users can then engage critically with those messages and, when a suspicious email is detected, report it to the security and incident responders defending the enterprise. These internal reports can then be compared to and combined with external sources to help network defenders overcome threats at a tactical level and apply those tactics as part of a greater strategy to overcome any phishing threat.

Learn about emerging trends and evolving threats in phishing malware with PhishMe’s Q1 Malware report, click here to download.