Panda versus DELoader: Threat Actors Experiment to Find the Best Malware for the Job

One important task for threat actors is the pursuit of new and innovative techniques for infiltrating their victims’ networks. A major aspect of this pursuit is selecting the malware that can accomplish the mission at hand. For example, a ransomware threat actor may seek out the ransomware tool that guarantees the highest rate of ransom payment, whereas threat actors with different missions might evaluate tools against different success criteria. Threat actors can experiment with and transition between these tools because, in many ways, these malware varieties are interchangeable parts in an attack life cycle.

New Phishing Emails Deliver Malicious .ISO Files to Evade Detection

On May 22, 2017, PhishMe® received several emails with .ISO images as attachments via the Phishing Defense Center. ISO images are typically used as an archive format for the contents of an optical disk and are often used as installers for operating systems. In this case, however, a threat actor leveraged this archive format as a means to deliver malware to the recipients of their phishing email. Analysis of the attachments showed that the archive was abused to deliver malicious AutoIT scripts hidden within a PE file that appears to be a Microsoft Office document; the script spawns a process called MSBuild.exe and causes it to act as a Remote Access Trojan. AutoIT is a BASIC-like scripting language designed for automating Windows GUI tasks and general scripting. Like any scripting or programming language, it can be used for malicious purposes.

FBI Announces That BEC Scam Losses Continue to Skyrocket, as Losses Exceed $3.1B

Financial losses from business email compromise (BEC) scams skyrocketed by 2,370% between January 2015 and December 2016, according to an FBI public service announcement released Thursday. The alarming statistic represents a sharp increase from the agency’s previous announcement and serves as a warning to users to stay vigilant in recognizing the threat.

In the Shadow of WannaCry, Jaff Ransomware Arrives Using Familiar Phishing Techniques

Adding another entry to the ever-growing list of encryption ransomware, the Jaff ransomware made its debut on the threat landscape with large sets of phishing emails on May 11, 2017, one day before the sensational impact of the WannaCry ransomware attack. The risks posed by Jaff should not be overlooked, however. It, too, is a robust ransomware that leverages some of the most prolifically used delivery mechanisms in phishing email and embodies characteristics associated with other very successful malware.

Bogus Claim: Google Doc Phishing Worm Student Project

According to internet sources, Eugene Pupov is not a student at Coventry University.

Since the campaign’s recent widespread launch, security experts and internet sleuths have been scouring the internet to discover the actor responsible for yesterday’s “Google Doc” phishing worm. As parties continued their investigations into the phishing scam, the name “Eugene Pupov” has consistently popped up across various blogs that may be tied to this campaign.

A blog post published yesterday by endpoint security vendor Sophos featured an interesting screenshot containing a string of tweets from the @EugenePupov Twitter handle claiming the Google Docs phishing campaign was not a scam, but rather a Coventry University graduate student’s final project gone awry.

Source: Sophos News. https://nakedsecurity.sophos.com/2017/05/04/student-claims-google-docs-blast-was-a-test-not-a-phishing-attempt/

Several people on Twitter, including Twitter-verified user Henry Williams (@Digitalhen), have pointed out a serious flaw in the @EugenePupov profile.

Source: Twitter, Inc. https://twitter.com/digitalhen/status/860006167715643392

This Twitter account, which fraudulently used a profile image portraying molecular biologist Danil Vladimirovich Pupov of the Institute of Molecular Genetics at the Russian Academy of Sciences, has since been deactivated.

Coventry University’s communications team quickly responded on social media denying all claims that anyone named Eugene Pupov is a current or former student.

Source: Twitter, Inc. https://twitter.com/CoventryUniNews/status/860120215216148481

Something clearly is “phishy” about this situation.

Despite the university’s recent announcement discrediting claims of enrollment for a Eugene Pupov, I would like to hypothetically explore the theory that yesterday’s campaign was the result of a student phishing research project that went terribly viral. Our PhishMe Intelligence teams identified and obtained the campaign source code and noticed that the most notable aspect of this phishing campaign was its uncanny ability to self-replicate and spread. From our vantage point, there is no outward evidence indicating data was stolen or manipulated as previously alleged.

The list of domains created for this alleged “student demonstration” stinks like rotten phish.

  • googledocs[.]gdocs[.]download
  • googledocs[.]docscloud[.]download
  • googledocs[.]gdocs[.]win
  • googledocs[.]gdocs[.]pro
  • googledocs[.]g-2Dcloud[.]win
  • googledocs[.]g-2Ddocs[.]win
  • googledocs[.]g-2Dcloud[.]pro
  • googledocs[.]g-2Ddocs[.]pro
  • googledocs[.]docscloud[.]win

As a career-long security researcher and current leader of phishing intelligence research teams, I find this list of domains concerning. Typically, when a researcher creates proof-of-concept code for a white paper or presentation, the naming conventions of the URLs are chosen to showcase their malicious or fraudulent nature for educational purposes, for example:

  • “foo-example.com”
  • “evil-mitm-site.com”
  • “hacker.foo.example.com”

If the party responsible intended to produce educational materials that had any potential to unintentionally mislead a victim, they would typically create one, possibly two, examples to help avoid such a scenario. A comparable case is the punycode phishing sample recently covered in WIRED, where the researcher registered a single punycode example domain.

What is most concerning here is the number of googledocs look-alike domains. Under most best practices, a legitimate security researcher would not register 9 domains to illustrate a point or to educate on a threat vector. This behavior pattern is most commonly tied to malicious actors with real nefarious motivations behind their actions.

It may be some time before the true motives of the phishing worm author are revealed. However, we are inclined to believe there is a very good chance that malicious intent was in development during this campaign, and that its execution quickly snowballed beyond the author’s desired scope.

Google Doc Phishing Attack Hits Fast and Hard

Google Doc Campaign Makes a Mark

In the process of managing phishing threats for our customers, our Phishing Defense Center and PhishMe Intelligence teams saw a flood of suspicious emails with a subject line stating that someone “has shared a document on Google Docs with you”, containing a link to “Open in Docs”. The “Open in Docs” link goes to one of several URLs, all within the https://accounts.google.com website.