On May 22, 2017, PhishMe® received several emails with .ISO images as attachments via the Phishing Defense Center. ISO images are typically used as an archive format for the content of an optical disk and are often utilized as the installers for operating system. However, in this case, a threat actor leveraged this archive format as a means to deliver malware content to the recipients of their phishing email. Analysis of the attachments showed that this archive format was abused to deliver malicious AutoIT scripts hidden within a PE file that appears to be a Microsoft Office Document file, which creates a process called MSBuild.exe and caused it to act as a Remote Access Trojan. AutoIT is a BASIC-like scripting language designed for automating Windows GUI tasks and general scripting. Like any scripting or programming language, it can be used for malicious purposes.
Financial losses from business email compromise (BEC) scams skyrocketed by 2,370% between January 2015 and December 2016, according to an FBI public service announcement released Thursday. The alarming statistic represents a sharp increase from the agency’s previous announcement, serving as a warning to users to stay vigilant in recognizing the threat.
Over the past several days, the Phishing Defense Center identified and responded to several messages related to an ongoing phishing email campaign spoofing DocuSign to carry out an attack. These messages appear to be official DocuSign emails including links to review the document. Upon clicking the link, various malicious files are downloaded to the victim’s computer including the DELoader financial crimes malware.
Google Doc Campaign Makes a Mark
In the process of managing phishing threats for our customers, our Phishing Defense Center and PhishMe Intelligence teams saw a flood of suspicious emails with subject line stating that someone has “has shared a document on Google Docs with you”, which contained a link to “Open in Docs”. The “Open in Docs” link goes to one of several URLs all within the https://accounts.google.com website.
Throughout April, our Phishing Defense Team observed an increase in malicious URLs that deliver the financial crimes and botnet trojan known as Geodo. These emails take a simple approach to social engineering, using just a sentence or two prompting the victim to click on a link to see a report or invoice that has been sent to them.
An example of a typical phishing email used in these attacks is shown below:
Below are some examples of subject lines we have observed:
Emails containing malicious links providing the PDF documents used to deliver this malware have also been found to contain the word “attachment” somewhere within in the subject line.
Once the Geodo payload is in place on the victim’s computer, it will connect to the Geodo command and control infrastructure allowing the attacker to collect sensitive information from the infected machine.
Listed below are command and control hosts that have been observed during our analysis:
The core functionality of the Geodo trojan lies in its ability to collect sensitive information from infected machines and their users. Sophisticated browser-based information stealing functionality provided by Geodo includes form grabs and HTTPS man-in-the-middle attacks. Geodo also sports the ability to produce new sets of phishing emails, delivering itself to new potential victims.
Full List of Geodo IOCs collected by the Phishing Defense Center
Infection URLs (Where the malware was originally downloaded from):
Command and Control hosts:
PhishMe cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for unexpected emails that contain subject lines referring to invoices or attachments, and email bodies that ask you to visit a link to see an invoice or report. PhishMe Simulator customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.
Want to be notified of the latest malware strains and phishing threats? – sign up for our complimentary PhishMe Threat Alerts service, delivered straight to your inbox.
It’s no secret that 90% of breaches start with a phishing attack. The question is: are you prepared to recognize phishing and respond to it? Many organizations are concerned with how much spam they receive and implement controls specific to spam. But you shouldn’t confuse preventing spam with responding to phishing attacks.
On April 5th, our Phishing Defense Center received a flurry of emails with subject line following a pattern of Lastname, firstname. Attached to each email was a password-protected .docx Word document with an embedded OLE package. In all cases the attachments were password protected to decrease the likelihood of detection by automated analysis tools. A password was provided to the victim in the body of the email which attempts to lure the victim into opening the malicious attachment and to increase the apparent legitimacy of the message.
It’s the time of year when Taxes are on everyone’s mind – especially Phishers!
The stress of filing. The stress of gathering all the documents. The stress of reporting. The stress of the deadline. All of that on top of everything else you have to do this time of year makes tax time phishing a favorite and highly successful annual event for phishing scams. However, once the filing is completed, it doesn’t mean the campaigns will stop. W2 and CEO fraud are timeless phishing campaigns that run all year long.
On March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. And, an added bonus unknown to the receiver, the emails also contained a malicious attachment designed to siphon data from its targets.
Included is an example of one of these emails along with basic Triage header information.
Each email analyzed contained instructions to open an attached .ace archive file that when decompressed revealed a Windows executable containing Loki Bot Malware.
Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.
The following Loki Bot executable was identified during our analysis.
Upon infecting a machine, this malware performs a callback to the following command and control host reporting the new infection and submitting any private data stolen during the infection process.
|Command and Control URL||IP Address||Location|
The command and control domain ‘elmansy.net’ was created almost exactly a year ago on 2016-03-18 with the email address firstname.lastname@example.org. The IP address reveals that the domain is being hosted out of Jiangsu, China.
As always, PhishMe cautions our customers to be wary of emails requesting information or promising reward. Specific to this sample, we recommend that customers be observant for emails containing the subject line “Request for quotation” or emails promising business with new or unknown businesses. PhishMe Simulator customers who feel this type of offer might be successful with its employees should consider launching simulations that follow this style of attack to further train their users.
Additionally, incident responders should consider blocking the domain and IP address mentioned above, as well as searching endpoint systems for the MD5’s if internal systems support it.
The Phishing Defense Center is the hub for our remotely managed PhishMe Triage services. The fully staffed center manages all internal reported emails for a number of organizations. All information shared has been cleansed of any identifiable data.