
Trends in email threats (malware, phish, fraud, etc)


ChickenKing


Hey everyone! Wanted to start this thread to discuss some trends you've been observing in email threats recently. Pretty much anything that uses email as an attack vector. Malware attachments, malware hosting links, credential harvesters, bank fraud, MITMB, BEC, anything really!

For some background, I work as a security engineer, and my main job functions are detection engineering, malware analysis, and incident response. We have a very robust email detection program, incorporating hundreds of custom YARA rules, manual indicators, and a couple enterprise tools. As a result, we catch many many email threats on a daily basis.

As I'm sure you all have, we were recently hit by the recent wave of emotet. For some reason the TA used the same xls attachment across seemingly their entire several-thousand email campaign, which definitely made fingerprinting this wave easier. Of the 40+ emails we received, they were all blocked by an enterprise tool and never made delivery. See below for hash values.
MD5: 2486374800299563ab8934122234242a | SHA256: ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c

Back in August - September, I observed and handled several dozen emails over that time period related to a new wave of qakbot. They all involved a link -> pw protected zip -> iso -> lnk -> process injection -> c2. This has since slowed down, but I'll include a couple of hashes and c2 IPs for anyone interested.
SHA256: f005f68a8d4d58c7c50341408ecc2963e97035abe7845a667de13fe040e8b280 | SHA256: 7a52a41edce28f3140864f05272761cf5b2a12e155bdb68b779e3144ad2aba06

IPv4: 176[.]177[.]136[.]35 | IPv4: 139[.]228[.]33[.]176

And of course, the credential harvesters are always coming in, multiple a week pretty consistently.

Curious what sorts of things you guys have seen!


I've yet to delve into analysing them, I'm short staffed/handed at the moment, but we too have seen a massive surge in Emotet again (as reported). I have noticed one of our VIPs received significantly more of this threat than others, and they are a higher risk than most due to how they conduct themselves online. Thankfully all blocked at the gateway, which identified the threat to the recent campaign, but I've snagged copies of the messages to take a look when I get a chance. I have a "stand-up" with the IT execs and employees so will use these as examples.

Another thing I've noticed, not sure if anyone else has, but another surge in CV19 phishing emails. Spotted one which was impersonating my local government/council, although the quality wasn't good! I'll see if I can dig it out.


A lot of ISO / LNK stuff since MS "disabled" macros. It's strange because the update that attempts to reduce the impact of macro malware likely hasn't been widely deployed yet.


Seen a lot of AitM/Evilproxy credential phishing campaigns delivered using valid email encryption services, i.e. Proofpoint, O365, Cisco. This decreases visibility of our email tools and makes these much harder to spot.


Update: also noticed that a lot of phishing campaigns use cloud leverage. Basically a link to a redirect page that then goes to the credential harvester, sometimes with a captcha. Unfortunately this beats tools like cloudphish and others as they only go one link deep. Been having more success detecting these by fingerprinting verbiage and email formatting/content with YARA rules. Have loads of detections for certain phrases or words like "view the invoice here" or "click to view fax", things like that. Have had a lot of success detecting phishing emails this way.


1 hour ago, MalwareTech said:

A lot of ISO / LNK stuff since MS "disabled" macros. It's strange because the update that attempts to reduce the impact of macro malware likely hasn't been widely deployed yet.

Seeing this as well; it has almost been exclusively qakbot.


With the recent Emotet emails I went through around 30 XLS samples. I noticed 28 of them were exactly 261,120 bytes. Each had a different hash and filename, but they were the same size. They were all extracted from password protected Zip files, and those came in at 215,066 bytes. A great IOC posting from Unit 42 had the same numbers on one of their IOCs: https://github.com/pan-unit42/tweets/blob/master/2022-11-07-IOCs-for-Emotet-infection-with-IcedID-and-Bumblebee.txt

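As an added example (not code from the post or from Unit 42), a check for the size-based IOC above that reads only the zip central directory, which lists each member's name and uncompressed size even when the archive is password protected. The sample archive is constructed and unencrypted, so only the inner-file figure can be reproduced here.

```python
"""Size-based IOC check for zip-wrapped attachments (added example).

A password-protected zip still exposes member names and uncompressed sizes
in its central directory, so the thread's IOC (XLS of 261,120 bytes inside a
215,066-byte zip) can be checked without the password. Sample data is constructed.
"""
import io
import zipfile

# Figures quoted in the thread: inner XLS size and outer zip size.
XLS_SIZE_IOC = 261_120
ZIP_SIZE_IOC = 215_066


def suspicious_members(zip_bytes: bytes, inner_size: int = XLS_SIZE_IOC) -> list:
    """Return [(name, uncompressed_size, encrypted)] for .xls members of the IOC size."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():  # central directory only; nothing is extracted
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            if info.file_size == inner_size and info.filename.lower().endswith(".xls"):
                hits.append((info.filename, info.file_size, encrypted))
    return hits


def matches_ioc(zip_bytes: bytes) -> bool:
    """True when the outer archive size or an inner member matches the IOC."""
    return len(zip_bytes) == ZIP_SIZE_IOC or bool(suspicious_members(zip_bytes))


def build_sample_zip(member_name: str, size: int) -> bytes:
    """Constructed test archive: one member padded to the requested size."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"\x00" * size)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("Invoice_4471.xls", XLS_SIZE_IOC)
    print(suspicious_members(sample))  # [('Invoice_4471.xls', 261120, False)]
```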

13 hours ago, gnugro said:

Can you explain this attack more please?

You get mails from hacked business partners with links leading to fake services. Then they create fake windows with JS to catch your MFA or e-mail verification.

https://www.bleepstatic.com/images/news/security/phishing/b/browser-in-the-browser/chrome-single-sign-on-google.jpg

In my current company, we're being targeted by _someone_, and we are investigating what's going on. The language matches, the account is a random Gmail address, but they set their name/surname as if they were a colleague of ours. They're basically asking us to get back to them ASAP as they need us to get something for them.

It's weird because on one hand, they went through a non-negligible amount of effort to target us, but didn't manage to make it non-obvious for both spam filters (Google correctly detected the message as dangerous) and ourselves (weird formatting, I'm the only one in the company who wraps their emails at 80 chars, wrong level of politeness, wrong channel for urgent messages (emails are slow)). We're considering having someone bite to see what's what, and possibly have a good laugh.


I've been noticing some waves of callback phishing from paypal.com lately. No spoofing, and a paypal hosted invoice if you follow the link, although not originally billed to the email recipient. While these can go so far as attempts to get the caller to download malware, any numbers that I've called are "only" after credit card or paypal / bank login data. Searching for email from @paypal.com with "+1" in the message body seems to do a good job of finding them with few false positives.

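Added example (not code from this post or the earlier YARA post) turning two content-fingerprint heuristics from the thread into runnable rules: phrase matching on lure verbiage such as "view the invoice here" and "click to view fax", and flagging mail from @paypal.com whose body carries a "+1" callback number. The rule names, regexes and sample messages are my own constructions; the phone pattern is deliberately tighter than the bare "+1" the post searches for.

```python
"""Content-fingerprint rules for phishing mail (added example, not from the thread).
Mirrors two heuristics from the posts: YARA-style matching on lure verbiage
("view the invoice here", "click to view fax") and flagging @paypal.com mail
whose body carries a "+1" phone number (callback phishing)."""
import re
from email import message_from_string
from email.message import Message

# Each rule: name, optional sender-domain condition, body regexes (lowercase).
RULES = [
    {"name": "lure_verbiage", "from_domain": None,
     "patterns": [r"view the invoice here", r"click to view (the )?fax"]},
    # Tighter than a bare "+1": require the digits of a North American number.
    {"name": "paypal_callback", "from_domain": "paypal.com",
     "patterns": [r"\+1[\s().-]*\d{3}[\s().-]*\d{3}[\s.-]*\d{4}"]},
]

def body_text(msg: Message) -> str:
    """Join text parts, strip HTML tags, collapse whitespace and lowercase, so a
    phrase split across tags or cased differently still matches."""
    chunks = []
    for part in msg.walk():  # a non-multipart message yields itself
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = re.sub(r"<[^>]+>", " ", " ".join(chunks))
    return re.sub(r"\s+", " ", text).lower()

def sender_domain(msg: Message) -> str:
    """Domain part of the From header, lowercased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def match_rules(raw_email: str) -> list:
    """Return the names of rules the message triggers."""
    msg = message_from_string(raw_email)
    text, domain = body_text(msg), sender_domain(msg)
    hits = []
    for rule in RULES:
        if rule["from_domain"] and domain != rule["from_domain"]:
            continue
        if any(re.search(p, text) for p in rule["patterns"]):
            hits.append(rule["name"])
    return hits

# Constructed samples (not real messages).
LURE = ("From: billing@vendor.example\nSubject: Invoice\nContent-Type: text/html\n\n"
        "<p>Please <b>View the Invoice</b> <a href='#'>here</a></p>")
CALLBACK = ("From: service@paypal.com\nSubject: Invoice\n\n"
            "Questions? Call +1 (555) 010-0199 to cancel.")
BENIGN = "From: ann@example.test\nSubject: Lunch\n\nPizza at noon?"
```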

We currently deal with a lot of html file attachments "disguised" as purchase orders. Kinda fun to reverse engineer them though.


8 minutes ago, 0xAEN said:

We currently deal with a lot of html file attachments "disguised" as purchase orders. Kinda fun to reverse engineer them though.

See these sometimes too. Usually it's either the HTML of a cred harvester that opens in your browser, or the HTML of a site that will download malware. Either way, nothing good!


8 minutes ago, ChickenKing said:

See these sometimes too. Usually it's either the HTML of a cred harvester that opens in your browser, or the HTML of a site that will download malware. Either way, nothing good!

Yup, seems to be mostly fake M/O365 pages.
