ChickenKing Posted November 7, 2022

Hey everyone! Wanted to start this thread to discuss some trends you've been observing in email threats recently. Pretty much anything that uses email as an attack vector: malware attachments, malware-hosting links, credential harvesters, bank fraud, MITMB, BEC, anything really!

For some background, I work as a security engineer, and my main job functions are detection engineering, malware analysis, and incident response. We have a very robust email detection program, incorporating hundreds of custom YARA rules, manual indicators, and a couple of enterprise tools. As a result, we catch many, many email threats on a daily basis.

As I'm sure you all have, we were recently hit by the recent wave of Emotet. For some reason the TA used the same XLS attachment across seemingly their entire several-thousand-email campaign, which definitely made fingerprinting this wave easier. Of the 40+ emails we received, all were blocked by an enterprise tool and never made delivery. See below for hash values:

MD5: 2486374800299563ab8934122234242a
SHA256: ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c

Back in August to September, I observed and handled several dozen emails over that time period related to a new wave of Qakbot. They all involved a link -> pw-protected zip -> iso -> lnk -> process injection -> c2. This has since slowed down, but I'll include a couple of hashes and C2 IPs for anyone interested.

SHA256: f005f68a8d4d58c7c50341408ecc2963e97035abe7845a667de13fe040e8b280
SHA256: 7a52a41edce28f3140864f05272761cf5b2a12e155bdb68b779e3144ad2aba06
IPv4: 176[.]177[.]136[.]35
IPv4: 139[.]228[.]33[.]176

And of course, the credential harvesters are always coming in, multiple a week pretty consistently. Curious what sorts of things you guys have seen!
v0ltage Posted November 8, 2022

I've yet to delve into analysing them, I'm short-staffed/handed at the moment, but we too have seen a massive surge in Emotet again (as reported). I have noticed one of our VIPs received significantly more of this threat than others, and they are a higher risk than most due to how they conduct themselves online. Thankfully all blocked at the gateway, which identified the threat as the recent campaign, but I've snagged copies of the messages to take a look when I get a chance. I have a "stand-up" with the IT execs and employees, so will use these as examples.

Other thing I've noticed, not sure if anyone else has, but another surge in CV19 phishing emails. Spotted one which was impersonating my local government/council, although the quality wasn't good! I'll see if I can dig it out.
MalwareTech Posted November 8, 2022

A lot of ISO / LNK stuff since MS "disabled" macros. It's strange because the update that attempts to reduce the impact of macro malware likely hasn't been widely deployed yet.
Chauke Posted November 8, 2022

I recently noticed a lot of window-in-window attacks.
malware_marty Posted November 8, 2022

Seen a lot of AitM/EvilProxy credential phishing campaigns delivered using valid email encryption services, i.e. Proofpoint, O365, Cisco. This decreases visibility for our email tools and makes these much harder to spot.
ChickenKing (Author) Posted November 8, 2022

Update: also noticed that a lot of phishing campaigns use cloud leverage. Basically a link to a redirect page that then goes to the credential harvester; sometimes it has a captcha. Unfortunately this beats tools like CloudPhish and others, as they only go one link deep. Been having more success detecting these by fingerprinting verbiage and email formatting/content with YARA rules. Have loads of detections for certain phrases or words like "view the invoice here" or "click to view fax", things like that. Have had a lot of success detecting phishing emails this way.
ChickenKing (Author) Posted November 8, 2022

MalwareTech said: A lot of ISO / LNK stuff since MS "disabled" macros. It's strange because the update that attempts to reduce the impact of macro malware likely hasn't been widely deployed yet.

Seeing this as well; has almost been exclusively Qakbot.
DrDisexon Posted November 9, 2022

ChickenKing said: Seeing this as well; has almost been exclusively Qakbot.

Here is a very good article about the LNK that I found interesting: https://www.docguard.io/lnk-file-based-attacks-are-on-the-rise/
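The ISO -> LNK -> process injection chain ChickenKing describes, and the LNK article DrDisexon links, both hinge on what the shortcut actually executes. The parser below is an added example (not code from the thread or from the linked article): it walks the MS-SHLLINK layout (76-byte ShellLinkHeader, optional LinkTargetIDList, optional LinkInfo, then the StringData fields in their fixed order) and pulls out the target, working directory, arguments and ShowCommand, then applies a few triage heuristics. The sample shortcut is built in the script itself so it runs offline; its rundll32 command line and DLL name are placeholders, not a real Qakbot sample, and the heuristic list is illustrative rather than any vendor's rule set.

```python
"""Minimal Shell Link (.lnk) parser plus triage heuristics (added example)."""
import struct
import uuid

HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised, common in malicious LNKs

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
# Illustrative list of living-off-the-land binaries worth flagging in a mailed shortcut.
LOLBINS = ("cmd.exe", "powershell", "rundll32", "regsvr32", "mshta",
           "wscript", "cscript", "msiexec")


def parse_lnk(data: bytes) -> dict:
    """Return header flags, ShowCommand and all StringData fields of a .lnk."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) excludes itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags, "show_command": show_cmd}
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for name, bit in STRING_FIELDS:          # each: CountCharacters (2 bytes) + characters
        if flags & bit:
            count, = struct.unpack_from("<H", data, off)
            off += 2
            fields[name] = data[off:off + count * width].decode(codec)
            off += count * width
    return fields


def lnk_indicators(fields: dict) -> list:
    """Heuristic reasons a shortcut from an email/ISO deserves a closer look."""
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    reasons = []
    hits = [b for b in LOLBINS if b in target or b in args]
    if hits:
        reasons.append("lolbin:" + ",".join(hits))
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("window-hidden")
    if ".dll" in args:
        reasons.append("loads-dll")
    if "http" in args:
        reasons.append("remote-fetch")
    return reasons


def build_lnk(relative_path: str, working_dir: str, arguments: str, show_cmd: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList/LinkInfo) for offline testing."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3 = 76 bytes.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed sample; the command line is a placeholder, not a real Qakbot shortcut.
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
    working_dir="C:\\Windows\\System32",
    arguments='/q /c rundll32 "data\\support.dll",#1',
    show_cmd=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    for k, v in parsed.items():
        print(f"{k:14} {v!r}")
    print("indicators:", lnk_indicators(parsed))
```

Feed `parse_lnk` the bytes of a shortcut pulled from a mounted ISO (or from the ISO image itself with a 7-Zip-style extractor) and the arguments field is usually the whole story; the target path and ShowCommand are the cheap extra signals to put in a gateway rule.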
gnugro Posted November 9, 2022

Chauke said: I recently noticed a lot of window-in-window attacks.

Can you explain this attack more, please?
lost-troll Posted November 10, 2022

With the recent Emotet emails I went through around 30 XLS samples. I noticed 28 of them were exactly 261,120 bytes. Each had a different hash and filename, but they were the same size. They were all extracted from password-protected zip files, and those came in at 215,066 bytes. A great IOC posting from Unit 42 had the same numbers on one of their IOCs: https://github.com/pan-unit42/tweets/blob/master/2022-11-07-IOCs-for-Emotet-infection-with-IcedID-and-Bumblebee.txt
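lost-troll's observation is a useful hunting trick: when a campaign pads or templates its lures, file size survives even though every hash differs. The script below is an added example, not the thread's tooling: it clusters attachments by exact size and only reports sizes shared by several distinct hashes (so a single repeated file does not trigger it), and it lists the contents of the password-protected zips without the password, because ZipCrypto and WinZip AES encrypt entry data but leave the central directory, including each entry's uncompressed size, in the clear. The 28 "XLS" blobs and the zip are constructed in memory; the 261,120 and 215,066 figures are taken from the post and used only as the sizes to match.

```python
"""Size-based attachment clustering and password-less zip inventory (added example)."""
import hashlib
import io
import zipfile
from collections import defaultdict

XLS_IOC_SIZE = 261_120   # inner XLS size reported in the thread
ZIP_IOC_SIZE = 215_066   # size of the password-protected zips they arrived in


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def cluster_by_size(attachments, min_distinct: int = 3) -> dict:
    """attachments: iterable of (name, bytes).
    Returns {size: {sha256: [names]}} for sizes shared by >= min_distinct distinct hashes."""
    by_size = defaultdict(dict)
    for name, blob in attachments:
        by_size[len(blob)].setdefault(sha256(blob), []).append(name)
    return {size: hashes for size, hashes in by_size.items() if len(hashes) >= min_distinct}


def zip_inventory(blob: bytes) -> list:
    """(name, uncompressed size, encrypted?) for every entry, read from the central
    directory only, so it works on password-protected archives too."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1)) for i in zf.infolist()]


def zip_matches_ioc(blob: bytes, inner_size: int = XLS_IOC_SIZE,
                    exts=(".xls", ".xlsm")) -> list:
    """Names of spreadsheet entries whose uncompressed size equals the campaign's IOC size."""
    return [name for name, size, _ in zip_inventory(blob)
            if size == inner_size and name.lower().endswith(exts)]


def build_samples() -> list:
    """Constructed corpus: 28 'XLS' blobs of exactly 261,120 bytes with unique content,
    plus two of other sizes. Not real malware; just an OLE2 magic header and padding."""
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    atts = []
    for i in range(28):
        unique = ole + i.to_bytes(4, "little")
        atts.append((f"invoice_{i:02d}.xls", unique.ljust(XLS_IOC_SIZE, b"\x00")))
    atts.append(("invoice_28.xls", ole.ljust(200_000, b"\x00")))
    atts.append(("invoice_29.xls", ole.ljust(XLS_IOC_SIZE + 512, b"\x00")))
    return atts


def build_zip(name: str, blob: bytes) -> bytes:
    """Constructed carrier archive (unencrypted; the stdlib cannot write ZipCrypto/AES,
    but zip_inventory reads encrypted archives the same way)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    corpus = build_samples()
    for size, hashes in cluster_by_size(corpus).items():
        print(f"{size} bytes: {len(hashes)} distinct hashes, "
              f"{sum(len(n) for n in hashes.values())} files")
    carrier = build_zip("invoice_00.xls", corpus[0][1])
    print("zip entries:", zip_inventory(carrier))
    print("IOC-size entries:", zip_matches_ioc(carrier))
```

On a real mail store the two numbers go in as exact-match indicators next to the hashes: a password-protected zip of 215,066 bytes, or any zip whose central directory advertises a 261,120-byte spreadsheet, is worth quarantining before anyone has to guess the password.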
Chauke Posted November 10, 2022

gnugro said: Can you explain this attack more, please?

You get mails from hacked business partners with links leading to fake services. Then they create fake windows with JS to catch your MFA or email verification. https://www.bleepstatic.com/images/news/security/phishing/b/browser-in-the-browser/chrome-single-sign-on-google.jpg
karlyeurl Posted November 10, 2022

In my current company, we're being targeted by _someone_, and we are investigating what's going on. The language matches, the account is a random Gmail address, but they set their name/surname as if they were a colleague of ours. They're basically asking us to get back to them ASAP as they need us to get something for them. It's weird because on one hand, they went through a non-negligible amount of effort to target us, but didn't manage to make it non-obvious for either spam filters (Google correctly detected the message as dangerous) or ourselves (weird formatting, I'm the only one in the company who wraps their emails at 80 chars, wrong level of politeness, wrong channel for urgent messages (emails are slow)). We're considering having someone bite to see what's what, and possibly have a good laugh.
Scoobs McGee Posted November 10, 2022

I've been noticing some waves of callback phishing from paypal.com lately. No spoofing, and a PayPal-hosted invoice if you follow the link, although not originally billed to the email recipient. While these can go so far as attempts to get the caller to download malware, any numbers that I've called are "only" after credit card or PayPal / bank login data. Searching for email from @paypal.com with "+1" in the message body seems to do a good job of finding them with few false positives.
0xAEN Posted November 10, 2022

We currently deal with a lot of HTML file attachments "disguised" as purchase orders. Kinda fun to reverse engineer them though.
ChickenKing (Author) Posted November 10, 2022

0xAEN said: We currently deal with a lot of HTML file attachments "disguised" as purchase orders. Kinda fun to reverse engineer them though.

See these sometimes too. Usually it's either the HTML of a cred harvester that opens in your browser, or the HTML of a site that will download malware. Either way, nothing good!
0xAEN Posted November 10, 2022

ChickenKing said: See these sometimes too. Usually it's either the HTML of a cred harvester that opens in your browser, or the HTML of a site that will download malware. Either way, nothing good!

Yup, seems to be mostly fake M/O365 pages.
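Several posts in this thread describe content-level rules rather than URL reputation: ChickenKing's phrase fingerprints ("view the invoice here", "click to view fax"), Scoobs McGee's "@paypal.com sender plus a +1 phone number in the body" search for callback phishing, and the HTML-attachment purchase orders 0xAEN and ChickenKing mention. The script below is an added example, not anyone's YARA rules or a vendor tool: it parses raw .eml bytes with the standard library and applies those three rules plus a display-text/href host mismatch check for the cloud-redirect links ChickenKing describes. The three messages are constructed inline (the paypal.com From header is set by hand here; in the real callback waves it was an unspoofed PayPal invoice), the phrase list is illustrative, and the phone regex is the North American format the post searched for.

```python
"""Rule-based triage of .eml messages using content fingerprints (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Illustrative phrase fingerprints; the first two are the ones quoted in the thread.
PHRASES = ("view the invoice here", "click to view fax",
           "review the attached document", "your mailbox is almost full")
NA_PHONE = re.compile(r"\+1[\s.\-]?\(?\d{3}\)?[\s.\-]?\d{3}[\s.\-]?\d{4}")
RISKY_EXT = (".html", ".htm", ".iso", ".img", ".lnk", ".vhd", ".vhdx")
ANCHOR = re.compile(r'<a\s[^>]*href="(https?://[^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def host(url: str) -> str:
    """Hostname of a URL, ignoring scheme, path and any user@ prefix."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split("@")[-1].lower()


def triage(raw: bytes) -> list:
    """Return the rule names that fire on one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()

    texts, htmls = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        (htmls if part.get_content_subtype() == "html" else texts).append(part.get_content())
    visible = " ".join(texts + [re.sub(r"<[^>]+>", " ", h) for h in htmls])
    normalised = re.sub(r"\s+", " ", visible).lower()

    for phrase in PHRASES:                          # verbiage fingerprint
        if phrase in normalised:
            hits.append(f"phrase:{phrase}")
    if sender_domain == "paypal.com" and NA_PHONE.search(visible):   # callback phishing
        hits.append("callback-phish:paypal-with-phone")
    for h in htmls:                                 # shown URL vs real href
        for href, inner in ANCHOR.findall(h):
            shown = URL.search(re.sub(r"<[^>]+>", "", inner))
            if shown and host(shown.group()) != host(href):
                hits.append(f"link-mismatch:{host(shown.group())}->{host(href)}")
    for att in msg.iter_attachments():              # HTML / disk-image attachments
        name = (att.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hits.append(f"attachment:{name}")
    return hits


def build_samples() -> list:
    """Three constructed messages, one per rule family. Addresses use .test domains."""
    m1 = EmailMessage()
    m1["From"] = "Accounts Payable <ap@example-vendor.test>"
    m1["To"] = "finance@example.test"
    m1["Subject"] = "Invoice 88213"
    m1.set_content("Please view the invoice here: https://storage.example-cloud.test/r/9f3")

    m2 = EmailMessage()
    m2["From"] = "service@paypal.com"           # constructed header for the example
    m2["To"] = "finance@example.test"
    m2["Subject"] = "Invoice from Crypto Support LLC"
    m2.set_content("You have a new invoice for $499.00. Not you? Call +1 (555) 010-2233 to cancel.")

    m3 = EmailMessage()
    m3["From"] = "Procurement <buyer@example-partner.test>"
    m3["To"] = "sales@example.test"
    m3["Subject"] = "Purchase Order PO-4471"
    m3.set_content("Please open the attached purchase order.")
    m3.add_alternative('<p>Sign in to <a href="https://login.example-bad.test/o365">'
                       'https://login.microsoftonline.com</a> to confirm.</p>', subtype="html")
    m3.add_attachment(b"<html><script>/* constructed fake M365 page */</script></html>",
                      maintype="text", subtype="html", filename="PO-4471.html")
    return [m.as_bytes() for m in (m1, m2, m3)]


if __name__ == "__main__":
    for raw in build_samples():
        print(email.message_from_bytes(raw, policy=policy.default)["Subject"], "->", triage(raw))
```

Point `triage` at the .eml files a gateway quarantined and at a sample of clean mail to measure each rule's false-positive rate separately; the phrase list and the risky-extension list are the parts that need tuning per organisation, while the host-mismatch check tends to be low-noise on its own.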