C2 SOURCES FOR REPORT PERIOD 2019-07-18 TO 2019-08-01

U.S. Public Schools Web Services Targeted By Credential Phishing Campaigns

Cofense Intelligence has analyzed a credential phishing campaign that is targeting the webmail services of specific K-12 public schools. The latest attack specifically targeted Outlook Web Access (OWA) credentials by posing as a copy of an OWA login page. The emails, sent to harvest credentials, included a .HTM file that spoofed the webmail service with the fake login page. Unsuspecting victims would believe the message is legitimate thanks to its subject, 'Message From The Administrator', and its theme of an email account closure notice, leading to a higher rate of success.
TABLE OF CONTENTS

C2 DISTRIBUTION
IN A HURRY
PHISHING TRENDS
  Top 5 Families by Volume
  Top 5 Phenotypes
  Top 5 Delivery Mechanisms
FILE AND DELIVERY TRENDS
  Top 5 Subjects
  Top 5 Spoofed Brands
  File Extensions
INTELLIGENCE METRICS
  New PhishMe Templates
  Cofense Triage Rules
  IOC Count by Severity
EXECUTIVE SUMMARY

In a hurry? Understand the phishing threat landscape at a glance! Here you can find the top threats of the reporting period to directly support your executive leadership. While the information on this page will be found elsewhere in the report, we wanted to provide you with a one-page summary that you can use in your internal executive reports.
TOP MALWARE THREATS
  Family: Agent Tesla
  Phenotype: Keylogger
  Stage one: CVE-2017-11882

TOP CAMPAIGN FEATURES
  Subject: Order PCT1086586 - Instruments - ENQUIRY
  Abused brand: DHL
  File extension: .doc
  Phishing source: United States

INTELLIGENCE METRICS
  Threat reports: 471
  IOCs: 2457
  YARA rules: 46
PHISHING TRENDS

Agent Tesla Takes The Lead For Most Popular Malware

For the first time, the Agent Tesla malware family has overtaken LokiBot in popularity among the campaigns analyzed. Correspondingly, keyloggers have risen to be the most popular phenotype, overtaking information stealers. CVE-2017-11882 is at the forefront once again among delivery mechanisms. For more information on CVE-2017-11882, please visit https://cofense.com/patch-pass-cve-2017-11882-security-conundrum/.
FAMILIES OVER TIME (chart: campaigns over time, report period vs. previous year)

Report Period:
  Agent Tesla
  Loki Bot
  NanoCore
  Credential Phishing
  Remcos Remote Access Trojan

Previous Year:
  Loki Bot
  Pony
  NanoCore
  Hawkeye Keylogger
  AZORult
PHENOTYPES OVER TIME (chart: campaigns over time)
Phenotypes organise malware families by behavior and intent
Legend: Report Period, Previous 12 Months (Avg)
Phenotypes shown: keylogger, stealer, bot, rat, other_malware
DELIVERY MECHANISMS OVER TIME (chart: campaigns over time)
Malicious files used to begin an infection sequence
Legend: Report Period, Previous 12 Months (Avg)
Mechanisms shown: CVE-2017-11882, Office Macro, WSC Downloader, CVE-2017-8570, Office Document with Malicious OLE Package
FILE AND DELIVERY TRENDS

Orders And Shipping Related Themes Rank Highest In Themes

Phishing campaigns with subject lines centered on order invoices and shipping notifications ranked highest among the themes analyzed. DHL is the top spoofed brand seen, and .zip attachments have markedly increased during this data range.

SUBJECTS
  Order PCT1086586 - Instruments - ENQUIRY
  TNT Express Invoice: 09004105
  NEW ORDER
  REQUEST FOR QUOTATION_HGTC
  //Interested in your product//

BRANDS SPOOFED (chart: occurrences over time)
  DHL: 50%
  TNT: 24%
  HSBC: 13%
  FedEx: 7%
  Maersk: 7%
FILE EXTENSIONS DELIVERED DURING REPORT PERIOD (chart)
Extensions of files delivered either directly via email or embedded URL
Legend: Report Period, Previous 12 Months (Avg)
Extensions shown: xlsx, docx, r02, img, zip
COFENSE INTELLIGENCE METRICS

We Need Your Feedback!

Cofense Intelligence consistently provides our PhishMe team with real phishing messages to use in the creation of PhishMe templates. We also offer daily YARA rules directly to our Triage users to help them better identify specific campaigns that target their users. Here, you can find the most recent PhishMe templates and YARA rules that we have highlighted.
NEW COFENSE PHISHME TEMPLATES
SUBJECT DATE
Sharepoint Alert 2019-07-26 18:14:06 UTC
Bonus Document 2019-07-26 18:11:31 UTC
Independence Day eCard 2019-07-26 18:09:25 UTC
New Project Team 2019-07-26 18:08:01 UTC
Clipped Message 2019-07-26 18:06:09 UTC
NEW COFENSE TRIAGE YARA RULES
PM_Intel_NetWire_27021
PM_Intel_Loki_27019
PM_Intel_CredPhish_27009
PM_Intel_CredPhish_26967
PM_Intel_CredPhish_26946
IOCS BY SEVERITY
SEVERITY COUNT
MAJOR 1698
MODERATE 369
MINOR 386
NONE 4
OTHER 0