Our mission is making INBOX.CLEAN™ a reality: stop phishing attacks — the root cause of 95% of breaches — before they reach users. Get the only solution that preemptively stops Business Email Compromise, malware, ransomware and other advanced threats by discovering and eliminating them before they cause damage.
Email Security has certainly come a long way. With cloud messaging now the standard versus the legacy on premise approach (Lotus Notes anyone?) the strategy of securing these clouds has also experienced a revolution.
Area 1’s cloud-native SaaS solution supports three key use cases: preemptive anti-phishing across all threat vectors (email, web, social, network); cloud email security / SEG replacement; and phishing security automation for SOC teams.
Area 1 is a Microsoft Certified Partner and a Google Cloud Security Technology Partner of the Year. We also integrate with a number of SIEM, SOAR, SEG and firewall technology providers to fit your unique infrastructure. Learn More
FIND A CHANNEL PARTNER
Work with trusted cybersecurity experts across the globe to secure your business. Learn about our partnerships with Legato Security, Optiv, SADA Systems, SYNNEX and others. Channel Partners Become A Channel Partner
Following the recent return of Emotet after a five-month hiatus, a newly-discovered phishing campaign is using updated tactics by leveraging the hype surrounding President Trump’s decision to halt U.S. funding for the World Health Organization (WHO). In a ruse to drop this dangerous banking trojan, the malicious messages take the form of a typical Political Action Committee (PAC) email, eliciting support for presidential incumbent Donald Trump in the upcoming 2020 election.
First caught by Area 1 Security on August 21st, this ongoing campaign contains all the hallmarks of the resurgence of Emotet:
Leveraging stolen email content
Subject lines prefaced with “Fwd:” and ”RE:”
And PowerShell commands to download and execute the malware
This campaign, however, aims to compromise politically-related entities rather than just the typical targets of opportunity that are commonly associated with this banking trojan. In Figure 1, you can see how the attacker forwards a legitimate PAC mailer to develop a false sense of legitimacy, with entirely authentic content throughout the body of the message. Every link works and leads to benign web pages of the impersonated PAC.
Like a Wolf in sheep’s clothing, the attacker cleverly disguises their Emotet delivery mechanism as messaging about timely and highly publicized, hot-button issues in politics.
[Figure 1. Screenshot of phishing message]
The subject of the email reads “Fwd:Breaking: President. Trump suspends funding to WHO,” and the attacker employs Display Name Spoofing in an attempt to mask the true sender address. The actual sender addresses used to spread the phishing messages vary, but all have one thing in common: each is a legitimate account compromised by the attacker to launch this fraudulent WHO-themed campaign.
A closer look at the attacker’s infrastructure reveals compromised hosts used in the transfer of the phishing messages, such as the sending Mail Transfer Agent (MTA) server[.]websoftperu[.]com. Area 1 Security suspects that this MTA may have been compromised due to an open port running a very outdated version of OpenSSH (7.4), which has numerous vulnerabilities.
Compromised email accounts of several small businesses around the world were used in each wave of this campaign, again luring victims with the same stolen PAC email content.
One of these accounts is also connected to similar phishing messages with slightly different lures, all with the intent to infect targets with Emotet.
The example account above is, in particular, the source of various politically-themed phishing messages that contain stolen content from a number of different PAC mailers and was observed in the targeting of politically-affiliated email accounts.
Whereas other malicious actors may look for sender domains that do not have these protocols configured or configured correctly, this attacker boldly leverages correctly-configured authentication protocols to their advantage. This tactic allows the attacker to bypass legacy vendors that solely rely on these authentication methods to provide indicators of maliciousness.
There is approximately one week of turnover time between each wave of the campaign as the attacker retools to get ahead of defenses. This includes various changes, such as modifying the weaponized attachment and using new compromised sender infrastructure and accounts.
Efforts like this can easily equip the attacker with the ability to circumvent typical signature-based detections that depend on IP addresses and payload hashes of known threats, leading defenders through a never-ending game of “cat and mouse”.
Analysis of Malware
At the bottom of the phishing message, there is a Microsoft Word Document that uses VBA Macros to drop the first-stage payload, the Emotet downloader. After clicking on the document, the user is prompted by a dialog box to enable editing and content, as depicted below.
[Figure 2. Screenshot of Dialog Box]
Merely clicking this box will enable a highly obfuscated VBA Macro (as shown in Figure 3) that runs an equally obfuscated PowerShell command using Windows Management Instrumentation (WMI).
[Figure 3. Screenshot of Macro VBA obfuscated code]
The content in Figure 4 shows a sampling of the PowerShell script after Area 1 Security researchers deobfuscated a majority of the code. This script attempts to download Emotet from a list of hardcoded compromised WordPress sites. It first runs through this list of sites (as highlighted below) to determine which are still actively hosting the Emotet trojan.
[Figure 4. Screenshot of deobfuscated PowerShell]
Area 1 Security found that, among the compromised sites hardcoded in the malware, only the link hxxp://cammis[.]com[.]br/wp-admin/8IArx/ was still active at the time of analysis. Once the final payload is found on a functioning site, it is downloaded to a temporary folder on the victim’s device, located at %userprofiles%\AppData\Local\. From here, a message is sent back to the Emotet command and control (C2) server, confirming that it was successfully downloaded.
What Makes Emotet Difficult to Detect?
Emotet is among some of the most destructive and costly malware, affecting both the public and private sectors. Once this advanced, modular banking trojan compromises a target device, other hosts on the network are at risk of infection, as the malware’s worm-like capabilities allow it to easily self-replicate to other connected devices. Sensitive information on the compromised hosts can be considered free reign, where essentially no data is safe from the attacker.
Since Emotet is primarily delivered via attachments or links in phishing emails, the attacker takes extra measures to ensure their messages will not trigger legacy email security solutions. These tactics range from simply changing the name and hash of the malicious file, to more advanced anti-debugging and host-environment analysis capabilities.
Emotet’s modular Dynamic Link Libraries (DLLs) and polymorphic nature offer the attacker not only continuously evolving capabilities but also effortless evasion of signature-based detection systems. Analysis of this evasive trojan can present challenges for those attempting to reverse the malware, as it is virtual-environment aware and will infinitely sleep in an attempt to render debugging analysis techniques ineffective. With malicious actors using constantly evolving malware, new and advanced techniques are needed to detect and catch these phishing messages before they reach users’ inboxes.
Area 1 Security‘s advanced Machine Learning and Artificial Intelligence technology leverage algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real-time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.
Business Email Compromise (BEC), also sometimes referred to as email account compromise (EAC) or vendor email compromise (VEC), is a type of phishing attack that takes advantage of an existing relationship between a victim and organization.
https://www.area1security.com/wp-content/uploads/2022/04/BlogEmailBanner_BECAttackType_2022APR14.png13072500Elaine Dzubahttps://www.area1security.com/wp-content/uploads/2022/04/Cloudflare-A1S-Logo-1-1.pngElaine Dzuba2022-04-18 10:07:242022-04-28 08:48:24Understanding the Four Business Email Compromise Attack Types
Dear America’s sports-loving, company-securing fans: Before you find yourself glued this weekend to (what some call) THE biggest game in college basketball history, we are here to crown the 2022 March Hackness winner!
https://www.area1security.com/wp-content/uploads/2022/03/Champion-Banner_2.png10002500Elaine Dzubahttps://www.area1security.com/wp-content/uploads/2022/04/Cloudflare-A1S-Logo-1-1.pngElaine Dzuba2022-03-31 06:00:292022-04-28 08:49:23Area 1 Security Announces the Most Spoofed Brand of 2021
Area 1 Security’s Sixth Annual March Hackness: The Perfect Phishing Bracket is here! Learn who made the list of the top brands that attackers use in phishing lures.
https://www.area1security.com/wp-content/uploads/2022/03/SocialBanner_Blog_MarchHackness2021_2500x1000-Copy-2.jpg10002500Elaine Dzubahttps://www.area1security.com/wp-content/uploads/2022/04/Cloudflare-A1S-Logo-1-1.pngElaine Dzuba2022-03-26 20:45:192022-04-28 08:51:272022 March Hackness: The Return of the Phishing Bracket