Malicious Email Activity Report
TECHNOLOGY | SECURITY | COMPLIANCE
Managed Security Services
Managed Detection & Response
Email Protection Suite
Cloud Email & Collaboration
March 2020
Introduction

Targeted Attack Protection (TAP) is a product within SilverSky’s Email Protection Suite (EPS), which detects advanced threats through static and dynamic analysis of attachments, websites, and downloads linked to inbound emails.

This report provides a summary of TAP email detections between March 1 – March 31, 2020, to help maintain an ongoing understanding of malicious email activity trends. The information contained within this report is primarily derived from daily detection data from the TAP production servers, samples submitted to the TAP team from customers as misses, and internal research on new and known threats. The report includes a high-level view of detections from TAP in March, a description of known threats TAP has detected and flagged over the past month, and an overview of some new phishing campaigns used to test the detection capabilities of TAP against unknown threats.
Detected Threats

Daily reporting data is analyzed by the SilverSky Threat Intelligence Team to identify detection trends and information that could indicate specific attack methods or campaigns. This section provides information on detections of interest for the month of March.
AZORult Malware Exploiting CVE-2017-11882
The AZORult malware was observed being delivered by phishing documents that used Covid19 as a lure in late March 2020. The malicious email, titled ‘Maersk COVID-19 update’, contained a Microsoft Excel document attachment designed to exploit the CVE-2017-11882 vulnerability. The attached document seeks to exploit a two-and-a-half-year-old Microsoft Office vulnerability in Equation Editor. Once the document is opened, it installs AZORult, an information-stealing malware that we have seen since at least 2016. In this latest notable effort, the exploits are exclusively targeting the manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic industries. Below is an example of this targeted email campaign:
Figure 4: Sample CVE-2017-11882 exploitation email
These emails were detected by SilverSky as malicious using the Malicious Macro rule. A SilverSky customer with a policy
blocking TAP malicious emails would prevent these emails from reaching end users.
PDF Attachment Downloads Remcos RAT Dropper
We also came across a phishing email with a PDF attachment offering safety measures against Coronavirus. Downloading the PDF attachment also executes a Remcos RAT dropper, which runs together with a VBS file that executes the malware. According to our research, recipients are instructed to download the document from a “censorship-free” file-sharing service, which then installs two executable files in the “C:\Users\” system directory. A VBScript serves as the launching point to run the executables.
This email was detected by TAP as malicious using the Malicious File Type Attachment rule. A SilverSky customer with a
policy blocking TAP malicious emails would prevent these emails from reaching end users.
Agent Tesla with WHO “Method” for Covid19
We noticed an email phishing campaign in which threat actors spoofed the real address of the head of the World Health Organization (WHO), one of the premier scientific resources on Covid19, and claimed to offer methods and preventive measures against the Covid19 disease. The malicious email attachment, named “Method_COVID2019_Safety.pdf.rar”, contains a trojan compressed in RAR archive format, with a .pdf extension inserted into the file name to trick users. The email arrived in recipients’ inboxes allegedly from the WHO, with a sender address of World Health Organization <who[@]astaylojstlk.com>. Notice that the sender’s email address domain is “astaylojstlk[.]com”, whereas legitimate WHO email addresses end with “who.int”. Once the recipient opens and runs the attachment, GuLoader, used to load the real payload, installs Agent Tesla, a trojan written in Visual Basic that can steal usernames, passwords, and credit card information from the user’s system.
This email was detected by TAP as malicious using the Malicious Archive Attachment rule. A SilverSky customer with a
policy blocking TAP malicious emails would prevent these emails from reaching end users.
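The two lure traits in this campaign, a display name that impersonates an organization whose legitimate domain does not match the actual sender domain, and an archive attachment carrying a decoy .pdf extension, lend themselves to simple gateway checks. The following is an added Python example, not SilverSky or TAP code; the brand table, rule names, the spoofed domain and the sample messages are constructed for illustration.

```python
# Added example (not SilverSky/TAP code): gateway-style checks for the two lure
# patterns described above. Brand table, rule names and samples are constructed.
from email.utils import parseaddr

# Hypothetical brand table: display-name keyword -> legitimate sender domains.
KNOWN_SENDERS = {
    "world health organization": {"who.int"},
    "maersk": {"maersk.com"},  # constructed entry for illustration
}
ARCHIVE_EXTS = {"rar", "zip", "7z", "ace", "iso", "img"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

def sender_domain_mismatch(from_header):
    """Return the legitimate domains a spoofed display name implies, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for keyword, legit in KNOWN_SENDERS.items():
        if keyword in name.lower():
            # Accept the exact domain or any subdomain of a legitimate domain.
            if not any(domain == d or domain.endswith("." + d) for d in legit):
                return sorted(legit)
    return None

def deceptive_archive(filename):
    """True for names like 'report.pdf.rar': a document extension masking an archive."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in ARCHIVE_EXTS and parts[-2] in DOCUMENT_EXTS

def classify(msg):
    """Return the rule names a message triggers (names loosely modelled on TAP's)."""
    hits = []
    if sender_domain_mismatch(msg["from"]):
        hits.append("Business Service Impersonation")
    if any(deceptive_archive(a) for a in msg["attachments"]):
        hits.append("Malicious Archive Attachment")
    return hits

# Constructed sample messages modelled on the WHO lure described in this report.
SAMPLES = [
    {"from": "World Health Organization <who@spoofed-sender.invalid>",
     "attachments": ["Method_COVID2019_Safety.pdf.rar"]},
    {"from": "WHO Media <press@who.int>", "attachments": ["briefing.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", classify(m) or ["clean"])
```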
New Threats

The following outlines email threats that have been identified through open source research and analyzed to assess the ability of TAP to detect and block these threats.
Government-Themed Covid19 Attacks
This medium-sized credential phishing campaign primarily targets U.S. healthcare and higher education organizations with an email claiming that the Trump administration is considering sending American adults a check of $1,000 as part of an effort to stimulate the country’s economy. The recipients are asked to verify their information for the “new payroll directory” by clicking on the malicious link in the email. Once they click, they are taken to a phishing page which asks for their domain, username, email address, and password.

The email notes that “the Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic.”

Analysis indicates that TAP would successfully detect this attack through the Credential Phishing rule, protecting end users and their organizations from this attack.
CoViper Malware, a New Variant of MBRLocker Ransomware with Coronavirus Theme
An installer named “Coronavirus” is being distributed as the file COVID-19.exe. The malware extracts numerous files to a folder under %Temp% and then executes a batch file named Coronavirus.bat. This batch file moves the extracted files to a C:\COVID-19 folder, configures various programs to automatically start on login, and then restarts Windows. Upon restart, a picture of the Coronavirus is displayed along with a message stating “coronavirus has infected your PC!”. Although a way to reinstate the original MBR was discovered using the CTRL+ALT+ESC key combination, this does not solve all the issues. An antivirus scan must be run to scan the system and remove all files related to CoViper. It is noteworthy that “Update.vbs” is designed to keep CoViper up to date. Thus, CoViper must be removed immediately and in its entirety.

SilverSky is continuing work to confirm that our assumptions are correct, and that TAP can detect attacks using this method.
Threat Analysis

The following chart provides a breakdown of emails that were detected between March 1 – March 31, 2020, categorized into the reasons for the detection.
Figure 1 - Categories for Suspicious and Malicious Email Detections in March: The breakdown of detections for this month shows a significant rise in the number of detections using Google Safe Browsing. This is predominantly due to a large phishing campaign in which threat actors used the viral disease known as Covid-19 to their advantage, which is discussed in further detail later in this report. Concurrently, an increase in Suspicious URL detections is also seen compared to last month as the result of Covid-19 attacks.
[Figure 1 charts: pie charts of March detections by rule, with separate URL and FILE panels. Legend categories: SUSP: Suspicious URL; MAL: Malicious URL; SUSP: Credential Phishing; MAL: Business Service Impersonation; MAL: Google Safe Browsing; SUSP: File Integrity Check; SUSP: Suspicious Attachment; SUSP: Suspicious Macro; SUSP: Encrypted Document; MAL: Malicious Attachment; MAL: Malicious Macro.]
Detection Trends
The below graphs show the trends over time for both suspicious and malicious detections. In order to accommodate fluctuations in the number of users, these graphs have been created to show the proportion of each threat type and how that has changed over the past year as new capabilities are developed with each release and specific campaigns cause spikes in activity.
Figure 2 – Detection of Suspicious Emails: This graph shows that over the last month detections for suspicious URLs have declined slightly, offset by rises in file integrity checks and suspicious attachments. The significant increase in Suspicious Attachment detections is attributable to the trending Covid19 campaigns. URLs are one of the most common methods used in phishing emails, and as such the large number of emails being detected by this rule is not unexpected, especially given the identification of several large spam campaigns.

Figure 3 – Detection of Malicious Emails: There has been a slight drop in the proportion of malicious macros, offset by the rise in malicious credential phishing and malicious BSI. The sharp rise in Malicious Credential Phishing detected this month is largely due to the variety of phishing campaigns in which threat actors capitalized on the worldwide spread of the Covid19 virus. Spoofing tactics to evade Microsoft Office 365 were also observed this month as part of Covid19 campaigns. However, it should be noted that the proportion of Malicious Attachments has continued to dominate steadily since January, which may be due to ongoing Emotet, Lokibot and Trickbot campaigns.
[Figure 2 chart: proportion of suspicious detections (0–100) by month, Mar through Mar; series: Suspect Credential Phishing, Suspect File Integrity Check, Suspicious Attachment, Suspicious Macro, Suspicious URL.]
[Figure 3 chart: proportion of malicious detections (0–80) by month, Mar through Mar; series: Malicious Credential Phishing, Malicious Attachment, Malicious Macro, Malicious BSI.]
www.silversky.com
Contact Details: US: 1-800-234-2175 | E: [email protected] | 4813 Emperor Boulevard, Suite 200, Durham, North Carolina 27703 | linkedin.com/company/silversky | twitter.com/SilverSky
Copyright © BAE Systems plc 2020. All rights reserved. BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Applied Intelligence Limited registered in England & Wales (No.1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7RQ. No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of BAE Systems Applied Intelligence.
The SilverSky Email Protection Services Solution

The SilverSky solution is fully integrated, tested, and comes from a single vendor, at a fraction of the cost of going it alone. We can serve as a trusted partner – and extension of your information security and corporate operations functions – to make meeting enterprise-grade message security and compliance requirements simple, easy, and cost-effective.

Unparalleled security, reliability, and compliance

Email Protection Services from SilverSky are reliable, with fault-tolerant and geographically-distributed infrastructure, and are backed by proven industry expertise.