Report Shows Increase in Email Attacks Using .com File Extensions
16.11.2018 securityweek Phishing
Leesburg, VA-based anti-phishing firm Cofense (formerly PhishMe) has discovered an uptick in the use of .com file extensions in phishing emails.
The .com file extension designated executable files in DOS and Windows 95, 98 and Me. It has been replaced by .exe in later versions of the operating system -- for example, the early Windows shell program command.com was replaced by cmd.exe in later versions. However, for backwards compatibility, Windows will still attempt to execute a file with the .com extension.
Throughout October, Cofense analyzed 132 unique phishing samples with the .com extension. To put this uptick in context, it found only 34 samples in the entire preceding nine months of 2018.
The most popular subject line lures in the new campaign (or campaigns) are 'payment' and 'purchase order' themes. These two make up 67% of the samples analyzed. Other themes include 'shipping', 'invoice' and 'remittance advice', giving the campaign a strong financial bias. The payload is generally information-stealing malware. "Threat actors," writes Aaron Riley, intelligence analyst at Cofense, in a blog posted Thursday, "are likely carrying out these campaigns to target employees with financial information stored on their local machines, which explains the use of information-stealing malware as the campaigns' payloads."
There is a correlation between the subject line and the delivered malware. Purchase order subject emails most commonly delivered the Loki Bot information stealer and the Hawkeye keylogger. Those with 'payment' subject lines more commonly delivered the AZORult information stealer. Riley isn't sure whether this indicates multiple groups or a single group believing that different malware better suits different targets.
Loki Bot (36%), AZORult (34%) and Hawkeye (24%) together accounted for 94% of the payloads. Pony also occurred but comprised just 4% of the payloads. In most cases, the .com payloads are directly attached to the phishing email. In some cases an attachment contained an intermediary dropper. As awareness of these methodologies increases, Riley "expects to see an increase in intermediary delivery of malicious .com files, wherein a 'dropper' attachment will arrive with the phish and subsequently load the weaponized .com file onto the end point."
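As an added example (not code from Cofense or SecurityWeek), the following Python check parses a constructed 'purchase order' message of the kind described above and flags any attachment whose final extension is .com, recording whether the bytes begin with the 'MZ' header that Windows executables carry and whether a decoy suffix such as .pdf precedes the executable extension. The message, addresses and filename are all constructed for the example.

```python
import email
from email import policy
from pathlib import PurePosixPath

# Constructed sample message (not taken from the report): a 'purchase order' lure whose
# attachment hides the legacy .com executable extension behind a decoy .pdf suffix.
# The base64 body decodes to the first 12 bytes of a standard DOS/PE header ('MZ...').
SAMPLE_EML = b"""From: accounts@example.invalid
To: finance@example.invalid
Subject: Purchase Order 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the purchase order attached.
--b1
Content-Type: application/octet-stream; name="PO_4471.pdf.com"
Content-Disposition: attachment; filename="PO_4471.pdf.com"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""


def inspect_attachments(raw_eml: bytes) -> list[dict]:
    """Return one finding per attachment whose final extension is .com."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = PurePosixPath(name.lower()).suffixes
        if not suffixes or suffixes[-1] != ".com":
            continue
        payload = part.get_content()          # decoded attachment bytes
        if isinstance(payload, str):
            payload = payload.encode()
        findings.append({
            "subject": str(msg["subject"]),
            "filename": name,
            # A Windows executable renamed to .com still starts with the 'MZ' header
            "mz_header": payload[:2] == b"MZ",
            # e.g. 'PO.pdf.com': the decoy suffix hides the executable extension
            "double_extension": len(suffixes) > 1,
        })
    return findings
```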
There was also a correlation between the malware family and its command-and-control (C2) infrastructure. The .com binaries that delivered AZORult communicated exclusively with domains hosted by Cloudflare, and more than 75% of those delivering Loki Bot did likewise (Hawkeye stood apart, communicating exclusively with unique email domains). Cofense does not believe that Cloudflare is hosting the actual C2; rather, it is being used as a domain front.
"By using Cloudflare," writes Riley, "which is typically trusted by most organizations, the attackers are able to circumvent blocks that might be put in place. Cloudflare recently changed its policies to disallow its use for malicious hosting, yet the service has continued to be used by attackers for malicious redirection."
Cofense expects to see an increased incidence of malware using the .com extension, with similar campaigns expanding to other industries such as healthcare and telecommunications. "An increased use of the .com extensions," warns Riley, "can be harmful to enterprise networks if organizations are not prepared for it, and once they are, another file extension will surge in popularity in a constant effort to stay ahead of the defense."
Cofense has a different approach to anti-phishing than many of its competitors. While machine learning and artificial intelligence are increasingly being used to detect phishing and other forms of malicious email, Cofense concentrates on harnessing the collective intelligence of the users who receive the email. It trains user awareness, encourages user reporting, and analyzes those reports.
Cofense, formerly known as PhishMe, was acquired by a private equity consortium in February 2018. The deal valued the firm at $400 million. PhishMe had previously raised around $58 million in various funding rounds, including $42.5 million Series C funding in July 2016.