Finance Departments getting Targeted by Phishing Emails with .Com Payloads

As per a recent analysis by Cofense IntelligenceTM, there has been a substantial increase in the number of phishing emails targeting financial service departments by using .com extensions.

Cofense Intelligence, an anti-phishing company, has analyzed 132 samples that are unique having .com extension in the month of October alone; whereas, the company had analyzed only 34 samples in the past nine months before that. Four malware families that are different were utilized.

The file extension .com is used for the text files having executable byte code. Microsoft NT kernel-based operating systems and Disk Operating System (DOS) both allow .com files to be executed because of the backward compatibility reasons. Within DOS stub, .com style byte code is similar across all the PE32 binaries (.dll, .exe, .scr, etc.).

The phishing emails contents as well as the subject lines suggest that the financial service departments are specifically getting targeted by the threat actors. The two very frequently used subject line by the hackers are 'purchase order' and 'payment' for tempting the recipients to click. The threat actors usually carry out these campaigns for targeting the employees having financial information saved on their local systems or machines, which explains use of the information-stealing malware as campaigns' payloads. The mentioning of .iso file attachment in email contents is actually an archive which contains a .com executable.

Out of the malware families which are being delivered, most were made up of Hawkeye, AZORult and Loki Bot. The analysis done by Cofense Intelligence reveals that the subject lines of the email are specific to malware payloads that they deliver. For example, if the email subject is 'payment' then it would deliver mostly AZORult information stealer, whereas if 'purchase order' is the email subject then it would deliver mostly the Hawkeye keylogger and the Loki Bot information stealer.

Generally, the .com payloads are attached directly to the phishing email without the intermediary delivery mechanism. Though, there are a few campaigns that include an attachment containing an intermediary dropper.

Aaron Riley, an Intelligence Analyst, writing on Cofense blog says that, "Cofense Intelligence estimates that we'll see an increased adoption of malware using the .com extension. Similar campaigns will likely expand to other industries that have monetizable data, like the healthcare and telecommunication sectors". Riley further said that, an increase use of .com extensions could be harmful to the enterprise networks in case the organizations are unprepared for it; and if they become prepared, then there will be surge in popularity of another file extension in a continuous effort to remain ahead of defense.

» SPAMfighter News - 11/27/2018