Hiding in Plain Sight: The Banking Trojan Stalking Your Users' Inboxes

If you're a seasoned, conscientious IT professional, you have likely been spending more and more time over the past few years pondering just what your users know (or don't know) about phishing. You know that attacks on organizations such as yours have been climbing at a rapid rate and that the payloads they deliver to inboxes throughout your organization have become increasingly dire.

You can be fairly confident that most of your users have at least heard of "phishing" and undoubtedly know that it is "bad." But having a general awareness of "phishing" as an online threat is not going to protect your organization from falling prey to a ransomware disaster that brings critical operations to a grinding halt. Neither will it prevent a sophisticated backdoor trojan from being used to exfiltrate sensitive data that allow criminal actors to fleece your organization of its most treasured secrets.

Phishing is Boring

So where do users get what they know about phishing attacks? You and your IT staff have likely sent around emails warning staff about the dangers of phishing. You may even have provided some general advice on how to spot potential threats in their inboxes (be wary of emails from outside the company, be suspicious of emails you weren't expecting or that are from people you don't know, watch for telltale signs like spelling errors and typos, etc.).

Your users have other sources of information about phishing threats, however, and these are likely to carry more weight with them than the occasional cautionary email from their employer's IT staff. One obvious alternate information source is social media, where your users will be hearing dark stories of questionable provenance about incidents rumored to have occurred somewhere at some other organization. Another source will be the mainstream news media, which has devoted more and more space in recent years to online threats, usually in the form of stories about the latest high-profile ransomware campaigns.

There are at least two problems with these information sources, even when they provide factually accurate accounts of IT security incidents. First, they can leave users feeling disconnected from the people and events under discussion. These incidents always seem to happen somewhere else, in some other company located in some other country, and were caused by stupid people doing transparently stupid things. In our experience, users tend to underestimate the threats they anticipate encountering themselves and overestimate their own savviness in recognizing and responding to such threats.

Second, though, social media and mainstream news media can give users the impression that phishing attacks and the havoc they cause are rare special events that occur only every so often in a completely random fashion. Catastrophic phishing campaigns, in other words, are like spectral visitations from some cyber grim reaper whose shadow ominously falls on some houses while mysteriously passing over others.

Left to their own devices, users can easily acquire a dangerously unrealistic sense for the threat posed by phishing campaigns. Far from being only the cause of occasional, random, eye-popping special events that are breathlessly reported via social media or mainstream news stories, the reality of phishing is that it has become a routine, everyday part of office life that users should expect to encounter as part of their daily toils in cubicles throughout your organization.

Indeed, were it not for the fear you and the rest of your IT staff feel in the pit of your stomach as you review the latest phishing campaigns that wash over your organization, we could even say that phishing is boring -- a background presence whose weight is constant, pervasive, and that shows no signs of lifting anytime soon. When you see the same social engineering hooks pushed via the same phishing templates week in and week out, it can be difficult not to be lulled into a kind of complacency. Boring is, in some cases, a good thing. IT staff rarely look forward to an "interesting" day at the office. But boring can also be deadly.

One phishing campaign that we have been tracking over the past few months beautifully illustrates the hum-drum reality of phishing as we presently know it.

Phishing is Routine

Starting back in September of this year, organizations that have rolled out the Phish Alert Button (PAB) have been reporting a steady stream of phishing emails that are all part of an ongoing campaign. Although the malicious emails used in this campaign have exhibited quite a bit of daily flux in Subject: lines and body text, it became quickly obvious to us that they were all of a piece. Somewhat to our surprise, this campaign has continued for months -- marching on relentlessly using the same predictably random elements all the way through to late December and the time of this writing.

If you are looking for example emails from this campaign, you will find that they are fairly easy to spot. First, the constantly changing menu of email templates used in this campaign relies on social engineering hooks centered on that most routine of business topics: invoices and their associated payments.

This campaign's phishing emails tend to be short and to the point. And although they may gently nudge readers with the suggestion of a minor problem involving an invoice or payment, they are never alarmist. None of these emails leans on users with threats of account closures, lawsuits, disciplinary action from HR, or the loss of data or money. No, these emails are designed to slip into users' inboxes without raising eyebrows and generate reflexive clicks on embedded links from users too busy to notice anything amiss.

Although multiple employees in your organization may receive phishing emails from this campaign, most will receive different emails with varying subject lines, body text, and embedded links. In the course of analyzing one day's haul of emails from this campaign, we observed twenty different Subject: lines:

  • Awaiting for your confirmation
  • BUK6-6479252009
  • Final Account
  • INCORRECT INVOICE
  • Invoice
  • Invoice# 8300329
  • Invoices attached
  • Invoice due, number 65319/WC#AGNXP/2017 (06 Dec 17)
  • Invoice Problem
  • Invoices Overdue
  • New invoice #9
  • Order Confirmation
  • Outstanding INVOICE FBNPT/2128389/3857
  • Overdue payment
  • Please send copy invoice
  • Purchases 2017
  • Sales Invoice
  • Seperate Remittance Advice Layout - paper document A4
  • Trouble with you invoice
  • VZTZG7-79058215606

Each one of these Subject: lines was paired with one of thirty-four different email bodies, with a similar spread of embedded links. And that was just one day's collection of phishing emails from this malicious campaign. Over the course of weeks and months we noted that these basic elements (Subject:, body text, embedded URL) changed almost daily, with a different mix of elements being introduced every day.

Not only does this use of constantly changing elements make it more difficult for anti-spam and anti-malware engines to reliably target this phishing campaign, it also makes it more challenging for even the most vigilant IT staff to recognize when their own organizations are under attack. Instead of seeing a wave of identical phishing emails hitting their email servers in a short period of time, IT staff will see only a disparate collection of apparently unrelated emails that more easily blend into the daily stream of email traffic.

Digging deeper, we noticed that the bad guys behind this campaign had taken several other steps to mask the common malicious nature of their campaign's emails:

  • From: and Return-Path: lines pointed to an equally varied collection of email addresses.
  • Campaign emails appeared to be sent from a variety of compromised email accounts or boxes enrolled in a botnet.
  • Nearly all the domains used in the emails' embedded links were compromised, but otherwise legitimate domains (as opposed to dodgy domains on disreputable Top Level Domains suspiciously registered within the last 72 hours).
  • Embedded links kicked off the download of Word documents with, once again, a variety of file names (Awaiting for your confirmation.doc, Final Account.doc, Invoice Number 382845.doc, Invoices Overdue.doc, Order Confirmation.doc, etc.)

There were, however, several common elements that established a family resemblance of sorts:

  • All emails used social engineering hooks based on invoice and payment issues.
  • All emails made use of a similarly structured text body (simple salutation, 1-2 line body proper followed by an un-obfuscated link and a simple signature block consisting mainly of the sender's name).
  • All embedded links yielded .DOC files of a similar size (153.1 KB).

It is, of course, the .DOC files that lie at the core of this phishing campaign -- the glue that holds the whole thing together.
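The practical lesson of the two lists above is that exact-match filtering (on a subject line, a URL, a sender) will never keep up with this campaign, whereas the constant structural elements (invoice theme, very short body, one plain link, a .doc at the other end of it, a link domain unrelated to the sender) can be scored. The following triage heuristic is an added example, not part of the original post or of any KnowBe4 tooling; the three sample messages are constructed to mimic the shape described above (not real campaign emails), and the keyword list, body-length limit and score threshold are my assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real campaign emails). The two "campaign"
# samples copy the shape the post describes: invoice-themed subject, a one- or
# two-line body, one plain link to a .doc, and a bare name as the signature.
SAMPLES = {
    "campaign_a": (
        "From: Accounts Team <accounts@example-supplier.test>\n"
        "Subject: Invoice Problem\n"
        "Content-Type: text/plain\n"
        "\n"
        "Hello,\n"
        "\n"
        "There seems to be a problem with the attached invoice, please check it.\n"
        "http://compromised-site.test/docs/Invoice%20Problem.doc\n"
        "\n"
        "Regards,\n"
        "Dana\n"
    ),
    "campaign_b": (
        "From: Billing <billing@another-sender.test>\n"
        "Subject: Overdue payment\n"
        "Content-Type: text/plain\n"
        "\n"
        "Hi,\n"
        "Our records show the payment below is still outstanding.\n"
        "http://other-compromised.test/files/Invoices%20Overdue.doc\n"
        "Thanks,\n"
        "Sam\n"
    ),
    "benign_internal": (
        "From: IT Helpdesk <helpdesk@corp.test>\n"
        "Subject: Quarterly invoice process update\n"
        "Content-Type: text/plain\n"
        "\n"
        "Hi all,\n"
        "\n"
        "From next quarter, supplier invoices are routed through the finance portal.\n"
        "Please read the updated policy before submitting anything new.\n"
        "The portal requires your usual SSO login; no attachments are needed.\n"
        "Questions go to the finance mailbox or to me directly.\n"
        "https://intranet.corp.test/finance/policy\n"
        "\n"
        "Thanks,\n"
        "Priya Nair\n"
        "IT Helpdesk, ext. 4410\n"
    ),
}

# Assumed keyword list covering the invoice/payment theme of the observed subjects.
INVOICE_WORDS = re.compile(
    r"\b(invoice|invoices|payment|remittance|overdue|purchases|order confirmation)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Score one RFC 822 message on the campaign's constant structural elements.

    Each reason corresponds to one element the post lists as common to all the
    emails; the body-length limit (6 non-empty lines) is an assumption of mine.
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    if not isinstance(body, str):          # multipart: keep the example simple
        body = ""
    body_lines = [ln for ln in body.splitlines() if ln.strip()]
    links = URL_RE.findall(body)
    sender_domain = _sender_domain(msg)

    reasons = []
    if INVOICE_WORDS.search(subject):
        reasons.append("invoice/payment-themed subject")
    if len(links) == 1:
        reasons.append("exactly one plain http link in body")
    if len(body_lines) <= 6:
        reasons.append("very short body")
    if any(urlparse(u).path.lower().endswith(".doc") for u in links):
        reasons.append("link points at a .doc download")
    if links and sender_domain and not any(
            (urlparse(u).hostname or "").lower().endswith(sender_domain) for u in links):
        reasons.append("link domain unrelated to sender domain")
    return {"score": len(reasons), "reasons": reasons}


def is_suspicious(raw, threshold=4):
    """Assumed cut-off: four of the five structural signals present."""
    return score_message(raw)["score"] >= threshold


def triage(samples):
    """Score a batch and return [(name, score), ...] with the highest scores first."""
    scored = [(name, score_message(raw)["score"]) for name, raw in samples.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in triage(SAMPLES):
        print(f"{name:16} score={score} suspicious={is_suspicious(SAMPLES[name])}")
```

Both campaign samples score 5 despite sharing no subject, sender, or URL, while the legitimate internal notice about invoices scores 2: the point is that the scoring keys on what the campaign cannot easily vary. Once a flagged link has been fetched in a sandbox, the consistent payload size the post mentions (roughly 153 KB .DOC files) is a further pivot for grouping samples into the same campaign.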

Phishing is Sophisticated

The .DOC file downloads turned out to be the most interesting and alarming element of this otherwise unremarkable looking campaign (though it should be noted that the campaign's unremarkable appearance was very much the product of a concerted, skillful effort on the part of the bad guys to give it that quality).

The Word .DOCs in question opened to the kind of simple, unadorned, yet professionally designed macro warning screen that we have otherwise been seeing less and less of over the course of 2017.

Users who proceed to enable macros or editing in this Word doc unwittingly trigger the embedded macro, which reaches out to an IP address associated with a known malicious C&C server and downloads an executable dropper. The dropper, in turn, registers an innocuously named Windows Service to give the malware persistence across reboots, and then proceeds to download still more malware modules.
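Because the service name is chosen to look innocuous, a detection that keys on names is weak; where the service binary lives and how it starts is harder for a dropper to disguise. The following is an added example of that check, not code from the original post: it runs over constructed service-installation events (not real telemetry) whose fields are my simplification of what Windows records in the System log when a service is installed (event ID 7045), and the trusted-path and user-writable-path lists are assumptions to be tuned per environment.

```python
import re

# Constructed sample events (not real telemetry). Field names loosely follow
# the System-log record written when a service is installed (event ID 7045);
# the exact shape is my simplification for this example.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS-042", "service_name": "Windows Update Helper",
     "image_path": r"C:\Users\dana\AppData\Local\Temp\svchelper.exe",
     "start_type": "auto start", "account": "LocalSystem"},
    {"event_id": 7045, "host": "WS-042", "service_name": "Print Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe",
     "start_type": "auto start", "account": "LocalSystem"},
    {"event_id": 7045, "host": "SRV-01", "service_name": "Backup Agent",
     "image_path": r"C:\Program Files\BackupVendor\agent.exe --service",
     "start_type": "auto start", "account": "LocalSystem"},
    {"event_id": 7045, "host": "WS-017", "service_name": "Network Health Monitor",
     "image_path": r'"C:\Users\Public\nethealth.exe" --svc',
     "start_type": "auto start", "account": "LocalSystem"},
    {"event_id": 7036, "host": "WS-017", "service_name": "Print Spooler",
     "image_path": "", "start_type": "", "account": ""},   # state change, not an install
]

# Assumed allow-list of directories a legitimately installed service binary
# normally lives in, and path fragments that indicate a user-writable location.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")


def executable_from_image_path(image_path):
    """Strip quoting and arguments from a service ImagePath, keeping just the .exe."""
    quoted = re.match(r'\s*"([^"]+)"', image_path)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"\s*(.+?\.exe)\b", image_path, re.I)
    return unquoted.group(1) if unquoted else image_path.strip()


def service_install_reasons(event):
    """Return the reasons one service-install event looks like dropper persistence.

    The service name is deliberately ignored: as the post notes, the dropper
    picks an innocuous one, so the binary's location and start mode are what
    we key on.
    """
    if event.get("event_id") != 7045:
        return []
    exe = executable_from_image_path(event.get("image_path", "")).lower()
    reasons = []
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("service binary outside Windows and Program Files")
    if any(hint in exe for hint in USER_WRITABLE_HINTS):
        reasons.append("service binary in a user-writable directory")
    if reasons and event.get("start_type") == "auto start" and event.get("account") == "LocalSystem":
        reasons.append("auto-start as LocalSystem from an untrusted path")
    return reasons


def find_suspicious_services(events):
    """Filter a batch of events down to the installs worth an analyst's attention."""
    hits = []
    for ev in events:
        reasons = service_install_reasons(ev)
        if reasons:
            hits.append({"host": ev["host"], "service_name": ev["service_name"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_services(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['service_name']!r}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Of the four installs, only the two whose binaries sit under a user profile or Public directory are reported; the quoted-with-arguments path is normalised first so that the quoting does not hide the location. Pairing this with a short time window after a Word process wrote or launched an executable would tighten it further, but that correlation needs process telemetry the post does not describe.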

So, what is this malware? It is, in fact, Emotet, a member of the Feodo family of malware. Emotet has been around in one form or another since 2014 and has, like most other sophisticated forms of malware we have seen in the past few years, undergone relentless, continuous development ever since.

Emotet has been classified as a banking trojan based on its core functionality, which is to use network sniffing tools to harvest account credentials and other sensitive data that can be exploited to drain bank accounts and engage in other forms of financial fraud.

Emotet has undergone a number of changes since it first appeared in the wild three years ago. First, where Emotet was originally distributed via malicious .JS files delivered to users via phishing emails, the bad guys changed to using malicious .PDFs and then, in more recent campaigns, macro-laden Word .DOCs.

Second, while the core information stealing functionality of Emotet has remained fairly constant, Emotet has acquired the ability to drop other malware modules, including other banking trojans like Dridex.

Third, some variants of Emotet now include worm-like functionality that allows the malware to spread laterally throughout organizations by brute-forcing weak passwords or even using known exploits such as EternalBlue to compromise un-patched boxes. Finally, Emotet now sports very sophisticated functionality designed to evade anti-malware (detection of virtualized environments and the ability to use cleverly implemented sleep routines to sidestep anti-malware scanning).

A number of security organizations have been calling attention not only to Emotet's increasingly sophisticated and dangerous evolution over the past five months but also the resurgence since September 2017 of phishing campaigns delivering Emotet to vulnerable organizations and users. Alarmingly, TrendMicro reports that the latest Emotet phishing campaigns have been fairly indiscriminate with respect to targeted industries. While banks and other financial organizations are particular favorites of Emotet for obvious reasons, no industry is truly safe.

Unfortunately, the AV industry itself continues to struggle with detection of Emotet phishing emails, Word .DOCs, and executable droppers. In our testing with Emotet Word .DOCs and executable droppers, typically only 10-20 engines (out of roughly 60 total) on VirusTotal detected the files in question even a day after their delivery by Emotet phishing emails. URL filtering services like Google SafeBrowsing rarely flagged the embedded links within Emotet phishes -- at least in the first few hours after those emails were reported by our customers. Such results are not surprising given the heavy rotation of phishing templates, text bodies, URLs, and individually repacked files used by Emotet phishing campaigns.

Phishing is a Five-Alarm Fire

As we noted at the outset of this piece, the Emotet phishing campaign documented here has been going on since at least September. While many other phishing campaigns have come and gone during that time period, some more spectacular and noteworthy than others, this Emotet campaign has been quietly grinding on, filling inboxes with a steady stream of constantly changing emails all designed to do one thing: trick your users into an absent-minded, ill-considered click that could open a door into your organization's network for one of the more sophisticated banking trojans out there. And they're prosecuting that campaign not through threats, intimidation, slick attempts to spoof trusted online entities like Google or Amazon, or even enticing offers of free money. No, they're doing it by trying to fade into the background noise of everyday office email traffic.

Even as we write, your users are probably reading on their favorite online news sources that the White House is now attributing the widely covered WannaCry ransomware attack back in May to Kim Jong-un's army of North Korean hackers. As dire and noteworthy as WannaCry was, the most critical question for you and your IT staff is whether your users -- once they finish shaking their heads at all the organizations who failed to install the patch released in March by Microsoft and mentally scolding the NSA for husbanding such a dangerous exploit as EternalBlue -- will recognize that the seemingly innocuous email sitting in their inboxes requesting an update on the status of an invoice is, in actuality, anything but the routine query it seems to be. Because that is the reality of phishing.

Your users are getting information about phishing and other online threats from a variety of sources, some more trustworthy than others. Only you, however, can focus your employees' attention on the fact that phishing is not something happening only in the news but every day when they open their inboxes. And the most effective tool you have available to concentrate your users' minds on the mundane, daily reality of phishing attacks is New-school Security Awareness Training, which teaches them to spot the tell-tale signs of a phishing attack and then populates their inboxes with simulated phishing emails, all the while enabling you to track their progress on the road to becoming woke to the threats they are already encountering on a daily basis.