The malspam security products miss: banking and email phishing, Emotet and Bushaloader

Posted by   Martijn Grooten on   Feb 11, 2019

This blog post was put together in collaboration with VB test engineers Adrian Luca and Ionuţ Răileanu. Virus Bulletin uses email feeds provided by Abusix and Project Honey Pot.

This year, Virus Bulletin's VBSpam test lab turns ten years old. Just as malicious and unwanted emails have evolved over the years, so has the lab. We continue to publish quarterly reports on the performance of email security products, but we also provide weekly feedback to the test participants, some of which have opted not to be included in the public reports but use this feedback to help improve their products and understand their performance in relation to that of competitor products.

This set-up also gives us a unique insight into the kinds of emails that are more likely to bypass email filters. On our blog, we regularly report on the malware and phishing emails for which this is the case.

During the past week there were two phishing emails (in our definition phishing emails include those with a malicious link) that bypassed most of the email security products in our lab: one that masqueraded as a message (in English) from a Bulgarian bank, and another that masqueraded as a message from Microsoft Office 365. Banks have, for obvious reasons, long been a target of phishing campaigns, while email account credentials are valuable both for the content of the mailbox and for the ability to send emails from them.

The bank email linked to a site hosted on Firebase, a Google-owned app development platform, while the Microsoft email linked to a URL on a compromised website. The use of legitimate services or compromised domains for links helps the emails bypass domain-based blocklists, which is a first step towards bypassing email filters.

dskbank_phishing_20190203.png microsoft_phishing_20190205.png

Left: Email masquerading as message from a Bulgarian bank. Right: Email masquerading as a message from Microsoft.

A better way to achieve high delivery rates, though, is to send the emails in small, very targeted batches. This explains why delivery rates for both phishing and malware tend to be many times higher than those of ordinary spam, which is still sent in very large numbers with only a tiny fraction of the messages making it to inboxes.

Given the lower delivery rate of larger campaigns, we were somewhat surprised this week to see two fairly large malware campaigns with quite high delivery rates.

Emails in German claiming to contain a bill from Deutsche Telekom (a large telecommunications provider) were spreading Emotet, a malware family that is commonly spread via spam campaigns. Emotet is known to have been used as a stepping stone in some pretty damaging malware campaigns, including recent Ryuk infections. Emotet infections can thus be rather costly.

A second large and quite poorly blocked malware campaign was based on an email sent in Italian which claimed to contain an invoice. The attachment was a RAR archive which included a single .vbs file, an instance of the Bushaloader downloader. Though we did not analyse the malware in this case, there was a similar campaign in November that served the Danabot banking trojan.

tmobile_malware_20190206.png fattura_malware_20190203.png

Left: Email claiming to contain a bill from Deutsche Telekom. Right: Email in Italian claiming to contain an invoice. 

If you would like your product to be tested in our lab, to receive weekly updates on its performance and, optionally, be included in our quarterly public reports, or if you have a question about our research, don't hesitate to contact us at [email protected].

 

IOCs

Emotet (.doc attachments; SHA256)

40c9e3b16e84ffbf7c1584aacd2e1888e33fb8ef6e3f7481c89da1ffeb217648
766533f5d447ec654ef6d99b9a755f3a45dfa5d20f06ba9adc08a27ece9fe181
aca76ed51926cab89416a4ec88bf7011ee6ee401ad3ed85e4d1ddd68efdef324
b64aa55d7a84cec25829a46c9a714c8649aaf1966f3e3a30d1890b70e9c3a17b
bb7f1524770d7ab49b7c4e3171059ddad674bac19b114610565fb3b8f6896612
d5ac5183d4ca6e96e81243a5f102c8b3a4ebab61714d4be11c0ad5bdfdb470d3
e490438fad86371a3f7a77ab06e42067cac03d07b68a80edf1276c964030a595
f1ee64c36fb96a8b2496915eabc7beb81a61778b82e32ebbab25a22ba34e7c53
f2667d8ffd157a7d19d913be1f19a6d585061fadde8196782d2b636a73f97e44

Bushaloader (.rar attachments; SHA256)

25f1c205f4936c4c112d709dc7bd859efc070bca464ba872ed025032d1798278
399ff526fc6c3c6e408e442fad76825c6d2a4558363354654c626d98e810cc42
510496ce3730492851975f50cbefbf912ceea8bb22dc3fcfd093991e0ab48466
6c8038be2e16ee02bc674bc413e8dfcc35f2246af872f6f0543668125a52f147
af7504ee7f8dff077a7a3d976b452738ff74654515ae6d2484558f6a95a60ea3
d396ff3a539c74469ee5375884f1d5c97aef17735d6435049620bab2ae456b2e
f7e41ded5efc99591de0cff3df37da8a01d62984342e218e1c3ced605fd51d2a
fd01b91276935f6dd56651b69aa0f8438d454d666fa54213893db26cf284ede2

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.