cofense.com Open in urlscan Pro
141.193.213.20  Public Scan

URL: https://cofense.com/blog/malware-exploit-bypasses-segs-leaving-organizations-at-risk/
Submission: On July 25 via api from TR — Scanned from US

Form analysis 0 forms found in the DOM

Text Content

 * Stop Threats
   
   Business Email Compromise
   
   BEC amounts to $500 billion-plus annually in losses. Ensure your business is
   protected.
   
   Credential Theft
   
   Protect your user’s credentials and avoid a widespread, malicious attack.
   
   Malware
   
   With malware attacks on the rise, protect your business from all angles.
   
   QR Code Phishing
   
   This latest tactic is only just beginning. Here’s how to get ahead of this
   threat.
   
   Ransomware
   
   Phishing is the #1 attack vector for ransomware attacks. Stop phishing
   attacks in their tracks.
   
   Smishing
   
   Smishing is just all around us. Make sure your employees know how to stay
   safe.
   
   Vishing
   
   Voice-phishing is on currently on the rise. See how Cofense stops vishing
   attacks with our SAT solution.

 * Solutions
   
   Phishing Security Awareness Training 
   
   Train your employees to defend against advanced email threats.
   
   Email Threat Detection & Response
   
   Automatically stop attacks that bypass your secure email gateway.
   
   Phishing Intelligence Trends Review
   
   Download the Q3 Report
 * Clients
   
   Industries We Serve
   
   Businesses from all industries rely on Cofense to safeguard their teams.
   
   What Our Customers Say
   
   Global organizations trust Cofense to protect their most critical assets.

 * Resources
   
   Educational Resources
   
   Check out our resource library of solution content, whitepapers, videos and
   more.
   
   Events & Webinars
   
   Come see us at a local event or join us at an upcoming webinar.
   
   Customer Resource Center
   
   Contact us to get the most out of your Cofense solutions.
   
   Cofense vs. The Competition
   
   See why the Cofense Intelligent Email Security suite stands out against the
   competition
   
   Blog
   
   Stay current on cybersecurity trends, market insights and Cofense news.
   
   Check Your SEG
   
   See the real threats that are currently evading your Secure Email Gateway
   (SEG).
   
   Global Intelligence Network
   
   Protect your organization with our deep analysis into the current threat
   landscape and emerging trends.
   
   Technology Alliance Partners
   
   Trusted partner to some of the best technology brands in the world.

 * About
   
   About Cofense
   
   Cofense sees & stops email threats missed by standard security measures.
   
   News Center
   
   See the latest articles, press releases and more in our news center.
   
   Awards
   
   It’s an honor to be recognized in the cybersecurity market. Check out our
   recent awards.
   
   Partners
   
   Grow your business, drive new revenue streams, and improve your competitive
   posture through our Partner Program.
   
   Careers
   
   We’re looking for passionate people to join us in our mission to stop all
   email security threats for organizations around the globe.
   
   Management Team
   
   Get to know our management team.

 * Get a Demo  


X

Contact Us
Contact

 * Stop Threats
   
   Business Email Compromise
   
   BEC amounts to $500 billion-plus annually in losses. Ensure your business is
   protected.
   
   Credential Theft
   
   Protect your user’s credentials and avoid a widespread, malicious attack.
   
   Malware
   
   With malware attacks on the rise, protect your business from all angles.
   
   QR Code Phishing
   
   This latest tactic is only just beginning. Here’s how to get ahead of this
   threat.
   
   Ransomware
   
   Phishing is the #1 attack vector for ransomware attacks. Stop phishing
   attacks in their tracks.
   
   Smishing
   
   Smishing is just all around us. Make sure your employees know how to stay
   safe.
   
   Vishing
   
   Voice-phishing is on currently on the rise. See how Cofense stops vishing
   attacks with our SAT solution.

 * Solutions
   
   Phishing Security Awareness Training 
   
   Train your employees to defend against advanced email threats.
   
   Email Threat Detection & Response
   
   Automatically stop attacks that bypass your secure email gateway.
   
   Phishing Intelligence Trends Review
   
   Download the Q3 Report
 * Clients
   
   Industries We Serve
   
   Businesses from all industries rely on Cofense to safeguard their teams.
   
   What Our Customers Say
   
   Global organizations trust Cofense to protect their most critical assets.

 * Resources
   
   Educational Resources
   
   Check out our resource library of solution content, whitepapers, videos and
   more.
   
   Events & Webinars
   
   Come see us at a local event or join us at an upcoming webinar.
   
   Customer Resource Center
   
   Contact us to get the most out of your Cofense solutions.
   
   Cofense vs. The Competition
   
   See why the Cofense Intelligent Email Security suite stands out against the
   competition
   
   Blog
   
   Stay current on cybersecurity trends, market insights and Cofense news.
   
   Check Your SEG
   
   See the real threats that are currently evading your Secure Email Gateway
   (SEG).
   
   Global Intelligence Network
   
   Protect your organization with our deep analysis into the current threat
   landscape and emerging trends.
   
   Technology Alliance Partners
   
   Trusted partner to some of the best technology brands in the world.

 * About
   
   About Cofense
   
   Cofense sees & stops email threats missed by standard security measures.
   
   News Center
   
   See the latest articles, press releases and more in our news center.
   
   Awards
   
   It’s an honor to be recognized in the cybersecurity market. Check out our
   recent awards.
   
   Partners
   
   Grow your business, drive new revenue streams, and improve your competitive
   posture through our Partner Program.
   
   Careers
   
   We’re looking for passionate people to join us in our mission to stop all
   email security threats for organizations around the globe.
   
   Management Team
   
   Get to know our management team.

 * Get a Demo  


X

Contact Us
Contact



MALWARE EXPLOIT BYPASSES SEGS LEAVING ORGANIZATIONS AT RISK

 * July 24, 2024

Home » Blog » Malware Exploit Bypasses SEGs Leaving Organizations at Risk

Threat actors continually leverage and create a plethora of tactics to bypass
Secure Email Gateways (SEGs). These include encoding malicious URLs with other
SEG protection tools, obfuscating file contents, and abusing SEG treatment of
“legitimate” files.

Recently, threat actors appear to be abusing how SEGs scan the contents of
archive type file attachments. The threat actors utilized a .zip archive
attachment and when the SEG scanned the file contents, the archive was detected
as containing a .Mpeg video file and was not blocked or filtered. When this
attachment was opened with common/popular archive extraction tools such as 7zip
or Power ISO, it also appeared to contain a .Mpeg video file, but it would not
play. However, when the archive was opened in an Outlook client or via the
Windows Explorer archive manager, the .Mpeg file is (correctly) detected as
being a .html and victims were able to open the .html and eventually execute the
embedded FormBook malware.


EMAILS

The specific emails that Cofense Intelligence has identified were targeting
Spanish speaking employees at an international financial firm and claimed to
deliver an attached invoice. The emails are fully featured, including a full
email body and a signature, a step beyond most common phishing emails. The
emails were sent with the “Roundcube Webmail/1.4.8” User-Agent and bypassed
Cisco IronPort but based on this analysis it is strongly likely they would also
bypassed other SEGs.



Figure 1: Email with attached archive containing obfuscated contents.


SEG BYPASS

Based on this analysis and related testing, it appears that the malicious
attachments were able to bypass detection due to how SEGs parsed the file inside
of the archive files. If the SEG had received and scanned an email with the
identified malicious HTML attached, it would have blocked the email. Even if it
was a .zip archive attachment with clearly malicious content, most SEGs would
have scanned the archive contents and detected their malicious nature.

Here in Figure 2 is an example of how Cisco IronPort typically views the
contents of a .zip file. This indicates that an attached .zip archive had its
contents extracted and contained a gif and an HTML file.



Figure 2: Sample of Cisco IronPort scan of typical .zip archive attachment.

In Figure 3 below, we see the Cisco IronPort header for the email in Figure 1
containing an HTML file disguised with the .Mpeg file extension inside of an
attached .zip archive.



Figure 3: Cisco IronPort scan of obfuscated .zip archive.

Illustrated in Figure 3, Cisco IronPort determined that the file inside of the
archive was an .Mpeg and not an HTML. Although other SEGs are not as verbose in
the email headers when it comes to their scanning of file attachments, it is
highly likely that they would return similar results when scanning this .zip
archive. In fact, as will be seen in the next section, many common archive
extraction tools also view the contained file as a .Mpeg despite indicators to
the contrary.


ATTACHMENTS

The .zip archive attached to this email appears innocuous to both SEGs and a
cursory investigation by an analyst using standard static analysis tools. The
.zip archive contents would appear to be an .Mpeg to many common tools utilized
by security analysts and researchers, such as Power ISO and 7zip.



Figure 4: Archive file contents viewed in multiple programs.

 * In the top window depicts the archive file opened in Windows explorer
   directly, initiated from the Outlook desktop client. This clearly shows the
   archive contents as being an .html file.
 * The middle window is the archive file opened using the common archive
   extractor Power ISO.
 * The bottom window is the archive file viewed with the highly popular 7zip
   application.

As can be seen in the bottom and middle window, even common and widely used
archive extractors incorrectly identify the enclosed file as a .Mpeg. Using the
“test” option of 7zip on Windows we are also able to see a general warning about
the archive’s headers in Figure 5. However, the rather succinct warning does not
provide enough information to draw any conclusions.



Figure 5: 7zip test of obfuscated archive.

When the unzip tool in Ubuntu is used on the archive it provides the most
relevant information available yet, as can be identified in Figure 6.



Figure 6: Ubuntu unzip tool analysis of archive.

Starting with the hint that there is a “local” file name mismatch we are able to
look at the .zip archive in a text editor as seen in Figures 7 and 8. The start,
or “header”, of the file shown in Figure 7 shows us that the threat actor has
customized the .zip archive so that the file header calls its contents a .Mpeg.



Figure 7: Header of .zip archive.

The end of the file, or the “footer”, shown in Figure 8 shows us that the file
contained in the .zip archive should actually be treated as a .html.



Figure 8: Footer of .zip archive.

This demonstrates that many common archive extractors and SEGs read the file
header information for the archive and ignore the file footer that may contain
more accurate information.


INFECTION

When properly recognized as a .html file and opened, the HTML file delivered
another .zip archive, appearing to provide the file as a download from an
external source when it is in fact a decoded file embedded in the original HTML
file.

This second .zip archive contained a .cmd file which was in fact a .cab archive.
Inside of this .cab archive was the malicious executable. The executable was a
sample of DBat Loader. When run, the executable downloaded a payload, decrypted
its contents, and ran FormBook in memory. This version of FormBook contacted
several different C2s with different paths, unlike the standard FormBook which
contacts 16 different domains with the same path.

FormBook is an Information Stealer and is consistently in the top 10 most
commonly seen malware by Cofense. It is capable of keylogging, file management,
clipboard management, taking screenshots, network traffic logging, and password,
cookie, and form recovery from browsers. It is able to download and execute
additional malware putting infected users at risk of other kinds of malware
including Ransomware.

All third-party trademarks referenced by Cofense whether in logo form, name form
or product form, or otherwise, remain the property of their respective holders,
and use of these trademarks in no way indicates any relationship between Cofense
and the holders of the trademarks. Any observations contained herein regarding
circumvention of end point protections are based on observations at a point in
time based on a specific set of system configurations. Subsequent updates or
different configurations may be effective at stopping these or similar threats.
Past performance is not indicative of future results.

The Cofense® names and logos, as well as any other Cofense product or service
names or logos displayed herein are registered trademarks or trademarks of
Cofense Inc.

SHARE THIS ARTICLE

Facebook
Twitter
LinkedIn


READ MORE RELATED PHISHING BLOG POSTS

 * July 2024


SEG VS. SEG: HOW THREAT ACTORS ARE PITTING EMAIL SECURITY PRODUCTS AGAINST EACH
OTHER WITH ENCODED URLS

 * July 2024


BEWARE OF THE LATEST PHISHING TACTIC TARGETING EMPLOYEES

 * July 2024


A “META” FACEBOOK PHISH


SEE COFENSE IN ACTION.

Get a Demo


YOU'LL LEARN HOW TO:

 * Supercharge your Security Awareness Training so employees can easily spot and
   report actual threats.
 * Automatically detect and remove actual threats from across your enterprise.
 * Leverage our proprietary intelligence to avoid a breach.

1602 Village Market Blvd, SE #400
Leesburg, VA 20175
(888) 304-9422


CONTACT US








WHY COFENSE

 * Stop Threats
 * Cofense Solutions
 * Blog


RESOURCES

 * Events & Webinars
 * Knowledge Center
 * Contact Support
 * Customer Resource Center


COMPANY INFO

 * About
 * Legal
 * Privacy Policy

© 2024 Cofense Inc.

We use our own and third-party cookies to enhance your experience. Read more
about our cookie policy. By clicking ‘Accept,’ you acknowledge and consent to
our use of all cookies on our website.

Accept