Share this page!

Microsoft Security Intelligence Profile picture
Twitter logo
25 Nov, 6 tweets, 2 min read
In the past weeks, researchers have noted the increased abuse of legitimate cloud hosting services in malware campaigns. Microsoft threat intelligence shows this trend persists, w/ a number of known malware incl. BazarLoader, Zloader, Lightbot, Hancitor, etc. using the technique.
The email campaigns use a wide range of lures, incl. ones that use threats of job dismissal, exposing illegal activity, other fear tactics. The link leads to a malicious document or archive file hosted on a legitimate service. Downloading & opening the file leads to the payload.
A recent campaign uses password-protected .zip files hosted on Google Drive, with the password (curiously incorrect in this sample) in the email. While other services, incl. those from Microsoft, have been abused, the recent spike in the use of Google services is notable.
To help protect against these attacks, Microsoft Defender for Office 365 uses machine learning and detonation technology to automatically analyze new and unknown threats in real time, backed by Microsoft researchers closely monitoring the trend to ensure continued coverage.
Sample IoCs: Password-protected .zip files (SHA-256): be20dfd99d49b4639f272761be9d0ea0f89cf77bd62859483113fe3958ed0303, 3a55962a819764fe6a513fe2360a0684be25550a8c844db431198aef75831532
Here’s a sample advanced hunting query that Microsoft 365 Defender customers can run to locate emails that use the techniques we observed in these campaigns:

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Microsoft Security Intelligence

Microsoft Security Intelligence Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @MsftSecIntel

Microsoft Security Intelligence Profile picture
16 Nov
We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering. The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.
One of the interesting techniques we observed in this campaign is the use of redirector sites with a unique subdomain for each target. The subdomain follows different formats but generally always contains the recipient’s username and org domain name.
This unique subdomain is added to a set of base domains, typically compromised sites. Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient.
Read 9 tweets
Microsoft Security Intelligence Profile picture
22 Sep
Emotet joined the password-protected attachment bandwagon with a campaign starting Friday. The campaign slowed down over the weekend (typical of Emotet) but was back today in even larger volumes of emails in English, as well as in some European languages.
The Emotet emails carry a password-protected archive file that contains a document with malicious macro, which then downloads the Emotet payload. In contrast, last week’s Trickbot campaign used password-protected documents attached directly to emails.
If the recipient enters the password, which is in the email body, the document tricks users into enabling the malicious macro by claiming the that the file was created on “Windows 10 Mobile” (Friday’s campaign) or “Android device” (today’s campaign).
Read 4 tweets
Microsoft Security Intelligence Profile picture
18 Sep
Earlier this week we started seeing a spike in the use of password-protected documents in multiple malware campaigns, including Trickbot. These documents are attached to emails that use varying social engineering lures like the typical "order", "invoice", "documents". Image
We also saw the increasingly less common but still used “new corona case” lure. Some of the emails also indicate more specific targeting, with attackers using the domain of compromised sender accounts as part of the email body for improved believability. ImageImage
When opened, the malicious documents prompt for the password, which is in the email body. If the recipient enters the password, the document opens with instructions to enable editing and enable content, so that a malicious macro can run and download the payload. ImageImage
Read 5 tweets
Microsoft Security Intelligence Profile picture
3 Sep
Our comprehensive, active tracking of Dudear operations, attributed to the threat actor CHIMBORAZO (aka TA505), shows that these campaigns relentlessly use multiple layers of detection evasion techniques to try and slip through defenses.
These techniques include the routine use of varying social engineering lures (recent ones include Expense report, fake Citrix ShareFile email, and fake Dropbox notification) and download websites that block traffic from automated analysis, in addition to the CAPTCHA challenge. ImageImageImage
The email campaigns also switch between using HTML attachments that lead to a series of redirector websites before eventually leading to the download website, and using malicious URLs that download the malicious HTML, or both.
Read 5 tweets
Microsoft Security Intelligence Profile picture
26 Aug
A new info-stealing malware we first saw being sold in the cybercriminal underground in June is now actively distributed in the wild. The malware is called Anubis and uses code forked from Loki malware to steal system info, credentials, credit card details, cryptocurrency wallets ImageImageImage
The new malware shares a name with an unrelated family of Android banking malware. Anubis is deployed in what appears to be limited, initial campaigns that have so far only used a handful of known download URLs and C2 servers.
Microsoft Defender ATP detects the new malware as PWS:MSIL/Anubis.G!MTB. We will continue to monitor this threat for the possible expansion of these campaigns.
Read 4 tweets
Microsoft Security Intelligence Profile picture
13 Aug
Dudear campaigns, associated with the threat actor CHIMBORAZO (aka TA505), are a staple in the threat landscape, with regular runs since resurfacing in January. This month’s campaign, active as of today, uses the same techniques including polymorphism & detection evasion tactics. Image
Dudear emails carry polymorphic HTML redirectors that lead to an intermediate redirector website (often compromised), which then redirects to the download site. This month’s email lures include pension certificates, shipping docs, privacy documents, invoice, remittances, etc. ImageImage
The download website uses a CAPTCHA challenge as well as GeoIP check to evade automated analysis. Past these checks, an Excel file with highly obfuscated macro code is downloaded and in turn drops the payload, typically info-stealing malware GraceWire or Dridex. ImageImageImage
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get email notifications when new thread is out from this Author!

Check out other threads from this Author!

Read all threads by @MsftSecIntel