Full Report
Cybersecurity researchers have found that bad actors are continuing to have success by spoofing sender email addresses as part of various malspam campaigns. Faking the sender address of an email is widely seen as an attempt to make the digital missive more legitimate and get past security mechanisms that could otherwise flag it as malicious. While there are safeguards such as DomainKeys
Analysis Summary
# Tool/Technique: Exploitation of Neglected Domains for Email Spoofing and Phishing
## Overview
Threat actors are increasingly using old, neglected domains, often with short names on reputable Top-Level Domains (TLDs), to spoof sender email addresses in malspam campaigns. These domains frequently lack DNS records such as SPF, so malicious mail passes defenses that rely on domain age or on standard sender authentication. The technique lends legitimacy to phishing lures ranging from tax-related scams to brand impersonation, and frequent rotation of sender addresses also helps the senders evade tracking.
## Technical Details
- Type: Technique (Sender Spoofing via Domain Abuse)
- Platform: Email Systems (Targeting End Users receiving emails)
- Capabilities: Bypassing domain age-based spam filters, evading sender authentication checks (due to missing DNS records like SPF).
- First Seen: Active since at least December 2022 (for one specific campaign mentioned).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (When QR codes are attached)
- T1566.002 - Spearphishing Link (When redirecting to phishing sites)
## Functionality
### Core Capabilities
- **Sender Address Spoofing:** Faking the sender address to appear legitimate.
- **Bypassing Security:** Using domains that lack SPF records, allowing spoofing to succeed against checks reliant on those records.
- **Domain Age Exploitation:** Leveraging old, unmaintained domains that are trusted due to their history or TLD reputation, but lack current security configurations.
### Advanced Features
- **QR Code Distribution:** Distributing attachments containing QR codes that link victims to phishing sites, often requiring phone-based scanning (WeChat/AliPay lures).
- **Traffic Distribution Systems (TDSes):** Using TDSes to redirect victims to specific fake login/phishing pages after clicking a malicious link.
- **Self-Spoofing for Extortion:** Spoofing the victim's own sender address in blackmail/extortion emails to provide "proof" of system compromise (alleged RAT installation).
## Indicators of Compromise
- File Hashes: N/A (Focus is on email infrastructure/domains)
- File Names: Documents containing QR codes (often password-protected).
- Registry Keys: N/A
- Network Indicators:
  - Phishing domains impersonating brands like Amazon, Mastercard, SMBC.
  - Domains associated with attacker-controlled infrastructure used for redirection (TDS).
  - Bitcoin wallet addresses (for extortion scams).
- Behavioral Indicators: Emails using tax lures in Mandarin, demanding QR code scanning, or emails using self-spoofing for extortion threats.
## Associated Threat Actors
- Muddling Meerkat
- Unspecified threat actors involved in brand impersonation and extortion campaigns.
## Detection Methods
- Signature-based detection: Detecting known malicious QR code content or specific phishing site URLs.
- Behavioral detection: Monitoring for emails demanding users interact with QR codes or initiate payments based on social engineering lures.
- YARA rules: Potentially rules targeting specific documents containing embedded QR codes or known Mandarin tax/financial lures.
## Mitigation Strategies
- Prevention measures: Enforcing strict DMARC policies for owned domains. Organizations should ensure their own legacy domains are properly configured with strong SPF, DKIM, and DMARC records.
- Hardening recommendations: Implementing email gateway policies that inspect attachment content for QR codes, especially in conjunction with finance or tax themes. User training emphasizing the risks of scanning unknown QR codes or responding to extortion threats.
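The hardening advice above is to check that every owned legacy domain still publishes enforcing SPF and DMARC records. The following script is an added example, not code from the report: it parses SPF and DMARC TXT records and classifies how exposed a domain is to sender spoofing. The zone data is constructed inline (the `.test` domains are placeholders) rather than resolved from DNS, so it runs offline.

```python
"""Classify whether a domain's published SPF/DMARC records would let a
spoofed sender through.  Added example; the sample records below are
constructed for illustration, not real DNS data."""
import re
from typing import Optional


def parse_spf(txt_records: list[str]) -> Optional[str]:
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'),
    or None when no SPF record is published at all."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            # An absent 'all' mechanism evaluates to neutral per RFC 7208.
            return (m.group(1) or "+") if m else "?"
    return None


def parse_dmarc(txt_records: list[str]) -> Optional[str]:
    """Return the DMARC policy (none/quarantine/reject) or None if absent."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=(none|quarantine|reject)\b", rec, re.I)
            return m.group(1).lower() if m else "none"
    return None


def spoof_exposure(spf_qual: Optional[str], dmarc_pol: Optional[str]) -> str:
    """Map the two records onto a coarse exposure level."""
    if dmarc_pol == "reject" and spf_qual == "-":
        return "protected"
    if dmarc_pol in ("quarantine", "reject"):
        # Receivers enforce the DMARC policy even when SPF only soft-fails.
        return "partially-protected"
    if spf_qual is None:
        return "exposed: no SPF record"
    if spf_qual in ("~", "?", "+"):
        return "exposed: SPF does not hard-fail"
    return "exposed: SPF hard-fails but no DMARC enforcement"


def audit(domain: str, zone: dict[str, list[str]]) -> dict:
    """Audit one domain against an in-memory zone {name: [txt records]}."""
    spf = parse_spf(zone.get(domain, []))
    dmarc = parse_dmarc(zone.get("_dmarc." + domain, []))
    return {"domain": domain, "spf_all": spf, "dmarc_p": dmarc,
            "exposure": spoof_exposure(spf, dmarc)}


# Constructed sample zone: a neglected legacy domain with no records, a domain
# with a soft-fail SPF and monitoring-only DMARC, and a hardened domain.
SAMPLE_ZONE = {
    "legacy-example.test": ["some unrelated txt record"],
    "softfail-example.test": ["v=spf1 include:_spf.example.test ~all"],
    "_dmarc.softfail-example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@softfail-example.test"],
    "hardened-example.test": ["v=spf1 mx -all"],
    "_dmarc.hardened-example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened-example.test"],
}

if __name__ == "__main__":
    for d in ("legacy-example.test", "softfail-example.test", "hardened-example.test"):
        print(audit(d, SAMPLE_ZONE))
```

To run it against real domains, replace the `SAMPLE_ZONE` lookups with TXT queries for the domain and its `_dmarc` subdomain.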
## Related Tools/Techniques
- **PhishWP:** A WordPress plugin used to create fake customizable payment pages to steal financial data.
- **ConnectWise Remote Access Tool:** Legitimate remote access software distributed via phishing emails impersonating the US SSA.
- **Butcher Shop Campaign:** Phishing campaign utilizing Canva, Dropbox DocSend, and Google AMPs to boost credibility and evade URL scanners, relying on Cloudflare Turnstile to block scanners.
***
# Tool/Technique: Butcher Shop Phishing Campaign
## Overview
The "Butcher Shop" campaign is a targeted phishing operation primarily aimed at stealing Microsoft 365 credentials from workers in the legal, government, and construction sectors since early September 2024. It leverages trusted platforms to host or redirect users to malicious sites, enhancing its evasion capabilities.
## Technical Details
- Type: Campaign/Technique
- Platform: Web (Email delivery, landing on cloud-hosted redirection services)
- Capabilities: Credential harvesting, evasion of URL scanning systems.
- First Seen: Early September 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.002 - Spearphishing Link
- TA0011 - Command and Control (via redirection infrastructure)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Primary goal is stealing Microsoft 365 credentials.
- **Lure Delivery:** Using emails to redirect victims.
### Advanced Features
- **Trusted Platform Abuse:** Abusing legitimate services like Canva, Dropbox DocSend, and Google Accelerated Mobile Pages (AMPs) to host redirection mechanisms or links.
- **Cloudflare Turnstile Scanner Evasion:** Displaying a custom challenge page using Cloudflare Turnstile **before** showing the actual phishing page. This is explicitly designed to make it difficult for automated email protection systems (like URL scanners) to reach and analyze the final malicious stage.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Malicious URLs hosted or redirected through Canva, DocSend, or Google AMPs infrastructure.
- Behavioral Indicators: Redirection sequences involving a Cloudflare Turnstile challenge immediately preceding a credential entry prompt.
## Associated Threat Actors
- Unknown (Specific group not explicitly named, analyzed by Obsidian Security).
## Detection Methods
- Signature-based detection: Less effective against the initial links due to staging on trusted services.
- Behavioral detection: Monitoring for user navigation patterns in which a Cloudflare challenge immediately precedes a Microsoft 365-style login page.
- YARA rules: N/A
## Mitigation Strategies
- Prevention measures: Monitoring for login attempts originating from unusual cloud-based redirection services.
- Hardening recommendations: Enhanced MFA enforcement for M365, especially for lower-security-posture sectors like construction. Training on recognizing sophisticated redirection chains.
## Related Tools/Techniques
- General cloud service abuse for hosting malicious content.
***
# Tool/Technique: PhishWP WordPress Plugin
## Overview
PhishWP is a malicious WordPress plugin designed to turn compromised or newly established WordPress websites into phishing traps. Its goal is to mimic legitimate payment processors (like Stripe) to steal personal and financial data entered by unsuspecting users.
## Technical Details
- Type: Malware/Tool (WordPress Plugin)
- Platform: WordPress Websites (Server-side installation; client-side interaction)
- Capabilities: Create customizable fake payment pages, intercept and exfiltrate user-submitted PII and financial data.
- First Seen: Recent (Advertised/analyzed in recent reports).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access (If installed following a site compromise)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Sending collected data directly to attackers, often via Telegram).
## Functionality
### Core Capabilities
- **Mimicry:** Creating convincing payment page layouts resembling services like Stripe.
- **Data Collection:** Capturing Personally Identifiable Information (PII) and payment card details entered by victims.
### Advanced Features
- **Real-time Exfiltration:** Sending collected victim data directly to attackers, often via the Telegram application.
- **Versatility:** Can be installed on legitimately compromised WordPress sites or newly deployed fraudulent ones.
## Indicators of Compromise
- File Hashes: N/A (Based on plugin distribution)
- File Names: PhishWP plugin files within `/wp-content/plugins/`.
- Registry Keys: N/A
- Network Indicators: Outbound communication from the compromised WordPress site to Telegram servers containing stolen data.
- Behavioral Indicators: Unauthorized installation or modification of files within the WordPress plugin directory structure.
## Associated Threat Actors
- Unspecified actors advertising and utilizing the plugin.
## Detection Methods
- Signature-based detection: Signature matching for the specific code base of the PhishWP plugin files.
- Behavioral detection: Monitoring outgoing network traffic from WordPress servers to messaging platforms like Telegram for unexpected data transfers.
- YARA rules: Rules targeting plugin file signatures.
## Mitigation Strategies
- Prevention measures: Regularly patching and updating WordPress core, themes, and plugins. Using strong integrity checks on plugin files.
- Hardening recommendations: Restricting file write access in `/wp-content/plugins/` where possible, and strictly controlling user accounts with site administration privileges.
## Related Tools/Techniques
- General web skimming/form hijacking tools.
***
# Tool/Technique: Extortion via Self-Spoofing and Remote Access Allegations
## Overview
A social engineering scheme where attackers use email to extort money ($1800 in Bitcoin) by falsely claiming to have compromised the victim's system via a Remote Access Trojan (RAT) and possessing embarrassing videos. A key feature is spoofing the victim's own email address as the sender to assert credibility and demand the recipient check their own inbox as "proof."
## Technical Details
- Type: Technique (Social Engineering/Extortion Looper)
- Platform: Email Systems
- Capabilities: Psychological manipulation, alleged proof of compromise, financial extortion.
- First Seen: Described as an observed campaign tactic.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access (Though access is alleged, this is the starting point of the *social engineering* campaign).
- TA0009 - Collection (Alleged collection of video data).
- TA0012 - Impact (Extortion).
## Functionality
### Core Capabilities
- **Self-Impersonation:** Spoofing the recipient's own email address as the sender.
- **Threat Generation:** Claiming to have installed a remote access tool and recorded compromising material.
- **Demanding Payment:** Requesting a specific sum ($1800) in Bitcoin for deletion.
### Advanced Features
- N/A (Relies primarily on psychological pressure).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Bitcoin addresses associated with payment demands.
- Behavioral Indicators: Emails demanding payment to delete non-existent compromised data, sent from the recipient's own address or highly similar/randomly spoofed addresses.
## Associated Threat Actors
- Unspecified actors conducting extortion campaigns.
## Detection Methods
- Signature-based detection: Detecting specific keywords ("embarrassing videos," "$1800 Bitcoin").
- Behavioral detection: Flagging inbound emails whose sender address is the recipient's own address, where mail filtering permits such a rule or where header analysis shows the sender was not authenticated.
- YARA rules: N/A
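The behavioral detection above can be implemented as a header check: a message whose From address equals (or shares a domain with) the recipient, yet carries failing or absent authentication results, is a self-spoof candidate. The script below is an added example, not code from the report; the two sample messages and the `example.test` domain are constructed for illustration.

```python
"""Flag inbound messages whose From: is the recipient's own address or domain
but which failed sender authentication.  Added example; the sample headers
are constructed, not taken from a real campaign."""
import re
from email import message_from_string
from email.utils import parseaddr


def auth_results(msg) -> dict[str, str]:
    """Collapse Authentication-Results headers into {method: result},
    e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    out: dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            out.setdefault(m.group(1).lower(), m.group(2).lower())
    return out


def is_self_spoof(raw: str) -> tuple[bool, str]:
    """Return (flagged, reason) for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if not from_addr or not to_addr:
        return False, "missing From/To"
    same_addr = from_addr == to_addr
    same_domain = from_addr.rsplit("@", 1)[-1] == to_addr.rsplit("@", 1)[-1]
    if not (same_addr or same_domain):
        return False, "external sender"
    res = auth_results(msg)
    # Internal mail that passes DKIM or DMARC is legitimate; a message that
    # claims to be the recipient without authenticating is suspect.
    if res.get("dmarc") == "pass" or res.get("dkim") == "pass":
        return False, "authenticated internal mail"
    why = "From matches recipient " + ("address" if same_addr else "domain")
    return True, f"{why} but auth results were {res or 'absent'}"


# Constructed samples: an extortion-style self-spoof and a genuine internal mail.
SPOOFED = """From: alice@example.test
To: alice@example.test
Subject: I have recorded you
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=relay.example.invalid; dkim=none; dmarc=fail header.from=example.test

Your device was compromised. Pay 1800 USD in Bitcoin to delete the videos.
"""
LEGIT = """From: alice@example.test
To: alice@example.test
Subject: note to self
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example.test; dkim=pass header.d=example.test; dmarc=pass header.from=example.test

Remember to renew the SPF record.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(name, is_self_spoof(raw))
```

In production the check should run on the gateway that adds the Authentication-Results header, so that an attacker cannot pre-seed a forged passing result.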
## Mitigation Strategies
- Prevention measures: User education regarding such blackmail scams; ensuring employees know that receiving such an email is proof of a **social engineering attempt**, not necessarily a breach.
- Hardening recommendations: Implement stricter anti-spoofing rules, although self-spoofing often relies on external relays or completely spoofed headers.
## Related Tools/Techniques
- Sextortion campaigns.
***
# Tool/Technique: Smishing Triad UAE Smishing Campaigns
## Overview
A series of SMS phishing (smishing) campaigns active in the UAE that impersonate law enforcement and government authorities (e.g., Dubai Police) to trick victims into making payments for non-existent traffic violations or license renewals.
## Technical Details
- Type: Campaign/Technique (Smishing)
- Platform: Mobile SMS
- Capabilities: Financial fraud via fake payment requests, impersonating authority figures.
- First Seen: Recent campaigns observed.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.004 - Phishing: SMS Phishing
## Functionality
### Core Capabilities
- **Authority Impersonation:** Claiming to be from the Dubai/UAE police or related government bodies.
- **Fake Fees:** Luring victims with plausible scenarios (traffic tickets, license issues).
- **Redirect to Payment:** Directing users via links in SMS to bogus payment portals.
### Advanced Features
- N/A (Focus on high-volume, plausible social engineering).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Bogus domains used for fake government/police payment sites.
- Behavioral Indicators: SMS messages containing links related to traffic fines or license renewals originating outside official channels.
## Associated Threat Actors
- Smishing Triad
## Detection Methods
- Signature-based detection: Blocking known malicious smishing URLs via mobile network/security gateways.
- Behavioral detection: Monitoring for high volumes of SMS traffic originating from non-official short codes or containing known scam language.
- YARA rules: N/A
## Mitigation Strategies
- Prevention measures: Implementing robust SMS filtering on telco networks.
- Hardening recommendations: Public awareness campaigns detailing how official entities communicate about fines and payments.
## Related Tools/Techniques
- Social engineering via mobile messaging.
***
# Tool/Technique: Social Security Administration (SSA) Credential Harvesting / ConnectWise Delivery
## Overview
A phishing campaign, identified by Cofense, impersonates the U.S. Social Security Administration (SSA). This campaign employs dual objectives: directing victims to traditional credential harvesting pages or tricking them into downloading and running the ConnectWise remote access software installer.
## Technical Details
- Type: Campaign/Technique (Phishing/Malware Delivery)
- Platform: Email (Windows/Desktop endpoints for software execution)
- Capabilities: Credential harvesting and delivery of remote access software (ConnectWise).
- First Seen: Recent (as detailed in Cofense analysis).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566.001 - Spearphishing Attachment (If delivering ConnectWise installer)
- T1566.002 - Spearphishing Link (If directing to credential harvesting pages)
- TA0002 - Execution
- T1204 - User Execution (If user runs the installer)
## Functionality
### Core Capabilities
- **Impersonation:** Spoofing official SSA correspondence.
- **Dual Payload:** Offering either credential harvesting links or an attachment/link to install ConnectWise.
### Advanced Features
- **Remote Access Trojan (RAT) Delivery:** Deploying legitimate remote administration software (ConnectWise) for potential covert access, transforming the phishing lure into a malware delivery system.
## Indicators of Compromise
- File Hashes: Hashes associated with the ConnectWise installer distribution.
- File Names: Installer files disguised as SSA related documents.
- Registry Keys: N/A
- Network Indicators: C2 infrastructure associated with the credential harvesting pages or ConnectWise callback endpoints.
- Behavioral Indicators: User running an executable downloaded from an SSA-themed email.
## Associated Threat Actors
- Unspecified actors (Identified by Cofense).
## Detection Methods
- Signature-based detection: Signatures for the ConnectWise installer delivered via email.
- Behavioral detection: Monitoring for the execution of remote access software initiated following an email interaction.
- YARA rules: Rules targeting the payload installer.
## Mitigation Strategies
- Prevention measures: Strict email filtering for executables/installers originating from unverified sources.
- Hardening recommendations: Restricting the installation and execution of remote access tools unless explicitly authorized and managed via IT control.
## Related Tools/Techniques
- Use of legitimate software for malicious access (Living off the Land binaries/tools).
***
# Tool/Technique: Abuse of Generic Top-Level Domains (gTLDs)
## Overview
Cybercriminals are exploiting generic TLDs such as .top, .xyz, .shop, .vip, and .club. These TLDs accounted for 37% of reported cybercrime domains globally between September 2023 and August 2024, despite only holding 11% of the total market. This is due to their low registration fees and minimal registration requirements, which facilitate rapid abuse.
## Technical Details
- Type: Technique (Infrastructure Abuse)
- Platform: Domain Name System (DNS)
- Capabilities: Low-cost, low-barrier infrastructure for hosting malicious content.
- First Seen: Long-term trend, highlighted in recent 2024 analysis.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1568 - Dynamic Resolution
- T1568.002 - Domain Generation Algorithms (Related to rapid domain creation/use)
## Functionality
### Core Capabilities
- **Cost-Effective Infrastructure:** Registering domains cheaply (22 options cost under $2.00).
- **Rapid Deployment:** Quickly setting up infrastructure for phishing or malware hosting.
### Advanced Features
- N/A (The feature is the ease and low cost of acquisition).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: High prevalence of domains ending in `.top`, `.xyz`, `.shop`, `.vip`, `.club` in threat intelligence feeds.
- Behavioral Indicators: High turnover rate of domains using these particular gTLDs among malicious actors.
## Associated Threat Actors
- Broadly utilized by various cybercriminal entities.
## Detection Methods
- Signature-based detection: IP/Domain blacklists heavily featuring these gTLDs.
- Behavioral detection: Scoring reputation based on TLD age and historical abuse rates.
- YARA rules: N/A
## Mitigation Strategies
- Prevention measures: Security solutions should assign higher suspicion scores or perform deeper inspection on traffic interacting with these specific gTLDs, regardless of initial content scans.
- Hardening recommendations: Domain security posture reviews should prioritize monitoring for outgoing traffic to these high-risk TLDs.
## Related Tools/Techniques
- Use of fast flux networking.