Cofense
Author: p | 2025-04-25
Solutions: Cofense PhishMe, Cofense Reporter, Cofense Triage, Cofense Validator.
Results: Delivering a customized phishing education program to reduce the
Cofense Reporter and Cofense Professional Services. AES also uses Cofense Reporter, a solution that allows for quick user reports of phishing attempts. With Cofense
Cofense Triage and Cofense Intelligence with Logrhythm
2025-04-15
New advancements to the Cofense Phishing Detection and Response (PDR) platform improve visibility of dangerous email-based threats, helping SOC teams respond faster.

LEESBURG, Va. – October 23, 2024 – Cofense®, the leading provider of intelligence-driven phishing defense solutions, today announced the release of new AI-driven spam reduction capabilities to its Phishing Detection and Response (PDR) platform. These enhancements reduce workload so SOC analysts can concentrate on genuine threats that could quickly harm an organization's revenue or reputation.

"As phishing attacks continue to evolve, security teams demand tools that improve efficiency but also give them an edge in identifying and responding to threats," said Jason Reinard, Senior Vice President of Product Engineering. "With these new AI features, Cofense is making it easier for analysts to cut through the noise, focus on what matters, and act faster when it counts."

Cofense has been testing and validating AI models in email phishing scenarios for nearly four years. These AI-enabled updates to the Cofense PDR platform have been designed to reduce SOC workload and significantly improve the highlighting of today's most dangerous email-based phishing attacks.

"Cofense customers represent some of the most sophisticated organizations in the world. The bar we have is set very high, and this AI-based addition to our solution represents a major leap in our forward-looking technology," concludes Reinard.

AI-Powered Spam Filter
Designed to reduce SOC analyst spam overhead by 30% or more in this first iteration, this new feature of the PDR solution uses Bayesian machine learning (ML) to customize the spam filter to each customer. The model "learns" the SOC's unique environment, identifying and automatically filtering out spam that previously inundated analysts' inboxes, so each Cofense customer benefits from true local learning on their own environment. Notably, and unlike many other AI-driven products, the Cofense PDR AI Spam Filter keeps emails local and never requires export to external cloud data lakes, which preserves data privacy, helps with compliance attestations and supports best-practice security methods.

To learn more about Cofense PhishMe email security solutions, and how Cofense stops advanced phishing attacks that bypass the technology of all SEGs, visit cofense.com.

About Cofense
Cofense is the leader in intelligence-driven email defense solutions, powered by the world's largest active phishing threat reporting network of more than 35 million Cofense-trained employees. Cofense protects the world's largest enterprises against thousands of daily phishing attacks that evade traditional SEGs and AI-based perimeter defenses. Cofense PhishMe Email Security Awareness Training (SAT) goes far beyond basic awareness, training employees to recognize and report the latest and most dangerous threats that bypass SEGs. Cofense Phishing Threat Detection and Response (PDR) solutions include powerful automation tools as well as managed services that convert threat intelligence into rapid remediation and mitigation. Unique to Cofense, all customer deployments are force multiplied by global, collective SEG-miss intelligence. For more information, visit cofense.com or connect with Cofense on X and LinkedIn.
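The AI-Powered Spam Filter section above names the general technique (Bayesian classification trained locally on the SOC's own reports) without showing it. The following is an added example written for this page, not Cofense's model or code: a multinomial naive Bayes filter with add-one smoothing, fitted on a constructed set of analyst-labelled report subjects, that partitions an incoming queue into auto-closed spam and items escalated to an analyst. The training subjects, labels and queue are all constructed; the point of the design is that the only state the model holds is what it derived from the labelled reports it was given, so it can be trained and run entirely inside the environment.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training data standing in for reports an analyst has already
# labelled in the SOC's own queue (added example; not Cofense data).
TRAINING = [
    ("Your weekly newsletter: 20% off all subscriptions this week", "spam"),
    ("Unsubscribe here to stop receiving our promotional offers", "spam"),
    ("Limited time offer: discount on subscriptions, unsubscribe anytime", "spam"),
    ("Webinar invitation: register today for our free marketing session", "spam"),
    ("Urgent: your mailbox password expires today, verify your account now", "phish"),
    ("Invoice attached, please review and confirm payment details", "phish"),
    ("Action required: verify your account to avoid suspension", "phish"),
    ("Shared document: sign in with your password to view the invoice", "phish"),
]

_TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case word/number tokens; punctuation is dropped."""
    return _TOKEN.findall(text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes with add-one (Laplace) smoothing.

    Everything the filter knows lives in this object and comes only from the
    labelled reports passed to train(), so no email content needs to leave
    the SOC to fit or run it.
    """

    def __init__(self):
        self.doc_counts = Counter()               # label -> number of documents
        self.token_totals = Counter()             # label -> number of tokens
        self.token_counts = defaultdict(Counter)  # label -> token -> count
        self.vocab = set()

    def train(self, labelled):
        for text, label in labelled:
            self.doc_counts[label] += 1
            for tok in tokenize(text):
                self.token_counts[label][tok] += 1
                self.token_totals[label] += 1
                self.vocab.add(tok)

    def log_posteriors(self, text):
        """Unnormalised log P(label | text) for every label seen in training."""
        n_docs = sum(self.doc_counts.values())
        v = len(self.vocab)
        toks = tokenize(text)
        scores = {}
        for label, n in self.doc_counts.items():
            score = math.log(n / n_docs)  # class prior
            for tok in toks:
                # Add-one smoothing: a token never seen for this label gets a
                # count of 1, so one new word cannot zero out a class.
                count = self.token_counts[label][tok] + 1
                score += math.log(count / (self.token_totals[label] + v))
            scores[label] = score
        return scores

    def classify(self, text):
        scores = self.log_posteriors(text)
        return max(scores, key=scores.get)


def build_filter(labelled=TRAINING):
    nb = NaiveBayesFilter()
    nb.train(labelled)
    return nb


def triage(nb, subjects):
    """Split reported subjects into auto-closed spam and items for an analyst."""
    spam, to_analyst = [], []
    for s in subjects:
        (spam if nb.classify(s) == "spam" else to_analyst).append(s)
    return spam, to_analyst


if __name__ == "__main__":
    model = build_filter()
    queue = [  # constructed incoming reports
        "Unsubscribe from our newsletter offers",
        "Please verify your password to view the attached invoice",
    ]
    auto_closed, escalated = triage(model, queue)
    print("auto-closed:", auto_closed)
    print("to analyst:", escalated)
```

Retraining is just calling train() again on the newly labelled reports, which is the "learns your environment" loop the release describes; a production filter would also track the classifier's false-negative rate on escalated items so that phishing reports are never silently closed as spam.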
2025-04-19
To run the DLL which is the main Mekotio payload. A new variant of Mekotio uses a DLL side-loading technique: DLLs associated with legitimate applications are run, and those in turn load Mekotio.
Subject: Subjects were predominantly made to look like Spanish invoices.
Attachment: Mekotio is delivered mainly as a URL instead of an attachment.
Behavior: The URL delivers an MSI which, when clicked, pulls the stage 2 .exe.
Brand: Fractur // Spanish
Infection Chain: [diagram not preserved]

5. Remcos
Remcos was originally a remote desktop connection tool that has since been repurposed as a remote access trojan capable of taking control of a user's system. Its chief capabilities include keylogging, information stealing, and audio/visual monitoring.
Subject: Remcos was delivered as a fake invoice for a payment. Typically the emails were in Spanish, but some were delivered in other languages as well.
Attachment: Remcos was delivered using Google Docs URLs instead of attached malware.
Behavior: Once the archive (either .tar or .rar) is downloaded and the contained .exe is executed, the process remains running while reaching out to C2 for further instruction.
Brand: Fractur // Invoices // Google Docs
Infection Chain: [diagram not preserved]

Summary
This month we observed the return of QakBot and a large increase in the delivery of Ursnif. Of note, we have seen a decrease in the overall prevalence of banking trojans such as Banload, which has fallen off the top list for now. The Cofense Phishing Defense Center (PDC) will continue to watch these threats as they evolve and deal with situations as they arise.

All third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.
2025-04-13
For a variety of malicious purposes. From 2019 until around 2021, LokiBot was often the most common malware family, followed by Agent Tesla Keylogger. At the time of this report, other malware families appear more often and have pushed LokiBot down the rankings; however, LokiBot is still in the top five malware families seen at Cofense. Figure 2 shows the percentage of LokiBot among the other malware families in our Active Threat Reports (ATR). Although there was a small dip over the past year and a half, LokiBot has remained around eight percent of all malware seen each month.
Figure 2: LokiBot's relative share seen at Cofense between January 2022 and July 2023.

Delivery Mechanisms
LokiBot is often delivered by itself via email; however, as Figure 3 shows, a large share of LokiBot is still accompanied by a delivery mechanism. Of the delivery mechanisms seen by Cofense, an overwhelming 82% of LokiBot that is accompanied by a delivery mechanism is delivered via CVE-2017-11882. Across all LokiBot samples seen by Cofense, though, over half are delivered as a direct attachment.
Figure 3: Delivery mechanisms used to deliver LokiBot between January 2022 and July 2023.
LokiBot is very rarely delivered via embedded URLs or via delivery mechanisms other than CVE-2017-11882, such as Visual Basic Scripts (VBS) or Windows Shortcut files (LNK): just over one percent of LokiBot samples were delivered through those two mechanisms combined between January 2022 and July 2023.

Behavior
LokiBot's behavior is straightforward. Once it has been downloaded and run, LokiBot unpacks itself onto the system. From there, the malware starts collecting sensitive
2025-04-21
Low price and ease of use. Since then, lokistov has released LokiBot 2.0 and is currently selling it on underground forums. This newer version of the information stealer includes more evasive techniques and expands further into keylogger, Remote Access Trojan (RAT), and even ransomware capabilities.

Notable Uses
Because LokiBot has been around for a while, there have been a sizeable number of media pieces about it; however, none of them revolve around the campaigns that APT (Advanced Persistent Threat) groups use this malware to conduct. The most recent use was in February 2020, when LokiBot impersonated a Fortnite launcher, Fortnite being one of the most popular video games at the time. Since LokiBot is simple, adaptable and easily accessible, it has remained in the top 5 malware families seen at Cofense since 2019. During 2019 and 2020, LokiBot was a strong competitor for the top malware family seen, constantly switching places with the ever-popular Agent Tesla.

Capabilities
Although LokiBot originated as an information stealer, it has been cracked and modified several times, and some builds have RAT or keylogger capabilities. However, the majority of LokiBot seen in the wild only demonstrates information stealer capabilities.
LokiBot is capable of stealing credentials from over 100 different clients, including but not limited to: email clients, FTP clients, VNC clients, HTTP browsers, password managers, and IM clients. Specific examples of these applications are listed in Table 1; the list is not limited to these applications.

Mozilla Firefox, Internet Explorer, Google Chrome, K-Meleon, Comodo Dragon, SeaMonkey, Safari, CoolNovo, Opera, Chromium, Titan Browser, Yandex Browser, Superbird Browser, Chrome Canary, Waterfox, Flash FXP, Nexus File, JaSFtp, Syncovery, Remmia RDP, FileZilla, CyberDuck, NovaFTP, FTPShell, NETFile, mSecure Wallet, Fling, KiTTY, PuTTY, WinSCP, Outlook, Mozilla Thunderbird, Pocomail, Gmail Notifier Pro, yMail, Pidgin, AI RoboForm, KeePass, EnPass, 1Password
Table 1: Examples of applications LokiBot has the capability to steal credentials from.

In the Wild
LokiBot has always been seen at Cofense as one of the most popular malware families used by threat actors. Due to its simplicity and ease of use, low-skill threat actors can use LokiBot