The anti-phishing solution provider Cofense, formerly PhishMe, has reported a marked increase in phishing campaigns using files with the .com extension. The .com extension denotes files containing raw executable byte code, which can be run on Microsoft NT-kernel-based and DOS operating systems.
The campaigns identified through Cofense Intelligence are primarily being sent to financial service departments and are used to download a variety of malicious payloads including the Loki Bot, Pony, and AZORult information stealers and the Hawkeye keylogger.
Some of the emails in the campaigns instruct the user to open an attached .iso file to view information related to the notification; the .iso file contains the .com executable. One such email claimed to be from a company that had received payment yet had no outstanding invoices. The email requested the recipient check the payment with the finance department to determine if an error had been made. The attachment appeared to be a credit notification from the bank.
The subject lines used in the phishing campaigns are varied and include shipping information notices, quote requests, remittance advice, bank information, and invoices, although the two most common subjects referenced ‘payment’ or a ‘purchase order’.
The payment-themed emails were used with the AZORult information stealer, and the purchase order subject lines were used with Loki Bot and Hawkeye.
Most of the campaigns used the .com file as an email attachment, although some variants used an intermediary dropper and downloaded the .com file via a malicious macro or exploit. The latter is becoming more common as IT security teams are alert to the direct delivery mechanism. Most of the malware variants used in these campaigns communicated with domains hosted on Cloudflare. However, Cofense notes that the actual C2 is not hosted on Cloudflare. Cloudflare is used as a domain front because it is widely trusted by businesses, so traffic to its domains is less likely to arouse suspicion.
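As an added illustration (not code from Cofense or the report), the following mail-gateway triage check flags the two attachment types described above, .com executables and .iso containers, by inspecting content rather than trusting the extension, and notes whether the subject matches the reported ‘payment’ / ‘purchase order’ lures. The sample message, sender and recipient addresses, and attachment bytes are constructed stand-ins, not real samples.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed stand-ins for attachment content (not real malware samples).
SAMPLE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64   # ISO 9660 signature sits at 0x8001
SAMPLE_PE_COM = b"MZ" + b"\x00" * 62                         # PE/EXE image renamed to .com
SAMPLE_FLAT_COM = b"\xb4\x4c\xcd\x21"                        # headerless 16-bit code (DOS exit)

# Subject themes the report ties most often to these campaigns.
LURE_TERMS = ("payment", "purchase order")


def build_sample_eml(filename: str, data: bytes, subject: str = "Payment received") -> bytes:
    """Build a constructed RFC 822 message carrying one attachment (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.invalid"
    msg["To"] = "finance@recipient.invalid"
    msg["Subject"] = subject
    msg.set_content("Please check this payment with the finance department.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def classify_attachment(name: str, data: bytes) -> Optional[str]:
    """Label .com and .iso attachments by their bytes, not only by their extension."""
    ext = os.path.splitext(name.lower())[1]
    if ext == ".com":
        # The Windows loader decides by header: an MZ header makes this a PE executable
        # regardless of the extension; a headerless file is a flat DOS COM program.
        return "PE executable renamed .com" if data[:2] == b"MZ" else "flat DOS COM executable"
    if ext == ".iso":
        if data[0x8001:0x8006] == b"CD001":
            return "ISO disc image (may contain a .com executable)"
        return "claims .iso but lacks ISO 9660 signature"
    return None


def triage(raw: bytes) -> dict:
    """Return the lure-subject flag and per-attachment findings for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        label = classify_attachment(name, part.get_payload(decode=True) or b"")
        if label:
            findings.append((name, label))
    return {"lure_subject": any(t in subject for t in LURE_TERMS), "findings": findings}
```

A gateway rule would typically quarantine any message where `findings` is non-empty and escalate when `lure_subject` is also set.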
Cofense predicts there will be a rise in the use of .com attachments in phishing campaigns and advises businesses to include the file extension in their anti-phishing training programs and phishing email simulations to prime users for when attacks occur.