Month: July 2022

SpamTitan Plus Anti-Phishing Solution Gets New Predictive Threat Detection Capabilities

SpamTitan Plus is a leading-edge artificial intelligence-driven anti-phishing solution from TitanHQ that provides better coverage than any other anti-phishing product on the market. The solution has 100% coverage of all current market-leading anti-phishing feeds, which gives users a significant uplift in phishing link detections and faster detection of phishing threats than any other product.

The solution is fed massive clickstream traffic from more than 600 million endpoints worldwide, and more than 10 million new, and never-before-seen phishing and malicious URLs are added to the solution and blocked for all users every single day. When a new, malicious URL is detected, it takes less than 5 minutes for all users of SpamTitan Plus to be protected. Independent tests have shown SpamTitan Plus is 1.6 times faster at detecting phishing URLs than any of the current market leaders and achieves a 1.5x increase in unique phishing URL detections.

When a user clicks a link in an email, the URL is checked in real time at the time of the click, not just when the email is delivered. This matters because attackers often send links to a page that is still benign when the email passes the gateway and weaponize the destination afterwards, so a delivery-time check alone is bypassed. When SpamTitan Plus checks the link, redirects are followed, the final destination is scanned to identify spoofed brand and login pages, and a range of dynamic checks are performed. If the destination URL is determined to be malicious, the user is directed to a block page instead of the site.

SpamTitan Plus was launched by TitanHQ in December 2021, and it has already proven popular with businesses that need the very best protection against phishing attacks. TitanHQ has now made a major update to the solution to improve its predictive phishing detection capabilities.

One way phishing campaigns evade security solutions is by using a personalized URL for each targeted company and victim. In a standard phishing campaign the same URL is used for the entire campaign, so once that URL is detected as malicious it is blocked by email security solutions for everyone. When every email in the campaign carries a unique URL, blocking one of them does not affect any other email in the campaign, because each one has a different URL. The personalization is applied at the path or query-parameter level, with the host and the rest of the URL unchanged, and most anti-phishing solutions provide no protection against these personalized malicious URLs. Personalized URLs are used in phishing, social engineering, reputation attacks, and malware distribution.
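One practical way to defend against personalized URLs is to reduce each URL to a campaign template, so that blocking one reported URL also blocks its siblings. The code below is an added example written for this article, not TitanHQ code or a description of how SpamTitan Plus works internally. It assumes that per-victim identifiers look like long hex, base64-style or numeric tokens (a heuristic), and the sample URLs are constructed for the example and are not real phishing links.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: three URLs from one "campaign" that differ only in a
# per-victim path segment and query value, plus one unrelated benign URL.
SAMPLE_URLS = [
    "https://login-portal.example/verify/a8f3c9e1d2b4/index.html?uid=c2e1f0a9b7d3",
    "https://login-portal.example/verify/0b7e44aa19cd/index.html?uid=9f1e2d3c4b5a",
    "https://login-portal.example/verify/77dd21ef03ab/index.html?uid=1a2b3c4d5e6f",
    "https://docs.example/shared/report.pdf",
]

HEX_TOKEN = re.compile(r"^[0-9a-f]{8,}$", re.I)
DIGIT_TOKEN = re.compile(r"^\d{6,}$")
B64_CHARS = re.compile(r"^[A-Za-z0-9+/_=-]+$")


def looks_like_token(segment: str) -> bool:
    """Heuristic (assumption): per-victim identifiers are long hex/numeric blobs
    or long base64-style strings that contain at least one digit."""
    if HEX_TOKEN.match(segment) or DIGIT_TOKEN.match(segment):
        return True
    return (
        len(segment) >= 16
        and bool(B64_CHARS.match(segment))
        and any(c.isdigit() for c in segment)
    )


def url_template(url: str) -> str:
    """Collapse per-victim path segments and query values into a stable key.
    Query parameter *names* are kept (they identify the phishing kit), values
    are replaced by a placeholder; the scheme and fragment are ignored."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segs = ["{tok}" if looks_like_token(s) else s for s in parts.path.split("/") if s]
    params = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    key = host + "/" + "/".join(segs)
    if params:
        key += "?" + "&".join(f"{k}={{tok}}" for k in params)
    return key


def group_by_template(urls):
    """Cluster a batch of observed URLs by campaign template."""
    groups = defaultdict(list)
    for u in urls:
        groups[url_template(u)].append(u)
    return dict(groups)


class TemplateBlocklist:
    """Blocklist keyed on templates rather than exact URLs, so one confirmed
    malicious URL blocks every personalized variant of the same campaign."""

    def __init__(self):
        self._bad = set()

    def report_malicious(self, url: str) -> None:
        self._bad.add(url_template(url))

    def is_blocked(self, url: str) -> bool:
        return url_template(url) in self._bad


if __name__ == "__main__":
    bl = TemplateBlocklist()
    bl.report_malicious(SAMPLE_URLS[0])
    for u in SAMPLE_URLS:
        print("BLOCK " if bl.is_blocked(u) else "allow ", u)
```

Templating is deliberately conservative: the host is never tokenized, so a shared hosting domain does not get blocked wholesale, and the parameter names are retained because they are part of the kit's fingerprint. The token heuristic will occasionally mark a long legitimate path segment as a token, which only makes a template slightly broader, never blocks a host on its own.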

The latest predictive functionality detects and blocks automated bot phishing campaigns and personalized URL attacks, ensuring users get the very best phishing protection. The new capabilities have already been added to SpamTitan Plus and made available to all users.

“With predictive phishing detection, SpamTitan Plus can now combat automated bot phishing. At TitanHQ we always strive to innovate and develop solutions that solve real security problems and provide tangible value to our customers. The end goal is to have our partners and customers two or three steps ahead of the phishers and cybercriminals,” said Ronan Kavanagh, CEO, TitanHQ.

Qakbot Malware is Still a Major Threat After 15 Years

Qakbot malware is one of the oldest malware threats that is still in use, having first been detected in 2007. Qakbot malware – aka QBot, QuakBot, and Pinkslipbot – has seen extensive development over the years and still poses a major threat to businesses worldwide. QakBot malware started life as a banking Trojan that was used to steal sensitive financial information. Qakbot malware can now also steal sensitive data from browsers and emails and as with many other modular banking Trojans, it also serves as a malware loader and is used to deliver secondary malware payloads.

As was the case back in 2007, Qakbot malware is most commonly delivered via phishing emails, either through links to malicious websites from which the malware is downloaded or through malicious email attachments. Once initial access to a victim's network is gained, privileges are escalated, and the malware operator uses built-in Microsoft tools for lateral movement, a technique known as living off the land. This means no additional tooling needs to be downloaded, which could be detected, and the attackers can hide their activity amongst legitimate use of the same tools by IT teams.

Qakbot malware is known to use exploits for known vulnerabilities. Qakbot was recently observed attempting to exploit the Follina remote code execution vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT), which is triggered through a malicious Office document that invokes the ms-msdt: URI handler and affects Windows 11 and earlier versions along with most versions of Office. The malware has also used an exploit for the Zerologon vulnerability (CVE-2020-1472) in Netlogon, to name just a couple.

In addition to being able to read and exfiltrate email data, QakBot malware, like Emotet, can hijack existing message threads and self-propagate. An existing email thread is found in a compromised mailbox, and a reply containing a malicious link is inserted into the conversation. Since the email includes the text of the previous exchange between two individuals who know each other, there is a reasonable chance of the malicious website being visited and the file being downloaded and opened. One way of getting around spam filters is to include the URL as plain text rather than as a clickable link, so that the recipient has to copy it manually into the browser and URL-rewriting defenses never see it as a link.

Qakbot malware is strongly associated with ransomware attacks. Once the operators of the malware have achieved their aims, they sell access to infected devices to other threat groups as a secondary revenue stream. For example, QakBot malware has been observed delivering Cobalt Strike beacons to victims’ devices, and access to those beacons is then sold to ransomware gangs. The malware has been used by various ransomware gangs, including ProLock, Black Basta, MegaCortex, Egregor, and REvil.

A 2022 analysis of the malware, published by The DFIR Report, highlights the speed at which attacks occur. The report describes an attack in October in which the entire network was compromised in minutes. In this case it is unclear how initial access was gained, but the malware was most likely delivered via a phishing email with a malicious Excel spreadsheet, which launched the Qakbot DLL loader. A scheduled task was created to elevate privileges to SYSTEM level, and Qakbot was then injected into many processes, including Microsoft Remote Assistance (msra.exe).

Within 30 minutes of initial access, browser data and emails had been stolen from the host, and within 50 minutes the malware had spread to another workstation, where the process was repeated. In a very short space of time, all workstations had been infected. Qakbot malware will also steal Windows credentials by dumping the memory of the Local Security Authority Subsystem Service (LSASS) process. Typically, credentials are stolen within 50 minutes of initial access being gained.
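LSASS memory dumping is one of the few steps in this chain that is cheap to detect on the endpoint: a process opening a handle to lsass.exe with read access to its memory. The following is an added example written for this article, not code from The DFIR Report or TitanHQ. It assumes Sysmon Event ID 10 (ProcessAccess) records rendered as key=value lines; the log lines and the allowlist of legitimate readers are constructed for the example and must be tuned for a real estate.

```python
import re

# PROCESS_VM_READ is the access right a dumper needs to read LSASS memory.
# Typical dumper masks (0x1010, 0x1410, 0x1FFFFF) all include this bit.
PROCESS_VM_READ = 0x0010

# Assumption: processes that legitimately read LSASS on a typical host.
# Tune per environment; match on full path in production, not just name.
ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Constructed sample events (not real telemetry). The second line mimics the
# DFIR Report scenario: a process named msra.exe, injected with Qakbot,
# reading lsass.exe memory.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\msra.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400",
    r"EventID=10 SourceImage=C:\Program Files\Tool\x.exe TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1FFFFF",
]

# key=value pairs where a value may contain spaces (e.g. "Program Files");
# a value runs until the next " Key=" token or end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse one key=value rendered Sysmon event into a dict."""
    return {k: v for k, v in _KV.findall(line)}


def basename(win_path: str) -> str:
    return win_path.rsplit("\\", 1)[-1].lower()


def is_suspicious_lsass_access(ev: dict) -> bool:
    """True when a non-allowlisted process opens lsass.exe with VM_READ."""
    if ev.get("EventID") != "10":
        return False
    if basename(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    try:
        access = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    if not access & PROCESS_VM_READ:
        return False
    return basename(ev.get("SourceImage", "")) not in ALLOWED_SOURCES


def scan(lines):
    """Return (source image, access mask) for every suspicious LSASS access."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            alerts.append((ev["SourceImage"], ev["GrantedAccess"]))
    return alerts


if __name__ == "__main__":
    for src, mask in scan(SAMPLE_EVENTS):
        print(f"ALERT: {src} opened lsass.exe with GrantedAccess={mask}")
```

The rule keys on the access mask rather than on a fixed list of hacking tools, because Qakbot runs its credential theft from inside injected legitimate processes. That is also why the allowlist is kept short: an attacker who injects into csrss.exe would slip past this rule, so pair it with Event ID 1 (process creation) and Event ID 8 (CreateRemoteThread) data for the source process.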

Detecting the malware once it has been installed can be a challenge, so the key to protecting against infections is to strengthen email defenses, as email is the most common attack vector. That means implementing an email security solution that is not reliant on signature-based detection alone and includes behavior-based detection methods such as sandboxing, together with outbound scanning to identify compromised mailboxes being used to reply to hijacked threads. These features are present in SpamTitan Email Security products. A web filter is also recommended. WebTitan can detect and block command and control communications and provides additional protection against malicious links in emails, including time-of-click protection to prevent users from visiting malicious websites linked in emails.