Increase in Phishing Emails Using .Com File Extensions

November 23, 2018


The anti-phishing solution supplier Cofense, formerly PhishMe, has informed a noticeable rise in phishing campaigns utilizing files with the .com extension. The .com extension is utilized for text files with executable bytecode. The code can be performed on Microsoft NT-kernel-based and DOS operating systems.

The campaigns recognized through Cofense Intelligence are mainly being transmitted to financial facility divisions and are utilized to download a range of malevolent payloads including the Loki Bot, Pony, and AZORult information stealers and the Hawkeye keylogger.

Some of the electronic mails in the campaigns clarify the user must open a .iso file attached to the electronic mail to see information linked to the electronic mail notification. The .iso file contains the .com executable. One such electronic mail declared to be from a firm that had received payment, however, had no outstanding bills. The electronic mail requested the receiver check the payment with the finance division to decide if a mistake had been made. The attachment seemed to be a credit notification from the bank.

The subject lines utilized in the phishing campaigns are different and include shipping information notices, price requests, remittance advice, bank information, and bills, even though the two most usual subjects contained a reference to ‘payment’ or a ‘purchase order’.

The payment themed electronic mails were utilized with the AzoRult information stealer and the purchase order subject lines were utilized with Loki Bot and Hawkeye.

Most of the campaigns utilized the .com file as an electronic mail attachment, even though some variations utilized an intermediate dropper and downloaded the .com file through a malevolent macro or exploit. The latter is becoming more usual as IT safety teams are prepared to the direct delivery method. Most of the malware variations used in these campaigns interconnected with domains hosted on Cloudflare. Nevertheless, Cofense notes that the actual C2 is not hosted on Cloudflare. Cloudflare is utilized as a domain front as Cloudflare is often entrusted by companies and is for that reason less likely to arouse doubt.

Cofense expects there will be an increase in the use of .com attachments in phishing campaigns and suggests companies to include the file extension in their anti-phishing training programs and phishing electronic mail simulations to main users for when attacks happen.