Phishing in the Wild II

Phishing is so common that Proficio’s threat intelligence team regularly has the opportunity to research different types of phishing activity. On 13 November 2020, a client requested assistance with a phishing incident that had occurred within their environment.

In this blog, we share some of the findings from our own deep-dive investigation into the HTM spear-phishing email campaign.

In this type of phishing attempt, the adversary sends the victim a spear-phishing email with an HTM (.htm) file attached that contains a URL. Based on the team’s investigation of the reported incident, clicking the link redirects the victim to a phishing page hosted on another domain.

In this incident, the phishing link was hosted on the domain “bayleafinternational[.]com”, and clicking it redirected the browser to the domain “laikipianorthtvc[.]ac[.]ke”. By 18 November 2020, however, that redirect target had been taken down, and the link instead redirected users to the domain “altia[.]in”. A Whois lookup (Figure 1) on the first redirect target, “laikipianorthtvc[.]ac[.]ke”, shows an updated date that suggests the site was taken down on 16 November 2020.

Figure 1 – Sample phishing domain

The team further investigated the redirect target. Simulated access to the phishing domain displayed a page resembling a Microsoft login page (Figure 2). Upon entering credentials, the phishing site redirected the victim to a URL on the same domain with a path containing “/complete?ss=2”; in the incident we investigated, the user was redirected to “hxxps://altia[.]in/complete?ss=2”. An HTTP POST request could also be identified upon submission of the credentials (Figure 3).

Figure 2 – Redirected fake login page

Figure 3 – Test access with response code

Similar phishing activity was also found in the wild, and our research suggests that this campaign started as far back as 1 September 2020 and is likely still ongoing. Multiple domains have been used in the campaign, but some of the older pages have since been taken down.

Comparing the activity observed in this incident with that seen in the wild, aside from the same fake Microsoft login page, the phishing links share the following naming formats:

  • Initial URL from the email
    • <domain>/<base64-encoded victim email address>
  • Redirected phishing page
    • <phishing domain>/?ss=2&ea=<victim email address>&session=<session ID>
  • Redirected completion page
    • <phishing domain>/complete?ss=2
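The three URL shapes above are regular enough to be matched automatically in proxy or email-gateway logs. The script below is an added example written for this post, not code from the original investigation: it refangs URLs the way they appear in a report (hxxp, [.]), decodes a single base64 path segment and checks whether it is an email address, and recognises the ?ss=2&ea=...&session=... and /complete?ss=2 stages. The sample URLs are constructed from the domains named above; the victim address victim@example.com and the session value 3f9a1c are assumptions, not values from the incident.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, parse_qs

# Loose email pattern: enough to tell "victim@example.com" from random base64 payloads.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def refang(url):
    """Undo the defanging used in threat-intel write-ups (hxxp -> http, [.] -> .)."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def decode_b64_segment(segment):
    """Decode one URL path segment as base64 (standard or URL-safe alphabet,
    padding optional) and return the UTF-8 text, or None if it is not base64."""
    seg = segment.replace("-", "+").replace("_", "/")
    seg += "=" * (-len(seg) % 4)
    try:
        return base64.b64decode(seg, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_url(url):
    """Match a URL against the three stages seen in the campaign.

    Returns a dict with 'stage' set to 'initial', 'login', 'complete' or None,
    the host, and the victim address and session ID where the URL carries them.
    """
    p = urlparse(refang(url))
    q = parse_qs(p.query)
    path = p.path.strip("/")
    result = {"stage": None, "host": p.hostname, "email": None, "session": None}

    # Stage 3: <phishing domain>/complete?ss=2
    if path == "complete" and q.get("ss") == ["2"]:
        result["stage"] = "complete"
    # Stage 2: <phishing domain>/?ss=2&ea=<victim email address>&session=<session ID>
    elif q.get("ss") == ["2"] and "ea" in q and "session" in q:
        result.update(stage="login", email=q["ea"][0], session=q["session"][0])
    # Stage 1: <domain>/<base64-encoded victim email address>, a single path segment
    elif path and "/" not in path:
        decoded = decode_b64_segment(path)
        if decoded and EMAIL_RE.match(decoded):
            result.update(stage="initial", email=decoded)
    return result


def scan_urls(urls):
    """Return the campaign-stage hits found in an iterable of URLs, in input order."""
    hits = []
    for u in urls:
        r = classify_url(u)
        if r["stage"]:
            r["url"] = u
            hits.append(r)
    return hits


# Constructed sample: one URL per stage built from the domains named in this post,
# plus a benign URL. The address victim@example.com (base64 dmljdGltQGV4YW1wbGUuY29t)
# and the session value 3f9a1c are assumptions, not values from the incident.
SAMPLE_URLS = [
    "hxxps://bayleafinternational[.]com/dmljdGltQGV4YW1wbGUuY29t",
    "hxxps://altia[.]in/?ss=2&ea=victim@example.com&session=3f9a1c",
    "hxxps://altia[.]in/complete?ss=2",
    "https://www.example.com/index.html",
]

if __name__ == "__main__":
    for hit in scan_urls(SAMPLE_URLS):
        print(f"{hit['stage']:8} {hit['host']:28} {hit['email'] or '-'}  {hit['url']}")
```

The stage-1 check is deliberately strict (one path segment that decodes to something shaped like an email address) so that ordinary base64-looking paths such as CDN asset names do not fire; the stage-2 and stage-3 checks key on the ss=2 parameter rather than on any domain, since the campaign rotated hosts while keeping the same URL structure.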

The following MITRE ATT&CK mapping is based on the investigated incident:

  • Reconnaissance [TA0043]
    • Technique: Phishing for Information: Spearphishing Link [T1598.003]
    • Use: The phishing email contains an HTM file with a link that leads to a fake login page used to steal credentials.
  • Defense Evasion [TA0005]
    • Technique: Masquerading: Match Legitimate Name or Location [T1036.005]
    • Use: The phishing email carries an .htm file whose file name contains the client’s domain.
  • Initial Access [TA0001]
    • Technique: Phishing: Spearphishing Link [T1566.002]
    • Use: The adversaries use spear-phishing emails to redirect victims to credential-harvesting sites.


Anyone can fall victim to a phishing attack. Cybercriminals often try to catch unsuspecting individuals by sending phishing email from reputable or known accounts that the recipient would not expect to be compromised. It is advisable to safeguard yourself and your organization to avoid being the next victim of phishing and credential theft. We recommend that organizations consider the following measures, particularly if this activity has been seen in their environment.

  • Educate your employees and users to improve cybersecurity awareness.
    • Remind users to report any suspicious email they receive, even from other employees, to the cyber-security team.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of compromise.
  • Always verify a suspicious email through a different channel, such as calling the supposed sender.
  • If your organization expects legitimate email from a sender whose account has been compromised, filter by email subject and quarantine messages from that sender addressed to anyone outside the expected recipient list.
  • Reach out to any legitimate sender whose account(s) appear to have been compromised and instruct them to take action to secure the account(s).
  • Make use of multi-factor authentication to protect email and other user credentials.
  • Make use of network segmentation alongside the zero-trust model.

Ryuk Ransomware

Ryuk ransomware was first discovered in the wild in 2018. It is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

This ransomware group did not stop attacking healthcare organizations during the coronavirus pandemic in 2020, as made clear by its recent attack against Universal Health Services (UHS). In this blog, we share the common IOCs for this type of attack and ways to stay protected.

Since 2019, the most common way for Ryuk threat actors to gain entry to a victim’s environment has been through the TrickBot and Emotet malware, often starting with a phishing attack. In the case of the UHS attack, both Emotet and TrickBot were detected within UHS’s environment.

The attack chain often starts with Emotet delivered to a victim host via phishing email; Emotet then downloads TrickBot onto the host. After harvesting data, TrickBot opens a reverse shell that gives the Ryuk threat actors entry to the victim’s environment, allowing them to deploy the ransomware manually on the victim host.

Ryuk ransomware has been found to contain commands for killing services related to antivirus products, and TrickBot is also capable of disabling Microsoft Defender. A UHS employee stated online that during the attack, “multiple antivirus programs were disabled”.

Figure 1 – An example of commands in Ryuk ransomware

According to another UHS employee, one of the infected computers displayed a ransom note that read “Shadow of the Universe”, which is similar to the phrase “balance of shadow universe” seen in previous Ryuk ransom notes. Encrypted files were observed with the extension “.ryk” appended to their names, which is the extension Ryuk uses after successfully encrypting a file.

Figure 2 – Example of a ransom note

While details of the UHS attack are limited, Ryuk ransomware attacks involving TrickBot and Emotet share some common activities and IOCs:

  • Phishing email containing Microsoft Office attachments (.doc, .xls etc.) with macros
  • PowerShell commands executed by the macros
  • Downloading of PowerShell Empire, Cobalt Strike or PsExec
  • Exploitation of the EternalBlue SMB vulnerability (MS17-010) over port 445
  • Unusual scheduled tasks or registry keys created
  • Recurring traffic towards TrickBot C2 servers over ports such as 446, 447, 449 and 8082
  • Privilege escalation
  • Files with the file extension “.ryk”
  • Ransom notes named “RyukReadMe.txt” or “RyukReadMe.html”
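As an added example for this post (not Proficio’s detection content, and not anything recovered from the UHS incident), the script below checks endpoint and network events against the indicators listed above: an Office application spawning PowerShell or another script host, encoded or downloading PowerShell, PsExec execution, scheduled-task creation, outbound connections to the TrickBot ports listed, “.ryk” files and the RyukReadMe note. The event dictionary fields are an assumed simplified schema rather than any vendor’s, and the sample events, host names and addresses are constructed.

```python
# Indicator values come from the list above; field names and samples are assumptions.
TRICKBOT_C2_PORTS = {446, 447, 449, 8082}
RANSOM_NOTES = {"ryukreadme.txt", "ryukreadme.html"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe"}


def _base(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(ev):
    """Return the indicator names a single event matches (empty list if none).

    Events are plain dicts with a 'type' of 'process', 'network' or 'file'.
    The field names below are an assumed schema for this example, not a vendor's.
    """
    hits = []
    t = ev.get("type")
    if t == "process":
        image = _base(ev.get("image", ""))
        parent = _base(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "").lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append("office_macro_spawned_script_host")
        if image in ("powershell.exe", "pwsh.exe") and ("-enc" in cmd or "downloadstring" in cmd):
            hits.append("encoded_or_downloading_powershell")
        if image in LATERAL_TOOLS:
            hits.append("psexec_execution")
        if image == "schtasks.exe" and "/create" in cmd:
            hits.append("scheduled_task_created")
    elif t == "network":
        if ev.get("direction") == "outbound" and int(ev.get("dest_port", 0)) in TRICKBOT_C2_PORTS:
            hits.append("trickbot_c2_port")
    elif t == "file":
        name = _base(ev.get("path", ""))
        if name.endswith(".ryk"):
            hits.append("ryuk_encrypted_file")
        if name in RANSOM_NOTES:
            hits.append("ryuk_ransom_note")
    return hits


def scan_events(events):
    """Run every event through the indicator checks; return (index, host, indicator) tuples."""
    findings = []
    for i, ev in enumerate(events):
        for h in match_event(ev):
            findings.append((i, ev.get("host", "?"), h))
    return findings


# Constructed sample telemetry walking the chain described above; hosts, paths and
# addresses are invented and the 203.0.113.0/24 range is documentation space.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "network", "host": "WS01", "direction": "outbound",
     "dest_ip": "203.0.113.10", "dest_port": 449},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"schtasks /create /tn Update /tr C:\Users\Public\up.exe /sc minute"},
    {"type": "process", "host": "SRV01", "image": r"C:\Tools\PsExec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"PsExec.exe \\SRV02 -s cmd /c C:\Temp\r.exe"},
    {"type": "file", "host": "SRV02", "path": r"D:\Shares\Finance\Q3-report.xlsx.ryk"},
    {"type": "file", "host": "SRV02", "path": r"D:\Shares\Finance\RyukReadMe.html"},
    {"type": "network", "host": "WS02", "direction": "outbound",
     "dest_ip": "203.0.113.20", "dest_port": 443},
]

if __name__ == "__main__":
    for idx, host, indicator in scan_events(SAMPLE_EVENTS):
        print(f"event {idx:2}  {host:6}  {indicator}")
```

Two caveats a practitioner would apply before using checks like these in production: the port-based TrickBot rule is a triage signal rather than proof of C2 (legitimate services can use those ports, so pair it with destination reputation), and EternalBlue exploitation over 445 is not identifiable from a port number alone, which is why no rule above keys on it; that needs IDS signatures for the MS17-010 SMB transactions or patch-state inventory.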

Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of a ransomware attack. We recommend the following measures:

  • Keep antivirus/EDR solutions and the other security tools installed on your systems updated so they can detect ransomware and prevent it from spreading
  • Consider managed EDR services that enable you to react quickly and contain any ransomware incident
    • These services can also play a big part in monitoring and alerting on the attack vectors used as a distribution method
  • Have a cold or distributed backup system in place
    • At a minimum, have backups separate from production systems for your critical files or systems
  • Keep your operating systems up to date on the latest security patches
  • Make use of network segmentation alongside the zero-trust model
  • Close unnecessary network ports to reduce entry points for attackers
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise
  • Educate your employees and users to improve cybersecurity awareness