Targeted Email Attacks

May 2011 (4 posts)

May 31 - Fake Obama Speech

A “target all Washington, D.C. policy wonks” type email sent to my colleague. Not targeted at my NGO, and not really at the Taiwan/China community either. The email text contains President Obama’s remarks on the Middle East and North Africa, a speech he gave on May 19. The attached Word file was named “President Obama’s Speech.doc” and had 20.9% coverage on Virustotal. I’ve included parts of the email header too, as I found it interesting and sort of sad…

Header:

This email seems rather poorly thought out, as well. Why would someone open the poisoned attachment when the complete text of the speech is included in the email itself?

May 31, 2011 (5 notes)
#.doc #attachment #news #speech #obama
May 26/27 - Fake Defense Conference Financial Data

This was a pretty targeted one-two attack. On May 26, both my boss and I received an email “from” our colleague, with a cryptic subject header and a link to a zip file purportedly containing data about our annual Taiwan defense conference. It asked us to download information in a zip file from a “purplemoo.com” location online - what appears to be the hacked web server of a legitimate business. I sent the file to Virustotal, which had a decent 33% coverage.

This is all well and good, and sort of standard. But the funny thing was that on May 27, I received another email, with a slightly modified subject line, that claimed “Sory [sic], this is the correct version” and a link to the same file. Again, both my boss and I received the email “from” our colleague, while she received the same email as if “from” my boss. Given that the URL of the compromised file location contained “US-Taiwan”, it seems pretty specific to my NGO only. None of us know what the email subject might be referencing. Headers show both emails sent from 63.233.155.6.

May 26 version:

May 27 version:

May 27, 2011 (20 notes)
#targeted, #zip #webserver #external #hacked #ngo #malware #colleague
May 18 - Fake Article Forward from CFR/NC

Another sort-of-targeted email - by that I mean targeted at the China-analyst community in general, not at me or my NGO specifically. Again with a malicious Word file attachment. We used to get .doc files all the time, but then it switched to .pdf almost exclusively. Guess that’s changed lately.

The attachment has decent coverage at Virustotal (38.1%). The immediate sender, supposedly forwarding an interesting article, is at the “NC” - i.e. the National Committee on US-China Relations. The original sender of the email was from the Council on Foreign Relations. The title of the shared article is taken from a real article published on May 17. CFR originally sent the article out at 10:50am on the 17th. That’s a quick turnaround to reuse it for malicious purposes - I got the email at 5:10am on the 18th.

Given the tone of the text in the email, I wonder if this is spoofing a real email? 

May 18, 2011 (5 notes)
#.doc #article #attachment #ngo #word
May 3 - Osama bin Laden Malware

It was inevitable that such a hugely important event would be used to spread malware. There was even a segment about watching out for it on the radio this morning! I’m actually kind of excited to have received one, weirdly enough. None of my colleagues got a copy.

The sender is supposedly a Senior Fellow at a prominent local NGO, although the “From” email listed isn’t correct. Note that the email was sent “To” an email address with the same user name, but the domain is a letter scramble similar to the real domain (turning it into the actual domain of a completely different NGO, likely unintentionally). The attached Word document - called, ominously, “Laden’s Death.doc” - has a minimal profile at Virustotal - only one positive detection (2.4%) when I uploaded it this morning. The Subject line, “Courier who led U.S. to Osama bin Laden’s hideout identified” is the exact headline copied from a CNN article posted overnight. The sender’s IP address: 220.228.120.62. Looks like it might have been sent from a compromised Lotus Notes mail system at a tech company in Taiwan.

Update: Both F-Secure and Contagio have more details, including what the document looks like. The text in the document is copied exactly from that CNN article.

May 3, 2011 (3 notes)
#osama bin laden #ubl #doc #word #world event #ngo #attachment #malware
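The four posts above keep turning up the same red flags: a “From” address that does not match the path in the Received headers, a recipient domain that is a letter scramble of the real one, a .doc attachment, and a link to a zip on somebody else’s compromised web server. The script below is an added example, not code from this blog, that pulls those indicators out of a raw message so a mail admin can triage them in bulk. The sample email, every domain (the `.test` TLD) and the 192.0.2.0/24 addresses are constructed placeholders; `triage()` takes the organization’s real domain as a parameter because the scramble check needs something to compare against.

```python
import re
import email
from email import policy
from email.utils import parseaddr, getaddresses

# Constructed sample message: the headers, domains and IPs are placeholders,
# laid out to show the same indicators described in the posts above.
SAMPLE_EMAIL = """\
Received: from mx.example-ngo.test (mx.example-ngo.test [192.0.2.5])
    by mail.example-ngo.test with ESMTP id A1; Tue, 3 May 2011 05:10:00 -0400
Received: from notes.example-corp.test (unknown [192.0.2.77])
    by mx.example-ngo.test with SMTP id B2; Tue, 3 May 2011 05:09:55 -0400
From: "Senior Fellow" <fellow@real-thinktank.test>
To: analyst@ustawian.test
Subject: Courier who led U.S. to Osama bin Laden's hideout identified
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Sorry, this is the correct version: http://compromised-host.test/US-Taiwan/data.zip

--XYZ
Content-Type: application/msword; name="Speech.doc"
Content-Disposition: attachment; filename="Speech.doc"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ZIP_URL = re.compile(r"https?://[^\s\"'<>]+\.zip\b", re.IGNORECASE)
RISKY_EXTENSIONS = (".doc", ".zip", ".pdf")


def parse(raw):
    """Parse a raw RFC 5322 message into an EmailMessage (policy.default)."""
    return email.message_from_string(raw, policy=policy.default)


def originating_ip(msg):
    """IP from the bottom-most Received header, i.e. the first hop the
    receiving side saw; the posts' '63.233.155.6' style observation."""
    for hop in reversed(msg.get_all("Received") or []):
        match = IPV4_IN_BRACKETS.search(str(hop))
        if match:
            return match.group(1)
    return None


def from_domain(msg):
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def sender_path_mismatch(msg):
    """True when no Received hop mentions the claimed From domain, which is
    what a spoofed 'from our colleague' mail looks like in the headers."""
    hops = " ".join(str(h) for h in (msg.get_all("Received") or [])).lower()
    return from_domain(msg) not in hops


def is_letter_scramble(candidate, legit):
    """Same letters, different order (e.g. the recipient domain in the
    bin Laden post); exact matches are not flagged."""
    c, l = candidate.lower(), legit.lower()
    return c != l and sorted(c) == sorted(l)


def recipient_domains(msg):
    raw_values = [str(msg[h]) for h in ("To", "Cc") if msg[h]]
    return [addr.rpartition("@")[2].lower() for _, addr in getaddresses(raw_values)]


def risky_attachments(msg):
    """Filenames of attachments with the extensions the posts keep seeing."""
    names = (part.get_filename() for part in msg.iter_attachments())
    return [n for n in names if n and n.lower().endswith(RISKY_EXTENSIONS)]


def archive_links(msg):
    """Links to .zip files in the plain-text body (the purplemoo-style lure)."""
    body = msg.get_body(preferencelist=("plain",))
    return ZIP_URL.findall(body.get_content() if body else "")


def triage(raw, legit_domain):
    """Collect the indicators for one message; returns origin IP plus findings."""
    msg = parse(raw)
    findings = []
    if sender_path_mismatch(msg):
        findings.append(f"From domain {from_domain(msg)} absent from Received path")
    for dom in recipient_domains(msg):
        if is_letter_scramble(dom, legit_domain):
            findings.append(f"recipient domain {dom} is a letter scramble of {legit_domain}")
    findings.extend(f"risky attachment {name}" for name in risky_attachments(msg))
    findings.extend(f"archive link {url}" for url in archive_links(msg))
    return {"origin_ip": originating_ip(msg), "findings": findings}


if __name__ == "__main__":
    for line in [triage(SAMPLE_EMAIL, "ustaiwan.test")["origin_ip"]] + \
            triage(SAMPLE_EMAIL, "ustaiwan.test")["findings"]:
        print(line)
```

Run against the sample it reports the hop IP 192.0.2.77, the From-domain mismatch, the scrambled recipient domain, the .doc attachment and the zip link. The scramble check is deliberately strict (an anagram only); a production filter would add edit-distance or homoglyph comparison, but exact anagrams are what the post describes.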