Targeted Email Attacks

Another day, another malware email. This one is also “Received: from deepin-f12c1fc0” just like yesterday, but with a better lure, I think. The email says “Please refer to,Have a nice weekend!” in an attempt to get me to open the poisoned “Conference information for next week.pdf” attachment. The VirusTotal scan shows a decent 12/43 (27.9%) detection rate. Just like for yesterday, the message is set to be of “High Importance.” But hey, that’s nice that they wished me a good weekend!

Subject: Conference information for next week
MD5: f567ffd4f7a19a469d836e5a0a9552ab
Originating IP: 60.249.181.163

For the last week+, I have been getting these pdf “statement” emails - sometimes several a day. It’s starting to get ridiculous. All of us have been receiving them, including our general office email box. Until today, though, they have all been from senders using Chinese characters in the “from” and subject fields, and in the email text if there is any. Nobody here would get any legitimate emails in Chinese, so all of us just automatically ignore and delete them. (We get lots of rants about China/Taiwan issues from random people, so we get a few of them a week.) It’s also the first one flagged as “High Importance.” The “reply to” email is also completely different from the sender.

The attachments have all been named very similar to this one, with a date and the word “statement.” That they misspelled “statement” is new, I believe, although I may be mistaken. The date in the name of the file is usually the day you get the email or the next/previous day. The attachments are all .pfd files. This particular one had a 9/43 (20.9%) rate of detection at VirusTotal. Interestingly, the email was “Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])” which was also used in a recent Chinese-language email about Gaddafi’s death posted by Contagio.

Subject: 1104statment
MD5: 86730a9bc3ab99503322eda6115c1096
Originating IP: 60.249.181.163

I found this very amusing. It is a lazy spearphish type email using the upcoming Halloween holiday as a lure. At first I wondered if it used to be different types of briefing points originally, and the text was just changed? There is an extra space in the text before “Halloween,” which is why it seemed like it was edited. But then I went to the website of the Navy Safety Center, and they actually have Halloween Briefing Points in a PDF and a PP presentation on Halloween hazards! Not sure why, but there you are. (Screenshot for posterity). 

Again this came from an unknown to me sender. We were not the only ones who got this, anyway, as TrendMicro posted about the same email. (Although when I originally submitted it to VT, they did not have a detection for it, although it had a decent 37.2% detection rate.)

The email header showed the originating IP as being a restaurant in Philadelphia, which I thought was interesting. Doubt the restaurant was open at the time, given that it was sent at 4:40am…

Subject: Fwd: Halloween Briefing Points
MD5: 926313fbe5289125af4bf65440bf3036
Originating IP: 75.150.170.174

This was pretty well done. It’s an invitation to attend and to register for an event in Taipei, jointly held by three of the most prominent foreign trade associations in Taiwan. The event itself is real. The supposed sender is the real event coordinator, and someone with whose name I’m familiar - we work extensively with her organization. The email was sent to three people - me, my boss, and a former colleague - it was the inclusion of that colleague (with a long-retired email address) that tipped me off right away.

The email used the information straight from the website of the real event, but the “sender” uses a well-named yahoo.com email address instead of the person’s real email - another indicator. The email had two attachments - one called “Registration Form.doc” and one called “AmCham BCCT ECCT Joint Luncheon.pdf.” The PDF document had an 11/42 (26.2%) detection rate at VirusTotal, while the Word document was 8/42 (19.0%). (From what I can gather from the detections, the Word file is set to utilize the CVE-2010-3333 “RTF Stack Buffer Overflow” vulnerability in Office.)

Email Subject: AmCham / BCCT / ECCT Joint Luncheon
Attachment MD5 (Word): c4b130ab3dd60b94e0e3a9edb589b735
Attachment MD5 (PDF):   b2157f975ae5fbc26a2d97b2af94dc08
Received from: 173.245.79.43

This email is not specifically targeted at the China-watchers like normal, instead it’s more general - the subject could be of interest to anyone working in an office, for example. I don’t know the person who supposedly sent the email. The attached PDF is called “2011 project budget.pdf” (which sounds sort of like the document that caused all those issues for RSA) and had a decent 34.9% (since updated to 41.9%) at VirusTotal. 

Message
Subject: 2011 project budget
Attachment MD5:  8356b3dfdafc580a9def6dc55bc7aacf

I have been remiss in posting a few things, since it’s been a pretty quiet month and a half or so, and I’ve been busy. This email, targeted to the overall China-watching community, came in on July 4. It’s a fake article supposedly from The Economist, attached as a PDF file. I couldn’t find an original article with that title, but the magazine did run a June 23, 2011 special on China, so it’s possible that it’s related to that. The text of the email is pretty good, so I wonder if it’s a re-send of an actual email? I wasn’t familiar with the supposed sender, but it looks like he might be involved in a few China-related organizations. The attached PDF was named “10293874.pdf” and had a pretty good 40.5% coverage on VirusTotal.

Message

- Subject: China’s Efforts Towards A Peaceful Economically Developing World
- MD5   : f8b7c2361416e56928f457f6eb834896

Another malicious file sent via the compromised mail server of that doctor’s office in Kentucky. Its the same as my May 31 and June 1 entries. (Mila at Contagio has more extensive data on some of these files)

This time, the payload of the spear phishing email was contained in a PDF file (Virustotal 11.9%) talking about Navy procurement (the last few have been Word .doc files). But again this looks more targeted at the D.C. area defense policy people in general, rather than directly at us. Only one of my colleagues got this, I did not - which was kind of strange given that we normally get the same stuff. The text of the email was taken directly from a Navy Times article on June 10. I have no idea who the sender is supposed to be.

Another day, another poisoned PDF attachment. The supposed sender is someone we work with quite often, who is well known in the community. You can see that someone just used a common misspelling of his first name, then created a Gmail address using that spelling. The “To” address is a real address to a fairly high level executive within his Asia-related, high-profile NGO.

I was intrigued by this one, because it seems like one of the attachments - ”US OSAC Report” - is completely clean, at least according to Virustotal (I didn’t open it to find out). It’s the other one, called “Middle East Civil Unrest” that is clearly malicious (22.5%). The subject line, as well as most of the actual text of the email, comes straight from a real report released under the auspices of the U.S. Department of State’s Bureau of Diplomatic Security (OSAC=Overseas Security Advisory Council, a joint government/industry security project). The real document was released as a “Global Security Report” on April 19 (scroll down, you can’t link to it directly as it’s behind a login).

The email was signed with a correct nickname, and someone had added “Please open the attached document to view the full report and its content” to the other text copied straight off the OSAC website. I have to wonder if this is a copy of a real email that the person had sent out with the real OSAC report attached, which was then co-opted and re-sent out with the added malicious attachment. Or it could just be that someone is really good at pulling one of these together, I suppose.

It’s been quiet for a while, but we got three today! Guess the Adobe 0-day is keeping people busy? This email comes “from” the US Naval Institute, and is text copied directly from a cool article on the USNI website (but without the awesome pictures). The supposed sender is probably the first person they could find on the USNI website with full contact info - it’s the info of an advertising manager. The malicious attachment is a PDF, which has about 40% coverage on Virustotal. I thought this was sort of sloppy and weird, and it only went to the main email for my NGO. But the original article is really fun, at least!!

I have a saved Google search that scans for certain phrases appearing online. Today, it came across this post on the Contagio malware dump website that I hadn’t seen before. The post concerns an email supposedly “from” my boss, using a gmail account he doesn’t control, writing to someone about an important issue - something that we have been actively working on for a long while. The text itself, though, isn’t something he/we had written. Actually, I had heard about this particular email from someone who received it and deleted it, but I never saw the actual email itself. I showed it to him today, and he said that he has never sent out anything even remotely similar. He had also heard about it, but had never seen an actual copy.

This is really well done. It could easily be something he would have sent out - except, of course, for the fact that he would have used his work email, not some weird gmail account, and that he normally sends individual emails to specific people, rather than to some nebulous group of “colleagues”.