November 4 - Fake Conference Information
Another day, another malware email. This one is also “Received: from deepin-f12c1fc0” just like yesterday, but with a better lure, I think. The email says “Please refer to,Have a nice weekend!” in an attempt to get me to open the poisoned “Conference information for next week.pdf” attachment. The VirusTotal scan shows a decent 12/43 (27.9%) detection rate. Just like for yesterday, the message is set to be of “High Importance.” But hey, that’s nice that they wished me a good weekend!
Subject: Conference information for next week
MD5: f567ffd4f7a19a469d836e5a0a9552ab
Originating IP: 60.249.181.163
November 3 - Fake “Statement” campaign
For the last week+, I have been getting these pdf “statement” emails - sometimes several a day. It’s starting to get ridiculous. All of us have been receiving them, including our general office email box. Until today, though, they have all been from senders using Chinese characters in the “from” and subject fields, and in the email text if there is any. Nobody here would get any legitimate emails in Chinese, so all of us just automatically ignore and delete them. (We get lots of rants about China/Taiwan issues from random people, so we get a few of them a week.) It’s also the first one flagged as “High Importance.” The “reply to” email is also completely different from the sender.
The attachments have all been named very similar to this one, with a date and the word “statement.” That they misspelled “statement” is new, I believe, although I may be mistaken. The date in the name of the file is usually the day you get the email or the next/previous day. The attachments are all .pdf files. This particular one had a 9/43 (20.9%) rate of detection at VirusTotal. Interestingly, the email was “Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])” which was also used in a recent Chinese-language email about Gaddafi’s death posted by Contagio.
Subject: 1104statment
MD5: 86730a9bc3ab99503322eda6115c1096
Originating IP: 60.249.181.163
October 25 - Excel File from “IBM111”
Another random Excel file. No idea who the sender is supposed to be. It uses a relevant subject line, although the Excel file name isn’t anything except a date and a number. The file has an 8/42 (19%) detection rate at VirusTotal, a little higher today than when I originally submitted it. Might not have bothered posting this, except for the fact that it came from that IBM111 server that we just saw in a similar instance and that Contagio also mentioned earlier this month.
Subject: US-TAIWAN
MD5: 97ff2338e568fc382d41c30c31f89720
Sending IP: 60.249.219.82
October 12 - Malicious Excel File from Fake Air Force Sender
This is pretty sloppy. Who, in this day and age, would just open a mystery Excel spreadsheet sent in a blank email from some random Wright-Patterson Air Force Base email? But it’s definitely from one of the same groups that have been sending us better targeted stuff for a while - I think I’ve seen that “IBM111” computer before. The attached .xls file has only a 14% detection rate (6/43) on VirusTotal.
Email Subject: 20111012
MD5: 5fd848000d68f45271a0e1abd5844493
Originating IP: 60.249.219.82
September 30 - Fake Internship Application
It had to happen eventually. Luckily, my colleague is a star who is diligent about scanning all the internship applications she gets, and who is also savvy enough to see the warning signs of a disconnect between sender email/sender name and the signed name at the bottom of the email. We have a very active internship program, and she is listed as the contact on our website, so she gets quite a few applications each week. We both knew that it was only a matter of time before this became a vector, hence the diligent scanning.
So this is a fake internship application with two malicious attached Word .doc files, one named “Resume” and one named “Semester desired.” It’s actually two copies of the same file, which had already been uploaded by someone else at VirusTotal. The scanning showed detection at 8/42, or 19%.
Message
Subject: Winter/Spring Internship
Attachment MD5: 24fd4fb44d08c1a8d02dfd72155305d0
Received from: 121.32.69.44
August 15 - Invitation: US-Taiwan Defense Industry Conference 2011
Another email using my defense conference as bait to trick people into opening a malware-laden PDF attachment. The email looks exactly like the one from August 8, down to the attachment - it’s the same file. The original upload of August 8 had 41.9% coverage at VirusTotal. I re-scanned the file, now the coverage is up at 58.1%. Still not all that great, unfortunately.
The main difference this time was the target list. Last time, it seemed from the returns that it was targeting one of the largest think tanks here in the D.C. area. This time, the target was defense and security think tanks and academic institutions, but also apparently the U.S. Department of State. The vast majority of returns were from non-existing state.gov email addresses:

The coolest thing, though, was to see how some of the recipients’ mail systems dealt with this email. Several have apparently blocked ALL emails coming in from the IP address in question (60.249.181.163) using the Barracuda spam blocking system. I wonder if that is a wider block on Hinet overall, so it blocks legitimate email traffic from Taiwan as well? Hinet is, after all, a main ISP in Taiwan.
Several other systems also blocked the email because they detected the malicious attachment. The one in the screenshot below is apparently using McAfee, although others that blocked it were using Trend Micro - at least if you go by the name of the detection.
It’s encouraging that not all the malware-laden emails sent reached their destinations. Yet I still hate having my hard work organizing this conference be tainted by these malicious emails sent out in our name…
Message
Subject: Invitation: US-Taiwan Defense Industry Conference 2011
Attachment MD5: 61cd38ea5bd91ce96f62540d403bd702
Received from: 60.249.181.163
Update, August 16
Two more campaigns went out overnight. We got about 20 returns for another mailing of the “Invitation” email, and about five for the “Agenda” email. The returns once again came primarily from U.S. government domains, from a bunch of older emails (several returns from emails that I know have been obsolete for a while). Luckily, they are lazy and are using the same PDF with the same hash and the same exploit, and the same mailing server. So it looks like a lot of places have gotten wise to it and blocked the mail either for a malicious attachment, or for coming from a bad IP. Unfortunately, we also got a few “Out of Office” replies…
August 8 - Invitation: US-Taiwan Defense Industry Conference 2011
I am angry about this email, because it really feels like an attack on me personally. This kind of stuff makes doing my job - which includes promoting events - so much harder.
I only discovered this particular one because it came back as a return for an email sent to an invalid address at a large and influential think tank. Basically, it’s my NGO used as the sender, and the defense conference I plan each year used as the bait, to try to trick the recipients into opening a malicious PDF file named “Conference Registration Form.pdf.” The attached malicious PDF had a decent 41% detection rate at VirusTotal. The text and graphics in the email itself (down to the destinations for the links shown in the email) were taken directly from the front page of the conference website, with small adjustments to fit the text colors to the color scheme of the site.
I was able to get a copy from someone else of the original headers for this email, and I found it interesting that it was sent from a computer named “councilpc” - just like a similar email from the 2010 conference. Perhaps there really is a machine out there in attack-land that is dedicated to sending out stuff “from” us? Seems rather random otherwise, but who knows.

Message
Subject: Invitation: US-Taiwan Defense Industry Conference 2011
Attachment MD5: ec8a87a00b874899839b03479b3d7c5c
Received from: 60.249.181.163
From what I have heard, a very similar email to this one was sent out to some prominent members of the community, including one of my speakers. That email had the same header and sender but was called “Agenda - US-Taiwan Defense Industry Conference 2011” and contained an .exe .scr file zipped up in a .zip attachment. Haven’t been able to confirm, though, as nobody who I know received it has been able to send me a copy.
Update
Someone who reads this blog (thanks!) kindly provided me with some details on this other email, as follows:
The email with the subject “Agenda for US-Taiwan Defense Industry Conference 2011” had similar headers:
Received: from councilpc (60-249-181-163.HINET-IP.hinet.net [60.249.181.163]) (authenticated bits=0)
by msr10.hinet.net (8.14.2/8.14.2) with ESMTP id p78DnWDd011944
The email has no content, only an attachment called: Agenda - US-Taiwan Defense Industry Conference 2011.zip with md5 61cd38ea5bd91ce96f62540d403bd702. The zip file contains a .SCR file which drops out a common targeted attack backdoor. The backdoor connects to rdaccount.dns1.us. The backdoor is the same as the one which is dropped from the PDF in the other email you mention “Invitation: US-Taiwan Defense Industry Conference 2011.”
Message
Subject: Agenda for US-Taiwan Defense Industry Conference 2011
Attachment MD5: 61cd38ea5bd91ce96f62540d403bd702
Received from: 60.249.181.163
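The two things that actually stopped some of these mailings, according to the bounce returns described above, were a block on the first-hop sending IP and a match on the attachment. The script below is an added example (not code from this blog or from any of the vendors mentioned) of that same triage done locally: it parses the bottom-most Received header in the form the reader quoted above (“from councilpc (60-249-181-163.HINET-IP.hinet.net [60.249.181.163]) …”), hashes every attachment, and compares both against the IPs, machine names and MD5s listed in these entries. The sample message it builds is constructed for the example: the relay name mx.example.invalid, the relay IP 203.0.113.10, the sender addresses and the placeholder PDF bytes are all made up, so the placeholder's MD5 will not match any hash on this page.

```python
"""Triage an incoming message against the sender and attachment indicators collected on this page."""
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators quoted in the entries above: first-hop Received IPs, the sending
# machine names seen in those hops, and the attachment MD5s.
KNOWN_BAD_IPS = {"60.249.181.163", "60.249.219.82", "121.32.69.44"}
KNOWN_BAD_HELO = {"councilpc", "deepin-f12c1fc0", "IBM111"}
KNOWN_BAD_MD5 = {
    "f567ffd4f7a19a469d836e5a0a9552ab", "86730a9bc3ab99503322eda6115c1096",
    "97ff2338e568fc382d41c30c31f89720", "5fd848000d68f45271a0e1abd5844493",
    "24fd4fb44d08c1a8d02dfd72155305d0", "61cd38ea5bd91ce96f62540d403bd702",
    "ec8a87a00b874899839b03479b3d7c5c", "8356b3dfdafc580a9def6dc55bc7aacf",
    "f8b7c2361416e56928f457f6eb834896",
}

# "from <helo> (<reverse-dns> [<ip>]) ..." as in the quoted header; the parenthesised
# part is optional so a bare "from deepin-f12c1fc0" still yields the machine name.
_HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^\[\)]*?)\s*\[([\d.]+)\])?", re.I)


def parse_first_hop(msg):
    """Return (helo, rdns, ip) from the bottom-most Received header, which is the
    hop where the sending machine handed the message to its first relay.
    Fields that are not present come back as None."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None, None
    # Relays prepend their Received line, so the origin hop is the last one.
    origin = " ".join(str(received[-1]).split())
    m = _HOP_RE.search(origin)
    if not m:
        return None, None, None
    return m.group(1), m.group(2), m.group(3)


def attachment_hashes(msg):
    """MD5 of every attachment body, keyed by filename (unnamed parts get an index)."""
    out = {}
    for i, part in enumerate(msg.iter_attachments()):
        payload = part.get_payload(decode=True) or b""
        out[part.get_filename() or f"part-{i}"] = hashlib.md5(payload).hexdigest()
    return out


def triage(raw_bytes, bad_ips=KNOWN_BAD_IPS, bad_helo=KNOWN_BAD_HELO, bad_md5=KNOWN_BAD_MD5):
    """Parse one raw RFC 5322 message and list which indicators it matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    helo, rdns, ip = parse_first_hop(msg)
    hashes = attachment_hashes(msg)
    hits = []
    if ip in bad_ips:
        hits.append(f"first-hop IP {ip} is on the block list")
    if helo in bad_helo:
        hits.append(f"sending machine name {helo!r} was seen in earlier campaigns")
    for name, digest in hashes.items():
        if digest in bad_md5:
            hits.append(f"attachment {name!r} matches known MD5 {digest}")
    return {"subject": str(msg["Subject"]), "helo": helo, "rdns": rdns, "ip": ip,
            "attachments": hashes, "hits": hits}


def build_sample(helo="councilpc", rdns="60-249-181-163.HINET-IP.hinet.net", ip="60.249.181.163"):
    """Constructed test message: origin hop modelled on the header quoted above,
    everything else (relay, addresses, attachment bytes) is a made-up placeholder."""
    m = EmailMessage()
    m["Subject"] = "Invitation: US-Taiwan Defense Industry Conference 2011"
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    # Header order matters: the relay that delivered to us is on top, the origin hop at the bottom.
    m["Received"] = ("from msr10.hinet.net (msr10.hinet.net [203.0.113.10]) "
                     "by mx.example.invalid with ESMTP id constructed01")
    m["Received"] = (f"from {helo} ({rdns} [{ip}]) (authenticated bits=0) "
                     "by msr10.hinet.net (8.14.2/8.14.2) with ESMTP id p78DnWDd011944")
    m.set_content("")
    m.add_attachment(b"%PDF-1.4\n% constructed placeholder, not the real attachment\n",
                     maintype="application", subtype="pdf",
                     filename="Conference Registration Form.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample())
    print(result["subject"], "<-", result["helo"], result["rdns"], result["ip"])
    for hit in result["hits"]:
        print(" *", hit)
```

Only the bottom Received line is trusted here because every line above it was written by relays we can see; the one thing the sender controls in that bottom line is the HELO name, which is exactly why a name like “councilpc” or “IBM111” recurring across campaigns is worth matching on alongside the relay-recorded IP.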
August 3 - Fake 2011 Internal Budget
This email is not specifically targeted at the China-watchers like normal, instead it’s more general - the subject could be of interest to anyone working in an office, for example. I don’t know the person who supposedly sent the email. The attached PDF is called “2011 project budget.pdf” (which sounds sort of like the document that caused all those issues for RSA) and had a decent 34.9% detection rate (since updated to 41.9%) at VirusTotal.
Message
Subject: 2011 project budget
Attachment MD5: 8356b3dfdafc580a9def6dc55bc7aacf
July 4 - China’s Efforts Towards A Peaceful Economically Developing World
I have been remiss in posting a few things, since it’s been a pretty quiet month and a half or so, and I’ve been busy. This email, targeted to the overall China-watching community, came in on July 4. It’s a fake article supposedly from The Economist, attached as a PDF file. I couldn’t find an original article with that title, but the magazine did run a June 23, 2011 special on China, so it’s possible that it’s related to that. The text of the email is pretty good, so I wonder if it’s a re-send of an actual email? I wasn’t familiar with the supposed sender, but it looks like he might be involved in a few China-related organizations. The attached PDF was named “10293874.pdf” and had a pretty good 40.5% coverage on VirusTotal.
Message
Subject: China’s Efforts Towards A Peaceful Economically Developing World
MD5: f8b7c2361416e56928f457f6eb834896
June 13 - Fake Navy Procurement Cuts
Another malicious file sent via the compromised mail server of that doctor’s office in Kentucky. It’s the same as my May 31 and June 1 entries. (Mila at Contagio has more extensive data on some of these files.)
This time, the payload of the spear phishing email was contained in a PDF file (VirusTotal 11.9%) talking about Navy procurement (the last few have been Word .doc files). But again this looks more targeted at the D.C. area defense policy people in general, rather than directly at us. Only one of my colleagues got this; I did not, which was kind of strange given that we normally get the same stuff. The text of the email was taken directly from a Navy Times article on June 10. I have no idea who the sender is supposed to be.