Targeted Email Attacks

It had to happen eventually. Luckily, my colleague is a star who is diligent about scanning all the internship applications she gets, and who is also savvy enough to see the warning signs of a disconnect between sender email/sender name and the signed name at the bottom of the email. We have a very active internship program, and she is listed as the contact on our website, so she gets quite a few applications each week. We both knew that it was only a matter of time before this became a vector, hence the diligent scanning.

So this is a fake internship application with two malicious attached Word .doc files, one named “Resume” and one named “Semester desired.” It’s actually two copies of the same file, which had already been uploaded by someone else at VirusTotal. The scanning showed detection at 8/42, or 19%.

Message
Subject: Winter/Spring Internship
Attachment MD5: 24fd4fb44d08c1a8d02dfd72155305d0
Received from: 121.32.69.44

It was inevitable that such a hugely important event would be used to spread malware. There was even a segment about watching out for it on the radio this morning! I’m actually kind of excited to have received one, weirdly enough. None of my colleagues got a copy.

The sender is supposedly a Senior Fellow at a prominent local NGO, although the “From” email listed isn’t correct. Note that the email was sent “To” an email address with the same user name, but the domain is a letter scramble similar to the real domain (turning it into the actual domain of a completely different NGO, likely unintentionally). The attached Word document - called, ominously, “Laden’s Death.doc” - has a minimal profile at Virustotal - only one positive detection (2.4%) when I uploaded it this morning. The Subject line, “Courier who led U.S. to Osama bin Laden’s hideout identified” is the exact headline copied from a CNN article posted overnight. The sender’s IP address: 220.228.120.62. Looks like it might have been sent from a compromised Lotus Notes mail system at a tech company in Taiwan.

Update: Both F-Secure and Contagio have more details, including what the document looks like. The text in the document is copied exactly from that CNN article.

Another of what I think of as not-that-targeted-but-sort-of emails, containing a malicious Word attachment of supposed draft meeting minutes labeled “Asia policy notations.” The file had about 24% coverage on Virustotal the first time I scanned it, but that’s been upped to 31.7% a day later.

Although the “From” and “To” names are different, the email address is the same for both. It’s that same email address as one of the April 13 emails, using a Gmail account by the name of a well known analyst at a prominent semiconductor market research firm. The supposed sender is completely unknown to me (unless it’s supposed to be the French Minister for Climate Change?), but the supposed recipient used to work on China issues at the IMF until last year.

This came as a BCC to my boss today. The “To” recipient is a person at the local D.C. office of the Taiwan government (effectively the embassy, although it’s not officially called that). It has the same user name as his official Taiwan government email, so I wonder if it’s his personal email address. The attachment, a Word document with no name (possibly because the original document used Chinese characters in the file name) has about 25% coverage at Virustotal. Better than the other file from today, but still pretty poor.


  
The inclusion of the Yahoo Liam image cracked me up…

A “Happy New Year” greeting sent directly to me, supposedly “from” a prominent Taiwan researcher at CSIS. I know this person, but I also know that he has been used as the sender of these types of emails before, poor guy. And the writing style is nowhere close, of course. The fact that it’s about two weeks early for a Happy New Year’s greeting is another clue. Sent from IP 168.95.4.157.

(Aside: CSIS, like my office, uses SPF records to designate which mail servers are allowed to send emails on behalf of our domain. I wish that Google didn’t just “softfail” messages sent from IP addresses not designated as allowed under the SPF record. There should at least be some sort of warning about the softfail - otherwise what’s the point, really?)

This was a weird one, also sent directly to me. It looks like it could be a copy of a real email sent from a staff member of a Congressperson, sending along a resume for consideration. Obviously not a real email, as the greeting is for “John” not me. It contains a malicious Word file attachment. The sender is from a yahoo address, mimicking the normal house.gov style of email addresses. I sent a note to the real house.gov email in the signature, telling her about the use of her name. But it bounced - I guess it’s no longer a valid email.

There were several times through the year 2010 that my colleagues and I were used as the spoofed “sender” of some of these types of emails. Apparently, I sent out a very poorly worded email about “Taiwan’s Self Defense Needs” linking to a zip file containing malicious Word files, hosted on the hacked webserver of a Canadian company selling orthopedic products! Both my colleagues got copies of that email, but I didn’t - at least they were smart enough not to send it directly to me. I contacted the Canadian company, and asked that they remove the file (and told them to let their IT people know, so they could secure their server).

Also, one of my colleagues was the supposed sender on a an email about “US-Taiwang News” [sic], which also linked to a zip file with malicious contents, hosted on the hacked webserver of a swimming association in Colorado. I contacted this organization too, asked them remove the file, and to notify their IT people that they had been hacked.

Finally, my boss was used as the “sender” for an email about Taiwan military modernization. He did write those words - they came directly from an editorial he wrote that was published in Defense News more than a year earlier. The email had a malicious PDF attached.

On March 13, 2009, George Mason University and others hosted an event called “Space Economy Symposium” in D.C. On August 4, I received a spoofed email from George Mason that claims that the event is taking place a few days later. The email is inviting me to the event, and asks me to take a look at the attached “administrative arrangements”. The attachment was a malware-infested Word document.

Again, I wouldn’t be surprised if this mimics a real invite sent out earlier in the year, as it uses the right sponsor logos and everything, and the text is almost word for word from the main website of the event. It’s very targeted, and it’s sent directly to me and even starts off with “Dear Real Name”.

A note supposedly sending us a “Daily China News Update” from an international Public Relations firm. Screen shot of the fake email, which contained a malware-infected Word document as an attachment.

A note supposedly from a RAND researcher, about the Chinese stock market. Screen shot of the fake email, which contained a malware-infected Word document as an attachment.