November 8 - Fake Colleague Email
My colleague got an email “from” me, asking her to click on a link to a zip file, supposedly containing information about how the “Best Chef from Northwest U.S” was “creating new tastes” in Taiwan. The subject is actually the title of an article from a Taiwan newspaper a few days before. The linked file was hosted on the hacked web server of some poor guy’s personal website (I’ve written to him telling him he may want to lock his site down and remove any files he doesn’t recognize.) The zip file contains a .exe file, and has a 6/43 (14.0%) detection rate - rather poor - at VirusTotal.
Subject: Best Chef from Northwest U.S. creates new tastes
Originating IP: 188.8.131.52
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535 [I’m including this because I think it’s the first time I’ve seen an email with this particular mailer.]
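The signals in these entries (a From display name that matches a colleague but comes from an outside address, a slightly misspelled lookalike address, an unusual X-Mailer, and a link to a zip file on somebody else's web server) are easy to check mechanically before anyone clicks. The script below is an added example, not code from this blog or from any tool it mentions. It parses a raw message with Python's standard `email` module and reports those signals. The colleague directory, the org domain, the mailer allowlist and the sample message are all constructed for the example; the Received-header IP it reports is a claim from the headers, not proof of origin, since any hop below your own trusted server can be forged.

```python
"""Header and link triage for 'fake colleague' spear-phishing mail.

Added example; directory, domain, allowlist and the sample message are
all constructed and not taken from the blog.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "us-taiwan.example"  # assumed org domain (constructed)
# Constructed directory: display name -> the person's real address.
COLLEAGUES = {
    "Jane Doe": "jane.doe@us-taiwan.example",
    "John Smith": "john.smith@us-taiwan.example",
}
# Constructed allowlist of mailers normally seen from inside the org.
KNOWN_MAILERS = {"microsoft outlook 14.0"}
ARCHIVE_RE = re.compile(r"https?://\S+?\.(?:zip|rar|7z|exe)\b", re.I)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def originating_ip(msg):
    """X-Originating-IP if present, else the IP in the oldest Received
    header. Received headers are prepended by each hop, so the last one
    listed is the hop closest to the sender."""
    headers = list(msg.get_all("X-Originating-IP") or [])
    headers += reversed(msg.get_all("Received") or [])
    for h in headers:
        m = IP_RE.search(h)
        if m:
            return m.group(1)
    return None


def sender_findings(msg):
    """Flag display-name spoofing and near-miss lookalike addresses."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    known = COLLEAGUES.get(name)
    if known and addr != known.lower():
        findings.append(f"display name '{name}' is a colleague but address is {addr}")
    local = addr.split("@", 1)[0]
    for real in COLLEAGUES.values():
        real_local = real.split("@", 1)[0]
        ratio = difflib.SequenceMatcher(None, local, real_local).ratio()
        # Same name with one character off is the June 7 pattern above.
        if local != real_local and ratio >= 0.8:
            findings.append(f"address {addr} is a near-miss for {real} ({ratio:.2f})")
    return findings


def mailer_findings(msg):
    xm = msg.get("X-Mailer")
    if xm and xm.strip().lower() not in KNOWN_MAILERS:
        return [f"unfamiliar X-Mailer: {xm.strip()}"]
    return []


def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)


def triage(raw):
    msg = message_from_string(raw)
    findings = sender_findings(msg) + mailer_findings(msg)
    findings += [f"link to archive/executable: {u}" for u in ARCHIVE_RE.findall(body_text(msg))]
    return {"originating_ip": originating_ip(msg), "findings": findings}


# Constructed sample modelled on the Nov 8 and June 7 entries (addresses are
# documentation/TEST-NET values, not the real ones from the blog).
SAMPLE = """\
Received: from mail.relay.example ([10.0.0.5]) by mx.us-taiwan.example; Tue, 8 Nov 2011 09:00:00 -0500
Received: from unknown ([198.51.100.23]) by mail.relay.example; Tue, 8 Nov 2011 08:59:00 -0500
From: "Jane Doe" <jane.doee@webmail.example>
To: john.smith@us-taiwan.example
Subject: Best Chef from Northwest U.S. creates new tastes
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535
Content-Type: text/plain; charset=utf-8

See http://www.example.net/files/report.zip for the details.
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("originating IP:", result["originating_ip"])
    for f in result["findings"]:
        print(" -", f)
```

Run against a saved `.eml` by passing its contents to `triage()`; the originating IP and the X-Mailer string are the two fields worth pivoting on across entries, since the same server and mailer recurring over weeks (as with the Kentucky mail server below) is what turns single emails into a campaign.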
August 8 - Fake Training Manual
Another one of the emails targeted specifically at me and my colleagues. This email, supposedly containing a link to a “Training Manual” was sent “from” my colleague who handles HR issues to me, our boss, our Chairman, and to the main organization email. The email address they used for our Chairman wasn’t correct, but it was a pretty good guess. Interesting that they used the same guessed email address for him as for an email we saw in June. The email contained a link to a zip file, hosted at what is probably a hacked server in Hong Kong.
I didn’t download and scan this sample (no time, no safe environment to do so), but my understanding is that the linked .zip file contains an Excel file, and it’s most certainly malicious.
Honestly, I was getting a little weirded out at the lack of these types of attack emails lately, and I worried if that indicated that we had been compromised. So I have been extremely paranoid - more so than normal - about scans and monitoring of our work systems. But perhaps it was just a regular lull over the summer…
Subject: Training Manual for US-Taiwan Staffs
June 16 - Fake Chinese Air Force’s latest weapon
Why yes, I do want to know about the latest and greatest weapons developed by the Chinese Air Force! So tempting! Yet I’m not actually willing to risk clicking on this likely-poisoned link… (Update: A researcher friend of mine has confirmed that the link leads to a page with a malicious Flash file, exploiting a vulnerability that was patched by Adobe as recently as this Tuesday.)
This email came to all of us in my office, and I wouldn’t be surprised if it was a very widespread blast that went to most of the people in D.C. working on defense issues in Asia. It came from a Yahoo email, using a very common type of Chinese name - I have no idea who the person is that’s being impersonated, or indeed if it is perhaps just a random name.
It’s a pretty humdrum email, to be honest. Yet the message source for the HTML email was kind of unusual. The (simplified) Chinese characters included as title names mean “Click for alternate translations” which is almost exactly the phrasing used on Google Translate. I wonder if the text was auto translated from Chinese to English before being pasted into the email?
Also, I was kind of intrigued by the location of the file. It resides on the (likely hacked) webserver of CSCAP, which is the Council for Security Cooperation in the Asia Pacific, and a part of the Institute of International Relations (IIR) at National Chengchi University (NCCU) in Taiwan.
June 13 - Fake Navy Procurement Cuts
Another malicious file sent via the compromised mail server of that doctor’s office in Kentucky. It’s the same as my May 31 and June 1 entries. (Mila at Contagio has more extensive data on some of these files.)
This time, the payload of the spear phishing email was contained in a PDF file (Virustotal 11.9%) talking about Navy procurement (the last few have been Word .doc files). But again this looks more targeted at the D.C. area defense policy people in general, rather than directly at us. Only one of my colleagues got this, I did not - which was kind of strange given that we normally get the same stuff. The text of the email was taken directly from a Navy Times article on June 10. I have no idea who the sender is supposed to be.
June 7 - Fake F-16 Info from SASC
This spear phishing/attack email is actually unusually targeted - it looks like the only recipients of this particular email are current/past employees of my NGO, along with our main public email address. The supposed sender was someone well known to us, but who is no longer at that U.S. government post. It came from a Yahoo address, cleverly named so as to slightly misspell the person’s name.
The email itself links to a malicious zip file hosted online. I was super paranoid about this one because it was so targeted, so I never did download the actual file - hence no Virustotal scan.
June 1 - Two Fake Defense/Military Emails
A steady stream of malicious files… Again, these were more targeted at the D.C. area defense policy people in general, rather than directly at us. But both my colleagues got these - I did not. Both came from the same seemingly-hacked mail server as the one from yesterday. (Use it or lose it, perhaps?)
Both had Word document attachments - one called “Q and A.doc” (Virustotal 30.2%) and one called “2011 Insider’s Guide to Military Benefits.doc” (Virustotal 26.2%). They had different “from” senders listed, and the attachments were not just renamed versions of the same file - they had different file hashes.
The first one seems like it could be a copy of a real email. It’s from someone telling the recipient to read the attached “balanced and fair” article written about an interview. The actual, real article that the text is taken from was published on April 10, 2011.
The second looks like it’s content taken off a website - from an actual publication on military benefits, available for purchase at the website of the spoofed sender.
Honestly, I’m sort of additionally pissed off that it seems they are using the hacked mail server of a doctor’s office in Kentucky to send these out…
May 26/27 - Fake Defense Conference Financial Data
This was a pretty targeted one-two attack. On May 26, both my boss and I received an email “from” our colleague, with a cryptic subject header and a link to a zip file purportedly containing data about our annual Taiwan defense conference. It asked us to download information in a zip file from a “purplemoo.com” location online - what appears to be the hacked web server of a legitimate business. I sent the file to Virustotal, which had a decent 33% coverage.
This is all well and good, and sort of standard. But the funny thing was that on May 27, I received another email, with a slightly modified subject line, that claimed “Sory [sic], this is the correct version” and a link to the same file. Again, both my boss and I received the email “from” our colleague, while she received the same email as if “from” my boss. Given that the URL of the compromised file location contained “US-Taiwan”, it seems pretty specific to my NGO only. None of us know what the email subject might be referencing. Headers show both emails sent from 184.108.40.206.
May 26 version:
May 27 version: