November 4 - Fake Conference Information
Another day, another malware email. This one also came in “Received: from deepin-f12c1fc0”, just like yesterday's, but with a better lure, I think. The email says “Please refer to,Have a nice weekend!” in an attempt to get me to open the poisoned “Conference information for next week.pdf” attachment. The VirusTotal scan shows a decent 12/43 (27.9%) detection rate. Just like yesterday's, the message is set to be of “High Importance.” But hey, it's nice that they wished me a good weekend!
Subject: Conference information for next week
MD5: f567ffd4f7a19a469d836e5a0a9552ab
Originating IP: 60.249.181.163
November 3 - Fake “Statement” campaign
For the last week or more, I have been getting these pdf “statement” emails - sometimes several a day. It's starting to get ridiculous. All of us have been receiving them, including our general office email box. Until today, though, they have all been from senders using Chinese characters in the “from” and subject fields, and in the email text if there is any. Nobody here would get any legitimate emails in Chinese, so all of us just automatically ignore and delete them. (We get lots of rants about China/Taiwan issues from random people, so we get a few of them a week.) Today's is also the first one flagged as “High Importance.” The “reply to” address is also completely different from the sender.
The attachments have all been named very similarly to this one, with a date and the word “statement.” That they misspelled “statement” is new, I believe, although I may be mistaken. The date in the name of the file is usually the day you get the email or the next/previous day. The attachments are all .pdf files. This particular one had a 9/43 (20.9%) rate of detection at VirusTotal. Interestingly, the email was “Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])”, which was also used in a recent Chinese-language email about Gaddafi's death posted by Contagio.
Subject: 1104statment
MD5: 86730a9bc3ab99503322eda6115c1096
Originating IP: 60.249.181.163
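A header-triage check for the indicators above, as an added example that is not part of the original post: it parses a message with Python's email module and flags the Received host and IP quoted above, the High Importance flag, a Reply-To that differs from From, and the statement-style attachment name. The sample message and the addresses in it are constructed, and an `Importance: high` header is assumed to be how the “High Importance” flag arrived.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators from the two emails described above; the Received line follows
# the "from <helo> (<rdns> [<ip>])" form quoted in the post.
KNOWN_BAD_IPS = {"60.249.181.163"}
KNOWN_BAD_HELO = {"deepin-f12c1fc0"}
RECEIVED = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d+\.\d+\.\d+\.\d+)\]")
# Names seen so far: a four-digit date plus "statement"/"statment", or any .pdf.
LURE_NAME = re.compile(r"^\d{4}stat(e)?ment|\.pdf$", re.IGNORECASE)

def score_headers(raw_message: str) -> list[str]:
    # Returns the campaign indicators one email matches (empty list if none).
    msg = message_from_string(raw_message)
    hits = []
    for received in msg.get_all("Received", []):
        m = RECEIVED.search(received)
        if not m:
            continue
        helo, ip = m.group(1), m.group(2)
        if helo in KNOWN_BAD_HELO:
            hits.append(f"helo:{helo}")
        if ip in KNOWN_BAD_IPS:
            hits.append(f"ip:{ip}")
    if msg.get("Importance", "").lower() == "high":
        hits.append("importance:high")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender:  # replies go to a different mailbox
        hits.append("reply-to-mismatch")
    for part in msg.walk():
        name = part.get_filename()
        if name and LURE_NAME.search(name):
            hits.append(f"attachment:{name}")
    return hits

# Constructed sample in the shape of the November 3 email, not a real capture.
SAMPLE = """\
Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])
From: "Accounts" <accounts@example.com>
Reply-To: someone-else@example.net
Subject: 1104statment
Importance: high
Content-Type: multipart/mixed; boundary="B"

--B
Content-Disposition: attachment; filename="1104statment.pdf"

--B--
"""
```

Any non-empty result is worth a quarantine or a closer look; a single hit such as `importance:high` on its own is weak, so weigh the Received and attachment indicators higher.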