November 3 - Fake “Statement” campaign
For the last week+, I have been getting these pdf “statement” emails - sometimes several a day. It’s starting to get ridiculous. All of us have been receiving them, including our general office email box. Until today, though, they have all been from senders using Chinese characters in the “from” and subject fields, and in the email text if there is any. Nobody here would get any legitimate emails in Chinese, so all of us just automatically ignore and delete them. (We get lots of rants about China/Taiwan issues from random people, so we get a few of them a week.) It’s also the first one flagged as “High Importance.” The “reply to” email is also completely different from the sender.
The attachments have all been named very similar to this one, with a date and the word “statement.” That they misspelled “statement” is new, I believe, although I may be mistaken. The date in the name of the file is usually the day you get the email or the next/previous day. The attachments are all .pdf files. This particular one had a 9/43 (20.9%) rate of detection at VirusTotal. Interestingly, the email was “Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])”, which was also used in a recent Chinese-language email about Gaddafi’s death posted by Contagio.
Subject: 1104statment
MD5: 86730a9bc3ab99503322eda6115c1096
Originating IP: 60.249.181.163
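As an added example (my own illustration, not code from this blog), here is a small Python triage script that checks a raw message for the indicators this entry and the About This Blog note describe: a Reply-To domain that differs from the From domain, the originating IP taken from the bottom-most Received: header, the High Importance flag, and a “<date>statement”-style attachment name (including the “statment” misspelling). The sample message is constructed with documentation-range addresses and is not the actual email.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real message) modelled on the post's indicators:
# From/Reply-To mismatch, a Received: hop naming the originating IP,
# an Importance: High flag and a "<date>statment" attachment name.
SAMPLE_EMAIL = """\
Received: from mx.ngo.example.invalid (localhost [127.0.0.1]); Thu, 3 Nov 2011 08:12:00 +0000
Received: from deepin-f12c1fc0 (host.isp.example.invalid [203.0.113.7]); Thu, 3 Nov 2011 08:11:58 +0000
From: Accounts <accounts@sender.example.invalid>
Reply-To: billing@other.example.invalid
Subject: 1104statment
Importance: High
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="1104statment.pdf"
Content-Disposition: attachment; filename="1104statment.pdf"

--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Matches names like "1104statement.pdf" and the misspelled "1104statment.pdf".
LURE_NAME_RE = re.compile(r"^\d{3,4}\s*stat\w*ment", re.IGNORECASE)

def domain_of(header_value):
    """Lowercase domain of the first address in a header (empty if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def originating_ip(msg):
    """The bottom-most Received: header is the hop closest to the real sender."""
    for hop in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hop)
        if m and not m.group(1).startswith("127."):
            return m.group(1)
    return None

def triage(raw):
    """Flag the indicators the post describes; returns a findings dict."""
    msg = message_from_string(raw, policy=policy.default)
    reply_dom = domain_of(msg["Reply-To"])
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    f = {
        "originating_ip": originating_ip(msg),
        "reply_to_mismatch": bool(reply_dom) and reply_dom != domain_of(msg["From"]),
        "high_importance": str(msg.get("Importance", "")).lower() == "high",
        "lure_attachment": any(LURE_NAME_RE.match(n) for n in names),
        "misspelled_statement": any("statment" in n.lower() for n in names),
    }
    f["score"] = sum(1 for v in f.values() if v is True)  # count of boolean hits
    return f
```

The originating IP is only a lead for correlation (as with the hinet.net address above), not proof of who sent the message, since the Received: chain below your own mail server can be forged.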
June 1 - Two Fake Defense/Military Emails
A steady stream of malicious files… Again, these were more targeted at the D.C. area defense policy people in general, rather than directly at us. But both my colleagues got these - I did not. Both came from the same seemingly-hacked mail server as the one from yesterday. (Use it or lose it, perhaps?)
Both had Word document attachments - one called “Q and A.doc” (VirusTotal 30.2%) and one called “2011 Insider’s Guide to Military Benefits.doc” (VirusTotal 26.2%). They had different “from” senders listed, and the attachments were not just renamed versions of the same file - they had different file hashes.
The first one seems like it could be a copy of a real email. It’s from someone telling the recipient to read the attached “balanced and fair” article written about an interview. The actual, real article that the text is taken from was published on April 10, 2011.
The second looks like it’s content taken off a website - from an actual publication on military benefits, available for purchase at the website of the spoofed sender.
Honestly, I’m sort of additionally pissed off that it seems they are using the hacked mail server of a doctor’s office in Kentucky to send these out…
May 26/27 - Fake Defense Conference Financial Data
This was a pretty targeted one-two attack. On May 26, both my boss and I received an email “from” our colleague, with a cryptic subject header and a link to a zip file purportedly containing data about our annual Taiwan defense conference. It asked us to download information in a zip file from a “purplemoo.com” location online - what appears to be the hacked web server of a legitimate business. I sent the file to Virustotal, which had a decent 33% coverage.
This is all well and good, and sort of standard. But the funny thing was that on May 27, I received another email, with a slightly modified subject line, that claimed “Sory [sic], this is the correct version” and a link to the same file. Again, both my boss and I received the email “from” our colleague, while she received the same email as if “from” my boss. Given that the URL of the compromised file location contained “US-Taiwan”, it seems pretty specific to my NGO only. None of us know what the email subject might be referencing. Headers show both emails sent from 63.233.155.6.
May 26 version:
May 27 version:
May 3 - Osama bin Laden Malware
It was inevitable that such a hugely important event would be used to spread malware. There was even a segment about watching out for it on the radio this morning! I’m actually kind of excited to have received one, weirdly enough. None of my colleagues got a copy.
The sender is supposedly a Senior Fellow at a prominent local NGO, although the “From” email listed isn’t correct. Note that the email was sent “To” an email address with the same user name, but the domain is a letter scramble similar to the real domain (turning it into the actual domain of a completely different NGO, likely unintentionally). The attached Word document - called, ominously, “Laden’s Death.doc” - has a minimal profile at Virustotal - only one positive detection (2.4%) when I uploaded it this morning. The Subject line, “Courier who led U.S. to Osama bin Laden’s hideout identified” is the exact headline copied from a CNN article posted overnight. The sender’s IP address: 220.228.120.62. Looks like it might have been sent from a compromised Lotus Notes mail system at a tech company in Taiwan.
Update: Both F-Secure and Contagio have more details, including what the document looks like. The text in the document is copied exactly from that CNN article.
About This Blog
This tumblelog is the extension of a post on my “regular” blog, because that post was getting unwieldy with examples.
I want to highlight the general issue of socially engineered and specifically targeted malware and trojans being spread through crafted spear-phishing emails, because it’s something that affects me on a regular basis.
Since late December, 2006, we have noted these types of attacks where I work. After looking into it in more detail, I have seen instances of this type of stuff going back to as early as 2003. But 2006 was when we began noticing a pattern of emails that contained malware-infested attachments but that still seemed very, very well written and targeted towards the kinds of topics that my colleagues and I would be interested in.
It began with things like “here is an update on our new board members” or “here is the contact information we have for you, please update and send back” supposedly sent from organizations that we were working with on various projects. They were almost good enough to fool us, but the tone and content of the emails rang false enough that we became suspicious. I began systematically tracking these emails, in an effort to see what on earth was going on. Early on, they were mostly Word files, but that has since changed to become primarily PDF files, and sometimes zip files containing .chm files (a compiled HTML format developed by Microsoft for online help documents). Usually they come attached to the targeted email, but sometimes those emails just contain links to outside files hosted on hacked webservers.
Then in the spring of 2007, the non-profit that I work for was used as the “sender” in a big email blast with malicious attachments that really put us on notice that this was going on. That’s when I started talking to the people in the community about this, and when we started blowing the whistle on this issue to our contacts within the U.S. government.
Our good name and reputation have been used many times since then to try to spread malware. It is incredibly frustrating and scary to see your name and email address used in the From and signature fields of an email that you did not send - an email that contained a trojan-infected attachment, and that then went out to lots of people you work with and some you only know by reputation. It’s usually worse because it’s generally an email that you could potentially have sent out (in my case, usually something about the Taiwan defense conference I plan each year), so they must be watching you in some manner.
This microblog is intended as a place for me to post quickly the new examples of real, actual spear-phishing emails that I receive.
NOTE: This blog is not intended as a malware analysis blog - that niche is covered quite nicely already by the Contagio Dump and others. Rather, it is intended to raise awareness within my work community, and perhaps within the general internet community as well, that this type of activity is ongoing. Posts here are merely a potential tool for learning to recognize targeted emails using readily available information (such as SMTP headers) contained within the emails themselves.
I am working directly with several security researchers on the malware we receive, and I am unable to add any more researchers to the mix - sorry.