October 26 - Fake “Halloween Briefing Points” from the Navy Safety Center
I found this very amusing. It is a lazy spearphish type email using the upcoming Halloween holiday as a lure. At first I wondered if it had originally been a different type of briefing points, with just the text changed. There is an extra space in the text before “Halloween,” which is why it seemed like it was edited. But then I went to the website of the Navy Safety Center, and they actually have Halloween Briefing Points in a PDF and a PP presentation on Halloween hazards! Not sure why, but there you are. (Screenshot for posterity).
Again, this came from a sender unknown to me. We were not the only ones who got this, anyway, as TrendMicro posted about the same email. (Although when I originally submitted it to VT, they did not have a detection for it, even though it had a decent 37.2% detection rate.)
The email header showed the originating IP as being a restaurant in Philadelphia, which I thought was interesting. Doubt the restaurant was open at the time, given that it was sent at 4:40am…
Subject: Fwd: Halloween Briefing Points
Originating IP: 220.127.116.11
October 12 - Malicious Excel File from Fake Air Force Sender
This is pretty sloppy. Who, in this day and age, would just open a mystery Excel spreadsheet sent in a blank email from some random Wright-Patterson Air Force Base email? But it’s definitely from one of the same groups that have been sending us better-targeted stuff for a while - I think I’ve seen that “IBM111” computer before. The attached .xls file has only a 14% detection rate (6/43) on VirusTotal.
Email Subject: 20111012
Originating IP: 18.104.22.168
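The fields these entries record by hand (subject, sender, originating IP from the oldest Received hop, and attachment names) can be pulled from a raw message as shown in this added Python example, which is not part of the original post. The sample message is constructed (documentation addresses and example hostnames, modelled on the two entries above), and the watch-list of attachment extensions is an assumption.

```python
import email
import re
from email import policy

# Constructed sample modelled on the entries above; hosts and addresses are documentation ranges.
SAMPLE_EML = b"""Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <analyst@recipient.example>; Wed, 26 Oct 2011 04:40:02 -0400
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example.org (Postfix) with ESMTPA id DEF456; Wed, 26 Oct 2011 04:39:58 -0400
From: "Navy Safety Center" <safety@navy.example>
Subject: Fwd: Halloween Briefing Points
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

See attached.
--XX
Content-Type: application/vnd.ms-excel; name="20111012.xls"
Content-Disposition: attachment; filename="20111012.xls"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
WATCH_EXT = (".xls", ".doc", ".pdf")  # assumed watch-list: the attachment types seen in these entries


def originating_ip(msg):
    # Each relay prepends its own Received header, so the oldest hop is the last one in the list.
    for hop in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(str(hop))
        if m:
            return m.group(1)
    return None


def triage(raw: bytes) -> dict:
    """Pull out the fields the entries above record for each suspicious message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    return {
        "subject": str(msg["Subject"]),
        "from": str(msg["From"]),
        "origin_ip": originating_ip(msg),
        "attachments": names,
        "watch": [n for n in names if n.lower().endswith(WATCH_EXT)],
    }
```

The originating IP is only as trustworthy as the relay that wrote that Received line, so it is a lead for the kind of lookup described above, not proof of where the sender sat.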
June 16 - Fake Chinese Air Force’s latest weapon
Why yes I do want to know about the latest and greatest weapons developed by the Chinese Air Force! So tempting! Yet I’m not actually willing to risk clicking on this likely-poisoned link… (Update: A researcher friend of mine has confirmed that the link leads to a page with a malicious Flash file, exploiting a vulnerability that was patched by Adobe as late as this Tuesday.)
This email came to all of us in my office, and I wouldn’t be surprised if it was a very widespread blast that went to most of the people in D.C. working on defense issues in Asia. It came from a Yahoo email, using a very common type of Chinese name - I have no idea who the person is that’s being impersonated, or indeed if it is perhaps just a random name.
It’s a pretty humdrum email, to be honest. Yet the message source for the HTML email was kind of unusual. The (simplified) Chinese characters included as title names mean “Click for alternate translations,” which is almost exactly the phrasing used on Google Translate. I wonder if the text was auto-translated from Chinese to English before being pasted into the email?
Also, I was kind of intrigued by the location of the file. It resides on the (likely hacked) webserver of CSCAP, which is the Council for Security Cooperation in the Asia Pacific, and a part of the Center for International Relations (IIR), at National Chengchi University (NCCU) in Taiwan.
June 13 - Fake Navy Procurement Cuts
Another malicious file sent via the compromised mail server of that doctor’s office in Kentucky. It’s the same as my May 31 and June 1 entries. (Mila at Contagio has more extensive data on some of these files.)
This time, the payload of the spear phishing email was contained in a PDF file (Virustotal 11.9%) talking about Navy procurement (the last few have been Word .doc files). But again this looks more targeted at the D.C. area defense policy people in general, rather than directly at us. Only one of my colleagues got this; I did not, which was kind of strange given that we normally get the same stuff. The text of the email was taken directly from a Navy Times article on June 10. I have no idea who the sender is supposed to be.
June 1 - Two Fake Defense/Military Emails
A steady stream of malicious files… Again, these were more targeted at the D.C. area defense policy people in general, rather than directly at us. But both my colleagues got these - I did not. Both came from the same seemingly-hacked mail server as the one from yesterday. (Use it or lose it, perhaps?)
Both had Word document attachments - one called “Q and A.doc” (Virustotal 30.2%) and one called “2011 Insider’s Guide to Military Benefits.doc” (Virustotal 26.2%). They had different “from” senders listed, and the attachments were not just renamed versions of the same file - they had different file hashes.
The first one seems like it could be a copy of a real email. It’s from someone telling the recipient to read the attached “balanced and fair” article written about an interview. The actual, real article that the text is taken from was published on April 10, 2011.
The second looks like it’s content taken off a website - from an actual publication on military benefits, available for purchase at the website of the spoofed sender.
Honestly, I’m sort of additionally pissed off that it seems they are using the hacked mail server of a doctor’s office in Kentucky to send these out…