November 8 - Fake Colleague Email

My colleague got an email “from” me, asking her to click on a link to a zip file, supposedly containing information about how the “Best Chef from Northwest U.S” was “creating new tastes” in Taiwan. The subject is actually the title of an article from a Taiwan newspaper a few days before. The linked file was hosted on the hacked web server of some poor guy’s personal website (I’ve written to him telling him he may want to lock his site down and remove any files he doesn’t recognize.) The zip file contains a .exe file, and has a 6/43 (14.0%) detection rate - rather poor - at VirusTotal.

Fake Chef

Subject: Best Chef from Northwest U.S. creates new tastes
MD5: b2036cb65a868fde9ff22a72ee3a883d
Originating IP: 63.73.11.15
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535 [I’m including this because I think it’s the first time I’ve seen an email with this particular mailer.]

September 14 - US Pass the Taiwan Airpower Modernization Act

I got this email - supposedly from my Chairman going by the AOL (heh) email address used as the sender.  It was a very poorly constructed email, although the subject matter was clever. Two days earlier, my organization had put out a press release, urging Congress to pass TAMA. The subject was exactly the text of the PR headline, except cutting out a few words to imply that it had actually passed. The link in the email led to a malicious .zip file, hosted on the hacked web server of a company that sells fake brand items (bags, shoes, etc.). That made me laugh, given that I usually name the screenshots for this blog “fake_something.jpg.”

The timing was bad, as it was right in the lead-up to our defense conference. So I didn’t get a chance to process this email (submit to VirusTotal, analyze headers, etc.), but I thought I would post the screenshot anyway.

Fake Chairman Press Release

August 15 - Invitation: US-Taiwan Defense Industry Conference 2011

Another email using my defense conference as bait to trick people into opening a malware-laden PDF attachment. The email looks exactly like the one from August 8, down to the attachment - it’s the same file. The original upload of August 8 had 41.9% coverage at VirusTotal. I re-scanned the file, now the coverage is up at 58.1%. Still not all that great, unfortunately.

Fake Defense Conference Marketing 2

The main difference this time was the target list. Last time, it seemed from the returns that it was targeting one of the largest think tanks here in the D.C. area. This time, the target was defense and security think tanks and academic institutions, but also apparently the U.S. Department of State. The vast majority of returns were from non-existent state.gov email addresses.

The coolest thing, though, was to see how some of the recipients’ mail systems dealt with this email. Several have apparently blocked ALL emails coming in from the IP address in question (60.249.181.163) using the Barracuda spam blocking system. I wonder if that is a wider block on Hinet overall, so it blocks legitimate email traffic from Taiwan as well? Hinet is, after all, a main ISP in Taiwan.

Several other systems also blocked the email because they detected the malicious attachment. The one in the screenshot below is apparently using McAfee, although others that blocked it were using Trend Micro - at least if you go by the name of the detection.

It’s encouraging that not all the malware-laden emails sent reached their destinations. Yet I still hate having my hard work organizing this conference be tainted by these malicious emails sent out in our name…

Message
Subject: Invitation: US-Taiwan Defense Industry Conference 2011
Attachment MD5: 61cd38ea5bd91ce96f62540d403bd702
Received from: 60.249.181.163

Update, August 16
Two more campaigns went out overnight. We got about 20 returns for another mailing of the “Invitation” email, and about five for the “Agenda” email. The returns once again came primarily from U.S. government domains, from a bunch of older emails (several returns from emails that I know have been obsolete for a while). Luckily, they are lazy and are using the same PDF with the same hash and the same exploit, and the same mailing server. So it looks like a lot of places have gotten wise to it and blocked the mail either for a malicious attachment, or for coming from a bad IP. Unfortunately, we also got a few “Out of Office” replies as well…

August 8 - Invitation: US-Taiwan Defense Industry Conference 2011

I am angry about this email, because it really feels like an attack on me personally. This kind of stuff makes doing my job - which includes promoting events - so much harder. 

I only discovered this particular one because it came back as a return for an email sent to an invalid address at a large and influential think tank. Basically, it’s my NGO used as the sender, and the defense conference I plan each year used as the bait, to try to trick the recipients into opening a malicious PDF file named “Conference Registration Form.pdf.” The attached malicious PDF had a decent 41% detection rate at VirusTotal. The text and graphics in the email itself (down to the destinations for the links shown in the email) were taken directly from the front page of the conference website, with small adjustments to fit the text colors to the color scheme of the site.

Fake DefCon11 Marketing

I was able to get a copy from someone else of the original headers for this email, and I found it interesting that it was sent from a computer named “councilpc” - just like a similar email from the 2010 conference. Perhaps there really is a machine out there in attack-land that is dedicated to sending out stuff “from” us? Seems rather random otherwise, but who knows.

Message
Subject: Invitation: US-Taiwan Defense Industry Conference 2011
Attachment MD5: ec8a87a00b874899839b03479b3d7c5c
Received from: 60.249.181.163

From what I have heard, a very similar email to this one was sent out to some prominent members of the community, including one of my speakers. That email had the same header and sender but was called “Agenda - US-Taiwan Defense Industry Conference 2011” and contained an .exe .src file zipped up in a .zip attachment. I haven’t been able to confirm this, though, as nobody I know who received it has been able to send me a copy.

Update
Someone who reads this blog (thanks!) kindly provided me with some details on this other email, as follows:

The email with the subject “Agenda for US-Taiwan Defense Industry Conference 2011” had similar headers:

Received:     from councilpc (60-249-181-163.HINET-IP.hinet.net [60.249.181.163]) (authenticated bits=0)
        by msr10.hinet.net (8.14.2/8.14.2) with ESMTP id p78DnWDd011944

The email has no content, only an attachment called: Agenda - US-Taiwan Defense Industry Conference 2011.zip with md5 61cd38ea5bd91ce96f62540d403bd702. The zip file contains a .SCR file which drops out a common targeted attack backdoor. The backdoor connects to rdaccount.dns1.us. The backdoor is the same as the one which is dropped from the PDF in the other email you mention “Invitation: US-Taiwan Defense Industry Conference 2011.”

Message
Subject: Agenda for US-Taiwan Defense Industry Conference 2011
Attachment MD5: 61cd38ea5bd91ce96f62540d403bd702
Received from: 60.249.181.163
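The “Received: from councilpc” clue is something a defender can check automatically. The following is an added example, not code from the post: it parses the sendmail-style “from <helo> (<rdns> [<ip>])” clause of a Received header and flags the host names and IPs this post lists. The second sample header and the 192.0.2.10 relay are constructed.

```python
import re
from typing import Optional

# Sending host names and IPs quoted in the post; reused here as a small watch list.
KNOWN_HELO_NAMES = {"councilpc", "testacb8580da5"}
KNOWN_SENDER_IPS = {"60.249.181.163", "168.95.4.157", "59.120.142.18", "63.73.11.15"}

# Matches the sendmail-style clause "from <helo> (<rdns> [<ip>])" that opens a Received header.
_RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

def parse_received(header: str) -> Optional[dict]:
    """Return the HELO name, reverse-DNS name and connecting IP from one Received header."""
    m = _RECEIVED_RE.match(" ".join(header.split()))  # fold the header onto one line first
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}

def assess_received(header: str) -> dict:
    """Parse a Received header and list the reasons a defender would flag it."""
    fields = parse_received(header)
    if fields is None:
        return {"fields": None, "reasons": ["unparseable Received header"]}
    reasons = []
    if fields["helo"].lower() in KNOWN_HELO_NAMES:
        reasons.append("HELO name seen in earlier campaigns")
    if fields["ip"] in KNOWN_SENDER_IPS:
        reasons.append("connecting IP seen in earlier campaigns")
    if "." not in fields["helo"]:
        # A bare machine name in HELO usually means a workstation relaying through its ISP's server.
        reasons.append("HELO is a bare host name, not an FQDN")
    return {"fields": fields, "reasons": reasons}

# Constructed samples: the first mirrors the header quoted above, the second is a clean relay.
SAMPLE_HEADERS = [
    "from councilpc (60-249-181-163.HINET-IP.hinet.net [60.249.181.163]) (authenticated bits=0)\n"
    "        by msr10.hinet.net (8.14.2/8.14.2) with ESMTP id p78DnWDd011944",
    "from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net with ESMTPS id abc123",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(assess_received(h))
```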

December 16, 2010

A “Happy New Year” greeting sent directly to me, supposedly “from” a prominent Taiwan researcher at CSIS. I know this person, but I also know that he has been used as the sender of these types of emails before, poor guy. And the writing style is nowhere close, of course. The fact that it’s about two weeks early for a Happy New Year’s greeting is another clue. Sent from IP 168.95.4.157.

(Aside: CSIS, like my office, uses SPF records to designate which mail servers are allowed to send emails on behalf of our domain. I wish that Google didn’t just “softfail” messages sent from IP addresses not designated as allowed under the SPF record. There should at least be some sort of warning about the softfail - otherwise what’s the point, really?)
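The softfail behaviour in the aside comes down to the qualifier a domain puts on its final “all” term. The evaluator below is an added example, not code from the post: it handles only ip4/ip6 mechanisms plus “all” so it runs offline (include:, a, mx and redirect= need DNS and are rejected), and the 192.0.2.0/24 range and both records are constructed stand-ins for a real SPF record.

```python
import ipaddress

# Simplified SPF evaluator: ip4:/ip6: mechanisms and the final "all" only.
# Mechanisms that need DNS (include:, a, mx, redirect=) are rejected so the example
# runs offline; a real evaluator must resolve and follow them.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record: str):
    """Split an SPF TXT record into (qualifier, network) pairs plus the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" if it matches
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        elif term.lower().startswith(("ip4:", "ip6:")):
            networks.append((qualifier, ipaddress.ip_network(term.split(":", 1)[1], strict=False)))
        else:
            raise ValueError(f"unsupported mechanism in this offline example: {term}")
    return networks, all_qualifier

def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against the record; the first matching mechanism decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    networks, all_qualifier = parse_spf(record)
    for qualifier, net in networks:
        if ip.version == net.version and ip in net:
            return QUALIFIER_RESULT[qualifier]
    # Nothing matched: the "all" qualifier decides; a record without "all" yields neutral.
    return QUALIFIER_RESULT[all_qualifier] if all_qualifier else "neutral"

# Constructed records: 192.0.2.0/24 stands in for the organisation's real mail servers.
SOFTFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"  # "accept but mark" everyone else
HARDFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"  # "reject" everyone else
SPOOFED_SENDER_IP = "168.95.4.157"                # the IP the post gives for the fake greeting

if __name__ == "__main__":
    for record in (SOFTFAIL_RECORD, HARDFAIL_RECORD):
        print(record, "->", check_spf(record, SPOOFED_SENDER_IP))
```

A receiver that only sees “softfail” is honouring the domain’s own “~all” request; publishing “-all” is what turns the same forged message into a hard “fail”.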

Fake Happy New Year

December 2, 2010

I got this email “from” my boss, telling me “How about having a meeting tomorrow?” It then asked me to download information about the meeting in a zip file from a yahoodaily.com location online and provide my opinion. Apart from the fact that the email had terrible grammar, this would be so outside the range of normal interaction between us that it’s just silly. But from what I can tell, it was only sent directly to me and to my other colleague. Headers show it being sent from 59.120.142.18.

Fake Boss Meeting Request

July/August/September, 2010

There were several times through the year 2010 that my colleagues and I were used as the spoofed “sender” of some of these types of emails. Apparently, I sent out a very poorly worded email about “Taiwan’s Self Defense Needs” linking to a zip file containing malicious Word files, hosted on the hacked webserver of a Canadian company selling orthopedic products! Both my colleagues got copies of that email, but I didn’t - at least they were smart enough not to send it directly to me. I contacted the Canadian company, and asked that they remove the file (and told them to let their IT people know, so they could secure their server).

Fake Email from Me

Also, one of my colleagues was the supposed sender on an email about “US-Taiwang News” [sic], which also linked to a zip file with malicious contents, hosted on the hacked webserver of a swimming association in Colorado. I contacted this organization too, asked them to remove the file, and to notify their IT people that they had been hacked.

Fake News

Finally, my boss was used as the “sender” for an email about Taiwan military modernization. He did write those words - they came directly from an editorial he wrote that was published in Defense News more than a year earlier. The email had a malicious PDF attached.

Fake Boss Defense from Op Ed

September/October, 2010

Copying information directly from a website and sending it out as an HTML email with a malicious attachment became a trend through the end of the year. In September, I received an email supposedly “from” my own organization, using content copied from our website, this time with information about our quarterly semiconductor report, with a malicious PDF attachment. The PDF was named “Executive Summary” because we post executive summaries of the reports on the website.

The graphics and text are taken from the Tech Products page on our website, while the contact info/open hours are taken from the contact page.

Fake Semi Quarterly

Similarly, in October, I received information about F-16s (the topic of a report I had edited earlier in the year), with content straight off the Lockheed Martin website. Both of these emails used information and pictures from various pages on the websites (so it wasn’t as easy as just copy/pasting a single page; they were specifically crafted) and had PDF attachments containing malware.

Fake F-16

September, 2010

My defense conference was in early October of 2010, and we began receiving malware-laden emails as early as January of that year. We got quite a few of them, too many to include every single one here. But I thought I would put up two examples. On September 28, I received this email with text copied from the conference website. The text was taken directly from the introduction page on the conference site, including using the right color green for the text. It came from a specifically-crafted Yahoo address, but - curiously - didn’t have any attachments or links.

Fake DefCon10 September

The next day, I again received an email with text copied from the conference website, this time with text taken directly from the agenda page and incorporating the background graphic from the website. This time, there was a malicious PDF attachment. Interestingly, the email was sent from the same Yahoo address, but the “return to” email was configured differently.

Fake DefCon10 September Agenda

Also, the computer that sent the email was called “councilpc” (none of our in-house computers have that name). Not sure what that means (intended to confuse people who read headers, a dedicated computer for sending emails that are “from” us?), but it’s kind of creepy.

Fake DefCon10 September Agenda 2

January, 2010

My 2010 Defense Conference-related targeted attacks have apparently started already, more than nine months out. Oh joy…

There were two emails from a gmail account - a user “jswang”, which is a pretty generic Chinese name. One was sent directly to me, and I was included in a mass mail for the other. The titles of these emails - see the screen shot of the direct email below, and this screen shot of the mass email - are both “US-Taiwan Defense Industry Conference 2010”, with an infected PDF file of that same name attached. Oh, and look! It’s sent from that same computer as the December 23, 2009 one - both emails are “Received: from testacb8580da5”.

Fake DefCon10 January

We received more emails from this computer too, on January 16, a fake bio of a prominent researcher. Another email from January 13, talking about CSIST (the Taiwan military’s R&D organization), see this screenshot, was sent from user “jswang” again, at a nonexistent Taiwan government domain, and with that same “Received: from testacb8580da5” in the header.

Fake CSIST

Now I think these are still pretty sloppy, actually. Particularly the defense conference ones, given that it’s MY conference and I would know right away when an email about it isn’t real.