November 8 - Fake Colleague Email
My colleague got an email “from” me, asking her to click on a link to a zip file, supposedly containing information about how the “Best Chef from Northwest U.S” was “creating new tastes” in Taiwan. The subject is actually the title of an article from a Taiwan newspaper a few days before. The linked file was hosted on the hacked web server of some poor guy’s personal website (I’ve written to him telling him he may want to lock his site down and remove any files he doesn’t recognize.) The zip file contains a .exe file, and has a 6/43 (14.0%) detection rate - rather poor - at VirusTotal.
Subject: Best Chef from Northwest U.S. creates new tastes
MD5: b2036cb65a868fde9ff22a72ee3a883d
Originating IP: 63.73.11.15
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535 [I’m including this because I think it’s the first time I’ve seen an email with this particular mailer.]
September 14 - US Pass the Taiwan Airpower Modernization Act
I got this email - supposedly from my Chairman going by the AOL (heh) email address used as the sender. It was a very poorly constructed email, although the subject matter was clever. Two days earlier, my organization had put out a press release, urging Congress to pass TAMA. The subject was exactly the text of the PR headline, except cutting out a few words to imply that it had actually passed. The link in the email led to a malicious .zip file, hosted on the hacked web server of a company that sells fake brand items (bags, shoes, etc.). That made me laugh, given that I usually name the screenshots for this blog “fake_something.jpg.”
The timing was bad, as it was right in the lead-up to our defense conference. So I didn’t get a chance to process this email (submit to VirusTotal, analyze headers, etc.), but I thought I would post the screenshot anyway.
August 8 - Fake Training Manual
Another one of the emails targeted specifically at me and my colleagues. This email, supposedly containing a link to a “Training Manual” was sent “from” my colleague who handles HR issues to me, our boss, our Chairman, and to the main organization email. The email address they used for our Chairman wasn’t correct, but it was a pretty good guess. Interesting that they used the same guessed email address for him as for an email we saw in June. The email contained a link to a zip file, hosted at what is probably a hacked server in Hong Kong.
I didn’t download and scan this sample (no time, no safe environment to do so), but my understanding is that the linked .zip file contains an Excel file, and it’s most certainly malicious.
Honestly, I was getting a little weirded out at the lack of these types of attack emails lately, and I worried that it might indicate that we had been compromised. So I have been extremely paranoid - more so than normal - about scans and monitoring of our work systems. But perhaps it was just a regular lull over the summer…
Subject: Training Manual for US-Taiwan Staffs
June 16 - Fake Chinese Air Force’s latest weapon
Why yes, I do want to know about the latest and greatest weapons developed by the Chinese Air Force! So tempting! Yet I’m not actually willing to risk clicking on this likely-poisoned link… (Update: A researcher friend of mine has confirmed that the link leads to a page with a malicious Flash file, exploiting a vulnerability that was patched by Adobe as recently as this Tuesday.)
This email came to all of us in my office, and I wouldn’t be surprised if it was a very widespread blast that went to most of the people in D.C. working on defense issues in Asia. It came from a Yahoo email, using a very common type of Chinese name - I have no idea who the person is that’s being impersonated, or indeed if it’s perhaps just a random name.
It’s a pretty humdrum email, to be honest. Yet the message source for the HTML email was kind of unusual. The (simplified) Chinese characters included as title attributes mean “Click for alternate translations,” which is almost exactly the phrasing used on Google Translate. I wonder if the text was auto-translated from Chinese to English before being pasted into the email?
Also, I was kind of intrigued by the location of the file. It resides on the (likely hacked) webserver of CSCAP, which is the Council for Security Cooperation in the Asia Pacific, and a part of the Institute of International Relations (IIR) at National Chengchi University (NCCU) in Taiwan.
June 7 - Fake F-16 Info from SASC
This spear phishing/attack email is actually unusually targeted - it looks like the only recipients of this particular email are current/past employees of my NGO, along with our main public email address. The supposed sender was someone well known to us, but who is no longer at that U.S. government post. It came from a Yahoo address, cleverly named so as to slightly misspell the person’s name.
The email itself links to a malicious zip file hosted online. I was super paranoid about this one because it was so targeted, so I never did download the actual file - hence no VirusTotal scan.
May 26/27 - Fake Defense Conference Financial Data
This was a pretty targeted one-two attack. On May 26, both my boss and I received an email “from” our colleague, with a cryptic subject header and a link to a zip file purportedly containing data about our annual Taiwan defense conference. It asked us to download information in a zip file from a “purplemoo.com” location online - what appears to be the hacked web server of a legitimate business. I sent the file to VirusTotal, which had a decent 33% coverage.
This is all well and good, and sort of standard. But the funny thing was that on May 27, I received another email, with a slightly modified subject line, that claimed “Sory [sic], this is the correct version” and a link to the same file. Again, both my boss and I received the email “from” our colleague, while she received the same email as if “from” my boss. Given that the URL of the compromised file location contained “US-Taiwan”, it seems pretty specific to my NGO only. None of us know what the email subject might be referencing. Headers show both emails sent from 63.233.155.6.
May 26 version:
May 27 version:
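The tells that recur across these entries are all in the headers and the link: a From display name borrowed from a colleague but sent from some other address (the November 8, August 8 and May 26/27 emails), a free-mail address whose local part nearly matches a known person’s name (June 7), an originating IP buried in the Received chain, an unusual X-Mailer, and a link that ends in .zip. The script below is an added example, not part of the original post, that pulls those signals out of a raw message. The staff directory, addresses and message body are constructed; only the originating IP and the X-Mailer string are taken from the November 8 entry.

```python
"""Triage a raw email for the spear-phishing tells seen on this page.

All sample data here is constructed for the example; the IP literal and the
X-Mailer value are the ones reported in the November 8 entry.
"""
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical staff directory: display name -> the person's real address.
DIRECTORY = {
    "Jane Colleague": "jane@example.org",
    "Chairman Smith": "chairman@example.org",
}

# Constructed message modeled on the November 8 entry.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mx.example.org with ESMTP; Tue, 8 Nov 2011 09:12:01 -0500
Received: from [63.73.11.15] (unknown [63.73.11.15])
\tby mail.example.org with SMTP; Tue, 8 Nov 2011 09:11:58 -0500
From: "Jane Colleague" <jane.colleague@mail-example.net>
To: me@example.org
Subject: Best Chef from Northwest U.S. creates new tastes
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535
Content-Type: text/plain; charset=us-ascii

Please see http://victim-site.example/images/chef.zip for the article.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL = re.compile(r"https?://[^\s<>\"']+")
RISKY_EXT = (".zip", ".exe", ".rar", ".scr")


def parse(raw):
    """Parse with the modern policy so headers unfold and get_body() works."""
    return message_from_string(raw, policy=policy.default)


def originating_ip(msg):
    """Received headers are prepended by each hop, so the earliest hop is the
    last one listed; its first IP literal is where the message entered."""
    for hop in reversed(msg.get_all("Received") or []):
        m = IPV4.search(hop)
        if m:
            return m.group(1)
    return None


def display_name_spoof(msg, directory):
    """True when the From display name is a colleague's but the address is not."""
    name, addr = parseaddr(msg["From"] or "")
    expected = directory.get(name)
    return expected is not None and addr.lower() != expected.lower()


def lookalike_sender(msg, directory, threshold=0.8):
    """The June 7 pattern: a local part that nearly, but not exactly, spells a
    known person's name. Returns the impersonated name or None."""
    _, addr = parseaddr(msg["From"] or "")
    local = addr.split("@")[0].lower().replace(".", "")
    for name in directory:
        target = name.lower().replace(" ", "")
        ratio = difflib.SequenceMatcher(None, local, target).ratio()
        if local != target and ratio >= threshold:
            return name
    return None


def risky_links(msg):
    """URLs in the text body that point at archives or executables."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return [u for u in URL.findall(body)
            if u.lower().rstrip(".,)").endswith(RISKY_EXT)]


def triage(raw, directory=DIRECTORY):
    msg = parse(raw)
    return {
        "originating_ip": originating_ip(msg),
        "x_mailer": msg.get("X-Mailer"),
        "display_name_spoof": display_name_spoof(msg, directory),
        "lookalike_sender": lookalike_sender(msg, directory),
        "risky_links": risky_links(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The originating IP comes from the earliest Received hop, which is the only hop the sender does not control; X-Originating-IP and similar headers are set by the sender's provider and are worth recording but not trusting. The lookalike check deliberately skips exact matches so that a colleague's legitimate address is not flagged against her own directory entry.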