September 30 - Fake Internship Application
It had to happen eventually. Luckily, my colleague is a star who is diligent about scanning all the internship applications she gets, and who is also savvy enough to see the warning signs of a disconnect between sender email/sender name and the signed name at the bottom of the email. We have a very active internship program, and she is listed as the contact on our website, so she gets quite a few applications each week. We both knew that it was only a matter of time before this became a vector, hence the diligent scanning.
So this is a fake internship application with two malicious attached Word .doc files, one named “Resume” and one named “Semester desired.” It’s actually two copies of the same file, which had already been uploaded by someone else at VirusTotal. The scanning showed detection at 8/42, or 19%.
Message
Subject: Winter/Spring Internship
Attachment MD5: 24fd4fb44d08c1a8d02dfd72155305d0
Received from: 121.32.69.44
May 18 - Fake Article Forward from CFR/NC
Another sort-of-targeted email - by that I mean targeted at the China-analyst community in general, not at me or my NGO specifically. Again with a malicious Word file attachment. We used to get .doc files all the time, but then it switched to .pdf almost exclusively. Guess that’s changed lately.
The attachment has decent coverage at VirusTotal (38.1%). The immediate sender, supposedly forwarding an interesting article, is at the “NC” - i.e. the National Committee on US-China Relations. The original sender of the email was from the Council on Foreign Relations. The title of the shared article is taken from a real article published on May 17. The original sending out of the article from CFR was at 10:50am on the 17th. That’s a quick turnaround to use it for malicious purposes - I got the email at 5:10am on the 18th.
Given the tone of the text in the email, I wonder if this is spoofing a real email?
May 3 - Osama bin Laden Malware
It was inevitable that such a hugely important event would be used to spread malware. There was even a segment about watching out for it on the radio this morning! I’m actually kind of excited to have received one, weirdly enough. None of my colleagues got a copy.
The sender is supposedly a Senior Fellow at a prominent local NGO, although the “From” email listed isn’t correct. Note that the email was sent “To” an email address with the same user name, but the domain is a letter scramble similar to the real domain (turning it into the actual domain of a completely different NGO, likely unintentionally). The attached Word document - called, ominously, “Laden’s Death.doc” - has a minimal profile at VirusTotal - only one positive detection (2.4%) when I uploaded it this morning. The Subject line, “Courier who led U.S. to Osama bin Laden’s hideout identified” is the exact headline copied from a CNN article posted overnight. The sender’s IP address: 220.228.120.62. Looks like it might have been sent from a compromised Lotus Notes mail system at a tech company in Taiwan.
Update: Both F-Secure and Contagio have more details, including what the document looks like. The text in the document is copied exactly from that CNN article.
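The two warning signs that recur in these entries - the disconnect between the From name and the name signed at the bottom (September 30), and the letter-scrambled lookalike domain (May 3) - plus hashing of any Word attachment so the MD5 can be looked up at VirusTotal without opening the file, as an added Python example that is not part of the original post. The message, names and domains below are constructed, and the trusted-domain list and the edit-distance threshold are assumptions for the sake of the example.

```python
"""Triage heuristics for a suspicious e-mail: From-name vs. signed-name
mismatch, letter-scrambled lookalike domains, and MD5 of attachments.
Added example; the sample message below is constructed, not a real sample."""
import hashlib
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed: the domains we expect our own mail to involve.
TRUSTED_DOMAINS = {"example-ngo.test"}
OFFICE_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf")

# Constructed sample: From display name differs from the signature, the To
# domain is an anagram of the trusted domain, and a .doc is attached.
SAMPLE_EML = b"""From: "Jane Analyst" <jane.analyst@example-mail.test>
To: intern-coordinator@example-gno.test
Subject: Winter/Spring Internship
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Hello,

Please find my resume attached.

Best regards,
Robert Smith
--XYZ
Content-Type: application/msword; name="Resume.doc"
Content-Disposition: attachment; filename="Resume.doc"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBkb2N1bWVudA==
--XYZ--
"""


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates (anagram or within 2 edits), else None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if sorted(domain) == sorted(t) or levenshtein(domain, t) <= 2:
            return t
    return None


def name_tokens(name):
    return {tok.strip(".,").lower() for tok in name.split() if len(tok) > 1}


def signature_name(body):
    """Crude heuristic: the last non-empty line of the body is the signed name."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return lines[-1] if lines else ""


def signer_mismatch(display_name, signed_name):
    """True when the From display name shares no token with the signed name."""
    a, b = name_tokens(display_name), name_tokens(signed_name)
    return bool(a and b) and not (a & b)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def attachment_hashes(msg):
    """(filename, md5) for every attachment; the hash is what you look up, not the file."""
    return [(part.get_filename() or "", md5_hex(part.get_payload(decode=True) or b""))
            for part in msg.iter_attachments()]


def triage(raw, trusted=TRUSTED_DOMAINS):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, from_addr = parseaddr(msg["From"] or "")
    _, to_addr = parseaddr(msg["To"] or "")
    body_part = msg.get_body(preferencelist=("plain",))
    signed = signature_name(body_part.get_content() if body_part else "")
    lookalikes = {}
    for addr in (from_addr, to_addr):
        dom = addr.rpartition("@")[2]
        hit = lookalike_domain(dom, trusted) if dom else None
        if hit:
            lookalikes[dom] = hit
    hashes = attachment_hashes(msg)
    office = [n for n, _ in hashes if n.lower().endswith(OFFICE_EXTENSIONS)]
    mismatch = signer_mismatch(display, signed)
    return {
        "from_display": display, "from_address": from_addr, "signed_name": signed,
        "signer_mismatch": mismatch, "lookalike_domains": lookalikes,
        "attachments": hashes, "office_attachments": office,
        "suspicious": bool(mismatch or lookalikes or office),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

None of these checks proves anything on its own; the point is to surface the same cues a careful recipient notices (name disconnect, scrambled domain, Office attachment) before the file is opened, and to produce a hash that can be checked against VirusTotal or an internal blocklist.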