November 8 - Fake Colleague Email
My colleague got an email “from” me, asking her to click on a link to a zip file, supposedly containing information about how the “Best Chef from Northwest U.S” was “creating new tastes” in Taiwan. The subject is actually the title of an article from a Taiwan newspaper a few days before. The linked file was hosted on the hacked web server of some poor guy’s personal website (I’ve written to him telling him he may want to lock his site down and remove any files he doesn’t recognize.) The zip file contains a .exe file, and has a 6/43 (14.0%) detection rate - rather poor - at VirusTotal.
Subject: Best Chef from Northwest U.S. creates new tastes
Originating IP: 22.214.171.124
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535 [I’m including this because I think it’s the first time I’ve seen an email with this particular mailer.]
September 14 - US Pass the Taiwan Airpower Modernization Act
I got this email - supposedly from my Chairman going by the AOL (heh) email address used as the sender. It was a very poorly constructed email, although the subject matter was clever. Two days earlier, my organization had put out a press release, urging Congress to pass TAMA. The subject was exactly the text of the PR headline, except cutting out a few words to imply that it had actually passed. The link in the email led to a malicious .zip file, hosted on the hacked web server of a company that sells fake brand items (bags, shoes, etc.). That made me laugh, given that I usually name the screenshots for this blog “fake_something.jpg.”
The timing was bad, as it was right in the lead-up to our defense conference. So I didn’t get a chance to process this email (submit to VirusTotal, analyze headers, etc.), but I thought I would post the screenshot anyway.
August 8 - Fake Training Manual
Another one of the emails targeted specifically at me and my colleagues. This email, supposedly containing a link to a “Training Manual” was sent “from” my colleague who handles HR issues to me, our boss, our Chairman, and to the main organization email. The email address they used for our Chairman wasn’t correct, but it was a pretty good guess. Interesting that they used the same guessed email address for him as for an email we saw in June. The email contained a link to a zip file, hosted at what is probably a hacked server in Hong Kong.
I didn’t download and scan this sample (no time, no safe environment to do so), but my understanding is that the linked .zip file contains an Excel file, and it’s most certainly malicious.
Honestly, I was getting a little weirded out at the lack of these types of attack emails lately, and I worried if that indicated that we had been compromised. So I have been extremely paranoid - more so than normal - about scans and monitoring of our work systems. But perhaps it was just a regular lull over the summer…
Subject: Training Manual for US-Taiwan Staffs
June 14 - Fake Chairman About Defense Conference
And it has begun, the exploiting of my defense conference to trick people into opening malicious files. I got this lovely email this morning “from” my Chairman, telling me to download a zip file in order to provide feedback on the conference. Of course, the zip file contained a payload (36.6% at Virustotal). Whoever sent it didn’t do a good job, though, because it landed in my junk filter. Which may be why I got an “update” later in the day, linking to a different zip file (54.8%). There were some minor changes to the email itself, the biggest change being that it was sent through a different server. Then I got a third one too…
Note that the sending email isn’t a valid email on our domain. It was a pretty good guess, though, following the same naming convention that some of us use. (Emails are not consistent across the organization by design. I guess emails for people all the time based on naming conventions, so we don’t have any!)
(Edited to add: We got another email today in the series of emails sent through that mail server of a doctor’s office in Kentucky. I’m not going to bother posting it, it’s really more of the same. Just check out Mila’s series about it instead.)
Message 1:
- Subject: US-Taiwan Defense Industry Conference 2011 Draft
- Received from 126.96.36.199
- links to zip including the name “announcements” (plural)
- MD5: fc97d4d9b624c583815892f3971131
Message 2:
- Subject: US-Taiwan Defense Industry Conference 2011 Draft (update)
- Received from 188.8.131.52
- links to zip including the name “announcement” (singular)
- MD5: 52ca28e93b272c3c2c270aafbc479966
I got a third email also. It was exactly the same as Message 2, except the “sender” was a different colleague.
June 7 - Fake F-16 Info from SASC
This spear phishing/attack email is actually unusually targeted - it looks like the only recipients of this particular email are current/past employees of my NGO, along with our main public email address. The supposed sender was someone well known to us, but who is no longer at that U.S. government post. It came from a Yahoo address, cleverly named so as to slightly misspell the person’s name.
The email itself links to a malicious zip file hosted online. I was super paranoid about this one because it was so targeted, so I never did download the actual file - hence no Virustotal scan.
May 26/27 - Fake Defense Conference Financial Data
This was a pretty targeted one-two attack. On May 26, both my boss and I received an email “from” our colleague, with a cryptic subject header and a link to a zip file purportedly containing data about our annual Taiwan defense conference. It asked us to download information in a zip file from a “purplemoo.com” location online - what appears to be the hacked web server of a legitimate business. I sent the file to Virustotal, which had a decent 33% coverage.
This is all well and good, and sort of standard. But the funny thing was that on May 27, I received another email, with a slightly modified subject line, that claimed “Sory [sic], this is the correct version” and a link to the same file. Again, both my boss and I received the email “from” our colleague, while she received the same email as if “from” my boss. Given that the URL of the compromised file location contained “US-Taiwan”, it seems pretty specific to my NGO only. None of us know what the email subject might be referencing. Headers show both emails sent from 184.108.40.206.
May 26 version:
May 27 version:
March 24 - Fake Red Cross (“World Nuclear Disaster”)
Another not as targeted as normal email, but still interesting. The subject line trumpets “Warning!! World nuclear disaster” and the email itself purports to link to a research report on how “Japan’s nuclear radiation will cause great disaster in the near future, including US. Europe, China etc.”
The link in the email to the “research report” is to a zip file hosted at “redcross.vankin.de” - Vankin is a German webhost, and the text of the email references the German Red Cross, the Deutsches Rotes Kreuz, whose actual domain is www.drk.de. Originating IP: 220.127.116.11.
March 15, 2011 - Fake Wikileaks
Ok, this wasn’t as targeted as normal, but I found it amusing.** It’s an appeal supposedly “from” Wikileaks to download a .zip file with information about the Japan earthquake and tsunami. But it’s also playing on fears of war in Asia: “After the earthquake will once again revive Japanese militarism, China, South Korea, North Korea, Southeast Asia will once again be plunged into the war…”
One of the most amusing things is the “Please chick it to download” title for the link. And if you look at the message source, of course the link isn’t actually to wikileaks.org, like the text says.
** Amusing not because it’s exploiting the tragedy, that’s just wrong and annoying and sad. But the angle they took on this is just ridiculous.
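The pattern in this lure (anchor text naming wikileaks.org while the actual href points elsewhere), together with the spoofed senders outside our domain and the zip links seen throughout this diary, can be checked mechanically. The script below is an added example, not code from the original post: it triages one message, using a placeholder organization domain (example.org), a constructed sample message with placeholder hosts, and a simple regex for anchor extraction rather than a full HTML parser.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

OUR_DOMAIN = "example.org"  # assumption: placeholder for the NGO's own mail domain
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")

def triage(raw: str) -> dict:
    """Return the X-Mailer value and the phishing indicators found in one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = []
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    if not sender.lower().endswith("@" + OUR_DOMAIN):
        findings.append(f"sender {sender} is not on {OUR_DOMAIN}")
    for href, text in ANCHOR_RE.findall(html):  # simple regex; enough for mail bodies like this
        url = urlparse(href)
        host = (url.hostname or "").lower()
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        if shown and shown.group(0) != host:  # text names one site, link goes elsewhere
            findings.append(f"anchor text shows {shown.group(0)} but href host is {host}")
        if url.path.lower().endswith(".zip"):
            findings.append(f"link to archive {href}")
    return {"x_mailer": msg["X-Mailer"], "findings": findings}

# Constructed sample modelled on the Wikileaks lure above; hosts are placeholders.
SAMPLE = """\
From: Wikileaks <press@webmail.example>
To: staff@example.org
Subject: Japan earthquake report
X-Mailer: Auto Mailer (www.automsw.com)
Content-Type: text/html; charset=utf-8

<p>Please chick it to download:
<a href="http://hacked-site.example/files/report.zip">http://wikileaks.org/report.zip</a></p>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```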
December 2, 2010
I got this email “from” my boss, telling me “How about having a meeting tomorrow?” It then asked me to download information about the meeting in a zip file from a yahoodaily.com location online and provide my opinion. Apart from the fact that the email had terrible grammar, this would be so outside the range of normal interaction between us that it’s just silly. But from what I can tell, it was only sent directly to me and to my other colleague. Headers show it being sent from 18.104.22.168.
There were several times through the year 2010 that my colleagues and I were used as the spoofed “sender” of some of these types of emails. Apparently, I sent out a very poorly worded email about “Taiwan’s Self Defense Needs” linking to a zip file containing malicious Word files, hosted on the hacked webserver of a Canadian company selling orthopedic products! Both my colleagues got copies of that email, but I didn’t - at least they were smart enough not to send it directly to me. I contacted the Canadian company, and asked that they remove the file (and told them to let their IT people know, so they could secure their server).
Also, one of my colleagues was the supposed sender on an email about “US-Taiwang News” [sic], which also linked to a zip file with malicious contents, hosted on the hacked webserver of a swimming association in Colorado. I contacted this organization too, asked them to remove the file, and to notify their IT people that they had been hacked.
Finally, my boss was used as the “sender” for an email about Taiwan military modernization. He did write those words - they came directly from an editorial he wrote that was published in Defense News more than a year earlier. The email had a malicious PDF attached.