Hiatus
This blog is on hold for now. Mostly because the attacks have almost dried up completely. I tweet some examples, but they are few and far between now. That’s a good thing!
@targetedemailattacks
November 21 - Fake Linkedin Invitations
It's been eerily quiet lately, nothing interesting coming in, really. So I thought I would post a few of the fake LinkedIn connection emails from this past fall. Both of these came supposedly "from" government employees - people who show up in my list of secondary contacts.
November 16 - "The Most Se*y Staff in Thales"
I'm just posting this to show the sometimes unintentionally hilarious and weird world I live in. In the early 1990s, Taiwan bought some LaFayette fighters from France. The whole thing turned into a scandal involving bribery and death - see this BBC article for more. The Taiwan government received some of the bribery money back from France in 2007, but they are still trying to recoup some of it. The French company involved in the scandal was Thomson-CSF, which now is called Thales.
That's the background of why this otherwise rather pedestrian "using unclothed women as a lure to get people to open malicious files" email still feels related to some of the other stuff we see, particularly as the originating IP (168.95.4.108) is from Hinet (Taiwan's largest ISP) and the same IP address as in an August 16 entry.
(* instead of x avoid the inevitable crap visits you get when using that word online...)
November 8 - Fake Colleague Email
My colleague got an email "from" me, asking her to click on a link to a zip file, supposedly containing information about how the "Best Chef from Northwest U.S" was "creating new tastes" in Taiwan. The subject is actually the title of an article from a Taiwan newspaper a few days before. The linked file was hosted on the hacked web server of some poor guy's personal website (I've written to him telling him he may want to lock his site down and remove any files he doesn't recognize.) The zip file contains a .exe file, and has a 6/43 (14.0%) detection rate - rather poor - at VirusTotal.
Subject: Best Chef from Northwest U.S. creates new tastes
MD5: b2036cb65a868fde9ff22a72ee3a883d
Originating IP: 63.73.11.15
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535 [I'm including this because I think it's the first time I've seen an email with this particular mailer.]
November 4 - Fake Conference Information
Another day, another malware email. This one is also "Received: from deepin-f12c1fc0" just like yesterday, but with a better lure, I think. The email says "Please refer to,Have a nice weekend!" in an attempt to get me to open the poisoned "Conference information for next week.pdf" attachment. The VirusTotal scan shows a decent 12/43 (27.9%) detection rate. Just like for yesterday, the message is set to be of "High Importance." But hey, that's nice that they wished me a good weekend!
Subject: Conference information for next week
MD5: f567ffd4f7a19a469d836e5a0a9552ab
Originating IP: 60.249.181.163
November 3 - Fake "Statement" campaign
For the last week+, I have been getting these pdf "statement" emails - sometimes several a day. It's starting to get ridiculous. All of us have been receiving them, including our general office email box. Until today, though, they have all been from senders using Chinese characters in the "from" and subject fields, and in the email text if there is any. Nobody here would get any legitimate emails in Chinese, so all of us just automatically ignore and delete them. (We get lots of rants about China/Taiwan issues from random people, so we get a few of them a week.) It's also the first one flagged as "High Importance." The "reply to" email is also completely different from the sender.
The attachments have all been named very similar to this one, with a date and the word "statement." That they misspelled "statement" is new, I believe, although I may be mistaken. The date in the name of the file is usually the day you get the email or the next/previous day. The attachments are all .pdf files. This particular one had a 9/43 (20.9%) rate of detection at VirusTotal. Interestingly, the email was "Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])" which was also used in a recent Chinese-language email about Gaddafi's death posted by Contagio.
Subject: 1104statment
MD5: 86730a9bc3ab99503322eda6115c1096
Originating IP: 60.249.181.163
October 26 - Fake "Halloween Briefing Points" from the Navy Safety Center
I found this very amusing. It is a lazy spearphish type email using the upcoming Halloween holiday as a lure. At first I wondered if it used to be different types of briefing points originally, and the text was just changed? There is an extra space in the text before "Halloween," which is why it seemed like it was edited. But then I went to the website of the Navy Safety Center, and they actually have Halloween Briefing Points in a PDF and a PP presentation on Halloween hazards! Not sure why, but there you are. (Screenshot for posterity).
Again this came from a sender unknown to me. We were not the only ones who got this, anyway, as TrendMicro posted about the same email. (Although when I originally submitted it to VT, they did not have a detection for it, even though it had a decent 37.2% detection rate.)
The email header showed the originating IP as being a restaurant in Philadelphia, which I thought was interesting. Doubt the restaurant was open at the time, given that it was sent at 4:40am...
Subject: Fwd: Halloween Briefing Points
MD5: 926313fbe5289125af4bf65440bf3036
Originating IP: 75.150.170.174
October 25 - Excel File from "IBM111"
Another random Excel file. No idea who the sender is supposed to be. It uses a relevant subject line, although the excel file name isn't anything except a date and a number. The file has an 8/42 (19%) detection rate at VirusTotal, a little higher today than when I originally submitted it. Might not have bothered posting this, except for the fact that it came from that IBM111 server that we just saw in a similar instance and that Contagio also mentioned earlier this month.
Subject: US-TAIWAN
MD5: 97ff2338e568fc382d41c30c31f89720
Sending IP: 60.249.219.82
October 20 - Fake Taipei Event Registration
This was pretty well done. It's an invitation to attend and to register for an event in Taipei, jointly held by three of the most prominent foreign trade associations in Taiwan. The event itself is real. The supposed sender is the real event coordinator, and someone with whose name I'm familiar - we work extensively with her organization. The email was sent to three people - me, my boss, and a former colleague - it was the inclusion of that colleague (with a long-retired email address) that tipped me off right away.
The email used the information straight from the website of the real event, but the "sender" uses a well-named yahoo.com email address instead of the person's real email - another indicator. The email had two attachments - one called "Registration Form.doc" and one called "AmCham BCCT ECCT Joint Luncheon.pdf." The PDF document had an 11/42 (26.2%) detection rate at VirusTotal, while the Word document was 8/42 (19.0%). (From what I can gather from the detections, the Word file is set to utilize the CVE-2010-3333 "RTF Stack Buffer Overflow" vulnerability in Office.)
Email Subject: AmCham / BCCT / ECCT Joint Luncheon
Attachment MD5 (Word): c4b130ab3dd60b94e0e3a9edb589b735
Attachment MD5 (PDF): b2157f975ae5fbc26a2d97b2af94dc08
Received from: 173.245.79.43
October 12 - Malicious Excel File from Fake Air Force Sender
This is pretty sloppy. Who, in this day and age, would just open a mystery Excel spreadsheet sent in a blank email from some random Wright-Patterson Air Force Base email? But it's definitely from one of the same groups that have been sending us better targeted stuff for a while - I think I've seen that "IBM111" computer before. The attached .xls file has only a 14% detection rate (6/43) on VirusTotal.
Email Subject: 20111012
MD5: 5fd848000d68f45271a0e1abd5844493
Originating IP: 60.249.219.82
September 30 - Fake Internship Application
It had to happen eventually. Luckily, my colleague is a star who is diligent about scanning all the internship applications she gets, and who is also savvy enough to see the warning signs of a disconnect between sender email/sender name and the signed name at the bottom of the email. We have a very active internship program, and she is listed as the contact on our website, so she gets quite a few applications each week. We both knew that it was only a matter of time before this became a vector, hence the diligent scanning.
So this is a fake internship application with two malicious attached Word .doc files, one named "Resume" and one named "Semester desired." It's actually two copies of the same file, which had already been uploaded by someone else at VirusTotal. The scanning showed detection at 8/42, or 19%.
Message Subject: Winter/Spring Internship
Attachment MD5: 24fd4fb44d08c1a8d02dfd72155305d0
Received from: 121.32.69.44
September 14 - US Pass the Taiwan Airpower Modernization Act
I got this email - supposedly from my Chairman going by the AOL (heh) email address used as the sender. It was a very poorly constructed email, although the subject matter was clever. Two days earlier, my organization had put out a press release, urging Congress to pass TAMA. The subject was exactly the text of the PR headline, except cutting out a few words to imply that it had actually passed. The link in the email led to a malicious .zip file, hosted on the hacked web server of a company that sells fake brand items (bags, shoes, etc.). That made me laugh, given that I usually name the screenshots for this blog "fake_something.jpg."
The timing was bad, as it was right in the lead-up to our defense conference. So I didn't get a chance to process this email (submit to VirusTotal, analyze headers, etc.), but I thought I would post the screenshot anyway.
August 16 - U.S. To Deny Taiwan New F-16 Fighters - AddThis
I got an email "from" my boss, looking like it was sent using one of those "Add This" helper buttons. It was supposedly a link to a Defense News article that had caused quite a stir overnight, with the headline "U.S. To Deny Taiwan New F-16 Fighters" - an issue, as you may imagine, that is something we have been working on.
But look! The actual link wasn't to the article at all, it was yet another attempt to trick me into revealing my user name and password for my work email. It's that same link as the last two attempts over the last week or so.
A couple of interesting things about this email. One, it was sent using Big5 character set (that's the encoding used for traditional Chinese characters, like the ones used in Taiwan, not the GB set used in China). It was created using the Freeware HTML editor by Kurt Senfer, which I've seen a lot of for these types of emails. It was sent from another Hinet IP address of 168.95.4.108 (very close to the ones used in the last two similar emails). Once again, the name of the computer is appropriate, using the name of the supposed sender (although misspelled, which I thought was funny).
Interestingly, the link to unsubscribe from AddThis looked legitimate, and I figured that it would tell me where the original version of this email came from, so I followed it to "unsubscribe". Looks like the email address originally included in the unsubscribe code was "[email protected]." Not something that I had seen before, and a search online doesn't seem to find any hits for that email. Is it a legitimate email of someone they "own"? Is it an email they use for actual tasks like where to send replies or to gather emails that look good for later use? Who knows. Curious!
Message Subject: [Name, email address] has shared something with you
Received from: 168.95.4.108
Update: It struck me that I should look at what an actual "Add This" email would look like from Defense News. It looks pretty much exactly the same, which leads me to think that they must have sent themselves a copy, then modified it. So much work put into this, it's crazy.
August 15 - Invitation: US-Taiwan Defense Industry Conference 2011
Another email using my defense conference as bait to trick people into opening a malware-laden PDF attachment. The email looks exactly like the one from August 8, down to the attachment - it's the same file. The original upload of August 8 had 41.9% coverage at VirusTotal. I re-scanned the file, now the coverage is up at 58.1%. Still not all that great, unfortunately.
The main difference this time was the target list. Last time, it seemed from the returns that it was targeting one of the largest think tanks here in the D.C. area. This time, the target was defense and security think tanks and academic institutions, but also apparently the U.S. Department of State. The vast majority of returns were from non-existing state.gov email addresses:
The coolest thing, though, was to see how some of the recipients' mail systems dealt with this email. Several have apparently blocked ALL emails coming in from the IP address in question (60.249.181.163) using the Barracuda spam blocking system. I wonder if that is a wider block on Hinet overall, so it blocks legitimate email traffic from Taiwan as well? Hinet is, after all, a main ISP in Taiwan.
Several other systems also blocked the email because they detected the malicious attachment. The one in the screenshot below is apparently using McAfee, although others that blocked it were using Trend Micro - at least if you go by the name of the detection.
It's encouraging that not all the malware-laden emails sent reached their destinations. Yet I still hate having my hard work organizing this conference be tainted by these malicious emails sent out in our name...
Message Subject: Invitation: US-Taiwan Defense Industry Conference 2011
Attachment MD5: 61cd38ea5bd91ce96f62540d403bd702
Received from: 60.249.181.163
Update, August 16: Two more campaigns went out overnight. We got about 20 returns for another mailing of the "Invitation" email, and about five for the "Agenda" email. The returns once again came primarily from U.S. government domains, from a bunch of older emails (several returns from emails that I know have been obsolete for a while). Luckily, they are lazy and are using the same PDF with the same hash and the same exploit, and the same mailing server. So it looks like a lot of places have gotten wise to it and blocked the mail either for a malicious attachment, or for coming from a bad IP. Unfortunately, we also got a few "Out of Office" replies as well...
August 10 - Details of First Chinese Aircraft Carrier Revealed
I guess the first try at getting us to give up our email logins today failed, so they are trying again. And this is a really juicy email, about the first Chinese Aircraft Carrier formerly called the Varyag (purchased from Russia). It even has pictures! The pictures come from a real BBC news story on August 10 with the title "China's first aircraft carrier 'starts sea trials.'"
The email comes from the same supposed sender, using the same computer name and a slightly different IP address like the one from earlier today. Clicking on either the link or the pictures leads you to that same fake page where we are supposed to unthinkingly try to log in to our work emails. I have to hand it to them, though, the fake login page is very well crafted. (My thanks to a less-paranoid friend who went there and took a screenshot.)
Message Subject: Fw: BBC News: Details of First Chinese Aircraft Carrier Revealed
Received from: 168.95.4.104
NOTE: Just like the computer called "councilpc" is being used to send out emails "from" my NGO, so the computer used in this instance (and in the one earlier today) is named "firstinitial lastname pc" of the person supposedly sending out these emails. Seems like it's the same group of people doing both of these, according to that pattern.
August 10 - Biden not to discuss with China arms sales to Taiwan
This was likely intended to bait us into revealing email login information, rather than being the "normal" attack emails with an attachment or link to a malicious file that would install malware on our computers. This is more along the line of traditional phishing attacks to try to trick you into giving up your login info. But it was obviously targeted at myself and my colleagues - we all got a copy of this email, and the URL itself in the email seems to indicate that it was targeted just at the three of us.
The supposed "sender" is a scholar at that same think tank that was targeted in the August 8 email linked to our defense conference (he has also spoken at the event before). The subject of the email and the text of the link references one of the major news stories on Taiwan defense issues early this week, and is the wording from a statement by the Taiwan Minister of Foreign Affairs on August 8.
I am too paranoid to actually go to the URL referenced in this email. (I really should get some sort of VM set up so I can look at things without being worried about being infected. I will at some point.) But I'm pretty sure it will look very similar to our email login page. Also interesting is that this bears some resemblance to a June 2009 email that I called "scarephishing" for our login info. The URL used in both are fairly similar, both ending with "servicelogin.htm."
Message Subject: Biden not to discuss with China arms sales to Taiwan
Received from: 168.95.4.109
August 8 - Invitation: US-Taiwan Defense Industry Conference 2011
I am angry about this email, because it really feels like an attack on me personally. This kind of stuff makes doing my job - which includes promoting events - so much harder.
I only discovered this particular one because it came back as a return for an email sent to an invalid address at a large and influential think tank. Basically, it's my NGO used as the sender, and the defense conference I plan each year used as the bait, to try to trick the recipients into opening a malicious PDF file named "Conference Registration Form.pdf." The attached malicious PDF had a decent 41% detection rate at VirusTotal. The text and graphics in the email itself (down to the destinations for the links shown in the email) were taken directly from the front page of the conference website, with small adjustments to fit the text colors to the color scheme of the site.
I was able to get a copy from someone else of the original headers for this email, and I found it interesting that it was sent from a computer named "councilpc" - just like a similar email from the 2010 conference. Perhaps there really is a machine out there in attack-land that is dedicated to sending out stuff "from" us? Seems rather random otherwise, but who knows.
Message Subject: Invitation: US-Taiwan Defense Industry Conference 2011
Attachment MD5: ec8a87a00b874899839b03479b3d7c5c
Received from: 60.249.181.163
From what I have heard, a very similar email to this one was sent out to some prominent members of the community, including one of my speakers. That email had the same header and sender but was called "Agenda - US-Taiwan Defense Industry Conference 2011" and contained an .exe .src file zipped up in a .zip attachment. Haven't been able to confirm, though, as nobody who I know received it has been able to send me a copy.
Update: Someone who reads this blog (thanks!) kindly provided me with some details on this other email, as follows:
The email with the subject "Agenda for US-Taiwan Defense Industry Conference 2011" had similar headers:
Received: from councilpc (60-249-181-163.HINET-IP.hinet.net [60.249.181.163]) (authenticated bits=0) by msr10.hinet.net (8.14.2/8.14.2) with ESMTP id p78DnWDd011944
The email has no content, only an attachment called: Agenda - US-Taiwan Defense Industry Conference 2011.zip with md5 61cd38ea5bd91ce96f62540d403bd702. The zip file contains a .SCR file which drops out a common targeted attack backdoor. The backdoor connects to rdaccount.dns1.us. The backdoor is the same as the one which is dropped from the PDF in the other email you mention "Invitation: US-Taiwan Defense Industry Conference 2011."
Message Subject: Agenda for US-Taiwan Defense Industry Conference 2011
Attachment MD5: 61cd38ea5bd91ce96f62540d403bd702
Received from: 60.249.181.163
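Several posts above (the November 3 "Statement" entry, the August 10 note on computer names, and the header quoted in this update) keep coming back to the same handful of tells: reused HELO names like councilpc, deepin-f12c1fc0 and IBM111, the same Hinet sending IPs, a Reply-To that differs from the sender, and the "High Importance" flag. The following triage script is an added example, not the blog author's tooling; its watch-lists contain only values quoted on this page, and the sample message is constructed to mirror the "Agenda" header above.

```python
"""Header triage for the recurring indicators described in this blog.

Added example (not the blog author's code).  It pulls the HELO name,
reverse-DNS name and IP out of the origin-side Received header and checks
them against the names and IPs quoted in the posts, then looks for a
Reply-To that differs from From and for the "High Importance" marker.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators quoted across the posts (page values only, not a threat feed).
KNOWN_HELO = {"councilpc", "deepin-f12c1fc0", "ibm111"}
KNOWN_IPS = {"60.249.181.163", "60.249.219.82", "168.95.4.104",
             "168.95.4.108", "168.95.4.109"}

# Matches "from <helo> (<rdns> [<ip>])" as written by sendmail-style MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return (helo, rdns, ip) from one Received header, or None if unparsable."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    return (m.group("helo"), m.group("rdns"), m.group("ip")) if m else None


def triage(raw):
    """Parse raw message headers and return extracted fields plus indicator hits."""
    msg = message_from_string(raw)
    hits = []
    received = msg.get_all("Received") or []
    # The last Received header is the origin-side hop; only the hop added by
    # your own MTA is trustworthy, so treat earlier ones as claims.
    origin = parse_received(received[-1]) if received else None
    if origin:
        helo, rdns, ip = origin
        if helo.lower() in KNOWN_HELO:
            hits.append("reused HELO name: " + helo)
        if ip in KNOWN_IPS:
            hits.append("reused sending IP: " + ip)
        if rdns.lower().endswith("hinet.net"):
            hits.append("Hinet reverse DNS: " + rdns)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:
        hits.append("Reply-To differs from From: " + reply_to)
    if (msg.get("Importance") or "").strip().lower() == "high":
        hits.append("marked High Importance")
    return {"origin": origin, "from": from_addr, "reply_to": reply_to, "hits": hits}


# Constructed sample modelled on the "Agenda" header quoted in the August 8 update.
SAMPLE = """\
Received: from councilpc (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])
    (authenticated bits=0)
    by msr10.hinet.net (8.14.2/8.14.2) with ESMTP id p78DnWDd011944
From: "Event Coordinator" <coordinator@example.org>
Reply-To: <replies@example.net>
Subject: Agenda for US-Taiwan Defense Industry Conference 2011
Importance: High

(no body)
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE)["hits"]:
        print(hit)
```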