Introduction

Many of you have experienced phishing attacks, which often come in the form of attempts to illicitly gather personal information by impersonating a person or organization that is a known entity to the target. This may come in the form of an email purporting to be from your bank that actually connects to a compromised web site being used to gather your bank login information, or an email pretending to be from a friend or relative who claims to be stranded in Cyprus without cash or credit cards, and is in desperate need of $3,000 to “get out of a bind.”  Attacks such as these have in the past been relatively easy for the moderately cautious netizen to recognize—one phone call can verify that a relative is at home in Jersey and not in Cyprus, and a close look at the link in the bank email usually reveals a URI that does not actually resolve to the bank’s servers.

Over the past several years, however, attacks have become increasingly sophisticated, well researched, and targeted. These spearphishing attacks, so named because of their highly targeted nature, tend to target specific individuals in an organization, and contain personal information about the purported sender as well as the target. These attacks attempt to build trust in the target to get them to overlook any attributes that would reveal the email’s malicious nature. The emails usually contain a malware attachment or a link to a malware archive that the user downloads and executes locally, compromising their system and sometimes their entire organization’s network.

Earlier efforts at this type of malware campaign generally contained subtle (or not so subtle) cues in the language, grammar, or spelling in the body of the email that were enough to indicate to the target that the email was not actually from the claimed source. More recent iterations of these campaigns reveal much more attention to detail and polished language, making them ever more difficult to ferret out. This post analyzes the social engineering aspects of one such malware campaign.

The Attack

(N.B. actual names and other identifying information have been changed for the purposes of this post).

The individual being impersonated (we’ll refer to him as “Mark”) in this particular attack had been an employee of the client organization for over two years, and had recently left for a position in a different organization. After his departure, the organization removed his biographical information from their web site, and the new organization added his biography to theirs. The person also updated their (public) LinkedIn profile to reflect the change. All of this is normal operating procedure, but it also provides several data points to potential attackers whose job it is to track people in these organizations and look for opportunities to strike.

Lo and behold, a little over a month after the move, three members of the specific team that Mark worked with received an email substantively identical to the following:

Email 1

Seemingly innocuous email from a recently departed colleague.

At first blush, the above email appears to be a harmless notification sent by a former colleague in order to update his former co-workers. Although there are a few language cues that appear irregular, email is often written quickly and used in an informal manner. Small grammatical and spelling issues are likely to be excused or overlooked in this context. In addition, there may be non-native English speakers in the targeted organization for whom such errors may go unnoticed. Below we look at other elements of this email that add to its credibility:

Email 2

Elements of the Targeted Email.

This email has a valid return address that appears to belong to Mark, was sent to three specific members of Mark’s immediate team, and references Mark’s new place of work. Closer inspection reveals that the provided link points to a .zip archive on “cnnnewsdaily.com” that contains a malicious executable file masquerading as a PDF. Fortunately, although one member of the team followed the link to download the .zip archive, the organization’s cyber-security training kicked in, and the targeted individual raised his suspicions with a network admin.  Analysis in Vínsula’s Execution Engine revealed a file that was attempting to gain access to the command shell and execute malicious code on the target machine.
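The "executable masquerading as a PDF" trick described above usually relies on a double extension such as `something.pdf.exe` (Windows hides the final known extension by default, so the file displays as `something.pdf`) or on a PDF name attached to a file whose bytes are actually a Windows PE image. The following script is an added example, not code from the original post or from Vínsula: it builds a small, constructed archive that imitates that pattern and flags entries whose extension and content disagree. It also checks for a right-to-left override character in entry names, a related disguise the post does not mention. The entry names are invented for illustration.

```python
import io
import zipfile

# Magic bytes used to tell the two file types apart.
PE_MAGIC = b"MZ"      # Windows executables (EXE, DLL, SCR) start with "MZ"
PDF_MAGIC = b"%PDF"   # Genuine PDF files start with "%PDF-<version>"

# Extensions Windows will run when double-clicked (lower-case for comparison).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}

# Unicode RIGHT-TO-LEFT OVERRIDE: reverses how the rest of a name is displayed.
RLO = "\u202e"


def extension_chain(name):
    """Return every extension in an archive entry name, e.g. 'a/b.PDF.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1]          # zip entry names use forward slashes
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_entry(name, head):
    """Return the reasons (possibly none) that an entry looks like a disguised executable.

    name: the entry name as stored in the archive
    head: the first few bytes of the entry's content
    """
    reasons = []
    exts = extension_chain(name)
    final_ext = exts[-1] if exts else ""

    if final_ext in EXECUTABLE_EXTS:
        if len(exts) > 1:
            # e.g. "report.pdf.exe": the visible name hides the real extension
            reasons.append("double extension %s" % "".join(exts))
        else:
            reasons.append("executable extension %s" % final_ext)

    if head.startswith(PE_MAGIC) and final_ext not in EXECUTABLE_EXTS:
        # Content is a PE image but the name claims to be something harmless
        reasons.append("PE header but non-executable extension %s" % (final_ext or "(none)"))

    if final_ext == ".pdf" and not head.startswith(PDF_MAGIC):
        reasons.append("claims .pdf but content is not a PDF")

    if RLO in name:
        reasons.append("right-to-left override character in filename")

    return reasons


def scan_archive(zip_bytes):
    """Map each suspicious entry name in a zip (given as bytes) to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)           # only the magic bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Construct a sample archive for this example (invented names and contents,
    not the attacker's real file): two disguised PE stubs and one genuine PDF header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Mark_new_contact_info.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Mark_bio.pdf", b"MZ\x90\x00" + b"\x00" * 60)   # PE bytes, PDF name
        zf.writestr("readme.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_archive(build_sample_archive()).items():
        print("%s: %s" % (entry, "; ".join(reasons)))
```

Running it prints the two disguised entries and stays silent about `readme.pdf`. Checking magic bytes rather than trusting the name is the point: the double-extension case is caught by the name alone, but the `Mark_bio.pdf` case is only caught because the content is inspected. The check is a triage aid, not a verdict; a clean result says nothing about a PDF that carries an exploit, which is the case the post's conclusion describes.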

Notably, even 72 hours after this attack, it was missed by 40 out of 42 AV engines when submitted to virustotal.com. For good measure, the organization’s network administrator sent the file off to one of their AV vendors, who after conducting their own analysis confirmed that the file was indeed malicious, and that they would be creating a virus definition to be added to their database of viruses to be caught in the future.

Vendor

The vendor confirms that they will catch it next time, which is of little help to the target organization, which needed it caught the first time.

Conclusion

Since this attack, we have noticed increasing sophistication in the background research and language skills being employed by attackers. At times, we’ve seen noted academics impersonated by using snippets of their own writing in the body of the email to add credibility. In one such case, an attached archive contained several of that person’s actual articles, most of which were harmless, but one of which contained a zero-day malware exploit. Recently, I’ve also come across suspicious PDFs being sent to professors and other thought leaders in the U.S. claiming to be CVs from students in China. This could present a new and somewhat easier attack vector for the perpetrator: it eliminates the language cues that have traditionally indicated that an email may be malicious, and it does not require impersonation of a known entity. The attacker can literally create a new “student” identity for each campaign, and such individuals would be extremely difficult to perform due diligence on, since they are presumably not prominent people with long electronic or media trails.

The best bet when receiving an unsolicited email from a suspect source is to err on the side of caution. Do not engage the individual sending the email and do not follow any links or open any attachments sent by that person. If you have received a link or attachment that you suspect may be malicious, feel free to send a copy of it to john AT vinsula DOT com, or contact us through our web site.