Analyzing a Spear Phishing Email

About every week or so I receive one of those obvious Phishing Emails telling me a package was not deliverable or some such foolishness. After being very careful not to click on the attachment, I typically permanently delete these Emails. When I got another one of these Emails a few days ago, my curiosity got the best of me, so I decided to figure out how the cyber-punks build these social engineering attacks, and how they work.

I documented my analysis in a Research Paper, “Analyzing a Spear Phishing Email.” You can download the report here.

The findings of my research are summarized below:

1. The appearance of the Phishing Email is very primitive, alleging the postal service could not deliver a package. The From: Email address (k(at) karastel,ru) was completely unrelated to the signature line (Eugene Lee).

2. The weaponized payload was a JavaScript file whose name contains “.doc.” so that it passes for a document, nested inside two zip files. This means the recipient has to open two zip files and then click on the JavaScript file for the bad guys to win.

3. The JavaScript file uses Microsoft’s ActiveX framework to create an object that connects to the Internet and downloads a second, malicious JavaScript dropper. That dropper script is executed with an eval() statement. The dropper in turn connects to the Internet and downloads a malicious Windows PE file.

4. The miscreants compromise legitimate web sites to host the malicious binaries. The scripts contain multiple download URLs so the attack keeps working even when some of the compromised servers are detected and cleaned up.

5. The Malicious PE file is a Cerber Ransomware binary that encrypts files in the logged on user’s Documents folder, and any attached USB devices.

6. There is a sophisticated web site on the DarkNet that instructs a victim how to obtain BitCoins and pay the ransom.

7. The cyber-punks who send out these Emails bank on economies of scale: if they send out 1 million weaponized Emails and achieve a 5% hit rate, that is 50,000 victims.

8. The ransomware problem is not going away anytime soon. In fact, evidence suggests the cyber-criminals are getting more aggressive in their tactics. Not only are they encrypting files, they are also wiping out the master boot record (MBR) on compromised systems, which prevents them from booting.
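Points 2 through 4 above describe a delivery chain that can be caught before anyone double-clicks: a script file hiding behind a document-style double extension, nested inside zip archives, whose contents reference ActiveX object creation, eval() and several download URLs. The following scanner is an added example written for this post, not code from the research paper or from the PacketSled Platform. It assumes the extension lists shown below (edit them to suit your environment) and scans a constructed two-level zip whose sample script contains only the indicator strings, with a placeholder object name rather than any real ActiveX ProgID.

```python
import io
import re
import zipfile

# Assumed lists: script extensions Windows will run on double-click, and the
# document-style extensions a double-extension name tries to impersonate.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".scr"}
DECOY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Guard against zip bombs: skip members that would inflate beyond this size.
MAX_MEMBER_BYTES = 5 * 1024 * 1024

# Static indicators taken from the behaviour described in the post.
ACTIVEX_RE = re.compile(r"new\s+ActiveXObject\s*\(", re.IGNORECASE)
EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def is_double_extension_script(name):
    """True for names like 'notice.doc.js': a decoy document extension
    immediately followed by an executable script extension."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 3:
        return False
    return ("." + parts[-1]) in SCRIPT_EXTENSIONS and ("." + parts[-2]) in DECOY_EXTENSIONS


def scan_script(text):
    """Collect the static indicators the post describes from script text."""
    return {
        "activex": bool(ACTIVEX_RE.search(text)),
        "eval": bool(EVAL_RE.search(text)),
        "urls": sorted(set(URL_RE.findall(text))),
    }


def scan_archive(data, path="", depth=0, max_depth=4):
    """Walk a zip (and any zips nested inside it) and return a list of
    findings for double-extension script members."""
    findings = []
    if depth > max_depth:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            content = zf.read(info.filename)
            # Recurse into nested archives (the post's payload used two levels).
            if zipfile.is_zipfile(io.BytesIO(content)):
                findings.extend(scan_archive(content, member_path, depth + 1, max_depth))
                continue
            if is_double_extension_script(info.filename):
                finding = {"path": member_path, "nesting": depth + 1}
                finding.update(scan_script(content.decode("utf-8", errors="replace")))
                findings.append(finding)
    return findings


# Constructed sample: indicator strings only, with a placeholder object name.
SAMPLE_SCRIPT = (
    "// constructed sample for testing the scanner; does nothing\n"
    "var o = new ActiveXObject('Placeholder.Object');\n"
    "var urls = ['http://compromised-site.example/a', 'http://other-site.example/b'];\n"
    "eval(downloaded);\n"
)


def build_sample():
    """Build a two-level zip: outer.zip -> notice.zip -> Delivery_notice.doc.js."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Delivery_notice.doc.js", SAMPLE_SCRIPT)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notice.zip", inner.getvalue())
        z.writestr("readme.txt", "benign text")
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample()):
        print(f"{f['path']} (nesting {f['nesting']}): activex={f['activex']} "
              f"eval={f['eval']} urls={f['urls']}")
```

Run on an attachment pulled from the mail gateway, the scanner reports every double-extension script it finds, how deeply it was nested, and the download URLs it references; those URLs are the list of compromised hosts worth blocking at the proxy while the archive is quarantined.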

We are continually adding enhancements to the PacketSled Platform to identify advanced ransomware compromise techniques.

Posted in Incident Response by Mike Spohn

© 2017 PacketSled, Inc.