Anatomy of a targeted spam email

We all get spam, some trying to sell us stuff, some trying to get us to part with our money on the promise of riches and some trying to infect our computers with malware.

Some of these messages are laughable in their execution: poor grammar, overuse of capital letters, a lack of individualisation and so on make them relatively easy to spot and discard. Others are far more sophisticated and clearly have some research behind them.

If there is one thing to take away from this article, it should be that spammers will try to make their email look genuine, and will go to some lengths to maximise the chance of the recipient opening their attachment. It is also important to realise that even if you have been targeted, it is unlikely you have been singled out. Many other people within your company, and many companies other than yours, will also have been targeted.

We have gone through one particular email, one of many we have seen with a similar appearance, and looked at its headers and payload. There are plenty of articles already written on how to understand email headers and how to spot forged headers, so I won’t go into too much detail here. There is, however, one detail that we will need to know.

Email can take several hops to be delivered, and each of these hops will add its own header information so that you can follow the chain back to the originator of the email. However, from the point of view of the current hop there is no authentication of the headers created by previous hops. This means that they can be, and in the case of spam often are, faked. The only headers you can trust are the ones created by the last hop, i.e. your local mail server. With that in mind, let’s have a look at the one header line we can believe; it tells us the machine that connected, plus some details of how and when:

Received: from 197-89-XXX-XXX.XXX.XXX.co.za ([197.89.XXX.XXX])
	by smtp-sink (smtp-sink) with ESMTP id 7ea33bf3;
	Thu,  2 Jul 2015 12:40:38 +0000 (UTC)

Note that we have hidden the details of the IP address and domain name. They are not important for this article, and it is not our intention to embarrass anyone.

Next we have the headers provided by the sender, which we cannot trust:

Received: from 0640.EXAMPLE.co.uk (10.154.219.96) by EXAMPLE.co.uk (10.0.0.160) with Microsoft SMTP Server id 601SQ9L5; Thu, 18 Sep 2014 07:31:34 GMT
Date: Thu, 18 Sep 2014 07:32:32 GMT
From: "Incoming Fax" <[email protected]>
Message-ID: <[email protected]>
To: [email protected]
Subject: Internal ONLY

This is a crude attempt to make us believe that the email has come from within the organisation. However, the dates are in the past, so maybe this header was copied from a genuine email and not updated to reflect the new sent date? Finally, we have a subject possibly designed to pique the recipient’s interest.

The body of the email contains two parts, some text and a binary attachment. The text is fairly brief:

**********Important - Internal ONLY**********

File Validity: 02/07/2015
Company : http://EXAMPLE.co.uk
File Format: Adobe Reader
Legal Copyright: Adobe Corporation.
Original Filename: Internal_report_02_07_2015_2773099.pdf

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

Now the dates agree with when we received the email, but the text is so perfunctory that it could be ignored. We cannot find an example email from this company, so cannot confirm whether that legal notice is copied from a genuine communication… In any event, no-one actually reads them, right? (I’m pretty sure I’m breaching it in this article; I’m equally sure that the spammer will not pursue it.)

The real payload is the attachment, which we have been told is a pdf file containing a report, but do we believe anything in this email? Well, as it turns out, and unsurprisingly, we shouldn’t. The final section begins:

Content-Type: application/zip;
name="Internal_report_02_07_2015_2773099.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Internal_report_02_07_2015_2773099.zip"

So we have a zip file attached; however, if we extract and unzip it we get, not a pdf, but an executable “Internal_report_02_07_2015.exe”. Submitting this to an online virus scanner showed that it was not being detected as malicious at the time, but within a matter of hours it had been identified as a trojan commonly known as “upatre”. (A trojan of this kind is a beachhead infection; its job is to infect and then download some other malware onto the system.) While not new malware in itself, the particular strain we had caught was unknown at the time.
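The three checks walked through above (trust only the topmost Received line, compare its timestamp with the sender's Date header, and look inside the attachment rather than believing the body text) can be automated for triage. The script below is an added example, not code from the original article. It builds a constructed message shaped like the one described, with `197.89.0.0` standing in for the redacted connecting address and `example.co.za` for the redacted host, then runs the checks over the raw bytes using only the Python standard library.

```python
# Added example (not code from the original article): a small defensive triage
# script that applies the article's checks to a raw email. The sample message is
# constructed; the redacted IP and hostname are placeholders.
import email
import io
import ipaddress
import re
import zipfile
from datetime import timedelta
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_sample_message() -> bytes:
    """Construct a message shaped like the one in the article (constructed data)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # Stand-in for the dropper: the PE 'MZ' magic plus padding, nothing runnable.
        zf.writestr("Internal_report_02_07_2015.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    # Topmost Received line: written by our own server, the only hop we trust.
    msg["Received"] = ("from 197-89-0-0.example.co.za ([197.89.0.0]) by smtp-sink "
                       "(smtp-sink) with ESMTP id 7ea33bf3; Thu,  2 Jul 2015 12:40:38 +0000 (UTC)")
    # Everything below was supplied by the sender and cannot be trusted.
    msg["Received"] = ("from 0640.EXAMPLE.co.uk (10.154.219.96) by EXAMPLE.co.uk (10.0.0.160) "
                       "with Microsoft SMTP Server id 601SQ9L5; Thu, 18 Sep 2014 07:31:34 GMT")
    msg["Date"] = "Thu, 18 Sep 2014 07:32:32 GMT"
    msg["Subject"] = "Internal ONLY"
    msg.set_content("File Format: Adobe Reader\n"
                    "Original Filename: Internal_report_02_07_2015_2773099.pdf\n")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="Internal_report_02_07_2015_2773099.zip")
    return msg.as_bytes()


def received_timestamp(received_line: str):
    """RFC 5321 puts the timestamp after the final ';' of a Received line."""
    return parsedate_to_datetime(received_line.rsplit(";", 1)[-1].strip())


def check_dates(msg, tolerance=timedelta(days=1)) -> list:
    """Compare the sender's Date header with the time our own server logged delivery."""
    received = msg.get_all("Received", [])
    if not received or msg["Date"] is None:
        return ["missing Received or Date header"]
    delivered = received_timestamp(str(received[0]))
    claimed = parsedate_to_datetime(str(msg["Date"]))
    if abs(delivered - claimed) > tolerance:
        return [f"Date header {claimed:%Y-%m-%d} disagrees with delivery on {delivered:%Y-%m-%d}"]
    return []


def check_hops(msg) -> list:
    """Flag sender-supplied hops that claim an internal (private) origin."""
    received = [str(r) for r in msg.get_all("Received", [])]
    if not received:
        return ["no Received headers"]
    connecting = IPV4.findall(received[0])
    source = connecting[0] if connecting else "unknown"
    findings = []
    for line in received[1:]:  # index 0 is our server's line; the rest are untrusted
        for ip in IPV4.findall(line):
            try:
                private = ipaddress.ip_address(ip).is_private
            except ValueError:
                continue
            if private:
                findings.append(f"untrusted hop claims internal address {ip}; real connection from {source}")
    return findings


def check_attachments(msg) -> list:
    """Compare what the body claims with what the attachment actually contains."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    claims_pdf = "Adobe Reader" in text or ".pdf" in text
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if claims_pdf and not data.startswith(b"%PDF"):
            findings.append(f"{name}: body describes a PDF but the attachment is not one")
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    with zf.open(member) as fh:
                        magic = fh.read(2)
                    ext = member.rsplit(".", 1)[-1].lower()
                    # Check the extension and the member's own magic bytes, not just the name.
                    if ext in EXECUTABLE_EXTENSIONS or magic == b"MZ":
                        findings.append(f"{name}: archive contains executable {member}")
    return findings


def analyse(raw: bytes) -> list:
    """Run all checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return check_dates(msg) + check_hops(msg) + check_attachments(msg)


if __name__ == "__main__":
    for finding in analyse(build_sample_message()):
        print("-", finding)
```

Run against the constructed sample it reports the year-old Date header, the private 10.x addresses in the sender's own Received line (while the real connection came from a public address), the mismatch between the "Adobe Reader" body text and the zip attachment, and the executable inside the archive. The `Date` tolerance of one day is a judgement call: legitimate mail rarely sits in a queue longer than that, but it is an assumption, not a standard.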

Some conclusions:

  • If something looks odd, look twice. Small things might serve to confirm (or deny) the authenticity of an email.
  • Don’t worry if you think you are being targeted; you will not be alone.
  • Unexpected attachments should be viewed with extreme suspicion.
  • Anti-virus will often not be able to help.

30th July 2015

#spam