Spear Phishing In Action

Recently, while monitoring an infected system we uncovered activity that showed a good example of attackers selectively emailing malware to a specific group (in this case a country).

After conducting analysis of the threat, network traffic, and hosts involved, we believe that the attackers were directly targeting companies located in the Middle East—Saudi Arabia, to be exact.

In the following examples we can see the sequence of events leading up to the spear phishing as well as the tactics used to seek out targets for the attack (aka the “reconnaissance”).

Figure 1 shows an infected system making a series of interesting HTTP requests.

Figure 1. Initial HTTP requests

Looking at the HTTP requests, we can see that one of the requests is for the location of a text file as shown here in Figure 2.

Figure 2. Response from server showing location of a .txt file

Figure 3 shows the contents of the text file, which appears to be a list of email account credentials.

Figure 3. Response from server showing contents of the requested .txt

The next request again seeks a .txt file, "key_link.txt," and this is where it starts to get really interesting.

Figure 4. Note: the value for "key" as returned by the server

The value for "key" is a search string; as Figure 4 above shows, that value is ".sa". In this case, .sa is the country-code top-level domain (TLD) for Saudi Arabia.

What happens next is quite interesting. The infected system initiates a series of Bing searches on the site www.skymem.com.

Skymem.com?

www.skymem.com describes itself as a "service for extracting emails and other data from text." Looking through some of the "other" data hosted on skymem.com, it becomes evident that the site is being used for more than just innocently extracting emails from text.

Figure 5. Example results page from a skymem search

How could Skymem.com be used (or abused) by spammers or attackers?

In order to search out and harvest emails from skymem.com, the spammers (or attackers) simply craft a Bing query. In this case the attacker is looking for the string ".sa" inside of the www.skymem.com site. (Remember that "key=.sa" from Figure 4 earlier.)

Figure 6. Bing query crafted by the malware

Figure 7. Search results for ".sa" on skymem.com (emails scrubbed)
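The reconnaissance chain above (fetch the "key" config file, then run Bing searches scoped to skymem.com for that key) is distinctive enough to detect in web proxy logs. The following is an added example written for this post, not code from the original analysis: it runs over a few constructed proxy log lines (client, method, URL; the 203.0.113.5 server and client addresses are made up) and flags any client that issues site-scoped searches against the harvesting site, raising the severity when the same client also fetched key_link.txt.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines ("client method url"), not from the original post.
SAMPLE_LOG = """\
10.0.0.7 GET http://203.0.113.5/cfg/key_link.txt
10.0.0.7 GET http://www.bing.com/search?q=site%3Awww.skymem.com+.sa&first=1
10.0.0.7 GET http://www.bing.com/search?q=site%3Awww.skymem.com+.sa&first=11
10.0.0.9 GET http://www.bing.com/search?q=site%3Awww.skymem.com+.sa
10.0.0.12 GET http://www.bing.com/search?q=python+tutorial
10.0.0.12 GET http://example.com/readme.txt
"""

HARVEST_SITE = "www.skymem.com"  # email-harvesting site observed in the post
CONFIG_NAME = "key_link.txt"     # config file the malware fetched to obtain its "key"
SITE_QUERY = re.compile(r"site:" + re.escape(HARVEST_SITE) + r"\s+(\S+)", re.I)

def harvest_term(url):
    """Return the search term of a Bing query scoped to HARVEST_SITE, else None."""
    p = urlparse(url)
    if not p.netloc.lower().endswith("bing.com"):
        return None
    q = parse_qs(p.query).get("q", [""])[0]  # '+' and %3A are decoded here
    m = SITE_QUERY.search(q)
    return m.group(1) if m else None

def analyze(log_text):
    """Per-client summary: did it fetch the key config, and which terms did it search for."""
    clients = defaultdict(lambda: {"config_fetch": False, "terms": []})
    for line in log_text.splitlines():
        client, _method, url = line.split(" ", 2)
        if urlparse(url).path.endswith("/" + CONFIG_NAME):
            clients[client]["config_fetch"] = True
        term = harvest_term(url)
        if term:
            clients[client]["terms"].append(term)
    return dict(clients)

def alerts(summary):
    """Clients showing the full chain (config fetch + scoped searches) are high
    confidence; scoped searches alone still merit a look, at lower severity."""
    out = []
    for client, info in sorted(summary.items()):
        if info["terms"] and info["config_fetch"]:
            out.append((client, "high"))
        elif info["terms"]:
            out.append((client, "medium"))
    return out
```

Running `alerts(analyze(SAMPLE_LOG))` on the constructed lines reports 10.0.0.7 as high and 10.0.0.9 as medium; the client doing an ordinary search is not reported.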

After harvesting emails from skymem.com, it’s time to start the phishing.

In Figure 8, we can see that <victim>@<somewhere>.com.sa is the recipient. A common social engineering tactic is employed, as can be seen in the message body of the email:

"Dear <victim>,
You have exceeded your email limit quota. Failure to recover your quota may result in loss of important Information. You need to delete any SPAMs manually or simply employ the cleaning tools automatically.

Thank you for using our email.

--------------------------------------------------------------------------------

Copyright 2012 Webmail Service Department."

Figure 8. Crafted email headers

Figure 9. Malware payload

As Figure 9 shows, the email is attempting to deliver the attached file "AutoCleanTool.rar"—which as you probably guessed would result in a malware infection.

Looking closer at the email address and domain in the attack, we see that it belongs to someone in an HR/Recruiting role at a large Saudi Arabia-based contracting services firm.

Ironically enough, this company’s client list includes some well-known Saudi Arabia-based oil and energy companies, one of which was the victim of a recent large-scale breach.

In this attack we saw how the attackers leveraged publicly available search engines and 'sketchy' data warehouses to seek out potentially high-value targets for delivering malicious payloads. The people behind this attack can change its target at will in a highly automated fashion, giving the advanced malware a more flexible infrastructure for fulfilling its mission.