From Targeted Attack to Rapid Detection
Yesterday I was hit with a targeted phishing email that was incredibly good. The email was terse and had a 7 hour time window for which I needed to open the attachment and verify the invoice. The attachment was named after me and even came from a valid business domain. Simple yet effective and no broken English. It looked good, minus one thing….nobody ever wins free money and if you want me to send you money, I’m sure you will call me and not password protect my invoice.
I’ve been extremely cautious with email based on the recent Gmail phishing data-uri technique, and this email fell on me while I was alert. What to do? Turn this email into a handful of signals and feature vectors for JASK, lets get to it.
Step One: I searched the web for a match of the file hash and nothing came up. Not surprising. Still, evidence is evidence and I put this into JASK as a piece of threat intel.
Step Two: Using oledump I checked out what might be inside.
No macros were showing up in the file. Maybe that’s because it’s password protected? I’m no Word file or oledump expert and my goal is to quickly transform this to actionable intelligence. I tried unzipping as well and received what looks like a corrupted file message:
Since EncryptedPackage seemed like an interesting string in the file, I decided to start focusing on detecting encrypted Word Doc files in JASK with a Yara signature.
I settled on the EncryptionTransform piece in the file and pulled out the hex for its equivalent:
My goal would be to detect Word files with EncryptionTransform in them. Maybe I’ll get a lot of false positives, but I’ll let JASK handle the decision-making process.
Step 3: Write the Yara signature for detecting encrypted Word files:
I originally predicted this file would have a malicious macro in it and I wanted to find word files with macros in them. A yara signature was already floating on the web and can be read about in the link provided. This saved me some work on writing that signature.
Step 4: One last piece of evidence was the SMTP headers from. I figured why not, the more evidence I can pile into JASK the better. First, I would prototype something in notebooks and see what my SMTP meta-data fields looked like. The headers.mailfrom field I would search for my phishing attempt sender. To protect the compromised business and users email and prevent more spam or targeted phishing attempts, I’ve replaced some IP’s and email addresses with my own for this screenshot.
The results of this modified query searching for the from address, results show six other hosts on our network received a number of emails from this specific sender. A possible sign of emails that hit the spam filter or other security devices and maybe just my slick well crafted email made it through.
Once I have my query completed, I can quickly turn this headers.from address into a pattern and give it an initial weight and kill-chain attribute for JASK to use.
I’m done. I’ve added a handful of feature vectors for identifying this phishing attempt. I casted my net wide to create signals matching macros and encrypted Word documents and some specific signals to match file hashes and the sender related to this specific attack.
Lesson of the day? Don’t sleep on intelligence. If your users are going to get phished, you need to rapidly turn as many features of that attempt into actionable intelligence to have an early warning next time.