When the phishes slip through the net

by Dan Saunders

11 June 2020

A woman working on her laptop at night

Phishing attacks are on the rise and no one’s immune, not even an incident response team member.

Yes, you’ve got it. I was on a client call discussing methods for the automation of reporting phishing emails when, low and behold, I received a phishing email in my mailbox (you can’t make this stuff up). As if that wasn't enough, just a few hours later, I was hit with a second phishing email. I followed our security protocol and reported the emails before swiftly deleting all traces from my mailbox. However, I may have also retained copies (don’t try this at home kids) to do some digging and see what information I could gather from a quick triage of the raw EML files.

A man working on his laptop while on his phone

Phishing attacks are on the rise, and no one’s immune

The first email in question was very suspicious from the start. First of all, I’ve had no dealings from South Africa in terms of purchasing or invoicing (other than security incident engagements) and, secondly, the layout of the emails raised flags, as did the recipient email address. The good news is, I didn’t click the link. However, I may have hovered over it to see what the URL link was.

Let’s take another look at the email content, in ASCII, to see the actual text. As you can see, we have a delivery web URL and following a quick simple check via VirusTotal, it appears to be flagged as malicious. By exploring the additional details, you’ll uncover the serving IP address for the domain, which is linked to other malicious infrastructure. So, what now?

Let’s review the email header and source IP. Received: from za-smtp-delivery-200.mimecast.co.za (HELO za-smtp-delivery-200.mimecast.co.za) (41[dot]74[dot]201[dot]200). This header was viewed to extract the source IPv4 address for the email, however it resolves back to Mimecast, South Africa. What I should probably mention at this point is this email was originally sent to an old email address of mine (which I no longer use) and a mailbox forwarding rule sent it onto my new email address.

Digging deeper it was possible to uncover another IPv4 address from the true source. Received: from mail6.bemta25.messagelabs.com (195[dot]245[dot]230[dot]46). Now we’re getting somewhere. We have some detections, courtesy of open-source research. Additional IP addresses extracted from the email header depict additional links to a variety of malicious malspam campaigns and subsequent payloads containing malicious Trojans. At this point, I created a sandbox environment to carry out some dynamic analysis to understand the behaviour. Low and behold, once the web URL link is clicked, IE is launched and attempts to communicate to several command and control (C2) servers.

The additional IP addresses for the C2 servers were triaged and, again, the servers were found to host a wide variety of malicious payloads, waiting to be deposited onto the system. One of the C2 servers was found to be: Domain: web[dot]tresorit[dot]comIPv4 address: 40[dot]112[dot]93[dot]201.

A woman working on her computer while at home

The primary malware family was found to be Emotet, which is a well-known banking Trojan designed to steal sensitive credentials

You can see how easy it is to uncover loads of valuable information - just by carrying out a small amount of triage and open-source research. This provided me with indicators of compromise (IOC) including, but not limited, to IP addresses of C2 servers, hash values for malware and a range of other IOCs. The primary malware family was found to be Emotet, which is a well-known banking Trojan designed to steal sensitive credentials. Emotet can be difficult to contain, due to its polymorphic nature allowing it to avoid detection. In more recent samples, Emotet has evolved to have more stealth capabilities. If Emotet is not bad enough on its own, this could also result in subsequent TrickBot infections (another banking Trojan widely linked to deploying Ryuk ransomware), which maintains close ties with Emotet.

As mentioned, having just recovered from this ordeal, a second email came through. This time from a Protonmail address. Protonmail is a secure end-to-end encrypted email system and, while designed to optimize users’ privacy, it’s often used by threat actors to communicate with their victims. This email was, again, very suspicious from the start. First of all, the email titled ‘payment’ contained a single web URL link, to a PDF file hosted online on Adobe Document Cloud. The same process was repeated to triage the content and it was clear this was also a viable threat.

There's no slowing down for phishing, as discussed in our latest Global Threat Intelligence Report, and its vital employees stay alert when jumping around their inbox, to ensure they don’t trigger the next security incident.

Dan Saunders

Dan Saunders

Senior Incident Response Consultant