Demining mail. A simple guide to identifying phishing.

Mutt

Phishing is one of the most common attack vectors and one of the most popular areas of social engineering. This is not surprising: we use e-mail every day. In this article, I'll walk through specific examples of phishing emails and show you where to look for the unpleasant surprises hidden in them.

HEADER ANALYSIS
An email consists of three parts: a header, a body and, sometimes, an attachment. The header contains the message's routing information. It can also carry other information: the content type, sender and recipient data, the date of receipt, the full address of the sender, the mail server address, and the real email address from which or to which the message was sent.

Important header fields

Return-Path
The Return-Path address receives delivery status information. The mail server reads the contents of the Return-Path header to process undeliverable or bounced emails. The recipient's server also uses this field to identify "fake" emails: it requests all IP addresses allowed for the sender's domain and compares them with the IP address from which the message was sent. If there is no match, the email is sent to spam.

Received
This field shows all the servers that the email passed through, one entry per hop. The last (bottom-most) entry corresponds to the original sending server.

Reply-To
The email address in this field is used to send a reply message. In fake emails, it may differ from the sender's address.

Received-SPF
The Sender Policy Framework (SPF) method verifies that messages from a specific domain were sent from a server controlled by the owner of that domain. If the value of this field is Pass, the source of the email is considered authentic.

DKIM
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to the headers of outgoing mail; the recipient's mail server checks that signature with the sender's published public key to ensure that the message has not been altered in transit.

X-Headers
This term denotes experimental or extension headers. They are usually added by the recipient's email service provider. For spam detection, fields such as X-FOSE-Spam and X-Spam-Score are used.

Consider the following email.
[Image: Initial data in the email header]
  1. In the example above, the Return-Path does not match the address in the From field. This means that all undelivered emails will be returned to the first address.
  2. In the Received field, the domain from which the email was sent is hiworks.co.kr (a site used to disguise the sender of emails), not gki.com. We can conclude that the email is fake. In addition, the check shows that the IP address (142.11.243.65) does not match the address of gki.com.
  3. The From address differs from the address in the Reply-To field. Thus, a reply to the email will go to a mailbox in the @gmail.com domain, not @gki.com.
  4. Received-SPF is neutral: the domain gki.com neither permits nor prohibits the IP address 142.11.243.65. A further Whois check revealed that this domain is not associated with the IP address 142.11.243.65.
  5. The DKIM field is none. This means that the email has not been signed.
This message appears to be bogus. The identification data extracted from the letter must be blacklisted.
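The five header checks above, implemented as a small triage script. This is an added example, not code from the original article; the header sample is constructed, with placeholder domains and the documentation address 203.0.113.7, and the DKIM verdict is assumed to be reported in an Authentication-Results header.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample header modelled on the indicators discussed above.
# Domains and the IP address are placeholders, not those of the analysed email.
RAW_HEADERS = """\
Return-Path: <bounce@mailer-host.example>
Received: from mailer-host.example (mailer-host.example [203.0.113.7])
        by mx.recipient.example with ESMTP; Tue, 3 Nov 2020 09:12:44 +0000
Received-SPF: neutral (recipient.example: 203.0.113.7 is neither permitted nor denied by domain of insurer.example)
Authentication-Results: mx.recipient.example; dkim=none
From: "Billing Department" <billing@insurer.example>
Reply-To: <billing.helpdesk@webmail.example>
To: <victim@recipient.example>
Subject: Your COVID-19 insurance invoice

"""

def domain_of(header_value):
    """Lower-cased domain part of an address header value such as From or Reply-To."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def triage_headers(raw):
    """Apply the five checks from the header walkthrough; return the list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    # 1. Return-Path should be in the same domain as From
    if domain_of(msg["Return-Path"]) != from_dom:
        findings.append("Return-Path domain differs from From domain")
    # 2. The bottom-most Received header names the originating server
    received = msg.get_all("Received") or []
    if received and from_dom not in str(received[-1]).lower():
        findings.append("Originating server in the last Received header is not in the From domain")
    # 3. Reply-To should be in the same domain as From
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    # 4. SPF result should be pass
    spf_value = str(msg["Received-SPF"] or "")
    spf = spf_value.split()[0].lower() if spf_value else "missing"
    if spf != "pass":
        findings.append(f"SPF result is '{spf}', not pass")
    # 5. No passing DKIM signature (assumed to be reported in Authentication-Results)
    if "dkim=pass" not in str(msg["Authentication-Results"] or "").lower():
        findings.append("No passing DKIM signature")
    return findings
```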

ANALYSIS OF THE EMAIL BODY
The body is the main part of an email message, and it is its content that is designed to trick the user. The message is addressed personally to the recipient and looks so believable that the victim often falls into the attacker's trap.

[Image: Phishing email related to COVID-19]

The spammer claims to be a health insurance provider. The email contains information about a bill for COVID-19 insurance that the victim allegedly ordered recently.
[Image: Phishing email on COVID-19 (continued)]

In addition, at the end of the message there is a line "This email has been verified by McAfee." This makes the email look safe.
However, if we hover over the See Details button, we see a link to the OneDrive service. Instead of clicking this link, copy it and open it in a browser.
[Image: Downloaded HTML file from OneDrive link]

Following links from spam and phishing emails yourself (here, hxxps://1drv.ms/u/s!Ajmzc7fpBw5lrzwfPwIkoZRelG4D) is best done in an isolated environment. If you do not have one, set up a virtual machine or use a cross-browser testing service such as Browserling.

The link leads to an HTML page that redirects us to another site:
hxxps://selimyildiz.com.tr/wp-includes/fonts/greec/xls/xls/open/index.htm
[Image: Fake Office 365 sign-in page]

This web page imitates the Microsoft Excel online application, requesting access to Office 365 to download a document.
[Image: WordPress admin panel for selimyildiz.com.tr]

To verify the authenticity of the page, we shorten the URL to the domain level and load it. The domain redirects us to the login page of the site's WordPress admin panel. Already at this stage it becomes obvious that we are dealing with phishing.
[Image: Whois information about selimyildiz.com.tr]

According to Whois, the domain was not registered by Microsoft and resolves to the public IP address 2.56.152.159, which also does not belong to Microsoft. These data clearly indicate that the site opened by the link was created by scammers.
[Image: Attempting to log in with arbitrary credentials]

To check the site's behavior, go back to the login page, enter an arbitrary username and password and try to sign in. As expected, the page returns an error, and the data entered in the form has gone straight to the attackers.
[Image: Fake invoice to get attention]

So now we know that this is a fake site. What to do next? To test the authentication function, let's re-enter arbitrary details. This time they are accepted, and the browser opens a PDF invoice that looks genuine, sent by some medical company. However, by the time the victim realizes that the page was fake, their username and password will already have been stolen.

ATTACHMENT ANALYSIS
Users typically send Microsoft Office documents or PDF files as email attachments. These formats are often used by cybercriminals as a vehicle for delivering malware. To gain access to the victim's system, attackers inject VBA (Visual Basic for Applications) or JavaScript code into such files and distribute them via phishing emails.

In the first part of this section, we will analyze a suspicious Word document containing a VBA macro. Sometimes a macro runs as soon as you open a document, but starting with Microsoft Office 2007, user permission is required to run content containing macros. To circumvent this protection, hackers use social engineering techniques: they try to gain the victim's trust so that the victim clicks the "Allow Editing" button without hesitation.

Analyzing a Word Document
File name: PR_Report.bin.

The utilities we need:
  • Oletools;
  • Yara;
  • Didier Stevens Suite;
  • Process Monitor;
  • Windows Network Monitor (Packet capture tool).

Step 1. Analysis of file properties
Before you start checking a file, examine its properties. To get this information on Linux, use the file command.
In this case, the file type is Microsoft Office Word.

Step 2. Applying Yara Rules
Yara is a malware identification and classification tool. It checks files based on signatures. Let's use two ready-made Yara rules from the Didier Stevens Suite software package.
The maldoc.yara rule found that the magic number of the OLE file (D0 CF 11 E0) matches the hex identifier (magic bytes) of Microsoft Office documents.

INFO
A magic number is a fixed sequence of bytes at the start of a file that uniquely identifies its format; its value should not coincide with that of any other format.

The rule also found suspicious strings inside the file: GetProcAddr and LoadLibrary.
The contains_pe_file.yara rule detects any embedded PE files: it matched the MZ string inside the document, and MZ is the signature that starts every PE file.
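The static checks of Steps 1 and 2 (OLE magic number, embedded PE file, suspicious API names) reproduced in Python as an added example; this is not code from the original article or from the Didier Stevens Suite. The sample document is constructed inside the block and stands in for PR_Report.bin; ShellExecute and WinExec are extra API names of my choosing.

```python
import struct

# Compound File (OLE) signature; the text quotes its first four bytes, D0 CF 11 E0.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# The two strings the maldoc rule flagged, plus two more common API names (my choice).
SUSPICIOUS_STRINGS = (b"GetProcAddr", b"LoadLibrary", b"ShellExecute", b"WinExec")

def embedded_pe_offsets(data):
    """Offsets of every 'MZ' whose e_lfanew field (at +0x3C) points at a
    'PE\\0\\0' header: the same test contains_pe_file.yara performs, which
    avoids false alarms on a stray 'MZ' in ordinary text."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew : pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def static_indicators(data):
    """Steps 1 and 2 of the walkthrough in one call: file type by magic number,
    embedded PE files, and suspicious API names present in the document."""
    return {
        "is_ole": data.startswith(OLE_MAGIC),
        "embedded_pe_offsets": embedded_pe_offsets(data),
        "suspicious_strings": sorted(s.decode() for s in SUSPICIOUS_STRINGS if s in data),
    }

def build_sample():
    """Constructed stand-in for PR_Report.bin: OLE header, filler, API names and a
    minimal fake PE stub (MZ header whose e_lfanew points at 'PE\\0\\0'). Not malware."""
    pe_stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return OLE_MAGIC + b"\x00" * 504 + b"...GetProcAddr...LoadLibrary..." + pe_stub
```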

Step 3. Extracting the document's contents using oledump.py

An OLE file contains data streams. oledump.py parses these streams so that macros or objects can then be extracted from the file.

In the oledump.py output, streams 8 and 9 are marked with the letter M and stream 15 with the letter O. M means that the stream may contain a macro, O that it contains an object.

Step 4. Extract VB Script from Macro

Stream 8 contains a method named killo. This is a function that saves the document under the same file name.

Stream 9 contains a lot of interesting data. The Document_Open() function references the file names 5C.pif and 6C.pif, and 5C.pif is copied to 6C.pif using the FileCopy function. Further on, the function calls the killo method from another module (stream 8).

At the end, the Document_Close() function executes an obfuscated command via a shell. Removing the obfuscation, we can see that 6C.pif is run in the background (using vbHide) while a ping request is sent to localhost.
Code:
shell cmd.exe /c ping localhost -n 100 && start Environ("Temp") & "\6C.pif", vbHide

Step 5. Extract the file from the OLE object
Obviously, the document contains an embedded file, which can be retrieved using the oleobj tool.

oleobj extracts the object and saves the file in the current working directory. Its output also shows the original path and the temporary path where the file saves itself on the system after the document is opened.

Step 6. Retrieving static information from the extracted file
So, we have extracted the PE32 executable for Windows. To confirm this conclusion, let's run the tool pecheck.py to detect PE headers inside the file.

Step 7. Behavior analysis
Let's set up a Windows 7 32-bit virtual machine and change the file extension to EXE. Before launching the file, enable the Apate DNS and Windows Network Monitor tools.

[Image: C&C domain DNS lookups registered by Apate DNS]
[Image: 5C.exe network traffic recorded when trying to communicate with the C&C server]

According to the results of analysis using Apate DNS and Microsoft Network Monitoring, the file created a process named 5C.exe and made several attempts to connect to various C&C servers.

[Image: Registry changes captured by Process Monitor]

According to Process Monitor, the 5C.exe process made several changes to registry keys related to Internet connection settings. It disabled the browser proxy by setting the ProxyEnable key to 0 and the 9-byte SavedLegacySettings key to 09. As a result, the browser began to detect Internet settings automatically and connect directly, without a proxy.

So, the Word document first ran a VBA macro, saved and ran the executable, created a new process, communicated with the C&C servers, and made unauthorized changes to the registry. This information is sufficient to identify the document as malicious. Then we can perform a more detailed analysis - debug the executable file or examine the process dump to learn more about the behavior of the file.

Analyzing a PDF Document
A PDF document is a collection of objects that describe how pages are displayed within a file.

To entice the user to download or open a PDF document, such a file is most often sent via e-mail. When the PDF is opened, it usually runs JavaScript in the background. This script can exploit a vulnerability in the Adobe PDF Reader application or silently save an embedded executable file.

A PDF file has four components: the header, the body, the cross-reference table, and the trailer.
  1. The header contains information about the version of the document and other service information.
  2. The body of a PDF contains various objects (objects are made up of streams that are used to store data).
  3. The cross-reference table points to each object.
  4. The trailer points to the cross-reference table.
Let's take the Report.pdf file as an example.

Tools:

Step 1. Scan a PDF document using PDFiD
PDFiD is a component of the Didier Stevens Suite. It scans a PDF document against a list of strings to detect JavaScript elements, embedded files and actions performed when the document is opened, and counts the occurrences of specific strings inside the PDF.

As you can see from the scan results, PDFiD detected several objects, streams, JS, JavaScript and OpenAction elements in the Report.pdf file. The presence of such elements means that the PDF contains JavaScript or Flash scripts.

The /EmbeddedFile element indicates the presence of other formats inside the PDF file. The /OpenAction, /AA and /AcroForm elements suggest that some automatic action is performed when the PDF document is opened or viewed.

Streams are data within an object.
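A PDFiD-style keyword count as an added example (not the PDFiD code itself), extended to resolve #xx hex escapes in PDF names so that an obfuscated /J#53 is still counted as /JS. The sample PDF is constructed inline and is not Report.pdf.

```python
import re

# Keywords PDFiD counts: the structural ones first, then the elements the text calls suspicious.
KEYWORDS = ("obj", "endobj", "stream", "endstream", "/JS", "/JavaScript",
            "/OpenAction", "/AA", "/AcroForm", "/EmbeddedFile", "/Launch")
SUSPICIOUS = KEYWORDS[4:]

# Constructed sample: /OpenAction and a page /AA both point at a JavaScript action
# whose /S name is hex-escaped, and an embedded-file stream starts with MZ.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /#4A#61#76#61Script /JS (app.alert('constructed sample')) >> endobj
5 0 obj << /Fields [] >> endobj
6 0 obj << /Type /EmbeddedFile /Length 2 >> stream
MZ
endstream endobj
trailer << /Root 1 0 R >>
%%EOF"""

NAME_TOKEN = rb"/[^\s/\[\]<>(){}%]+"  # a PDF name runs until whitespace or a delimiter

def unescape_names(data):
    """Resolve #xx hex escapes inside name tokens only (/J#53 -> /JS), leaving
    stream contents alone; a naive string search would miss the escaped form."""
    def fix(match):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return re.sub(NAME_TOKEN, fix, data)

def count_keywords(data):
    """Occurrences of each keyword, honouring token boundaries like PDFiD."""
    data = unescape_names(data)
    counts = {}
    for kw in KEYWORDS:
        if kw.startswith("/"):
            # a name must end at a delimiter, so /JS does not match /JSX
            pattern = re.escape(kw.encode()) + rb"(?![^\s/\[\]<>(){}%])"
        else:
            # 'obj' must not be counted inside 'endobj', nor 'stream' inside 'endstream'
            pattern = rb"(?<![A-Za-z])" + kw.encode() + rb"(?![A-Za-z])"
        counts[kw] = len(re.findall(pattern, data))
    return counts

def suspicious_elements(data):
    """The PDFiD indicators that are present, in the order the article lists them."""
    counts = count_keywords(data)
    return [kw for kw in SUSPICIOUS if counts[kw]]
```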

Step 2. Viewing the contents of objects
So, we have found out that there is JavaScript inside the PDF file. This will be the starting point of the analysis. To find the indirect JavaScript object, run the pdf-parser.py tool.

According to the scan result, JavaScript runs the virus file every time the PDF is opened, so our next step is to extract this file.

Step 3. Extract the embedded file using peepdf
Peepdf is a Python tool that contains all the components needed for parsing PDF files. To use it, type the command peepdf -i file_name.pdf; the -i switch enables the script's interactive mode.

For more information, see the help (the help command).

The peepdf parsing result indicates that there is an embedded file in object 14. On closer inspection, this object points to object 15, which in turn points to object 16. Finally, we find signs of the virus file inside object 17. Judging by the contents of the PDF, it has only one stream, which also points to object 17. Thus, object 17 is a stream containing an embedded file.

Stream 17 contains a file signature that starts with MZ, hex 4d 5a. These are signs pointing to a PE executable.

Next, we will save the stream as an executable file virus.exe.

Step 4. Behavior analysis
Now let's run this file in a virtual machine under Windows 7 32-bit.

[Image: Process Explorer displays processes created by virus.exe]

As you can see in the Process Explorer window, virus.exe created two suspicious processes (zedeogm.exe and cmd.exe) that were stopped after starting.
[Image: Process Monitor logs system changes made by virus.exe]

According to Process Monitor, the file zedeogm.exe was saved by the running process. It then changed a Windows Firewall rule. In the next step, the file WinMail.exe was launched. After that, the program started cmd.exe to execute the file tmpd849fc4d.bat and then stopped the process.

Thus, we have gathered enough evidence that this PDF file is malicious. Additional measures can then be taken, for example debugging the binary and searching memory for the extracted IOCs in order to find other threats.

CONCLUSION
In this article, we looked at how to look for signs of phishing in an email and how this helps prevent unknown threats. We identified the areas in which to look for these signs, learned how criminals hide malicious URLs in the body of an email, and what steps are required to verify them.

What to do to keep yourself safe:
  • Never trust the sender of an email. Always verify the sender's basic details before replying.
  • Do not follow links or open attachments if the sender of the email is not who they claim to be.
  • Attackers often use arbitrary domain names. For this reason, check the site address carefully for "typos": it may be a resource registered specifically to mislead you.
  • Double-check the origin of a site before entering personal information: name, address, login details, financial information and so on.
  • If you realize that you have entered your login details on a suspicious site, change your password immediately.
 