In recent years, the bait mailbox of Antiy has captured massive malicious emails that uses social engineer techniques to carry out batch propagation. The analysts of Antiy extracted randomly two emails with the same attachment attack method for starter of analysis. The capture data of the first email is April 11, 2015. It is the phishing email that disguises as JPMorgan Chase & Co.. It contained a ZIP compression package that became PE file with PDF icon after being decompressed. The PE file would donwload other files from the backend after it was operated. The capture date of the other email is Aril 13, 2015. The attachment behaviors of them were the same. The CERT analysts of Antiy analyzed the first email sample, then related the propagation methods, techniques of attachment files of both emails, and finally carried out complete correlation analysis and summary by extracting similar features and digging up more similar emails.

2 Analysis of E-mail 1

Content of the first e-mail:

Figure1: Content of original e-mail

2.1 Extraction of Metadata of the E-mail

E-mail subject	JP Morgan Access Secure Message
Time for sending	2015/4/11 (Saturday) 2:24
Sender	JP Morgan Access [service@jpmorgan.com]
Name of attachment 1	JP Morgan Access – Secure.zip
Name of attachment 2	Unnaming attachment 00273.txt

This email was sent by disguising as JPMorgan Chase & Co..

Note: JPMorgan Chase & Co. is an American multinational banking and financial services holding company. It is the largest bank in the United States, with total assets of US$2.6 trillion. It is a major provider of financial services, and according to Forbes magazine is the world’s third largest public company based on a composite ranking. The hedge fund unit of JPMorgan Chase is the second largest hedge fund in the United States. (From Wikipedia)

The email uses social engineering technique to lure users to open. Social engineering attack refers to psychological manipulation of people into performing actions or divulging confidential information for the purpose of information gathering, fraud, or system access. The social engineering attack method of email malware is: luring victims to click attachment by sending emails with fraud and camouflag subjects. This email makes use of the huge user groups of JPMorgan Chase& Co to lure user to click attachment for checking bills by making the sensitive topic of on-line bank accounts as bait. Moreover, the “Confidential notice” claims that the content is confidential. Even if users don’t have the on-line bank account of JPMorgan Chase& Co or receive the email mistakenly, they would also be interested in the attachment out of curiosity after finding the confidential content.

The email attachment is a ZIP package that belongs to downloader virus. The ZIP package is the file with PDF icon and src extention name that is for screen protection program. In fact, it is a PE executable program that can operates PE file automatically by double clicking under the unfamiliar situation.

The following is the figure of email structure and behavioral chain.

Figure2: Structure+ Behavioral chain

2.2 Sample Analysis

Sample tag:

Virus name	Trojan[Downloader]/Win32.Upatre
Original file name	JP Morgan Access – Secure.src
MD5	32E1F5DED6E9C573293BB6343F785A9F
Handler architecture	X86-32
File size	24,064 bytes
File format	BinExecute/Microsoft.EXE[:X86]
Time stamp	2004-09-05 12:06:14
Digital signature	NO
Shell type	None
Compiler language	Microsoft Visual C++
First upload time on VT	2015-03-02
Detection result of VT	48 / 57
Sample characterization	Downloader

2.3 Description of Local Behaviors

General description:

The sample is a kind of executable file with the size of 24KB that has the functionality of anti-debugging. It needs to experience a series of decryption steps to decrypt malware. It makes use of Windows message mechanism to create hidden window and write code into custom functions. After its operation, it would check whether the process duplicate exists in temporary directory: if so, it continues to operate; if not, it copies itself into temporary directory and changes its name as “raturas.exe”. It modifies commands by itself, and encrypts and stores key code in its own process in the form of file. After it decrypts the encrypted data, it carries out another new round of downloading its own process in order to download other process files from network.

Detail description:

The malware creates a thread firstly, then carries out thread switch by message mechanism and puts the thread at the custom functions of message for operation. The malware puts encrypted data in memory 810000, and then experiences the following decryption 1 code field to operate primary decryption. It stores the decrypted data in 820000 filed. Thereafter the malware has finished primary decryption. Then it experiences the second decryption via 403CCC. The finished data is put in 83000, which is a new PE executable file.

Figure 3-1: First decryption

Figure 3-2: Second decryption

Figure 4: Decrypted data

Upon completion of the decryption, the malware creates a sub-process. Then, it applies space, writes code and executes code in the sub-process. Then, the sub-process starts running and connects to the network.

2.4 Description of Network Behavior

Once executed, the malware communicates with the remote server to download files. It visits the following domain names and servers:

Domain Name	IP	GET	result
checkip.dyndns.org	**********		Local IP
milbrookelt d.co.uk	192.185.86.160	/cufon/sdocn.pdf	Failed
nationalpalletdelivery.com	192.185.86.183	/demo/documentation/sdocn.pdf	Failed
	190.111.9.129		Failed

1) First, the malware creates a TXT file named r657temp.log in the system temporary directory, the content is:

C : J P M o r g a n A c c e s s – S e c u r e . e x e

Then, it calls the “delete” command to get the file deleted. The PE file is a copy created by the sample.

2) The malware connects to domain name checkip.dyndns.org, though which the local IP address can be obtained. The malware uses this domain name to test whether the network connectivity is normal. After obtaining the local IP address, it links to milbrookelt d.co.uk and nationalpalletdelivery.com to download the specified files. Finally, it links to IP address 190.111.9.129. These steps loop. The following figure shows the entire process of the malware.

Figure 5: Program flow chart

2.5 Sample Summary

The email first uses social engineering method. When the user click on an attachment, the file copy is hidden in the temporary directory and executes network connection. The sample is a “downloader”, not involving any startup function. Its code is both concise and effective.

3 Analysis of Email 2

Figure 6: Body of the email

3.1 Email Metadata Extraction

Subject	Invoice*****
Sensing time	2015/4/14 12:24
Sender	******
Name of Attachment 1	Invoice_***.zip
Name of Attachment 2	unnamed attachment 00625.txt

3.2 Sample Tag

Name	Trojan[Downloader]/Win32.Upatre
Original filename	Invoice_004AP71
MD5	6093329DBDA17782BB8DC31CF223A188
Processor architecture	X86-32
File size	31232 bytes
File format	BinExecute/Microsoft.EXE[:X86]
Timestamp	2006-05-11 20:46:41
Digital signature	NO
Shell type	none
Compilation language	Microsoft Visual C++
VT first update	2015-04-13
VT test results	41 / 56
Sample characterization	Downloader

3.3 Description of Local Behavior

The local behaviors are the same with those of email 1 sample.

3.4 Description of Network Behavior

Domain name	IP	GET	result
checkip-iad.dyndns.com	**		Local IP
kapil.amsinformatics.com	216.245.213.210	GET /images/monuk14.png	Failed
syc.mxserver.ro	176.223.122.103	GET/wp-includes/images/monuk14.png	PDF file

When the attached file executes, it tries to download 2 files to the machine and executes them. One download fails and the other is a PDF file. As is shown in Figure 7, the PDF file appears to be real, but actually, it finishes downloading malware before being opened.

Figure 7: PDF file

The content of the PDF file doesn’t correspond with that of the social engineering email (invoice-related). Analysts from Antiy Labs speculate that mass emails using several social engineering techniques causing confusion. The second explanation is the email author failing to consider the consistency. Another possibility is: attackers do this on purpose, trying to convince users it is not a “junk” email.

4 Homology Analysis

Two emails were both captured in April 2015. We analyzed the homology between them by observing the overall structure and the code of the attachment. We assumed they are from the same author’s batch attack. Below is the association and comparison from 3 aspects.

structure chain
code behavior
code structure

4.1 Structure Chain Comparison

Figure 8: Structure + behavior chain comparison

The structure chains of the two emails are almost identical. They are a compressed package, which extracts a PE file with a PDF icon. The PE file downloads other files from the network once executed.

4.2 Code Behavior

Figure 9: Similar derived file directories and icons

As shown above, the samples create a copy in the temporary directory once executed. In email 1, the file name is raturas.exe; in email 2, the file name is docfree.exe. They both call CMD command line by creating a text file in the temporary directory, so as to delete the copy in Disk C.

Figure 10: Sample’s self-deletion method

4.3 Code Structure

Figure 11: Message mechanism

Figure 12: Structure of decrypted code

The two samples both write codes based on the message mechanism, writing the malware into the custom functions. They both decrypt the code for execution, and all APIs are accessed dynamically. As shown above, the code structures of the two samples are almost identical.

4.3.1 Network Behavior

Figure 13: Similarity of network behaviors

The two samples both first visit domain name checkip-iad.dyndns.com to test the network connectivity status. So, their networking method is also consistent.

4.4 Summery

By analyzing the structure, structure chain, sample local behavior, network behavior, sample code and other aspects of the two emails, we found they are highly homologous.

Based on the structure chain, attachment behavior and code structure, Antiy analysts extract more emails from the database for batch analysis.

4.5 Social Engineering Method

Through the characteristics of attachment and genetic relationship of structures, security analyst of ANTIY CERT extracted 110 emails, the size of the attachments are between 23 ~ 32kb, some of these emails treat bank cheque as a decoy while some treat a copy file as a decoy. Statistically we adopted labeling to these emails, as a result there are 14 kinds of tags:

document
credit detection
no text
fixed signature
greetings
salary
annual report
scanned copy
bank statement
transaction
auto insurance
cooperation partner
online bank upgrade
password reset

Classification Declaration:

Document

Attachments of this kind of phishing email all added word document in its names. While the topics and texts varying from time to time, including bank cheque or no text etc.. Please note that the attack codes that these attachments contained are same. For example:

Figure 14: An Example of an Email which its Text Related to Cheque

Figure 15: An Example of an Email which its Text Related to Bank

No Text

Figure 16: An Email Has No Text

Such kind of email has no text:

Message id: EmMO48_762419.

Sent date: Wed, 01 Apr 2015 11:01:48 +0100.

Such kind of email has no text:

Fixed Signature

Figure 17: Fixed Signature

Through analysis, we observed that the attack time and attacker maybe same of one kind of email, as shown above, in the next section we will do a polymerization analysis on these 110 email about their sending time.

The picture below shows that most phishing emails choose to add word document to the name of attachment, credit detection, no text, fixed signature and greeting also are the common techniques for attacking.

Figure 18: Attack Technique Statistics

4.6 An Analysis on Attacking Time

After analyzing the social engineering techniques and sending time of these 110 emails, we observed that almost all the emails which use the same social engineering technique were sent at a fixed time. See the figure below:

Figure 19: Extracting the Attacking Time of All Samples

Figure 20: Time and Number of Attacks

Through time extraction of the attacks and analyzing, we observed that for the same kind of email, attackers are prefer mass sending, in other words, attackers will launch a large-scale attack at a certain time point. We also found that, the emails which are similar with what we analyzed now were detected as early as 2014, in March 2015, there appears a batch of attacks, and in April 2015, attacker launched a large-scale attack.

5 Conclusion

Phishing attacks is common in nowadays, as early as 1999,there is an out breaking of Happy99 virus, Melissa viruses, the two were regrade as the ancestor of e-mail virus, later following the Melissa’s source code, the LoveLetter and Magistr appeared. These viruses belong to the “worm” type, with the ability of self-diffusion, wide spreading and quick spreading, they brought a lot of pressure to network, meanwhile the are likely to be perceived and detected. But the entries of today’s email are totally different from the old fashioned “naive virus era”, there are macro viruses and other binary samples sent by API automatically, also there is APT attacks. The methods of attacks from e-mail attacks, phishing attacks, to spear phishing attacks. Now attackers use sophisticated methods instead of rough way in the past. Attack targets vary from “proliferation”, “strafe” to “snipe”.

Although the samples used for analyzing are not highly directional, it may exhibit the characteristics of selectively sending. This will also bring some lost to the victims. After introducing more sophisticated social engineering skills, there must be a certain percentage of users will be deceived in the attack. To victims, such kinds of attack lead to the same consequences to them as directional attack. As ANTIY CERT indicated in the report WPS Samples: The Blackmailer that we published before. Email threats still rampant in such an environment that browser, host, server system are strengthening, email threats is a good way to connect with users directly, which means that the email attack will last a long time, no matter it’s advanced threats, or botnets diffusion and other type of cybercrime.

（Liang Hongzhi at National Computer Virus Emergency Response Center did a great contribution to compile this report）

Appendix 1: References

WPS Samples: The Blackmailer
Link Address: http://www.antiy.com/response/CTB-Locker.html

Appendix 2: About Antiy

Anity Labs has developed as leading provider of advanced security products with four R&D centers, monitoring and warning capability covers nationwide, products and services radiates several countries. Starting from an antivirus engine R&D team, Anity has formed massive security threat knowledge library after 15 years’ accumulation, and put forward advanced products and solutions against APT (Advanced Persistent Threat) through combining with the experience of application network detection, host protection, evaluation of unknown threats, big data analysis and security visualization. The technical strength of Anity has been confirmed by industry administrative institutions, clients and our partners. Anity has earned the qualification of nation-level security emergency support units four years in a row. Anity is one of the six first-level support units of CNNVD. The mobile detection engine of Anity is the first Chinese product that won the annual award of AV-TEST (2013), More than ten security vendors around the world choose Anity as their partners of detection capability.

For more information about antivirus engine of Antiy:	https://www.antiy.net
For more information about anti-APT products of Antiy:	http://www.antiy.cn

Security Response

Association Analysis on Some Group Mail Samples Using Social Engineering Techniques