Malspam carries malware, or a script that redirects to malware, inside a phishing email, typically one asking the recipient to examine an attached file that installs the malware on their computer when opened. Cryptolocker and Lokibot are well-known examples delivered this way; WannaCry is often listed alongside them, although it spread primarily by scanning for vulnerable SMB services rather than by email. Malspam can also shade into pharming, a phishing attack that doesn't necessarily rely on someone falling for the bait. Here a clicked link or installed code corrupts name resolution, either by poisoning a DNS resolver's cache or by altering the victim machine's own DNS settings or hosts file, so that a legitimate domain name resolves to an attacker's server. The user lands on a site that looks legitimate in both URL and design, and keeps landing there, even when they type the address themselves, until the poisoned entry expires or is flushed. Because the browser shows the hostname the user expected, the redirection is very hard to notice, and victims usually don't learn their credentials are compromised until after the fact. Malspam is a dangerous beast and one that deserves attention, and I'm going to approach the malspam analysis a bit differently than the others for a few reasons.

The analysis of malspam is organized differently from the prior analyses. Instead of treating the genre as a whole, I look at individual attacks, noting how the presentation differs depending on the type of malware attached to the email. Since the attack vector changes with the kind of malware, it's essential to understand how the language is framed around delivering the malware itself. I realized very quickly, looking at malspam, that these emails mimic a variety of legitimate message types. While these aren't the only ways in which malware is transmitted, they are illustrative examples of this phishing genre.
The first email I looked at for this analysis came from "Joshua Berlinger," a "private inteligent analyst [sic]." What's interesting is that Joshua Berlinger is a real digital reporter and producer for CNN based in Hong Kong, and I presume the phisher borrowed the name in the hope that the recipient would believe Mr. Berlinger himself was contacting them to save the recipient, their family, and their friends. A cursory Google search combining Isgec and Berlinger's name produced no results outside of this phishing email and CNN's profile page; he has no connection to Isgec as far as I am aware. While the phisher is using a potentially high-profile name and company, their ethos is undermined by numerous grammatical and spelling errors. It could be shrugged off as a message written in a hurry to warn of impending danger, but a working reporter and producer at CNN would not contact people using these language conventions.
Sent as what appears to be a warning, the email purports to come from someone who has obtained intelligence from the dark web about airlines that may "go down" soon. My first thought was that it was a warning that other airlines' planes would meet the same fate as the Boeing 737 MAX that had recently (at the time of this phishing attempt) crashed with no survivors, but I'm not exactly sure, as the wording isn't that explicit. What we can gather about the sender is that the email address belongs to Isgec, a heavy engineering company that builds a range of industrial equipment, and that, according to a report on Twitter, the address may have been compromised. What we're not certain of is why this company would have a "private inteligent analyst" contacting strangers about an aircraft crash. Perhaps Isgec sounds familiar as an industrial company, and so is plausibly warning people about potential defects? I'm admittedly not sure, and I was unable to find much connecting Isgec to aerospace in any way, aside from supplying some equipment for defense, and even then it was mostly reactors and high-pressure plant equipment.
It appears the sender is using knowledge supposedly obtained in an "information leak from Darkweb," along with a major news event, to bolster their ethos. Using scary words is a classic fear tactic that relies on what the media has taught the audience these terms mean: hackers are evil (implied by the leak, of course), the dark web is frightening, and someone out there knows who's going to die next. The email asserts that the attached file, which actually contains the malware, will give the recipient this hidden knowledge so they can presumably keep their "love ones" from boarding the airlines that are going to "go down soon."
The email is addressed as generally as possible and worded so that it could apply to anyone. The author assumes that everyone has loved ones who fly and are therefore now in danger. This information "leak" is the one thing standing between saving them and having them die mid-flight, after all! What would make someone click on this file is the prospect of overwhelming guilt if someone did die when you had the information to save them. In this regard, the generality is particularly useful: the email relies almost entirely on pathos, emotional manipulation in this case, to get its payload onto the target's machine.
Technically speaking, the attachment in this email carries two pieces of malware: Adwind, a Java-based remote access trojan that doubles as a data stealer, and H-worm (Houdini), a VBScript remote access worm. Adwind is especially dangerous: it captures keystrokes, cryptocurrency wallet keys, and cached passwords, and it can also access webcam audio and video feeds, capture screenshots, steal VPN certificates, and transfer files. Even though this attack dates from early 2019, obfuscated Adwind variants were still circulating quite successfully as of October 2019. H-worm is a bit older but still does a lot of damage by giving an attacker remote control of the machine, letting them install and uninstall programs, send identifying information to a remote server, and collect or delete data from the infected host.
Rhetorically, the email uses several types of appeal to persuade the victim into opening this file. As mentioned above, pathos is the dominant appeal. Combining emotional manipulation with scare tactics built on the death toll from a real crash can easily convince someone to act, especially if they have someone flying very soon. Logos is also present through the facts and figures stated about the Boeing 737 MAX 8 that crashed. The email describes a flight that "crashed into the Java Sea 12 minutes after takeoff," and it gives a death toll, reiterating that all 189 passengers and crew were killed in the accident. Combining these figures with the claim of an "information leak" on the dark web from a private intelligence analyst, and the implied threat that the recipient's loved ones could die, is more than enough exigency to get someone to open that infected file.
Disclaimer: See the corpus for the text-only Pastebin examples I used for the Emotet analysis.
The Emotet malspam generally operated the way personal solicitation emails do: the messages either mimicked an existing conversation between two people or staged a short exchange, and then a file was sent. The examples I used all asked the recipient to check on a recent payment or invoice, which is the attached file carrying the malware. The intended audience appears to be either an employee handling the company's financials or a C-level executive responsible for making or receiving payments. These emails are notably lacking in pathos, unlike the Boeing email, and rely heavily on ethos and logos to succeed. Being as impersonal as possible, and conducting business in the typical exchange format, is what makes these phishing attacks work so well. The form follows ordinary conventions: "please find attached remittance advice for our recent payment to you," an invitation to get in touch with any questions, or a request to open a document. What's interesting about the email that asks you to open the attached file is that it supplies the file's password in the same message. That is not best practice by any stretch of the imagination, but unfortunately it is a common occurrence, and it serves the attacker: a mail gateway cannot inspect the contents of an encrypted archive, while the recipient still has everything needed to open it. A legitimate sender would normally pass the password through a separate channel such as SMS, or at least a separate email (though I wouldn't advise that either, for security reasons), so to me this was a red flag that the message was not legitimate. It wouldn't be a red flag to everyone, though, unless they had had proper training and remembered it, which is most likely why the phisher chose this approach.
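The "password in the same message" pattern is easy to check for mechanically. The following is an added example, not code from the original analysis or from any mail product: it builds a constructed remittance-advice email with a zip attachment whose header carries the ZIP encryption flag (the bytes themselves are not encrypted, but the flag is exactly what a gateway sees), then flags any encrypted archive whose password appears in the body. The sender and recipient addresses, the archive name, and the password phrasing the regular expression looks for are all assumptions.

```python
"""Heuristic: encrypted archive attached + its password in the message body."""
import io
import re
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_LOCAL_HEADER_SIG = 0x04034B50
ZIP_FLAG_ENCRYPTED = 0x0001          # bit 0 of the general-purpose flag word

# Hypothetical phrasing: "the password is X" or "password: X" in the body.
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*([^\s.,;:]+)", re.IGNORECASE)
ARCHIVE_EXTS = (".zip",)


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first local file header has the encryption bit set."""
    if len(data) < 30:
        return False
    sig, _version, flags = struct.unpack_from("<IHH", data, 0)
    return sig == ZIP_LOCAL_HEADER_SIG and bool(flags & ZIP_FLAG_ENCRYPTED)


def analyze(raw: bytes) -> list:
    """Return findings for one RFC 822 message; an empty list means nothing odd."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    password = PASSWORD_RE.search(body)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if not name.endswith(ARCHIVE_EXTS):
            continue
        if zip_is_encrypted(payload):
            findings.append(f"encrypted archive attached: {name}")
            if password:
                findings.append(f"archive password supplied in message body: {password.group(1)}")
    return findings


def build_zip(encrypted_flag: bool) -> bytes:
    """Constructed sample: a one-file zip, optionally with the encryption bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_4471.doc", b"not really a document")
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[6] |= ZIP_FLAG_ENCRYPTED   # low byte of the local header's flag word
    return bytes(data)


def build_message(body: str, attachment: bytes) -> bytes:
    """Constructed sample message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "ap@example.org"
    msg["Subject"] = "Remittance advice"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="invoice_4471.zip")
    return msg.as_bytes()


SUSPICIOUS = build_message(
    "Please find attached remittance advice for our recent payment to you. "
    "The password is Invoice2019.",
    build_zip(True))
BENIGN = build_message(
    "Please find attached remittance advice for our recent payment to you.",
    build_zip(False))

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyze(raw))
```

The check reads the archive's own header rather than trusting the file extension alone, because the encryption flag is the only thing a gateway can see of a password-protected zip; pairing it with a password in the body turns a weak signal into a strong one.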
Ethos is established using the "previous conversation" tactic, or an implied existing business relationship. Some of these emails also use the same tactic as the Boeing 737 MAX email, borrowing a "big name" to build credibility; one of the emails stated that it was sent from Steve Wolfram. My first reaction was, "Wow, Stephen Wolfram, the CEO of Wolfram Research," which is most likely what the phisher intended. Upon closer inspection, the sending address is firstname.lastname@example.org, displayed as "email@example.com." If we look just a bit into this, we can see that Mr. Wolfram's email is firstname.lastname@example.org, and that information is right on his webpage. Even if mimicking Mr. Wolfram wasn't the intent, and I only noticed it because of my previous interactions with his products, the name still has the potential to give just enough of an inkling of familiarity to get a potential victim to click on that file. Because an existing business relationship is implied, these emails do well against non-C-level employees who would not have been privy to the original conversation: they may not think twice about the conversation in hand, only that it looks "official." The attacks are also very successful against C-level employees. The Verizon 2019 Data Breach Investigations Report found that C-level executives were twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past; the explanation usually offered is that they "are always under pressure to deliver and so they casually click on every email they get without thinking about security and phishing attacks." Those are staggering figures, and it's no wonder these emails work so well given the context - they prey on overloaded employees trying to conduct their business as efficiently as possible!
Even when an email is littered with odd grammar and typos, it's unsurprising: human error occurs when typing an email quickly to get business done, and phishers potentially use this "relatability" to their advantage.
Concerning intent, these emails are all about completing a task at hand, most often a financial one. The urgency they present is typical of business communications - the faster you pay or get paid, the faster the job is done. Plus, everyone wants to be paid on time for their work, and realistically, why shouldn't they be? Offering a point of contact for any questions is also a common theme, and it makes the email appear more legitimate. One choice of wording that stuck out was a request to contact the sender, given by full name rather than self-referentially. If Melinda O'Toole sent the email, why would she write, "If you have questions on this please contact Melinda O'Toole for more information"? It's curious phrasing; I would never direct someone to contact Jennifer Mead if they had questions - I would ask them to contact me. This referential faux pas is a direct hit to their ethos, and one they would do well to correct if they want their phishing to be even more successful. It's certainly something to remember when creating defensive materials - these are the types of language markers to be on the lookout for.
Overall, these emails fit the style and form they were going for, and it is unsurprising that they are an incredibly successful method of transmission. The Department of Homeland Security has called Emotet one of "the most costly and destructive malware" in circulation, with remediation costing up to $1,000,000 USD per incident. Emotet is very dangerous to an individual or organization because it harvests credentials stored on the machine, including ones saved in the browser and in mail clients. It can also read email on an infected device, which opens the victim up to even more trouble, since stolen threads get reused to make later malspam look like a genuine reply. Emotet began life as a banking trojan: a trojan is a program that looks like a legitimate file until it is installed (hence the name), and a banking trojan captures passwords, keystrokes, and other data in order to send banking and financial information to an external server. Emotet can also update itself and download additional malware, which makes fighting it even more difficult. In fact, it has been so successful that it accounted for 57% of all banking trojan activity in the first quarter of 2018! These examples also follow the most common lure in malware-carrying phishing: invoice or payment themes account for 15.9% of malware transmitted this way, with scanned-document themes coming in at 11.9%. It is especially important to understand how the vectors of transmission, the phishing emails, operate in order to help protect potential victims.
Lokibot is another trojan, an information stealer, that is transmitted much like the Emotet malspam examples above. The emails are disguised as routine business communications with a general request to view a document. Lokibot is an old-school contender but is making headlines once again due to newer obfuscated versions. One recent variant even uses steganography, hiding the code needed to unpack the payload inside an image file. These delivery methods make it harder to detect, which is what makes understanding the email as a vector even more important.
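One generic check a defender can run against image attachments is to walk the image's actual structure and see whether anything trails the end-of-image marker, since a payload appended after the last chunk is invisible to viewers but not to a parser. The block below is an added example, not code from the analysis above or from any report on Lokibot, and it demonstrates the general overlay check rather than any one sample's specific hiding scheme: it builds a constructed 1x1 PNG, appends a fake "second stage" blob (the `MZ` prefix is just a placeholder), and recovers the overlay by parsing the PNG chunk list and verifying each chunk's CRC.

```python
"""Find data appended after a PNG's IEND chunk (an image 'overlay')."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Offset just past the IEND chunk, or -1 if the PNG structure is bad."""
    if not data.startswith(PNG_SIGNATURE):
        return -1
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        chunk_end = pos + 8 + length + 4            # header + data + CRC
        if chunk_end > len(data):
            return -1                               # truncated chunk
        stored_crc = struct.unpack_from(">I", data, chunk_end - 4)[0]
        if (zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF) != stored_crc:
            return -1                               # corrupted chunk
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return -1                                       # no IEND found


def png_overlay(data: bytes) -> bytes:
    """Bytes trailing the image; b'' if none or if the PNG is malformed."""
    end = png_end_offset(data)
    return data[end:] if end >= 0 else b""


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")               # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_IMAGE = build_png()
# Constructed: the same image with a placeholder "second stage" appended after IEND.
HIDDEN_BLOB = b"MZ\x90\x00" + b"\x00" * 60
STEGO_IMAGE = CLEAN_IMAGE + HIDDEN_BLOB

if __name__ == "__main__":
    print("clean overlay bytes:", len(png_overlay(CLEAN_IMAGE)))
    print("stego overlay bytes:", len(png_overlay(STEGO_IMAGE)))
    print("overlay starts with:", png_overlay(STEGO_IMAGE)[:2])
```

Checking the CRC of every chunk matters: a loader can just as easily stash its blob inside a bogus ancillary chunk before IEND, and a chunk whose CRC does not verify is worth a second look even when nothing trails the image.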
These emails are sent for a variety of "reasons," mostly requests for quotations, purchase orders, or to look over the attached files. The author presents themselves either as someone who already has a working relationship with the recipient or as someone looking to win their business. The Lokibot phishing emails tend to establish ethos using company logos, official titles, and the general conventions of business communication; authority is signalled by logos, corporate jargon, and titles that would befit someone contacting an organization with such requests, such as "Global Sourcing Specialist."
The intent is apparent in the majority of these emails: the author directs the victim to view an attachment or to send information in response to the attached document. Generally, the real intention is masked by industry-specific terms or somewhat formal requests for product information, but many of these emails fail to pull this off. For instance, one example states: "Please findattachedproforma for your acknowledgement and kindly send thefinal PI in order to proceed with the request foradvance payment."
This statement is riddled with typos and missing spaces, and the message is addressed to "Dearsir/madam," both of which are a dead giveaway that the person appearing to conduct a sale is not who they claim to be. These emails hope that the poor grammar will be read as a language barrier, because many of them appear to originate from outside the potential victim's country. Other attempts to disguise the phishing include statements such as "thank you very much for your time during the Fair," implying a previous interaction with the recipient.
The audience of these emails appears to be whoever is in charge of purchasing or work contracts. The PI abbreviation appears frequently; in trade correspondence it stands for "proforma invoice," a preliminary invoice sent before goods ship, which fits the quoted request to return the "final PI" after reviewing the attached proforma. The use of "in" language in these emails implies that victim and phisher share an identity - they are both business people, conducting business, with the hope that both will profit from the venture. While the emails don't explicitly address another audience, it can be inferred that they would be forwarded to the appropriate person if needed.
The rhetorical appeals present in these emails tend to be ethos and logos - there are generally no emotional appeals in business communications unless the message is a proposal (and even then, not often). Ethos rests primarily on how the authors present themselves and the company they're "representing." Some go quite far and include an entire footer describing their company. Some carry copyright notices, while others mention "going green" by not printing the email. None of this is uncommon, and I've observed similar footers from legitimate senders; it's a great way to make the email seem to come from a "real" person rather than a phishing scam. Logos appears as contact information for that "real" person, including phone numbers, addresses, and websites. The use of specific invoice numbers and product SKUs is also a fantastic example of the phisher using logos to make what is communicated seem truthful, and not an attempt to deposit a malware payload onto someone's computer.
The Hancitor emails operated much like clone phishing emails, mimicking notices from services like DocuSign and HelloFax. For brevity's sake, please see the detailed analysis of clone phishing for how these emails operate rhetorically; I found no difference aside from the phisher's end goal. Whereas credential phishing campaigns need the user to type their credentials into a fake page, Hancitor gets at the same data without the user entering anything. Hancitor is macro-based malware that acts as a downloader: the macro fetches the primary payload, typically a banking trojan, from a remote server and installs it. Remember, banking trojans compromise computers by harvesting saved credentials and targeting financial information, and delivering them through a macro is a pretty ingenious way to get onto a machine undetected.
In the early days, Hancitor arrived as a macro inside a Word document attached to the email, but improvements in email antivirus and spam filters now tend to catch these. That increase in detectability has pushed Hancitor's distribution to evolve: the documents are generally hosted on separate servers, either attacker-built look-alike sites or legitimate sites that have been compromised, and the email carries only a link. The link embeds the victim's email address in encoded form, so the download server knows who clicked. In some instances that address is then added to a database of phished victims, presumably to get a better understanding of which recipients, and which systems, are (or aren't) scanning for malware. The DocuSign and HelloFax examples provided in the corpus show this pattern. For further reading, see the excellent technical post from Palo Alto Networks' Unit 42 that goes into depth on Hancitor's newer delivery methods.
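A link that carries the recipient's address is itself a detectable artifact: a URL filter or triage script can try to decode each path segment and query value and look for an email address inside. The block below is an added example, not code from the analysis above or from Unit 42's write-up, and it generalizes past the base64 case to plain, percent-encoded, and hex-encoded addresses. The URLs are constructed, the hostnames are placeholders, and the address being tracked is a made-up one.

```python
"""Recover an email address hidden in a URL (plain, base64, or hex encoded)."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _decodings(token: str):
    """Yield plausible decodings of one URL token: as-is, base64, hex."""
    raw = unquote(token)
    yield raw.encode("utf-8", "ignore")
    compact = raw.strip("=")
    if re.fullmatch(r"[A-Za-z0-9+/_-]{8,}", compact):
        padded = compact + "=" * (-len(compact) % 4)   # restore stripped padding
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                yield decoder(padded)
            except (binascii.Error, ValueError):
                pass
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2}){6,}", raw):
        yield bytes.fromhex(raw)


def encoded_emails(url: str) -> list:
    """Return every distinct email address recoverable from the URL, lower-cased."""
    parts = urlsplit(url)
    tokens = [seg for seg in parts.path.split("/") if seg]
    tokens += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        tokens.append(parts.fragment)
    found = []
    for token in tokens:
        for candidate in _decodings(token):
            for match in EMAIL_RE.findall(candidate):
                addr = match.decode("ascii", "ignore").lower()
                if addr not in found:
                    found.append(addr)
    return found


# Constructed URLs: a DocuSign-style lure with base64 tracking, a hex variant, and a clean link.
TRACKED = b"jane.doe@example.org"
B64_URL = "http://docs.example.net/view/" + base64.urlsafe_b64encode(TRACKED).decode().rstrip("=")
HEX_URL = "http://fax.example.net/download?id=" + TRACKED.hex()
CLEAN_URL = "https://www.example.com/login?next=/dashboard"

if __name__ == "__main__":
    for url in (B64_URL, HEX_URL, CLEAN_URL):
        print(url, "->", encoded_emails(url))
```

Stripping and re-adding base64 padding is deliberate: tracking links routinely drop the trailing `=` characters so the URL looks cleaner, and a decoder that insists on correct padding misses them.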
Overall, I would say that malspam emails appear to be the second most effective type so far, next to clone phishing. What makes them work so well is that they not only prey on busy, overworked employees, but do so in a way that isn't at all unusual for business communications. By requesting a quote on products, or sending an invoice, they manufacture a situation that would normally exist but doesn't, mimicking a standard, everyday routine that probably wouldn't be noticed unless you were paying close attention. Realistically, no one is on guard 100% of the time, which is why it's so important to understand what makes these emails work at the language level, to prevent future attacks.