The analysis of malspam is organized differently from the prior investigations. Here I look at the individual attacks, noting differences in presentation depending on the type of malware attached to the email. Since the attack vector differs with the kind of malware, it's essential to understand how the language is framed around transmitting it. I realized very quickly when examining malspam that these emails mimic various other attacks. While these aren't the only ways malware is transmitted, they are illustrative examples of this phishing genre.
Malspam carries malware or a malicious redirect script inside a phishing email, typically one asking the recipient to examine a file that downloads malware onto their computer. Some famous examples of these types of attacks at work include Cryptolocker, Lokibot, and WannaCry. Malspam can also fall into the pharming category, a phishing attack that doesn't necessarily rely on someone falling for the bait. The code is injected into a user's computer from a clicked link, redirecting the user to a malicious site using DNS cache poisoning. This attack changes the information stored in your cache and redirects you to a website that looks legitimate in both URL and design. That means you're logging into the malicious site until that cache is flushed, even if you type in the website address yourself. It's nearly undetectable once it has happened, and you won't know your information is compromised until after the fact. Malspam is a dangerous beast.
The first email I looked at for this analysis came from Joshua Berlinger, a "private inteligent analyst" [sic]. What's interesting is that Joshua Berlinger is a digital reporter and producer for CNN out of Hong Kong, and I presume the phisher used this information in hopes that the recipient would believe that Mr. Berlinger himself is contacting them to save the recipient, their family, and friends. A cursory Google search combining Isgec and Berlinger's names produces no results outside of this phishing email and CNN's profile page; he has no connection to Isgec, as far as I am aware. While the phisher uses a potentially high-profile name and company, their ethos is diminished by numerous grammatical and spelling errors. While it could be dismissed as a message written urgently to inform the recipient of impending danger, a known reporter and producer from CNN would not have contacted people using these language conventions.
With what appears to be a warning, the author purports to be someone who's obtained intelligence from the dark web about airlines that may "go down" soon, with other airlines' planes meeting the same fate as the Boeing 737 MAX - crashing with no survivors. What we can gather from the sender is that they're using an email address from Isgec, a heavy engineering company that specializes in a variety of really cool things, and that address, according to Twitter, may have been compromised. I'm not certain why this company would have a "private inteligent analyst" contacting others regarding an aircraft crash. Perhaps Isgec sounds familiar as an industrial company and thus is warning people about potential defects? I'm admittedly unsure and was unable to find much connecting Isgec to aerospace, aside from providing some equipment for defense. Still, even then, it was primarily reactors and high-pressure plant equipment.
It appears the sender is using knowledge obtained in an "information leak from Darkweb," as well as significant news events, to bolster their ethos. Using scary words, as you know, is a classic fear tactic relying on the media's influence over what any of these terms mean to the reader:
The email asserts that the attached file, which contains malware, will give the recipient this hidden knowledge to presumably save their "love ones" from boarding the airlines that are going to "go down soon." The email is addressed as generally as possible and worded so that it could apply to anyone. The author assumes that everyone has loved ones who would fly on an airplane and are now in danger. This information "leak" is the one thing between saving them or having them die mid-flight, after all! What would make someone click on this file is the implied, overwhelming guilt of a loved one dying when you had the information to save them. In this regard, the generality is particularly useful, as the email relies primarily on pathos, in this case emotional manipulation, to deposit its payload onto the target's machine.
Technically speaking, the file in the email contains two trojans: a data-stealer (Adwind) and a remote-access worm (Houdini's H-worm). Adwind is especially dangerous: it captures keystrokes, cryptocurrency wallet keys, and cached passwords. It can also access webcam audio and video feeds, capture screenshots, steal VPN certificates, and transfer files. Even though this attack was from early 2019, it has obfuscated variants that are surviving quite well as of October 2019. H-worm is a bit older but still manages to cause a lot of damage by taking control of a computer remotely, allowing it to install or uninstall programs, send identifying information to a remote server, and collect and delete data from the infected machine.
Rhetorically, the email uses a few appeals to persuade the victim to click on this file. As mentioned above, the use of pathos is prevalent in the email. Combining emotional manipulation with scare tactics concerning death figures from the crash can easily convince someone to act - especially if they have someone flying very soon. This email also presents logos via the figures and facts about the Boeing 737 Max 8 jet that crashed. The email mentions the route that "crashed into the Java Sea 12 minutes after takeoff." It also states a death toll, reiterating that all 189 passengers and crew were killed in the accident. Combining these figures with an "information leak" on the dark web from a private intelligence analyst and the implied threat that the recipient's loved ones could die is enough exigency to have someone click on that infected file.
Disclaimer: see the corpus for the text-only Pastebin examples I used for the Emotet analysis.
The Emotet malspam generally operated the way personal solicitation emails do: they either mimic a conversation between people or stage a dialogue exchange in which the attacking party sends a file. The examples I used all asked the recipient to check on a recent payment or invoice, which is the file attached to the email containing the malware. The audience appears to be either an employee working on the company's financials or a C-level executive in charge of making or receiving payments for the company. Unlike the Boeing email, these emails notably lack pathos and rely heavily on ethos and logos to succeed. Being as impersonal as possible and conducting business in the typical exchange format is what makes these phishing attacks so successful. The form follows general conventions: "please find attached remittance advice for our recent payment to you," followed by an invitation to contact the sender with any question. Other emails simply request that a document be opened. What's interesting about the email that asks you to open the attached file is that it also gives the password in the same email - certainly not best practice by any stretch of the imagination, but unfortunately a pretty common occurrence. Normally the password would be sent through a separate channel such as SMS, or even a separate email (although I wouldn't advise that tactic for security reasons), so its presence in the same message is a big red flag that this is not legitimate. However, it wouldn't be a red flag to some recipients unless they had proper training and remembered it, which is most likely why the phisher chose to approach the email this way.
Ethos is established using the "previous conversation" tactic or an existing business relationship. Some of these emails also use tactics like the Boeing 737 Max email, using a "big name" to build their credibility; one of the emails stated that it was sent from Steve Wolfram. My first reaction was thinking, "Wow, the CEO of Wolfram Research," which is most likely what the phisher intended. Upon closer inspection, the email address is email@example.com, masked as "firstname.lastname@example.org." If we look just a bit into this, we can see that Mr. Wolfram's email is email@example.com. You can find that information on his webpage. However, even if mimicking Mr. Wolfram wasn't the intent, I only noticed the discrepancy due to previous interactions with his products. There was still the potential to give just enough of a clue of familiarity to cause a potential victim to click on that file. Because of the implied existing business relationship, these emails are pretty successful: if a non-C-level employee who would not have been privy to the original conversation receives one, they may not think twice about the attached conversation, only that it was "official." These attacks are also very successful against C-level employees. The Verizon 2019 Data Breach Investigations Report states that they "are always under pressure to deliver and so they casually click on every email they get without thinking about security and phishing attacks," are "12 times more vulnerable to cyber attacks," and "9 times more [vulnerable] to data breaches." That's quite a staggering figure, and it's no wonder these emails work so successfully, given the context - they prey on overloaded employees trying to conduct their business as efficiently as possible! Even when the email is littered with strange grammar and typos, it's unsurprising that human error would occur in typing an email quickly to get business complete. Phishers use this "relatability" to their advantage.
Concerning intent, these emails are all about completing a task at hand, most often financial. The urgency presented in these emails is typical in business communications - the faster you pay or get paid, the faster the job is done. Plus, everyone wants to be paid on time for their work, and realistically, why shouldn't they be? Offering a point of contact for any questions regarding the email is also a common theme and makes the email appear more legitimate. One interesting choice of wording in these emails that stuck out was a request to contact the person who sent the email, but listing their full name instead of being self-referential. If Melinda O'Toole sent the email, why would they state, "If you have questions on this please contact Melinda O'Toole for more information?" It's a curious use of phrasing, and I would never direct someone to contact Eva Mead if they had any questions - I would ask them to contact me. This referential faux pas is a direct hit to their ethos and one they would do well to correct if they want to make their phishing tactics even more successful. It's certainly something to remember when creating defensive materials - these are the language markers to be on the lookout for.
Overall, these emails fit well with the style and form they were going for, and, unsurprisingly, they are an incredibly successful method of transmission. The Department of Homeland Security has deemed Emotet one of the "most costly and destructive malware," responsible for an average of $1,000,000 USD of cleanup per incident. Emotet is very dangerous to an individual or organization, as it gains access to all stored credentials on a machine, even those you have saved in your browser. It can also access emails on an infected device, opening the victim up to even more trouble. Emotet is a banking trojan, a program that looks like a legitimate file until installed (hence the name). It captures passwords, keystrokes, and any other type of data, and tends to redirect information about banking and financials to an external server. It can also update itself, making fighting this malware even more difficult. It's been so successful that it accounted for 57% of all banking trojan activity in the first quarter of 2018! These examples also follow the most common phishing lure: an invoice or payment accounts for 15.9% of all malware transmitted, with a scanned document coming in at 11.9%. It is imperative to understand how the transmission vectors - the phishing emails - operate to help protect potential victims.
Lokibot is another trojan transmitted much like the Emotet malspam examples above. Its emails are disguised as personal communications, with a general request to view a document. Lokibot is an old-school contender but is making headlines again due to newer obfuscated versions of the program. Steganography is even being used in a recent variant, hiding the code needed to unpack the program inside an image. These advanced transmission methods make it hard to detect, which makes understanding the email as a vector even more important.
These emails are sent for various "reasons," mainly consisting of requests for quotations, purchase orders, or to look over the attached files. The author presents themselves as someone who already has a working relationship with the client or is looking to gain business with them. The Lokibot phishing emails establish ethos using company logos and official titles, following the general conventions of business communications. In that regard, authority is displayed by company logos, corporate jargon, and titles that would befit someone contacting an organization for those specific requests, such as "Global Sourcing Specialist."
The intent is apparent with the author directing the victim to view an attachment or send information back in response to an attached document. Generally, the real intention of the email is masked through the use of industry-specific terms or somewhat formal requests for product information. Still, many of these fail to do this properly. For instance, one example states: "Please findattachedproforma for your acknowledgement and kindly send thefinal PI in order to proceed with the request foradvance payment."
This statement is riddled with typos and is even addressed to "Dearsir/madam," both of which are a dead giveaway that someone appearing to conduct sales is not who they seem to be. But these emails are hoping that the poor grammar is read as a language barrier, as many of these emails appear to originate from outside the potential victim's country. Other attempts to mask that it's a phishing email include statements such as "thank you very much for your time during the Fair," implying a previous interaction with the individual.
The audience of these emails appears to be people in charge of making purchasing or work contracts. Frequently, you see the use of the PI abbreviation, which generally means "purchase invoice." In the context of these emails, I assume that's what the author intended when requesting a PI from a potential victim. The use of "in" language in these emails implies that the victim and phisher have a shared sense of identity - they are both business people conducting business with the hope that both will profit from the venture. While the emails don't explicitly state that they are addressing another audience, one could infer they would be forwarded to an appropriate person if needed.
The rhetorical appeals in these emails tend to be ethos and logos. There are generally no emotional appeals in business communications unless it is a proposal (but even then, not often). Ethos is present primarily in how the authors present themselves and the company they're "representing." Some go quite far and have an entire footer in the email talking about their company. Some have copyright notices, while others mention "going green" by not printing the email. These are not uncommon, and I've observed similar email footers from legitimate senders. It's a great way to make it seem like the email is from a "real" person instead of a phishing scam. Logos appears as contact information for the "real" person, including phone numbers, addresses, and websites. Also, the use of specific invoice numbers and product SKUs is a fantastic example of the phisher using logos to make it seem like what is communicated is truthful, and not an attempt to deposit a virus payload onto someone's computer.
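The language markers called out in the Emotet and Lokibot sections above (a password delivered in the same email as the attachment, a sender who refers to themself by full name instead of "contact me", a borrowed display name whose address does not match, run-together typos such as "findattachedproforma" and "Dearsir", generic salutations, and invoice/payment/quotation pretext vocabulary) can be turned into a simple triage check. The script below is an added example written for this page, not code from the corpus or from any tool it cites; the sample messages, the lexicon used to spot glued-together words, and the `KNOWN_SENDERS` allow-list (with placeholder addresses) are all constructed here.

```python
import re
from email.utils import parseaddr

# Lure vocabulary drawn from the invoice / payment / quotation pretexts discussed above.
LURE_TERMS = ("invoice", "payment", "remittance", "quotation", "purchase order",
              "proforma", "advance payment")

# Small lexicon used only to recognise run-together words such as
# "findattachedproforma" or "Dearsir"; extend it for your own mail stream.
LEXICON = {"dear", "sir", "madam", "please", "find", "attached", "proforma", "the",
           "final", "for", "advance", "payment", "invoice", "kindly", "send",
           "order", "request", "quotation", "purchase", "remittance", "advice"}

# Hypothetical allow-list of people whose names a phisher might borrow as a
# display name; the address is a constructed placeholder, not a real one.
KNOWN_SENDERS = {"steve wolfram": "s.wolfram@wolfram-example.test"}


def segment(token, lexicon=LEXICON):
    """Split token into two or more lexicon words (dynamic programming); None if impossible."""
    best = [None] * (len(token) + 1)
    best[0] = []
    for end in range(1, len(token) + 1):
        for start in range(end):
            if best[start] is not None and token[start:end] in lexicon:
                best[end] = best[start] + [token[start:end]]
                break
    parts = best[len(token)]
    return parts if parts and len(parts) >= 2 else None


def run_together_words(body):
    """Tokens that only make sense as several lexicon words glued together."""
    return [tok for tok in re.findall(r"[A-Za-z]+", body) if segment(tok.lower())]


def analyze(msg):
    """Return a dict of marker name -> evidence (False or empty when absent)."""
    name, addr = parseaddr(msg["from"])
    lowered = msg["body"].lower()
    markers = {}
    # Attachment password delivered in the same message as the attachment.
    markers["password_in_body"] = bool(re.search(r"password\s*(?:is|:)\s*\S+", lowered))
    # Sender refers to themself by full name instead of "contact me".
    markers["third_person_self_reference"] = bool(name) and bool(
        re.search(r"contact\s+" + re.escape(name.lower()), lowered))
    # Borrowed display name whose address does not match the person it names.
    expected = KNOWN_SENDERS.get(name.lower())
    markers["display_name_mismatch"] = expected is not None and addr.lower() != expected
    # Missing-space typos ("Dearsir", "findattachedproforma").
    markers["run_together_words"] = run_together_words(msg["body"])
    # Generic salutation aimed at anyone.
    markers["generic_salutation"] = bool(re.search(r"\bdear\s*(?:sir|madam|customer)\b", lowered))
    # Invoice / payment / quotation pretext vocabulary.
    markers["lure_terms"] = [t for t in LURE_TERMS if t in lowered]
    return markers


def triggered(msg):
    """Sorted names of the markers present in msg."""
    return sorted(k for k, v in analyze(msg).items() if v)


def score(msg):
    """Number of distinct markers present; 0 is clean, 3 or more deserves a human look."""
    return len(triggered(msg))


# Constructed sample messages (not from the corpus) illustrating the markers.
SAMPLES = {
    "remittance": {
        "from": "Melinda O'Toole <accounts@supplier-example.test>",
        "body": "Please find attached remittance advice for our recent payment to you.\n"
                "The document is protected; the password is Inv2019.\n"
                "If you have questions on this please contact Melinda O'Toole for more information.",
    },
    "wolfram": {
        "from": "Steve Wolfram <billing@unrelated-example.test>",
        "body": "Please open the attached document and confirm the payment.",
    },
    "lokibot": {
        "from": "Global Sourcing Specialist <sourcing@trade-example.test>",
        "body": "Dearsir/madam,\nPlease findattachedproforma for your acknowledgement and kindly "
                "send thefinal PI in order to proceed with the request foradvance payment.",
    },
    "benign": {
        "from": "Pat Lee <pat.lee@corp-example.test>",
        "body": "Hi team, the slides from today's meeting are on the shared drive. "
                "Let me know if anything is unclear.",
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:10s} score={score(msg)} markers={triggered(msg)}")
```

Each marker is deliberately weak on its own (legitimate mail does mention invoices), which is why the output is a count of independent signals rather than a verdict; in practice the lexicon and allow-list would be populated from your own organisation's correspondents and the threshold tuned on real traffic.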
The Hancitor emails operated much like a clonephishing email, mimicking notices from corporations like DocuSign and HelloFax. For brevity's sake, please see the detailed analysis of clonephishing regarding how these emails operate rhetorically. I have found no difference, aside from the phisher's end goal. As opposed to phishing campaigns that look to obtain credentials from a user entering them outright, Hancitor acts as a gateway to do that without having the user enter anything. Classified as macro-based malware, Hancitor operates by installing banking trojans from remote servers as its primary payload. Remember, banking trojans compromise computers by accessing saved credentials and targeting financial information, and delivering these payloads through a macro is a pretty ingenious way to run undetected.
Hancitor malware is often transmitted through a downloadable file behind a link that has the victim's email address encoded into it. In the past, Hancitor was inserted as a macro in a Word document, but improved email virus and spam filters tend to catch these. This increase in detectability has made Hancitor distribution evolve, and now files are generally hosted on independent servers, either manufactured and mimicked or legitimate and compromised. Sometimes, the email address is added to a database of phished victims, presumably to better understand which systems are (or aren't) scanning for malware. The DocuSign and HelloFax examples provided in the corpus exemplify that. For further reading, check out this excellent technical post from Palo Alto Networks' Unit 42, which discusses Hancitor's new transmission methods.
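A link that carries the recipient's own address is a useful thing for a mail gateway or an analyst to spot, since it marks the message as a per-victim tracking lure rather than a generic notification. The script below is an added example written for this page, not Hancitor's actual link format and not code from Unit 42's post: it assumes the address is base64- or base64url-encoded somewhere in the URL's path, query or fragment (the page does not state the encoding, so that is an assumption), decodes every candidate segment, and reports links whose hidden address matches the `To:` recipient. The sample lure body, hostnames and recipient address are constructed.

```python
import base64
import re
from urllib.parse import urlparse, unquote

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def decode_address(segment):
    """Base64/base64url-decode one URL segment; return the e-mail address it hides, else None."""
    segment = unquote(segment)
    if len(segment) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", segment):
        return None
    padded = segment + "=" * (-len(segment) % 4)  # tolerate stripped padding
    try:
        # urlsafe_b64decode accepts both the standard and the URL-safe alphabet.
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def embedded_addresses(url):
    """Every e-mail address found base64-encoded in the path, query or fragment of url."""
    p = urlparse(url)
    candidates = [seg for seg in p.path.split("/") if seg]
    # Split the query by hand: parse_qsl would turn a base64 '+' into a space.
    for pair in p.query.split("&"):
        candidates.append(pair.split("=", 1)[1] if "=" in pair else pair)
    if p.fragment:
        candidates.append(p.fragment)
    found = []
    for candidate in candidates:
        addr = decode_address(candidate)
        if addr and addr not in found:
            found.append(addr)
    return found


def personalised_links(body, recipient):
    """URLs in body that carry the recipient's own address, i.e. per-victim tracking links."""
    return [url for url in URL_RE.findall(body)
            if any(a.lower() == recipient.lower() for a in embedded_addresses(url))]


# Constructed sample: a fake document-notification lure addressed to RECIPIENT.
RECIPIENT = "j.doe@victim-example.test"
_TOKEN = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_URL = "http://docs-example.test/download.php?id=" + _TOKEN
OTHER_URL = ("http://docs-example.test/download.php?id="
             + base64.urlsafe_b64encode(b"someone.else@other-example.test").decode().rstrip("="))
SAMPLE_BODY = ("You have a new document to review.\n"
               "View document: " + SAMPLE_URL + "\n"
               "Help: http://docs-example.test/help\n")

if __name__ == "__main__":
    for url in URL_RE.findall(SAMPLE_BODY):
        print(url, "->", embedded_addresses(url))
    print("personalised:", personalised_links(SAMPLE_BODY, RECIPIENT))
```

Because the decoded text must also look like an address, random-looking path tokens and ordinary file names fall through without a hit; a match on the recipient is the interesting signal, while a match on some other address still tells you the link is tracking someone and is worth a second look.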
Overall, I would say that the malspam emails have appeared to be the second most effective so far, next to clonephishing. What makes these types of emails work so well is that they not only prey on busy, overworked employees but do so in a way that isn't at all unusual for business communications. By requesting a quote on products or offering an invoice, they create a situation that would usually exist but doesn't - mimicking a standard, everyday routine. Realistically, no one is on guard 100% of the time, which is why it's so important to understand what makes these work language-wise in order to prevent future attacks.
Please continue on to the personal solicitation email analysis.