The Anti-virus Times

Tuesday, July 24, 2018

Many targeted attacks start with emails that have malware attached to them. All in all, spam mailings remain one of the most effective and inexpensive ways to spread Trojans.

Is there a way to make users lower their guard and launch an attached file? Sure. Disguise an executable Trojan file as something else—a document, an image or a self-extracting archive—and provide a potential victim with a convincing reason to take a better look at the attachment.

If a message like this appears in your personal mailbox, you probably won't pay much attention to it. And that's hardly surprising since such mailings target corporate employees, specifically accountants and other finance department staff who process tons of messages containing payment information every day.

Accountants' computers are a tempting morsel for attackers: these computers often run remote banking software which can be hijacked by attackers to funnel corporate funds into their accounts. Criminals can also encrypt a payroll database and paralyse a company's business routines, leaving its employees without their pay checks.

But let's get back to our bogus email. You have probably noticed that the message has been sent via a popular free email service. This offers us two possibilities:

1. the attackers registered an account to send out spam;
2. devious hackers compromised someone else's account and are using it to send bogus emails with a Trojan attached.

Neither of these assumptions factors in one detail. A targeted mailing (and this message obviously doesn’t target any specific group of people and was sent at random) involves zillions of similar messages being sent to various addresses.

Commencing a mailing campaign of this kind over a public email service will immediately arouse suspicion, and the account will be blocked for spamming.

But there is a way to get around that, and attackers frequently take advantage of it. They just need access to a small company’s mail server. Hacking into someone else's server sounds difficult? Not a problem; visit an underground forum, and purchase a login and password for a server that someone has already compromised. Or obtain the credentials of an employee who has access to company email.

Of course, there exist dozens of other tricks, including a rented botnet (which may incorporate infected servers), but we'll speak about those in detail in upcoming issues. Now, let's take a closer look at our email. Let's view the header information—sometimes it yields valuable clues.

The sender address in the "envelope-from" field matches the address in the “From” field you see in your email application. However, other meta data raises a number of questions. The server address from which the email was sent ("client-IP" and "helo" fields) doesn't belong to the company that owns the list.ru domain name. Rather, it is associated with a small server belonging to a Russian company we didn't know existed until the message arrived.

For comparison: Here is header information from a message that has actually been sent from a mail.ru server:

That means that the message was dispatched from a compromised server with a forged sender address. What does this accomplish? First, it can prevent spam filters from rating the message as spam, but similar tricks are also often used to deceive recipients.

#mail #spam #botnet #hacking