Malicious or spam emails are frequent but one of the best ways to get a system/host infected.
Recently I received an email from one of the Big 4 banks of Australia – Westpac.
Very first thing was I am not a customer so definitely it was a phishing scam.
Actual email is a bit unprofessional. The URL is ending with Bankingx. Email is coming from firstname.lastname@example.org.
Looking at the email headers the originating IP address is 184.108.40.206. Email headers also shows the email came from IP 220.127.116.11. Geo location of both IP address is Kenya.
Virustotal results : https://www.virustotal.com/en/ip-address/18.104.22.168/information/
IP Address does have few malicious URL’s detected previously.
Clicking on the URL in the email it re-directs to http://antoniahallcommunications.com/referrer/. The site is identified as Phishing attack by Google Chrome.
So disabled the phishing and Malware protection from the browser settings and access the site again. No signatures were triggered on Security Onion Snort. Received following response :
The site resolves to 22.214.171.124 – ehub36.webhostinghub.com – a free webhosting.
The site actually belongs to Antonia Hall a publicist.
Below are the IOC’s:
I did not find anything malicious besides this being a unsuccessful attempts for a user to click on a link. Also, the URL is not accessible anymore.
Received an email from UN@ – no email domain on the sender list and that’s why my email identified as spam.
Attachment was a doc file – ATM_CARD_1.doc – Checked various websites (malwr.com, virustotal, shodun) but no information about mentioned DOC file.
MD5 : 2134a6afb12a5a2bcdd77b09e43a8e29 – not reported.
Uploaded the file on virustotal but did not find any hits – https://www.virustotal.com/en/file/058767db41be4365c137dfd2ed857e86211c724a3037c561f7a9d0f994e6c829/analysis/1443706261/
xifTool Version Number : 8.60
File Name : ATM_CARD__1_.doc
Directory : .
File Size : 86 kB
File Modification Date/Time : 2015:10:01 13:01:39+00:00
File Permissions : rw-r—–
File Type : DOC
MIME Type : application/msword
Author : FullNameHere
Template : Normal
Last Modified By : SONY
Revision Number : 2
Software : Microsoft Office Word
Total Edit Time : 2.0 minutes
Last Printed : 2010:11:24 17:52:00
Create Date : 2015:09:28 02:38:00
Modify Date : 2015:09:28 02:38:00
Pages : 1
Words : 436
Characters : 2491
Security : None
Company : OrgHome
Lines : 20
Paragraphs : 5
Char Count With Spaces : 2922
App Version : 12.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts :
Heading Pairs : Title, 1
Code Page : Windows Latin 1 (Western European)
Hyperlinks : http://www.yahoo.com/_ylt=AkJ_84uMIDD6A0cgsAd.wbubvZx4;_ylu=X3oDMTNoamk4OG9oBGEDMTAwODE3IFNFRyBzaGluZSBpZGVudGl0eSB0aGVmdCB0BGNwb3MDMwRnA2lkLTM2MjMyBGludGwDdXMEcGtndgM4BHBvcwMxBHNlYwN0ZC1mZWF0BHNsawNpbWFnZQRzbHBvcwNGBHRlc3QDNzAx/SIG=13ip2d9rl/EXP=1282263418/**http%3A/shine.yahoo.com/event/financiallyfit/13-things-an-identity-thief-wont-tell-you-2299277/, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF
Comp Obj User Type Len : 39
Comp Obj User Type : Microsoft Office Word 97-2003 Document
Last modified by seems interesting as it says SONY. The attachment has no links for a user to click. However, it requests personal information and informing to pay 250 K Pounds.
Email within doc : email@example.com – personal email for UN 🙂
Email also had a number 0044-7010057597. Based on research the number is in london obviously but no information about a business. Likely a personal number.
No malware found – just a social engineering attempt.
Spam are targeting most vulnerable entity in cyber world – HUMANS.
Been using Security Onion for a while now. A very good OS for analysis and getting IDS alerts on the go without installing expensive hardware. But recently, due to some updates been facing some issue with regards to internet connections.
Not sure what the Network-Manager updates do but while installing Security Onion if you select “Install Updates while Downloading” for some reason network-manager shows attitude and internet connection just gets lost after setting up the management and monitoring interfaces.
Have searched lot on the forums and multiple ideas. This worked to get the internet start.
“sudo service network-manager restart” and also deleting interface details from /etc/network/interfaces
This does started internet but somehow monitoring on the interfaces doesn’t work.
Also, realised that the machine gets slower for some reason regardless of it being a VM or Security Onion as host operating system.
Than tried not to select the updates during installation and Lock the Version of Network-Manager from Synaptic Package Manager. Than updated the system and rebooted.
Internet was working. Checked Sguil and but no alerts for testmyids.com. tcpdump does shows traffic.
Did a reboot and wallah….all working properly. Can see alerts on Snorby and Sguil.