Over two months ago, we wrote about phishing emails that contained zip files containing html downloaders to versions of CryptoWall. Fast forward to now, and we’re still seeing the same phishing story, but different attachments. Here’s a screenshot:

E Figure 1

Figure 1. Phishing Email

Here’s a previous example:

E Figure 2

Figure 2. Phishing email

…And yet another.

E Figure 3

Figure 3. Phishing email

While many of these files are coming through as .doc files, by looking at their magic bytes they are actually the docx format. This can be seen by the presence of “PK” as the magic bytes.

E Figure 4

Figure 4. PK magic bytes for docx file

Once opened, we’re presented with the same “secure document” to enable the macro that we’re all too familiar with.

E Figure 5

Figure 5. More macros!

Many times, analysts will write rules and signatures on the attachments and call it a day. This is good (and with Yara rules, defense in depth!) but let’s take a different approach here.

For the attacker, they are bad storytellers. For any of us in the industry, if we had a quarter for each time we saw a fax themed phishing attempt or a fake IT email…we would all be rich. This is what we’re going to be exploiting for the attackers, and attempt to reverse engineer the language they are using for the email.

If you look back at figures 1, 2, and 3, there are three key pieces to this story, a greeting, a reference to the file, and a request for feedback. For the greeting, while “hello my name is” and “hi my name is” are each different, we can pinpoint to “my name is” in these examples. Likewise, the attacker refers to the PDF or resume being attached, and the wording is also similar. The same goes for the request back for response! With enough emails, you’re able to start building out what the “random” pieces of information should be.

E Figure 6

Figure 6. Building out the story, Yara rule editor in Triage

And by looking at these three key areas, we can create a Yara rule that will trip if one of the conditions of a greeting is met, as well as one reference to the file / resume and reference to a request for information. While we could do something like this in regex, Yara gives us even more power and flexibility to do creative things. Plus it supports regex!

E Figure 7

Figure 7. Identification of Cryptowall and docx macro, even before opening the malware

In figure 7, we have a screenshot from within Triage where Yara rules were created for different aspects of a phishing email. Here, you can see that our Yara rule for Cryptowall phish tripped (based off of the story of a resume phish) as well as a Yara rule which looks for a macro inside of a .docx file. (Which is normally rare, but becoming more of a norm) So even before opening the email, throwing the attachment into a sandbox, running a non-attributed connection, detonating the sample, and waiting for stage 2-X to be downloaded…we have a good idea of what family of malware we’re dealing with. By taking a different look at the attackers and trying to attack further up the kill chain, we’re able to hinder the attacker.

For Triage customers, these rules are already pushed out and picking up this badness. For everyone else, you can download a copy of the Yara signatures here.