LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 25
Details
EventID: 25
Event Time: Oct. 29, 2020, 6:40 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address 157.230.109.166
Source Address aaronluo@cmail.carleton.ca
Destination Address mark@letsdefend.io
E-mail Subject UPS Your Packages Status Has Changed
Device Action Blocked
Email
UPS Your Packages Status Has Changed
From: aaronluo@cmail.carleton.ca Oct. 29, 2020, 6:40 p.m.
To: mark@letsdefend.io Oct. 29, 2020, 6:40 p.m.

The status of your package has changed.
Exception Reason: A transportation accident has delayed delivery.
Exception Resolution: We've missed the scheduled transfer time. This may cause a delay.
Please see attachment.

Attachments
5a3de19f198269947bb509152678b7d2.zip
Source 157.230.109.166
Check the source IP.
VirusTotal 8/90: https://www.virustotal.com/gui/ip-address/157.230.109.166
AbuseIPDB: https://www.abuseipdb.com/check/157.230.109.166
ip-sc: https://ip-sc.net/ja/r/157.230.109.166
The IP belongs to DigitalOcean and appears to be used for a variety of attacks.
VirusTotal has only a few detections, but it is rare to see AbuseIPDB this deep in the red.
playbook
Are there attachments or URLs in the email?
Attachments
5a3de19f198269947bb509152678b7d2.zip
Answer:Yes
Analyze Url/Attachment
Attachments 5a3de19f198269947bb509152678b7d2
The attachment:

```
$ md5sum 0c55dae4a75373696f7af6d0a7db5092fbe4f15c3c92d8dc9433949837b5db92.docx
5a3de19f198269947bb509152678b7d2  0c55dae4a75373696f7af6d0a7db5092fbe4f15c3c92d8dc9433949837b5db92.docx
$ olevba -a 0c55dae4a75373696f7af6d0a7db5092fbe4f15c3c92d8dc9433949837b5db92.docx
(snip)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|Suspicious|Create              |May execute file or a system command through |
|          |                    |WMI                                          |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|showwindow          |May hide the application                     |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+
(snip)
```
The VBA in the .docx is omitted here, but it resembles the VBA of the document handled in LetsDefend level 1 alert SOC109 - Emotet Malware Detected event-id 39 - 4ensiX. In other words, this is probably Emotet.
VirusTotal 37/57: https://www.virustotal.com/gui/file/0c55dae4a75373696f7af6d0a7db5092fbe4f15c3c92d8dc9433949837b5db92
ANYRUN: https://app.any.run/tasks/d1e97947-9b4c-4472-9711-3487035abb31/
VirusTotal does not label it as Emotet, but looking into the related URLs leads to reports about Emotet.
ANYRUN also tags it as Emotet. There is no doubt that this is an Emotet document and Malicious.
Answer:Malicious
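To make the triage decision above reproducible, here is an added example (not part of the original write-up) that parses the `olevba -a` table quoted earlier and applies a simple verdict heuristic: an auto-run trigger combined with an execution-capable keyword and string obfuscation is treated as Malicious. The table text is reproduced as a constructed sample so it runs offline, and `EXEC_KEYWORDS` is a hypothetical list chosen for this illustration.

```python
# Constructed sample: the `olevba -a` table quoted in this write-up, embedded so the parser runs offline.
OLEVBA_OUTPUT = """\
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|Suspicious|Create              |May execute file or a system command through |
|          |                    |WMI                                          |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|showwindow          |May hide the application                     |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+
"""
# Hypothetical keyword list: olevba hits that mean the macro can run or hide something.
EXEC_KEYWORDS = {"create", "createobject", "shell", "showwindow"}

def parse_olevba_table(text):
    """Return (type, keyword, description) tuples; rows with empty Type/Keyword continue the previous description."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip +---+ border lines and any non-table text
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 3 or cells[0] == "Type":
            continue  # malformed line or the header row
        typ, keyword, desc = cells
        if typ == "" and keyword == "" and rows:
            rows[-1] = rows[-1][:2] + (rows[-1][2] + " " + desc,)
        else:
            rows.append((typ, keyword, desc))
    return rows

def triage(rows):
    """Heuristic: AutoExec + execution keyword + obfuscated strings -> Malicious; any signal -> Suspicious; else Clean."""
    autoexec = [kw for typ, kw, _ in rows if typ == "AutoExec"]
    suspicious = [kw for typ, kw, _ in rows if typ == "Suspicious"]
    execution = [kw for kw in suspicious if kw.lower() in EXEC_KEYWORDS]
    obfuscation = [kw for kw in suspicious if kw.endswith("Strings")]
    if autoexec and execution and obfuscation:
        verdict = "Malicious"
    else:
        verdict = "Suspicious" if (autoexec or suspicious) else "Clean"
    return {"verdict": verdict, "autoexec": autoexec, "execution": execution, "obfuscation": obfuscation}
```

The heuristic only ranks the static indicators; sandbox and VirusTotal confirmation, as done above, still decides the final call.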
Check If Mail Delivered to User?
Device Action Blocked
Answer:Not Delivered
Add Artifacts
| Value | Type | Comment |
|---|---|---|
| aaronluo@cmail.carleton.ca | E-mail Sender | |
| cmail.carleton.ca | E-mail Domain | 157.230.109.166 - VT 8/90 |
| 5a3de19f198269947bb509152678b7d2 | MD5 Hash | emotet document |
End
Speaking of UPS, recently (well, three weeks ago now) there was this:
Researchers discover critical vulnerabilities in APC Smart-UPS devices | TechSpot
TLStorm: Three critical vulnerabilities discovered in APC Smart-UPS devices can allow attackers to remotely manipulate the power of millions of enterprise devices.
So the topic of UPS vulnerabilities came up. It is not just that the status can be viewed over the network; there is also a function to change the status?
I am not very familiar with UPS devices, but I would think being able to check the status alone would be enough.