Perched | Security Education, Consulting, and Support
Perched Blog

Business Email Compromise - A Brief Analysis - Artifact Collection (2/3)

Introduction

This is the second of a three part series on a Business Email Compromise campaign that we recently observed.

  1. Part 1: Preparation

  2. Part 2: Artifact Collection

  3. Part 3: Artifact Analysis - Coming Soon

Recap

Last week, we published the first in a three-part series on a BEC email that we received. We decided that instead of just marking it as spam, we could use it as an opportunity to make sure our analysis skills were still on point.

You can check out Part 1 above or continue on to the collection process for the email artifacts.

Artifact Collection

Finally, let’s make some magic!

Now that we have the .eml file, made an analysis copy, and checked to make sure we didn’t hose something up in the Preparation phase, let’s take a look at it and see what we can see.

Note: There a lot of great analysis tools out there, but I believe that to understand what you’re looking at, doing things the hard way using native tools is best. Once you’ve got the fundamentals down, then you can speed up your analysis with a more automated approach.

Now, let’s make sure we got what we think we did: check the file type to confirm we have everything we need for analysis. To do that, let’s use the file command, which is native on Linux and macOS systems.

file spam.eml.working
spam.eml.working: SMTP mail text, ASCII text, with CRLF line terminators

Great, we have an email file (SMTP mail text) with all of the headers. Let’s take a peek inside using the less command (you can use more if you’re more comfortable with that). Press q to exit.

less spam.eml.working
Delivered-To: [removed]@perched.io
Received: by 2002:a17:90a:2669:0:0:0:0 with SMTP id l96csp1946407pje;
        Fri, 29 Mar 2019 06:36:10 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxE76VQRlNhB562l9ESWcXNhHYFRlFSH1ZEqCiVyGf/0BfSPQOmrB8jVMNOqLHEjFNx25pH
X-Received: by 2002:a62:6490:: with SMTP id y138mr33870321pfb.230.1553866570201;
        Fri, 29 Mar 2019 06:36:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553866570; cv=none;
        d=google.com; s=arc-20160816;
...

As we can see, there’s a bunch of great header data in there. You can move up and down using the arrow keys, Enter for 1 line at a time, or Space for page-by-page. This isn’t an email header analysis post, so we’ll just focus on the big bits.

Let’s see what the actual email address is.

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@naver.com header.s=s20171208 header.b=DH1HtAAd;
       spf=pass (google.com: domain of l1l100011@naver.com designates 125.209.224.239 as permitted sender) smtp.mailfrom=l1l100011@naver.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=naver.com
Return-Path: <l1l100011@naver.com>

Hm, l1l100011@naver.com (it’s hard to tell, but that is a mix of lowercase L’s and 1’s, not all 1’s). That seems like an odd email address for a person. Let’s see what our friend Google has to say about this address.

Note: Google has its pros and cons, and other search engines, like Yandex and Baidu, take a different view of the “do not index” requests of some sites. There’s a lot more to say on OSINT research, but I wanted to call out that this is in no way a complete OSINT search, just an example.

Well, that’s curious. Most email addresses exist somewhere out there. Okay, moving on. What’s naver.com?

Naver (Hangul: 네이버) is a South Korean online platform operated by Naver Corporation. It debuted in 1999 as the first web portal in Korea to develop and use its own search engine. It was also the world's first operator to introduce the comprehensive search feature, which compiles search results from various categories and presents them in a single page. Naver has since added a multitude of new services ranging from basic features such as e-mail and news to the world's first online Q&A platform Knowledge iN.

Source: Wikipedia

Okay, so they’re the Google of South Korea. It’s odd that someone from South Korea would email me, and even odder that they’d use an email address whose Display Name is that of the CTO of a company with a name similar to ours (as we discussed in Part 1).

In either case, Naver appears to be fairly anonymous; let’s keep going and see what Mr. l1l100011 wanted to chat about.
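The header triage above (Return-Path, the ARC-Authentication-Results verdicts, and the mismatch between a real person’s Display Name and a random webmail account) can be scripted with nothing but the Python standard library. The following is an added example, not code from the post or from Perched. The header block it parses is constructed: the address, sender IP and spf/dkim/dmarc results are the ones shown above, while the display name and recipient are placeholders. Note that all three authentication checks pass, because the mail genuinely came from naver.com; what the script flags is the identity, not the transport.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample headers (not the post's full header block). Address, IP and
# authentication verdicts are the ones shown in the post; the display name and
# the recipient are placeholders.
SAMPLE_HEADERS = """\
Delivered-To: analyst@example.test
Return-Path: <l1l100011@naver.com>
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@naver.com header.s=s20171208 header.b=DH1HtAAd;
       spf=pass (google.com: domain of l1l100011@naver.com designates 125.209.224.239 as permitted sender) smtp.mailfrom=l1l100011@naver.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=naver.com
From: "Placeholder CTO Name" <l1l100011@naver.com>
Subject: Request

(body omitted)
"""

MECHANISMS = ("spf", "dkim", "dmarc")
CONFUSABLE = set("l1I0oO")   # characters that are easy to misread for one another


def parse_auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts and the identities they were evaluated
    against out of (ARC-)Authentication-Results; the first occurrence wins."""
    values = []
    for name in ("Authentication-Results", "ARC-Authentication-Results"):
        values.extend(str(v) for v in msg.get_all(name, []))
    flat = " ".join(" ".join(values).split())      # unfold and squeeze whitespace
    found = {}
    for mech in MECHANISMS:
        m = re.search(rf"\b{mech}=(\w+)", flat)
        if m:
            found[mech] = m.group(1).lower()
    for key, value in re.findall(r"(smtp\.mailfrom|header\.from|header\.i)=([^;\s]+)", flat):
        found.setdefault(key, value.lower())
    return found


def display_name_mismatch(display, addr):
    """True when no word (3+ letters) of the display name appears in the mailbox
    local part, e.g. an executive's name on an anonymous webmail account."""
    local = addr.partition("@")[0].lower()
    words = [w for w in re.split(r"[^a-z]+", display.lower()) if len(w) >= 3]
    return bool(words) and not any(w in local for w in words)


def local_part_is_confusable(addr):
    """True when the local part is built only from look-alike characters (l/1/I/0/o/O)."""
    local = addr.partition("@")[0]
    return bool(local) and set(local) <= CONFUSABLE


def triage_sender(raw):
    """Return the sender identities, the authentication verdicts and a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    auth = parse_auth_results(msg)
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []
    for mech in MECHANISMS:
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'absent')})")
    if return_path and return_path.lower() != from_addr.lower():
        findings.append(f"Return-Path {return_path} differs from From {from_addr}")
    if auth.get("header.from") and auth["header.from"] != from_domain:
        findings.append(f"DMARC evaluated {auth['header.from']} but From domain is {from_domain}")
    if display_name_mismatch(display, from_addr):
        findings.append(f'display name "{display}" does not match mailbox {from_addr}')
    if local_part_is_confusable(from_addr):
        findings.append(f"local part {from_addr.partition('@')[0]!r} is made only of look-alike characters")
    return {"display_name": display, "from": from_addr, "return_path": return_path,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    result = triage_sender(SAMPLE_HEADERS)
    print(result["auth"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Run it against any exported .eml (read the file into triage_sender) to get the same summary; the two identity checks are heuristics and will need tuning for mailboxes that legitimately use initials or numbers.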

Further down the email, again using less, we see the Base64 encoded Content-Type: text/plain message. This is very common; I think I’d be a bit surprised to see an email that is not Base64 encoded nowadays.

-------Boundary-WM=_7f0b3abf4700.1553866567501
Content-Type: text/plain;
        charset="utf-8"
Content-Transfer-Encoding: base64
...ZXBseS4gCSmFyZWQKlbnQgZnJvbSBtb2JpbGUuIFBsZWFzZSBleGN1c2UgbXkgQnJldml0eQo=

Note: I’m truncating the Base64 encoded strings to prevent those who are following along at home from just repeating these steps in the blog and finding out who the targeted CTO is at the other company. You can use any exported email to accomplish these tasks.

As I mentioned above, there are lots of different ways to skin a cat here, and I usually use a plugin for Atom to decode Base64 for me, but let’s see if we can just do this without any special tools.

Copy the Base64 encoded string and then use the base64 tool to decode it for you.

echo ...ZXBseS4gCSmFyZWQKlbnQgZnJvbSBtb2JpbGUuIFBsZWFzZSBleGN1c2UgbXkgQnJldml0eQo= | base64 --decode

And we see the decoded string dumped to STDOUT (I added the [Removed] to protect the innocent).

I have a request for you today. Are you available right now? I am in a meeting and can not talk but will look for your reply.

[Removed]

Sent from mobile. Please excuse my Brevity

As I mentioned above, now that we can see the content of the email, it certainly sounds like a phish and, in my experience, possibly a BEC. But let’s not stop there: we talked about downloading emails without opening them, so let’s dig a bit deeper and find out why.

If we keep looking down the email, we see a Base64 encoded Content-Type: text/html message. Now, here’s where things could get interesting.

-------Boundary-WM=_7f0b3abf4700.1553866567501
Content-Type: text/html;
        charset="utf-8"
Content-Transfer-Encoding: base64
...
b3VyIHJlcGx5Ljwvc3Bhbj4mbmJzcDs8L3A+PGJyPjxicj5KYXJlZDxicj48YnI+U2VudCBmcm9t
IG1vYmlsZS4gUGxlYXNlIGV4Y3VzZSBteSBCcmV2aXR5PC9kaXY+PC9ib2R5PjwvaHRtbD48dGFi
bGUgc3R5bGU9J2Rpc3BsYXk6bm9uZSc+PHRyPjx0ZD48aW1nIHNyYz0iaHR0cHM6Ly9tYWlsLm5h
dmVyLmNvbS9yZWFkUmVjZWlwdC9ub3RpZnkvP2ltZz0xWEttS0FKbks2d1Nwb21zS3h1bUZBRXFN
NnVYTXhnWEZBTWRLNEVsRnFwNGF6RWRLekpvYXpVJTJGYXhFZHR6RlhwNlVtS3hLNVc0ZDVXNHBa
TUxsR1dxJTJGc002bHZiNGtYdEhJMGI0RmNwNnQ1MTZZJTNELmdpZiIgYm9yZGVyPSIwIi8+PC90
ZD48L3RyPjwvdGFibGU+

So let’s use the same process as above to decode this and see what we’re looking at.

<html><head><style>p{margin-top:0px;margin-bottom:0px;}</style></head><body><div style="font-size:10pt; font-family:Gulim, sans-serif;"><p><span style="font-size: 10pt;">I have a request for you today. Are you available right now? I am in a meeting and can not talk but will look for your reply.</span>&nbsp;</p><br><br>[Removed]<br><br>Sent from mobile. Please excuse my Brevity</div></body></html><table style='display:none'><tr><td><img src="https://mail.naver.com/readReceipt/notify/?img=...oazU%2FaxEdtzFXp6UmKxK5W4d5W4pZMLlGWq%2FsM6lvb4kXtHI0b4Fcp6t516Y%3D.gif" border="0"/></td></tr></table>

Mildly interesting: we can see font-family:Gulim, which is a Unicode font designed especially for the Korean-language script. Font families aren’t smoking guns anymore, but it’s one more oddity, in that the Display Name is an American name, yet the message comes from a South Korean service provider and uses a Korean language pack.

Okay, so basically the same thing with some HTML formatting. Nothing too inter…es…ting… what have we here? An image? I wonder if that’s just a logo or something, or anything a bit neater?

In reading through it, the …/readReceipt/notify/?… looks like a tracking image. So, had I opened the email, it would have loaded that image and Mr. l1l100011 would know that the email made it to an actual mailbox and was opened.

Based on the %3D at the end of the .gif file name, I can see that this is a URL-encoded string and, using the awesome CyberChef utility by our friends over at GCHQ, I can decode it and see that it’s actually a Base64 encoded string.

Encoded:
...oazU%2FaxEdtzFXp6UmKxK5W4d5W4pZMLlGWq%2FsM6lvb4kXtHI0b4Fcp6t516Y%3D
Decoded:
...zEdKzJoazU/axEdtzFXp6UmKxK5W4d5W4pZMLlGWq/sM6lvb4kXtHI0b4Fcp6t516Y=

I did some poking around with that Base64 encoded string and I couldn’t really get it into anything of value. Maybe it’s something, maybe it means something on the far side, but I couldn’t turn this string into the gif.
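The body work in this post (undoing the Base64 Content-Transfer-Encoding on the text/plain and text/html parts, spotting the image hidden in a display:none table, then URL-decoding the query value and trying it as Base64) is the kind of thing worth scripting once so it runs the same way on every exported .eml. The following is an added example, not code from the post or from Perched. It builds its own constructed multipart/alternative sample: the bodies mirror the decoded text shown above, the tracking host and path are the ones the post shows, but the token in the query string is made up here (so, unlike the real one, it decodes to something readable), and the display name is a placeholder. It also goes slightly beyond the post by treating 1x1 images as beacons even when nothing hides them.

```python
import base64
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# --- Constructed sample (not the message from the post) ----------------------
PLAIN = ("I have a request for you today. Are you available right now? "
         "I am in a meeting and can not talk but will look for your reply.\n\n"
         "[Removed]\n\nSent from mobile. Please excuse my Brevity\n")
# A made-up token, Base64 then percent-encoded so it carries %2F/%3D like the post's.
TOKEN = quote(base64.b64encode(b"constructed-token").decode(), safe="")
HTML = ('<html><head><style>p{margin-top:0px;margin-bottom:0px;}</style></head><body>'
        '<div style="font-size:10pt; font-family:Gulim, sans-serif;">'
        '<p><span style="font-size: 10pt;">I have a request for you today.</span>&nbsp;</p>'
        '<br><br>[Removed]<br><br>Sent from mobile. Please excuse my Brevity</div></body></html>'
        "<table style='display:none'><tr><td>"
        f'<img src="https://mail.naver.com/readReceipt/notify/?img={TOKEN}.gif" border="0"/>'
        '</td></tr></table>')


def build_sample_eml():
    """Assemble a multipart/alternative message with both parts Base64 encoded,
    the layout seen in the post. Display name is a placeholder."""
    msg = EmailMessage()
    msg["From"] = '"Placeholder Name" <l1l100011@naver.com>'
    msg["To"] = "analyst@example.test"
    msg["Subject"] = "Request"
    msg.set_content(PLAIN, cte="base64")
    msg.add_alternative(HTML, subtype="html", cte="base64")
    return msg.as_string()


# --- Step 1: walk the MIME tree and undo the Content-Transfer-Encoding --------
def decode_parts(raw):
    """Return [(content_type, decoded_text), ...] for every leaf part."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(p.get_content_type(), p.get_content())
            for p in msg.walk() if not p.is_multipart()]


# --- Step 2: find images the recipient is not meant to see --------------------
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}   # never pushed on the stack


class HiddenImageFinder(HTMLParser):
    """Collect <img src> values that sit inside a display:none container, are
    hidden themselves, or are 1x1 pixels (the classic read-receipt beacon)."""
    def __init__(self):
        super().__init__()
        self.stack = []      # one bool per open element: is it hidden?
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style
        if tag == "img":
            tiny = a.get("width") == "1" and a.get("height") == "1"
            if hidden or tiny or any(self.stack):
                self.images.append(a.get("src", ""))
        elif tag not in VOID_TAGS:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def find_hidden_images(html_text):
    finder = HiddenImageFinder()
    finder.feed(html_text)
    return finder.images


# --- Step 3: URL-decode the query value and try it as Base64 ------------------
def analyse_tracking_url(src):
    """parse_qs percent-decodes the value (%2F -> '/', %3D -> '='); the '.gif'
    suffix is cosmetic and the remainder is tried as Base64, as the post does."""
    parts = urlsplit(src)
    value = parse_qs(parts.query).get("img", [""])[0]
    token = value[:-4] if value.endswith(".gif") else value
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:
        decoded = None
    readable = None               # stays None for opaque bytes, like the post's token
    if decoded is not None:
        try:
            text = decoded.decode("utf-8")
            readable = text if text.isprintable() else None
        except UnicodeDecodeError:
            readable = None
    return {"host": parts.hostname, "path": parts.path, "token": token,
            "decoded": decoded, "readable": readable}


if __name__ == "__main__":
    for ctype, text in decode_parts(build_sample_eml()):
        print(f"== {ctype} ==\n{text}")
        if ctype == "text/html":
            for src in find_hidden_images(text):
                print("hidden image:", analyse_tracking_url(src))
```

For a real capture, replace build_sample_eml() with the contents of the .eml file. The "readable" field will usually be None for a genuine read-receipt token (an opaque identifier the mail provider maps to a message on its side), which is the result the post reached by hand.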

Please join us for the final post that will cover the analysis of these artifacts.