Before we begin

Before you start reading, please delete the email you have received. Do NOT click on the link.

If you have clicked on the link contact IT support to have your password changed.


Seems like people at our school really need basic computer security training. But that’s OK, because for now we get more emails to analyze!

Clever people may notice that the title now says phishing instead of malware. That’s right, and if you read through the entire post you’ll see why.

This time, I don’t need to beg for malicious emails from friends because I received a personal copy of the spam email! That’s pretty nice, but I guess the problem is now widespread since more people are receiving it. Not nice. More headache for our IT admins.

This is the email we received at 8:38 PM:

malicious-email

Come on, it’s so obvious! “This User uses Ad0be cloud” has multiple capitalization and spelling mistakes – nobody’s going to fall for that. They need better phishing artists.

Looking at the link, it’s obfuscated with the same stupid Office 365 ATP protection. That sucks, but we can see it linking to DuckDNS. What is DuckDNS?

Short rundown on DDNS

DuckDNS is a DDNS (dynamic DNS) service. Think of it as a DNS service, but for rapidly changing addresses. For example, when you type in google.com, it resolves to an IPv4 (or IPv6) address through DNS – that part we pretty much know from basic computer classes. But DDNS is special in that the TTL (time-to-live) is set to a very short interval. The TTL dictates how long your computer (or its resolver) may cache an answer before it has to ask the DNS server again. If the TTL is set to 2 minutes, for example, and 2 minutes pass between your first query and your second one, the second query makes your computer ask the DNS service again for the IP address.

OK, but why? Because the IP address changes very rapidly. Domains are easy to remember, but IP addresses are not. If your IP address keeps changing, that wouldn’t be any good, would it? And if you used a traditional DNS service, clients would keep a cached reference to your old IP address for longer because of the high TTL. This means that if your IP address changes, people cannot access your service (or malware distribution server, in this case) anymore. That’s bad for your bad business!

This would indicate that the malware authors are hosting the malware in a residential area, like your average home or apartment, because these IP addresses are dynamic and change very frequently. For DuckDNS, there is usually a daemon (client) that queries your public IP address every couple of minutes and updates the record on the DDNS server once the dynamic IP address shifts. This keeps the domain pointing to the new IP address so that you can stay in business. OK, back to the main topic!

Visiting the scam

At this point it would be a good idea (for me anyway) to visit the link to see what it is. But I’m afraid of drive-by attacks, so I need to open this website in an isolated VM. Again, DO NOT try this yourself without taking proper precautions. No, Chrome Incognito is not a valid strategy for analyzing drive-by attack websites. You’re just going to end up spreading the virus further.

Now, this meant twenty minutes of reading the URL from the email and typing it into a separate machine designed to be isolated from the network, since copy-paste wouldn’t work. Doesn’t top all the weird stuff I do to keep my projects going, though!

…I’m kidding. I got bored 2 minutes in and copy-pasted a text file with the URL. Time to test!

office-365-atp-warning-page

Oh my god. Advanced Threat Protection works again! Be right back, need to buy some Microsoft shares. But we want to infect ourselves, so let’s dive deeper. Curiously, the embedded link has no trackers – it’s just the one link shown above. (AGAIN, do NOT go into that link.)

Going inside, we’re presented with this page:

malicious-landing-page

So the malware authors decided to be cute and shifted around the subdomains for DuckDNS. Very cute. And no, the guy holding the tablet does not inspire much confidence in your faux DocuSign page.

I got curious as to what DocuSign actually was after analyzing this malware and looked them up. They’re apparently a legit company – it was just bad luck for them to be embroiled in all this phishing mess. But uh, an entire company dedicated to… signing documents. Huh.

docusign-promo

Remind me what solution not to purchase. Oh right. Where were we? So once we wait, we’re dropped to this page:

fake-docusign-login-page

LMAO. “Docusign supports all email domains,” but I only count six, and AOL is somehow the first, with Yahoo! Mail a close second. Seems like people living on antiquated technology are easier targets for scammers. Also, I don’t recall Salesforce and Twitter being email services. Or Facebook. Or LinkedIn… All righty, so think like a user. What happens if you click on the Microsoft/Office 365 icons like the good student you are?

You land in very convincing Office 365/Microsoft login pages.

Phishing game step up

fake-office-sign-in

Seriously. If they had somehow faked the URL in the address bar with an exploit, or if I was sleepy and tired, then this would’ve totally flown under even my radar. The only thing giving it away is the non-standard text boxes – on the actual login page they look slightly different. Otherwise it looks exactly like the real deal, with the background and everything. Very convincing! The phishing team needs to give a raise to whoever designed this page; serious props right there.

…Oh right, I’m supposed to be criticizing them. Right, got a bit carried away there. Back on topic.

Testing the phish

Pro-tip: if you feel like you’re being scammed out of your login credentials? Uh, just put fake credentials in there. Yup. Like this:

fake-office-sign-in-test-fake-credentials

If it fails then you can rest a bit easier. If it does not…

after-fake-login

Let’s try the same game here:

fake-recovery-information

Pressing the “View File” button leads me to this PDF file:

bait-document

Huh. “Entrepreneurship Development Strategy: Expert Vision.” Nice document right there. The question is, is this the infection vector? Did we just discover how the scammers started to spread the emails?

If you’re really smart, then you will remember that this blog post’s title is “School phishing email analysis.” And I’m sorry to say, no. This is not a PDF with a malicious payload. It’s just a PDF. Googling for it shows you the original PDF location, as does VirusTotal’s report:

virustotal-results

So the PDF is inert. What’s next?

Who did this?

Let’s find where the server is located. Since the scammers are using DuckDNS, they are probably in a residential area.

Doing a DNS lookup to get the IP address, we find that both subdomains of DuckDNS point to the same IP:

➜  ~ dig kmvqt-DO-NOT-CLICK. duckdns.org

; <<>> DiG 9.10.6 <<>> kmvqt-DO-NOT-CLICK. duckdns.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16665
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;kmvqt-DO-NOT-CLICK. duckdns.org.		IN	A

;; ANSWER SECTION:
kmvqt-DO-NOT-CLICK. duckdns.org.	55	IN	A	172.245.36.127

;; Query time: 223 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sat Apr 25 01:52:15 CST 2020
;; MSG SIZE  rcvd: 79

➜  ~ dig shryd-DO-NOT-CLICK. duckdns.org

; <<>> DiG 9.10.6 <<>> shryd-DO-NOT-CLICK. duckdns.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55364
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;shryd-DO-NOT-CLICK. duckdns.org.		IN	A

;; ANSWER SECTION:
shryd-DO-NOT-CLICK. duckdns.org.	60	IN	A	172.245.36.127

;; Query time: 231 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sat Apr 25 01:52:28 CST 2020
;; MSG SIZE  rcvd: 79
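As an added example (not the post’s own code), here is a small Python parser for dig output like the two lookups above: it pulls out the A records, groups hostnames by the IP they resolve to, and flags any whose TTL is short enough to look like the DDNS behaviour described in the rundown earlier. The dig text is constructed to mirror the two lookups, with the DO-NOT-CLICK placeholders kept and the defanging space in the hostnames removed, and the 300-second threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the two lookups in the post (the space the
# author inserted into the hostnames as defanging is removed so dig-style
# parsing works; the DO-NOT-CLICK placeholders are kept as on the page).
DIG_OUTPUT = """\
;; ANSWER SECTION:
kmvqt-DO-NOT-CLICK.duckdns.org.  55  IN  A  172.245.36.127

;; ANSWER SECTION:
shryd-DO-NOT-CLICK.duckdns.org.  60  IN  A  172.245.36.127
"""

# An A record line in dig's answer section: name, ttl, class, type, rdata.
A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\S+)$")

def parse_a_records(text):
    """Return (name, ttl_seconds, ip) for each A record in dig output.
    Comment lines (';' prefix) and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = A_RECORD.match(line)
        if m:
            records.append((m["name"].rstrip("."), int(m["ttl"]), m["ip"]))
    return records

def group_by_ip(records):
    """Map each IP to the sorted hostnames that resolve to it, so separate
    phishing subdomains sharing one server show up together."""
    hosts = defaultdict(set)
    for name, _ttl, ip in records:
        hosts[ip].add(name)
    return {ip: sorted(names) for ip, names in hosts.items()}

def flag_short_ttl(records, max_ttl=300):
    """Hostnames whose TTL is at most max_ttl seconds (assumed threshold).
    Very short TTLs are the DDNS signature described in the post."""
    return sorted({name for name, ttl, _ip in records if ttl <= max_ttl})

if __name__ == "__main__":
    recs = parse_a_records(DIG_OUTPUT)
    print(group_by_ip(recs))
    print(flag_short_ttl(recs))
```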

Checking out the IP, we see the attackers are based in the United States:

malicious-ip-address

But here’s where it gets interesting. This is apparently not a residential area – the malicious server is hosted in a colocation farm! Colocation is basically the practice of renting space in somebody else’s data center for your servers. You get managed services like networking and server racks, but you need to supply the server yourself.

Abuse report

Well, it’s time to report the servers. I filled out the abuse reports:

abuse-report

How did the initial victim get pwned?

Seeing as the email landed in our inboxes on Friday night at 8:38 PM, I have a couple of hunches. Let’s first look at the time frame. A friend of mine also got the email, and he received it at 8:39 PM, indicating that those emails were sent out in a short, quick burst.

First theory – the office computer is infected. I don’t know if teachers at our school shut down their work laptops and desktops when they leave for the day, but if they don’t then the computer would be on sleep mode. If the computer was infected with malware, it would be trivial for the malware to access Outlook, find all of the contacts for the entire school through the Outlook Directory, and then shoot off emails one by one.

This hunch is quite bad because it would mean our school’s internal network is compromised. And judging by how all malicious emails originate from teachers and staff members, I think the network reserved for students and guests is safe. But this means that if the infection spreads through the internal network, it could carry out far nastier attacks. As far as I know, the staff network has more access to the server room, and when I passed by it last year I saw a box running Windows XP. Yikes.

But I think I would focus on the second theory – phished credentials. The staff member who was affected probably wanted an easy solution to add a signature to his or her PDF and probably clicked on the first link that came up on a Google search. He or she would then have been led to the same website as the one we saw above and entered his or her Office 365 credentials, leading to this attack. As our Office 365 is synced with Active Directory, the contacts list would still be visible to attackers on Outlook Online, and then it would be trivial to shoot off messages with a Python script and IMAP access.

This is also bad, because scammers are not nice people. By the time they’re done they could’ve done all sorts of horrible things to the affected account, including deleting all emails, changing autoresponder settings, changing the profile picture to an anime character, etc.

Seeing as everybody in our school got this email (or mostly everybody) I am guessing that at least some students got phished out of their Office 365 credentials. The problem only gets worse, because our school only allows students to change their passwords on-prem. Got phished on a Friday night? You’ll have to let the scammers in for the entire weekend while your account burns down, and then only change passwords once you’re back to school on Monday.

And God help the 10th graders still stuck at home.