Written by: Stephanie Honore
Introduction
As a professional software engineer with a passion for digital forensics, I often find myself drawn to unraveling the complexities of cyber threats in my spare time. With a background in building eDiscovery software and some education in digital forensics, I’ve come to appreciate the power of leveraging open-source intelligence (OSINT) and publicly available information (PAI) to uncover hidden truths.
In this article, we’ll delve into the analysis of a real phishing email purportedly from DocuSign, harboring malware capable of forging electronic signatures on uploaded documents. Despite not being a professional digital forensics investigator, I’ll demonstrate how publicly available tools and techniques can be utilized to dissect and understand threats.
Understanding the Threat
Phishing emails continue to be a prevalent tactic used by cybercriminals to deceive recipients into divulging sensitive information or executing malicious actions. This particular email is masquerading as a legitimate communication from DocuSign. With my background in digital forensics, I was eager to dissect its contents and unearth any hidden threats lurking within.
Preparing for Analysis
Before diving into the investigation, I ensured that my digital environment was adequately secured. I set up a dedicated forensic environment using VirtualBox and CSI Linux, providing a controlled environment for analysis without compromising my primary system. Both VirtualBox and CSI Linux are free to install. I also set up a VPN and, for an extra layer of protection, a disposable browser. I like to use Proton VPN and SquareX. Proton VPN costs money, but there are free VPN alternatives you can use.
Email Header Analysis
The first step in analyzing the phishing email involved scrutinizing its header for clues about its authenticity. By examining authentication results, sender information, and encryption protocols, I aimed to assess the legitimacy of the email. Despite initial appearances, thorough analysis revealed potential discrepancies that warranted further investigation.
Email File Examination: With suspicions raised, I proceeded to analyze the email file itself using popular malware analysis tools such as VirusTotal and Intezer. These platforms provided insights into the presence of any hidden malware or malicious payloads within the email. While initial scans yielded no alarming results, continued scrutiny uncovered subtle indicators of potential threats.
Looking at the email header, several indicators suggest, on their face, that the email is legitimate:
- Authentication Results: The header carries Authentication-Results lines showing that DKIM, SPF and DMARC all passed. SPF confirms that the sending server was authorized for the envelope-sender domain, DKIM confirms that the signed headers and body were not altered after signing, and DMARC confirms that the visible From domain aligns with those results. None of them says anything about whether the message body or its links are benign.
- Sender Information: The email appears to be sent from DocuSign, a reputable company known for electronic signature services. The “From” and “Reply-To” fields both reference DocuSign.
- Received Headers: The email passed through servers associated with DocuSign, which is consistent with a message that genuinely originated there. The IP addresses and domains in the “Received” headers align with DocuSign’s infrastructure.
- Encryption: The email was transmitted over TLS, which protects the confidentiality and integrity of the message in transit but says nothing about the sender’s intent.
- No Suspicious Flags: There are no obvious red flags or anomalies in the header that would suggest phishing or spoofing attempts.
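The header checks above can be automated so that every message gets the same treatment. The script below is an added example (not code from the article): it parses a .eml file with the standard-library email module, pulls the DKIM/SPF/DMARC verdicts out of the Authentication-Results header, compares the From, Reply-To and Return-Path domains, and walks the Received chain from origin to destination, marking hops inside RFC 1918, loopback and link-local ranges. The sample message, its addresses, hosts and IPs are all constructed for the example; the Reply-To mismatch it contains is the kind of tell that SPF, DKIM and DMARC do not cover, since none of them looks at Reply-To.

```python
"""Header triage for a .eml file: authentication results, sender-domain
alignment and the Received chain.  Added example, not the article's code;
the message below is constructed and its addresses are illustrative."""
import email
import re
from email import policy
from ipaddress import ip_address, ip_network

# Constructed sample .eml (not the DocuSign email analysed in the article).
SAMPLE_EML = b"""Return-Path: <bounce@example-mailer.com>
Received: from mx.example-mailer.com (mx.example-mailer.com [203.0.113.10])
 by inbound.mail.example.net with ESMTPS id abc123
 for <victim@example.net>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [192.168.1.25] (unknown [192.168.1.25])
 by mx.example-mailer.com with ESMTP id def456;
 Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: inbound.mail.example.net;
 dkim=pass header.d=example-mailer.com;
 spf=pass smtp.mailfrom=example-mailer.com;
 dmarc=pass header.from=example-mailer.com
From: "DocuSign" <dse@example-mailer.com>
Reply-To: no-reply@example-lookalike.com
To: victim@example.net
Subject: Please review and sign
Content-Type: text/plain

Click the link to review your document.
"""

# RFC 1918, loopback and link-local: hops in these ranges are the sender's
# own network; the first hop outside them is the public handoff worth looking up.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_eml(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def auth_results(msg) -> dict:
    """Verdict per mechanism from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", str(hdr), re.I):
            results[mech.lower()] = verdict.lower()
    return results


def _domain(value) -> str:
    """Domain of the first address in a header value, or '' if absent."""
    m = re.search(r"@([\w.-]+)", str(value or ""))
    return m.group(1).lower() if m else ""


def sender_alignment(msg) -> dict:
    """Compare From, Reply-To and Return-Path domains.  Reply-To is not
    protected by SPF, DKIM or DMARC, so a mismatch survives a full pass."""
    from_d, reply_d, return_d = (_domain(msg[h]) for h in ("From", "Reply-To", "Return-Path"))
    return {
        "from": from_d, "reply_to": reply_d, "return_path": return_d,
        "reply_to_matches_from": not reply_d or reply_d == from_d,
        "return_path_matches_from": not return_d or return_d == from_d,
    }


def received_chain(msg) -> list:
    """Hops in delivery order (Received headers are stacked newest-first)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = str(hdr)
        ip_m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        ip = ip_m.group(1) if ip_m else None
        hops.append({
            "ip": ip,
            "by": by_m.group(1) if by_m else None,
            "internal": bool(ip) and any(ip_address(ip) in n for n in INTERNAL_NETS),
        })
    return hops


def triage(raw: bytes) -> dict:
    """Run all three checks and list the findings a human should look at."""
    msg = parse_eml(raw)
    auth, align, hops = auth_results(msg), sender_alignment(msg), received_chain(msg)
    findings = [f"{m} did not pass: {auth.get(m, 'absent')}"
                for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if not align["reply_to_matches_from"]:
        findings.append(f"Reply-To domain {align['reply_to']} differs from From domain {align['from']}")
    return {"auth": auth, "alignment": align, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(key, value)
```

Run it against a real message with `triage(open("mail.eml", "rb").read())`; a clean authentication line plus a Reply-To pointing at a different domain is exactly the case where the header looks fine and the message still deserves a closer look.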
I was still not convinced that the email did not carry malware, so I downloaded the entire email file into my forensic box and ran it through a free malware file scanner. I went to my favorite antivirus farm, VirusTotal.com. When you upload a file it becomes public, so if you are working with PII, PHI or other confidential information I would not use this approach. None of the security vendors and sandboxes flagged this file on VirusTotal.
I was still suspicious, so I decided to try another free malware analysis tool called Intezer. I created an account on Intezer using the “No Endpoint Security” option. Once I had access to the account, I clicked on the Scan tab and uploaded the .eml file. When you scan a document on Intezer it is also publicly searchable, so, again, do not do this if you are working with PII, PHI, or confidential information. Make sure you select the “File” tab instead of the “Email” tab and then upload your .eml file, as it gives a more comprehensive report.
After doing a static analysis on the email it looks like my suspicions are confirmed. In Intezer the TTPs feature expands the static analysis by showing the actual actions performed during dynamic execution. The TTPs analysis flagged a “Command and Control: Application Layer Protocol [T1071]” during this file’s dynamic execution. The IP address has been seen in other reports with “Generic Malware”.
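Before handing a message to a public scanner, it helps to know what is actually inside it. The script below is an added example (not code from the article or from VirusTotal or Intezer): it hashes the whole .eml and every attachment with SHA-256, so each can be looked up by hash on VirusTotal without uploading the content, and it lists every host the HTML body pulls images or links from, flagging bare IP addresses, which are worth comparing against whatever the sandbox report flagged. The multipart message, its hosts and its attachment are constructed for the example.

```python
"""Inventory a .eml: SHA-256 of the file and of each attachment (for hash
lookups instead of uploads) and the hosts referenced by the HTML body.
Added example, not the article's code; the message is constructed."""
import email
import hashlib
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample multipart message; hosts and attachment are illustrative.
SAMPLE_EML = b"""From: "DocuSign" <dse@example-mailer.com>
To: victim@example.net
Subject: Please review and sign
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example-mailer.com/docInvite-white.png">
<a href="http://203.0.113.55/review"><img src="http://203.0.113.55/button.png"></a>
</body></html>
--outer
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJeLjz9MK
--outer--
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class _RefCollector(HTMLParser):
    """Collect image sources and link targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.refs.append(("img", attrs["src"]))
        elif tag == "a" and attrs.get("href"):
            self.refs.append(("link", attrs["href"]))


def inventory(raw: bytes) -> dict:
    """Hashes of the file and its attachments plus the hosts the body references."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"eml_sha256": sha256_hex(raw), "attachments": [], "refs": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # base64/QP decoded bytes
        if part.get_content_type() == "text/html":
            collector = _RefCollector()
            collector.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
            for kind, url in collector.refs:
                host = urlparse(url).hostname
                report["refs"].append({
                    "kind": kind, "url": url, "host": host,
                    # a literal IP in a mail body is unusual for a brand-name sender
                    "bare_ip": bool(host and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host)),
                })
        elif part.get_filename():
            report["attachments"].append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "size": len(payload),
                "sha256": sha256_hex(payload),
            })
    return report


def distinct_hosts(report: dict) -> list:
    """Hosts the body reaches out to, de-duplicated, for cross-checking
    against the Received chain and the sandbox's flagged addresses."""
    return sorted({r["host"] for r in report["refs"] if r["host"]})


if __name__ == "__main__":
    rep = inventory(SAMPLE_EML)
    print("eml sha256:", rep["eml_sha256"])
    for att in rep["attachments"]:
        print("attachment:", att)
    print("hosts:", distinct_hosts(rep))
```

Searching VirusTotal for the attachment hash tells you whether anyone has already submitted that exact file without you publishing it; if the hash is unknown, that is the point at which to decide whether an upload is acceptable for the data you hold.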
Leveraging OSINT Techniques
To dig deeper into the origins of the suspicious IP address flagged in the Intezer report, I used an OSINT technique known as Google dorking: searching Google’s index with advanced operators (quoted strings, site:, inurl: and the like) to surface pages that mention the IP.
The investigation into the flagged IP address yielded intriguing findings. According to AlienVault, the IP address appeared whitelisted due to its association with the DocuSign domain. This suggests that the IP address is linked to legitimate activities conducted by DocuSign.
Furthermore, a report published on Joe Sandbox Cloud for another .eml file reported as phishing mentioned the same IP address (162.248.184.187). That report did not classify the IP address as malicious either. Instead, it whitelisted the IP address and identified its ASN name as DOCUS-6-PRODUS, indicating a DocuSign production server, likely located in the United States.
Uncovering Malicious Images
I still wanted to find the actual malware script, so I went back to VirusTotal. This time I analyzed the images in the email file. One of the images, the download button, came from the same IP address that was reported as malicious in the email analysis report. I decided to download this image and scan it for malicious code in VirusTotal, Recorded Future’s Triage, and Intezer. It turns out that this image had malware. I also ran the image through an online EXIF scanner and online steganography decoders, StegOnline and Aperi’s Solve.
I decided to investigate the other images further as well. The image docInvite-white.png also had malware scripts embedded in the file. This image runs scripts that create a hidden or system file and establish an encrypted channel for C2 (command and control).
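A quick structural check complements the online steganography and EXIF tools. The script below is an added example (not code from the article, StegOnline or Aperi’s Solve): it walks a PNG’s chunk list, verifies each chunk’s CRC, flags chunk types outside the standard set, and reports any bytes appended after the IEND chunk, which is a common place to stash a payload because image decoders stop reading there. Both PNGs it inspects are built in code, not images taken from the email. One caveat worth keeping in mind: bytes after IEND and private chunks are not executed by an image viewer, so anything found there is a payload for some other loader rather than code the image runs by itself.

```python
"""Structural PNG check: CRCs, non-standard chunks and data after IEND.
Added example, not the article's code; both PNGs are constructed here."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA",
                   "iCCP", "sBIT", "sRGB", "tEXt", "zTXt", "iTXt", "bKGD",
                   "hIST", "pHYs", "sPLT", "tIME", "eXIf"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width=1, height=1, extra_chunks=(), trailer=b"") -> bytes:
    """Minimal valid 8-bit RGB PNG (solid red), optionally with extra
    chunks before IEND and arbitrary bytes appended after it."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows))
    for ctype, data in extra_chunks:
        png += _chunk(ctype, data)
    return png + _chunk(b"IEND", b"") + trailer


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and report anything a clean PNG would not have."""
    if not data.startswith(PNG_SIG):
        return {"valid": False, "reason": "not a PNG signature", "findings": []}
    findings, chunks, pos, saw_iend = [], [], len(PNG_SIG), False
    while pos + 8 <= len(data):
        length, ctype_raw = struct.unpack(">I4s", data[pos:pos + 8])
        ctype = ctype_raw.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_raw) < 4:
            findings.append(f"truncated chunk {ctype} at offset {pos}")
            break
        if struct.unpack(">I", crc_raw)[0] != (zlib.crc32(ctype_raw + body) & 0xFFFFFFFF):
            findings.append(f"bad CRC on {ctype} at offset {pos}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype} ({length} bytes) at offset {pos}")
        chunks.append((ctype, length))
        pos += 12 + length
        if ctype == "IEND":
            saw_iend = True
            break
    trailing = len(data) - pos if saw_iend else 0
    if not saw_iend:
        findings.append("no IEND chunk")
    elif trailing:
        findings.append(f"{trailing} bytes appended after IEND")
    return {"valid": True, "chunks": chunks, "trailing_bytes": trailing, "findings": findings}


if __name__ == "__main__":
    print("clean:", inspect_png(make_png()))
    # Constructed suspicious image: a private chunk plus bytes after IEND.
    tampered = make_png(extra_chunks=[(b"pAYl", b"<script>")], trailer=b"MZ\x90\x00")
    print("tampered:", inspect_png(tampered))
```

For a file downloaded from an email, `inspect_png(open("button.png", "rb").read())` gives the chunk list and offsets; a hit on trailing bytes or an unknown chunk tells you where to carve and what to feed to the sandbox next.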
IP Address Analysis
Finally, I analyzed the IP addresses associated with the phishing email to find geolocation and domain registration information. Using lookup tools such as dig, traceroute, ICANN Lookup and MX Lookup, I traced the origins of the suspicious IP addresses and uncovered additional evidence linking them to potentially malicious activity. Note that an attacker can geo-spoof to a specific city by using a residential proxy, such as those offered by Oxylabs, so geolocation alone proves little; more evidence would be needed to establish whether this IP address belonged to the malicious actor.
Fortifying Your Computer and Network to Mitigate Future Attacks
Basic security checks, including firewall and antivirus scans, were conducted to mitigate any future cyber attacks.
- Check your software firewall and anti-virus
- If you are running software antivirus, run a scan on your device. If the malware is a zero-day, your antivirus may not detect it.
- See if your firewall is turned on. If it is not on then turn it on.
- Check router and network configurations
- Log into your router’s portal and see what devices are connected to your network. Block any unfamiliar devices.
- If you have IoT devices on your network, put them on a guest network (separate subnet or VLAN) so they are isolated from your computers.
- Change the router’s administrative credentials so it no longer uses the default password.
- Disable UPNP if that is an option.
- Ensure your hardware firewall is on. If your router doesn’t have a hardware firewall, you can buy one from a retailer such as Best Buy. Ensure that the router specifications include the following:
- Data Encryption – Yes
- Encryption Type – WPA3
- Firewall Type – SPI
- Parental Controls – Yes
- Guest network access
Conclusion
In conclusion, the journey through the analysis of this phishing email provided valuable insights into the tactics employed by cybercriminals to deceive unsuspecting victims. Despite initial appearances of legitimacy, thorough examination revealed subtle indicators of potential threats hidden within the email. For those interested in exploring digital forensics further, here are links to some of the tools mentioned in this article:
- CSI Linux
- VirtualBox
- ProtonVPN
- SquareX
- VirusTotal
- Intezer
- Google Dorking
- ExifInfo
- Aperi’s Solve: https://www.aperisolve.com/
- StegOnline: https://www.georgeom.net/StegOnline/extract
- Geolocation
- ICANN Lookup
- MX Lookup
- MITRE ATT&CK T1071: https://attack.mitre.org/techniques/T1071/
- Caniphish: https://caniphish.com/
- Oxylabs residential proxies: https://oxylabs.io/products/residential-proxy-pools