2-Extended Analysis-Full

Communities @ Risk 33EXTENDED ANALYSIS: 2.2 Cluster AnalysisOn November 11, 2010, China Group 1 received multiple emails addressed to theorganization’s director claiming to be from personal friends. The emails included anexecutable attachment in a password-protected archive, with the password provided inthe body of the email. Packaging attachments in a RAR file makes them less likely tobe discovered by an AV scanner. Password protecting the archive reduces the chancesof AV detection even further. When executed, the malware connected to softwareupdate.8866.org(119.75.218.45). The level of personalization used in the message givesit a social engineering score of 4 and a total TTI of 5.0.On November 19, 2010, China Group 2 received an email containing a story about ahigh-profile, high-rise apartment building fire in Shanghai. The message was written inChinese and repurposed text from a news article on the event.Attached to the email were four images and two executable files (.scr extensions)designed to look like images using the Unicode right-to-left override character. Wheneach executable file is run, it will install and launch the malware, drop an image,open the image, and delete itself. The malware connects to xinxin20080628.gicp.net(114.60.106.156). The attack has a social engineering score of 3 and a total TTI of 3.75.FIGURE 8: Image of a high-rise fire used to trick recipients into running the malware