Summary of the situation:
- Just now a suspicious archive file was delivered to my email address, and it came from my own address.
- I opened a Linux VM, downloaded the file and extracted it.
- Inside Document 2.zip was a JavaScript file, RHE3451867925.js; opening it showed the contents in the screenshot.
- The archive turns out to be the Locky ransomware, which seems to have spread widely over the last few days (https://myonlinesecurity.co.uk/document1-pretending-to-come-from-your-own-email-address-js-malware-leads-to-locky-ransomware/)
- The archive is also seen under the names Document 1.zip and Document 7.zip.
- Because the sender was my own address, it got past Gmail's spam filter.
- The email headers say it was sent from Apple Mail on an iPhone. Does that mean it was sent from my iPhone? How?
- Ah, the domain's SPF record was not set up correctly, so the address was spoofed. And they dressed it up as mail sent from an iPhone...
- Sending IP: 69.80.8.72, Saint Lucia / North America http://www.ip-tracker.org/locator/ip-lookup.php?ip=69.80.8.72
- I use Google Apps, but when I checked the domain's SPF record it was not the Google Apps record. Now set to the Google Apps record: https://support.google.com/a/answer/178723?hl=ko
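The Received-SPF line in the headers below reads "softfail", not "fail", and that distinction is what decides whether a receiver drops the message or merely scores it. The following is an added example, not code from the original post: a minimal offline SPF evaluator for the ip4, ip6, include and all mechanisms. The TXT answers are a constructed table standing in for a live resolver; the pre-fix record and the Google netblocks are illustrative stand-ins, not the real DNS contents, and the domain names carrying them are labels, not real hosts.

```python
"""Minimal offline SPF evaluator for the ip4, ip6, include and all mechanisms."""
import ipaddress

# Constructed TXT answers standing in for a live resolver. The pre-fix record
# and the Google netblocks are illustrative stand-ins, not the real DNS data.
TXT_RECORDS = {
    # a non-Google record like the one the domain had before the fix (constructed)
    "before.chrislee.kr.example": "v=spf1 include:spf.oldhost.example ~all",
    "spf.oldhost.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # the record Google's support article tells Google Apps customers to publish
    "after.chrislee.kr.example": "v=spf1 include:_spf.google.com ~all",
    # the same record with a hard-fail qualifier
    "strict.chrislee.kr.example": "v=spf1 include:_spf.google.com -all",
    # shortened stand-in for Google's published sender ranges
    "_spf.google.com": "v=spf1 include:_netblocks.google.com -all",
    "_netblocks.google.com": "v=spf1 ip4:64.233.160.0/19 ip4:74.125.0.0/16 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, ip, resolver, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` against `record`."""
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            # `all` always matches; its qualifier is the verdict for unknown senders
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only when the included domain's own result is "pass"
            if check_domain(arg, ip, resolver, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr and exists need live DNS and are ignored in this offline model
    return "neutral"                    # nothing matched and no `all` term present


def check_domain(domain, ip, resolver=TXT_RECORDS, depth=0):
    """Look up the domain's record in the (constructed) resolver and evaluate it."""
    return evaluate_spf(resolver.get(domain.lower()), ip, resolver, depth)


if __name__ == "__main__":
    for label in ("before", "after", "strict"):
        print(label, check_domain(f"{label}.chrislee.kr.example", "69.80.8.72"))
```

Both the pre-fix record and the Google Apps record end in "~all", so the spoofed hop from 69.80.8.72 evaluates to "softfail" under either; only "-all" turns it into "fail", and only receivers that act on a hard fail will reject on SPF alone. A DMARC policy (p=quarantine or p=reject) is the mechanism that instructs receivers to act on the failure, and it also checks the visible From: domain, which SPF by itself never looks at.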
Update: 25/03/2016
- Boannews (보안뉴스) article: Locky ransomware variants and how to respond to them
- Korea Ransomware Incident Response Center (한국랜섬웨어침해대응센터): Locky ransomware incident report
Email subject: Document 2
- From: XX@chrislee.kr
- To: XX@chrislee.kr
- Body: empty
- Attachment: Document 2.zip
Headers of the spoofed email:
Delivered-To: XXX@chrislee.kr
Received: by 10.50.41.74 with SMTP id d10csp1714947igl; Tue, 22 Mar 2016 04:55:38 -0700 (PDT)
X-Received: by 10.194.184.234 with SMTP id ex10mr34161885wjc.8.1458647738906; Tue, 22 Mar 2016 04:55:38 -0700 (PDT)
Return-Path: <XXX@chrislee.kr>
Received: from [69.80.8.72] ([69.80.8.72]) by mx.google.com with ESMTP id ln5si36932046wjb.38.2016.03.22.04.55.36 for <XXX@chrislee.kr>; Tue, 22 Mar 2016 04:55:38 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning XXX@chrislee.kr does not designate 69.80.8.72 as permitted sender) client-ip=69.80.8.72;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning XXX@chrislee.kr does not designate 69.80.8.72 as permitted sender) smtp.mailfrom=XXX@chrislee.kr
Content-Type: multipart/mixed; boundary=Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333
Content-Transfer-Encoding: 7bit
From: <XXX@chrislee.kr>
Mime-Version: 1.0 (1.0)
Date: Tue, 22 Mar 2016 05:55:28 -0600
Subject: Document 2
Message-Id: <Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333@chrislee.kr>
To: <XXX@chrislee.kr>
X-Mailer: iPhone Mail (13B143)

--Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333
Content-Type: application/zip; name="Document 2.zip"; x-apple-part-url=2101C6EF-D21A-462B-A42E-78C45C420622
Content-Disposition: attachment; filename="Document 2.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAgAIAHpidkjkYxih7AsAANgZAAAQAAAAUkhFMzQ1MTg2NzkyNS5qc5VZe3PbNhL/ /2buOzC8tkNFihT7OmmaNM3I8UO246fkxB5ZnYFIUIJFAhQeouS7fPfbXVAPP9rm7IxFgdjF vve3iGgf3sefD4and8GHIAzKsch4EMEvz3gOS/jRDxKhg0FQC376iRaaUiW8tyh48OLDh+BX ePGfQKQV0frlB3i5tX5ptZMxsxy53F04rhfVKbWmMFHgpBUZ7Mb9Q83Z5H3wLciZjcc8aRbO jJe7cf1boLl1Wi43wNr78P0//5FyPXLmEAR/Dd+6Vgs5ahZaWWVBomaspNUsEcYKGVuhJGxM XfUY4ckVWzsWpmnc0FgdvW4EW3goMJwxHbir655WQNiPwozJhLmwEZZMm7Eo4EmGtXo4Hof1
KIyVk4ZnSsNywbQwY3gQ0hScDiQyy4GQJ/CcdZDy02k7CxtB2A7robiEP6fEyhSoiYFtJh4r lQ3VAp5B1IKD2SSHL/Eu0sudzgLp94B0XjBJxGChnOEWBfLoGbNiRhQqB9PkwuAXfFIoFoPz w2RPzoRWpEzOgZe08AftiQzBiqCOgn1DrVhiRIIcUL5aI4jCFN6jqHyOmiJvbhQuOAMCwydy /REZZeALjm/SjHPc2dvDdyfnP6IOuMMykzMpvPRZhpYbZkSiCq6ZJeM2kYjPQQg43SglubFk 6pgVLBYWbXWJe5xc2jZGfYTEp5V6YBVSr8hcjgpxoM9R3pkA4gi2o0bSeOsxHY/hCUXJnSar 5UIq7Y+TMckEzgHGMzyCX4M8uDDDMzSYRJOVYqW1DwhixRMRM03Hnw3Fkg3QrzndcZL9geBo 5yA0+5ZlV/i0n7VvTnpkEAj32OlKahBg7IxgZCBjeVHg6lc8pRtvsoXtGr8XdLTEdyQ8b4ZB Hc3MIBmBdKQ5l5gH8NxF/4ftfNZhV/fnHX1O5wsJKtkcqDHKYaehfDDG50ACHwvjcHGMYqyc EoGJxT0EJBrbJRRvZswmFGuWts5QKtpqVSmrDGSpUpYcpBkekAlKjJi2QWRQtuVKjlRGccUp yq3w4aYL5jIhKWpHzMt1z/KhD0GuLaOXM56RsldH8Um2k07O2mj1A5JaSjSeYXrhE9+KWBSQ 6fBtIoX1AujL9j6ee8yQJnETnii0J8/AN6IKWp6mAsnA47C1p/CMk82o9RboVhFFhYXc7IrK JZAVOTxjllyv7EABBXnKIJUSymJ2L8AYqJgVacokHm5cHFN6WSKceTvzeCzF1FHcx5mKJ4a8 6kZjKFDwePL5kRMhKZLUYXpIPmMJW3rPB4YpnEUxkJtgmUBuoBQG/TYGGuT2A24ThjWdUfBq RbGwUSLAdkatD0ANXOYDDzrDTDlNAQfeGfH1QdcnmFo+Ockumo0wXL0DIfbVmGvPhQ2Nf5iR Rz53nq0iPfjonYcD6Bj6otvZ/bRzPaT2iv1DS84T8wlqJJ9bWPWtsAmlRTepmzU3N1BX8y2n aYpMxDz6pREs21w92K7B+3jshsMF8PIb+1v1n+tbA9pvo3BZdkDi5p0SMoL6W/WyTLev9dUx UGLD63s+KHabFbtzNUehD6HDnU7HroeSGBULbqFmw5sIDCxGUqRQsCSVn8wlmSrxqSM+n+8L fIIaLVJqScUX3d3pyE/n8/Owhq6dDPPj43KStb9AlXvamyOU0o45lFRuqgNnLHOAAowhhtCs uZbM+vIbhPeiU04v50cOv2BsMfAkp8LY3fmylzJ/7nxvej+dXF5+mf/psZtI4s3KA/213bcG a3M/WK0/Xf334DkO28gh3HOd096Z2cAu9foTj28csPb9q+Dn2hO+T6X6njA4U8cG4FogebkM CXj7RBVUzhPdnGdfb0ZlQkGdKg3o7n0g4R8ygfid2y60aSgIa/QnH+NCQIGS8KNHdbDvIdiT Huk9b5nv8MR36H2/Mz1y9rD3SPVlFgGbpeZIcXw60nezeJXIxqtoNjAkSN1Y64ObKp0QLg4e INTWh2C7EmPnPJdnHAE4OaL/SJlXECqD6Mnilhcqvrs+37MOpfozUKz5jEO3TrjPIax/xsMF qKUTTrnEbxa8M8584ugKTuwNb7IDbbrjo5HPnOlXd7NX/lXWLMG0kwmcmgFIS6JCGS4ShaYB OgCcMVgHdwfwY/UCvwTVD9rjDponx3K2NAyc3MJwXJI/jcz3nsPnO3eXXTywRVVeAaYUfoCA YDCNDY+t3FURREsSIduAIKohpRFMHbQnaMcaNv8evMLBBqNXKothCrEaVkIso6ofKhR6XTLr wdoToJIMBxGGp4EKWbVAlo24pk6GXQdMrKBVEeLFlzkGtCOsfUD+2GQHbQvaBscGB0JiZx1X 
EBgrJNIkPBXSN+keYpe1W1KWGe4diApcxOUuTw6u9siQlTVSkUGxfRDr2LJ8uINBwQ6roN+Y HU0/eB34yH9gm3VdR9HHoIaXbMndf+OkJlhpwhFt85RCVU6d0NRSZhdH9rBAmAnQftkWAOxC t46FD2w5z5LJYVX5DxYu1henLrmfPh/E/jR4QQDOdzXYU9ktCD/tJTszk+9St+Nsxi2bVK80 R+zuG1Fychp3d5OTvft9f3B5PN/NulI/f+qAsgftUx50TVe23RFVGV84K8OitWH1NnwHK9Et 5QMu1WGpdhuu4w+plnZuGgvtEUoUVJvXr2uPM+18ePa513lU/iIavIYuLyiaSpZ5FWFuAshT nPnRNgfg5pdxqrQQmJYwIcOBIKHQs3wE3Z++7O40vSFwivTYE3QH7Qlfg0IYDAR5E5jyYJhG XKcJnbEcjAbZmzHohGGB5oVJd2kw/PFaNKHWyGhz/XJW8t6xFidoTIJeBiTOeI+NsBIGrT9+ i/q35atBvXZrXt62Pv4efXz3223rduv3/9Z+aEFOh09PsdTBgu3t4GUQbW1DIX5LrRiUewMP 0dugFWxjA9qUhJ3t9r6wy/GiWIkiTFdAQiOv1h/N/h/v/nXbv202Bi9/aD1zbB9wNN4VSD8X gGcKqFY+r0sRT8hTictThYUXLV6i8XBcB8gOhWZdlGAF7xXAWTSrQEes/MicVhprj+Yjl7Hq iqLADcS+wOsA0GwzdUOEvTuKWMUgUJYtqIxxP9smi7A22DQEv/qi094hm1J8H6IBsCAjz0Ak 2Kdjlq1KDBQFuyB8UVUfmGkoH1ZtphRSqnKzsK/K9LokURoti7rZX9WvzYq+0QC+q2M0AkE0 rZfBHcydoMKrr6+33gYvW0s2L16s+DdBqWxFt0IID9rHcz7fbB3QTOrhLs0nOZuLXNzTOJ8P cczFwhcOWTwplaLxOuFDZ1ejGzpunUJYvFY+rA2qu7Ll2frq8uTrzf6nru+iZLu1IisM9//a 62GH9Q0C1N90wd+ZIzSMpl2crtQ+1SimOQUcVIyRj1F/n4UJoACdwZyKlQjaJ9RYDysafmRa 8j66393vxDfl5cxuKIxJrtIN6VDWW8JLcgSldxVVqzRu4s3C34WUj+JoM0bX9qJoXVfxjZID Y7bhDyqb4yft9snpeUeUXuoNSb/jsMfnPAs7EUOvjQaDR3jYPR7fQIMja4R7ZXd3WhzFVwCn g/Li+uCgvW5alQENxxs7yN8XT+23edOKiL9rIX6j1c3wirS20mQVUUjupw5B0QsfvwUw58ND vf4k5bHhQgc3xDPtw+ZBg4596COrHfdXy9/wxdpC3xAXfQtiBNVB1BEXTk/l7hGSflthpvGV mN2f3qAFlvaXMNNbQGIRSitk8m4jJdbaVZAJqgLIQWNCg+SsZvIG6gXPuNSEx5EdU26AUJsQ GyAUoB4cxP3FLsAXmnz9lZq1VbYMWUIXsYkYCSrQmRuNqo0u9xfV71otpCnLsplh+0jxUsPh HQfHu5gY61DeMgv4MMSXpSnoQjlnYlVm1aXghDBA6oyvU8izlWHqjujmFwLBCbqFhJxNBV2u FDDRx0ssPFSSwIEhcX59i1TS5dxftabMZdYjvnD8C+4YvgHmb4B5OEQ56To4XFyeJZM2lMQq e071RXl5dz69zu4eTAkEVSv7rufT5/474+M6v2TiL2y46VbuXNZ4AmY12Nv3pW4QvAPHwp9n aJc4+kkZ/csa+oxo75eBi1Pf/wBQSwECFAAUAAIACAB6YnZI5GMYoewLAADYGQAAEAAAAAAA AAABACAAAAAAAAAAUkhFMzQ1MTg2NzkyNS5qc1BLBQYAAAAAAQABAD4AAAAaDAAAAAA= --Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333--
Headers of a genuine email sent from my iPhone:
Return-Path: <XXX@chrislee.kr>
Received: from [192.XXX.1.X] (14-XXX-78-XXX.XXXX.XXXX. [14.XXX.78.XXX]) by smtp.gmail.com with ESMTPSA id w27smXXXX2321pfa.67.2016.03.22.06.27.07 for <XXX@chrislee.kr> (version=TLSv1/SSLv3 cipher=OTHER); Tue, 22 Mar 2016 06:27:08 -0700 (PDT)
From: Chris Lee <XXX@chrislee.kr>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Subject: Test email from iPhone
Message-Id: <1F96CFE1-D76A-4783-8E52-8EDF36823AA2@chrislee.kr>
Date: Wed, 23 Mar 2016 00:27:05 +1100
To: XXX@chrislee.kr
X-Mailer: iPhone Mail (13E233)

Sent from my iPhone
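The two header blocks differ where it matters: the spoofed message arrived at mx.google.com from an arbitrary internet IP over plain ESMTP and carries an SPF softfail, while the genuine one was handed to smtp.gmail.com over ESMTPSA, the RFC 3848 keyword for an authenticated (logged-in) submission, and has no SPF check at all because it never crossed the internet to reach Google. Everything the spammer controls (X-Mailer, the Apple-Mail boundary string, From:) looks identical in both. The following is an added example, not code from the original post: it parses both header sets and reports the differences a triage script should key on. The header strings are excerpts of the two messages shown above, re-folded onto separate lines, with the redacted XXX fields kept as they appear.

```python
"""Compare the received-chain of a spoofed and a genuine message from the same address."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Excerpts of the two header blocks shown in this post (redactions kept as XXX).
SPOOFED = """\
Delivered-To: XXX@chrislee.kr
Received: by 10.50.41.74 with SMTP id d10csp1714947igl;
        Tue, 22 Mar 2016 04:55:38 -0700 (PDT)
Return-Path: <XXX@chrislee.kr>
Received: from [69.80.8.72] ([69.80.8.72])
        by mx.google.com with ESMTP id ln5si36932046wjb.38.2016.03.22.04.55.36
        for <XXX@chrislee.kr>;
        Tue, 22 Mar 2016 04:55:38 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning XXX@chrislee.kr does not designate 69.80.8.72 as permitted sender) client-ip=69.80.8.72;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning XXX@chrislee.kr does not designate 69.80.8.72 as permitted sender) smtp.mailfrom=XXX@chrislee.kr
From: <XXX@chrislee.kr>
Subject: Document 2
Message-Id: <Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333@chrislee.kr>
To: <XXX@chrislee.kr>
X-Mailer: iPhone Mail (13B143)
"""

GENUINE = """\
Return-Path: <XXX@chrislee.kr>
Received: from [192.XXX.1.X] (14-XXX-78-XXX.XXXX.XXXX. [14.XXX.78.XXX])
        by smtp.gmail.com with ESMTPSA id w27smXXXX2321pfa.67.2016.03.22.06.27.07
        for <XXX@chrislee.kr>
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 22 Mar 2016 06:27:08 -0700 (PDT)
From: Chris Lee <XXX@chrislee.kr>
Subject: Test email from iPhone
Message-Id: <1F96CFE1-D76A-4783-8E52-8EDF36823AA2@chrislee.kr>
To: XXX@chrislee.kr
X-Mailer: iPhone Mail (13E233)
"""

# "from <client> ... by <relay> with <protocol>" inside a Received: header
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)\s+with\s+(\w+)", re.S)


def triage(raw_headers):
    """Extract the hop that handed the mail to Google plus the SPF verdict."""
    msg = HeaderParser().parsestr(raw_headers)
    # The first Received: that starts with "from" is the hop where the message
    # entered Google's infrastructure; "by ..."-only hops are internal relays.
    hop = next((r for r in msg.get_all("Received", [])
                if r.lstrip().startswith("from")), "")
    m = HOP_RE.search(hop)
    protocol = m.group(3) if m else None
    return {
        "client": m.group(1).strip("[]") if m else None,
        "relay": m.group(2) if m else None,
        "protocol": protocol,
        # RFC 3848: a trailing "A" (ESMTPA / ESMTPSA) means the client authenticated
        "authenticated_submission": bool(protocol) and protocol.upper().endswith("A"),
        "spf": (msg.get("Received-SPF") or "none").split()[0].lower(),
        "x_mailer": msg.get("X-Mailer"),
    }


def spoofed_self(raw_headers, our_domain):
    """True when From: claims our own domain but the hop was not an authenticated submission."""
    msg = HeaderParser().parsestr(raw_headers)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    return from_domain == our_domain.lower() and not triage(raw_headers)["authenticated_submission"]


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, triage(raw), "spoofed_self:", spoofed_self(raw, "chrislee.kr"))
```

Only the Received: chain and the Authentication-Results written by the receiving server are trustworthy; X-Mailer and the MIME boundary are free text the sender fills in, which is how a message from 69.80.8.72 can claim to come from "iPhone Mail". In a Google Apps tenant the same rule can be expressed as: mail claiming our own domain that arrives over the inbound MX rather than via authenticated submission should be quarantined, which is exactly the alignment check a DMARC policy gives you.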
The RHE3451867925.js file inside Document 2.zip
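Because the attachment is base64 in the message itself, its ZIP local file header can be read without ever extracting the archive or opening the script in a VM. The following is an added example, not code from the original post: it decodes only the first base64 line of the Document 2.zip part shown above, which already contains the complete 30-byte local file header and the 16-byte file name, and reports the inner file name, compression method, sizes and timestamp. The list of script extensions is my own and is a judgement call, not something the page specifies.

```python
"""Read the first ZIP entry of a base64-encoded attachment without extracting it."""
import base64
import struct
from datetime import datetime

# First base64 line of the "Document 2.zip" MIME part, copied from the spoofed
# message above. 76 base64 chars decode to 57 bytes: the full 30-byte local
# file header, the 16-byte file name and the first bytes of deflate data.
ATTACHMENT_HEAD_B64 = (
    "UEsDBBQAAgAIAHpidkjkYxih7AsAANgZAAAQAAAAUkhFMzQ1MTg2NzkyNS5qc5VZe3PbNhL/"
)

# Extensions that execute when double-clicked on Windows (my selection); a
# "Document N" sent by email has no business containing any of them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".scr", ".exe", ".jar", ".lnk"}

LOCAL_HEADER_SIG = b"PK\x03\x04"
# version, flags, method, mod time, mod date, crc32, compressed, uncompressed,
# name length, extra length: the fields that follow the 4-byte signature
LOCAL_HEADER_FMT = "<HHHHHIIIHH"


def dos_datetime(date, time):
    """Convert MS-DOS packed date/time (as stored in ZIP headers) to a datetime."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_local_header(data):
    """Parse one ZIP local file header from the start of `data`."""
    if data[:4] != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    (version, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, 4)
    name = data[30:30 + name_len].decode("cp437")     # ZIP's default name encoding
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return {
        "name": name,
        "extension": ext,
        "is_script": ext in SCRIPT_EXTENSIONS,
        "method": method,                  # 8 = deflate, 0 = stored
        "flags": flags,
        # bit 3 set means crc/sizes live in a trailing data descriptor and are
        # zero here; the values below would then not be meaningful
        "sizes_deferred": bool(flags & 0x8),
        "compressed_size": csize,
        "uncompressed_size": usize,
        "crc32": crc,
        "modified": dos_datetime(mdate, mtime),   # packer's local time, no zone
        "extra_length": extra_len,
        "min_version": version,
    }


def inspect_attachment(b64_head):
    """Decode the leading base64 of a ZIP attachment and describe its first entry."""
    return parse_local_header(base64.b64decode(b64_head))


if __name__ == "__main__":
    for key, value in inspect_attachment(ATTACHMENT_HEAD_B64).items():
        print(f"{key:>18}: {value}")
```

The single header line is enough to learn that the "document" is a 6616-byte JavaScript file deflated to 3052 bytes and packed on 22 Mar 2016 at 12:19:52 in the packer's local time, the same day the message was sent. For an archive with several entries, or one whose first entry sets the data-descriptor flag, the reliable listing is the central directory at the end of the file, so a full triage script should decode the whole part and walk that instead; the local header is simply what is available from the first line.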