Warning: Document2.zip attachment

Situation summary:

  • Just now, a suspicious archive file was delivered to me at my own email address.
  • I opened a Linux VM, downloaded the file and extracted it.
  • Document 2.zip contained a JavaScript file, RHE3451867925.js; opening it showed the contents seen in the screenshot.
  • The archive was identified as Locky ransomware, which seems to have spread widely over the last few days (https://myonlinesecurity.co.uk/document1-pretending-to-come-from-your-own-email-address-js-malware-leads-to-locky-ransomware/)
  • The archive also seems to go by Document 1.zip or Document 7.zip at times.
  • Because it came from my own email address, it was able to pass Gmail's spam filter.
  • The email header shows it was sent from Apple Mail on an iPhone. Does that mean it was sent from my iPhone? How?
  • Ah, the domain had no SPF record set up, so it was spoofed. Disguised as if it had been sent from iPhone Mail...
  • The sending IP was 69.80.8.72, Saint Lucia/North America http://www.ip-tracker.org/locator/ip-lookup.php?ip=69.80.8.72
  • I use Google Apps, but when I checked the domain's SPF record it was not the Google Apps record. Now set to the Google Apps record https://support.google.com/a/answer/178723?hl=ko

Updated: 25/03/2016


Email subject: Document 2

(Screenshot: locky-ransomware-1)


Header of the spoofed email:

Delivered-To: XXX@chrislee.kr
Received: by 10.50.41.74 with SMTP id d10csp1714947igl;
        Tue, 22 Mar 2016 04:55:38 -0700 (PDT)
X-Received: by 10.194.184.234 with SMTP id ex10mr34161885wjc.8.1458647738906;
        Tue, 22 Mar 2016 04:55:38 -0700 (PDT)
Return-Path: <XXX@chrislee.kr>
Received: from [69.80.8.72] ([69.80.8.72])
        by mx.google.com with ESMTP id ln5si36932046wjb.38.2016.03.22.04.55.36
        for <XXX@chrislee.kr>;
        Tue, 22 Mar 2016 04:55:38 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning XXX@chrislee.kr does not designate 69.80.8.72 as permitted sender) client-ip=69.80.8.72;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning XXX@chrislee.kr does not designate 69.80.8.72 as permitted sender) smtp.mailfrom=XXX@chrislee.kr
Content-Type: multipart/mixed; boundary=Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333
Content-Transfer-Encoding: 7bit
From: <XXX@chrislee.kr>
Mime-Version: 1.0 (1.0)
Date: Tue, 22 Mar 2016 05:55:28 -0600
Subject: Document 2
Message-Id: <Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333@chrislee.kr>
To: <XXX@chrislee.kr>
X-Mailer: iPhone Mail (13B143)

--Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit

--Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333
Content-Type: application/zip;
	name="Document 2.zip";
	x-apple-part-url=2101C6EF-D21A-462B-A42E-78C45C420622
Content-Disposition: attachment;
	filename="Document 2.zip"
Content-Transfer-Encoding: base64
(base64-encoded attachment body omitted)

--Apple-Mail-F191C416-F656-86F0-9E05-3F1EE3035333--


Header of an email actually sent from the iPhone:

Return-Path: <XXX@chrislee.kr>
Received: from [192.XXX.1.X] (14-XXX-78-XXX.XXXX.XXXX. [14.XXX.78.XXX])
        by smtp.gmail.com with ESMTPSA id w27smXXXX2321pfa.67.2016.03.22.06.27.07
        for <XXX@chrislee.kr>
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 22 Mar 2016 06:27:08 -0700 (PDT)
From: Chris Lee <XXX@chrislee.kr>
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Subject: Test email from iPhone 
Message-Id: <1F96CFE1-D76A-4783-8E52-8EDF36823AA2@chrislee.kr>
Date: Wed, 23 Mar 2016 00:27:05 +1100
To: XXX@chrislee.kr
X-Mailer: iPhone Mail (13E233)



Sent from my iPhone
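As an added example (not the author's code), here is a small Python header-triage script that reads the two headers above as constructed samples and flags the points the post makes: the SPF softfail recorded by mx.google.com, the self-addressed From/To, the hop from a bare IP with no reverse DNS name, and an X-Mailer claiming a phone mail client while no hop shows an authenticated submission (ESMTPSA/ESMTPA). The heuristics and finding names are my own assumptions, not part of any Gmail feature; the helper that checks whether a TXT record is the Google Apps SPF record assumes the record documented on the linked Google help page (`v=spf1 include:_spf.google.com ~all`).

```python
import re
from typing import List, Optional, Tuple

# Constructed samples: the two headers shown in this post, bodies omitted.
# XXX@chrislee.kr and the X'd-out octets are the post's own redactions.
SPOOFED_HEADERS = """\
Delivered-To: XXX@chrislee.kr
Return-Path: <XXX@chrislee.kr>
Received: from [69.80.8.72] ([69.80.8.72])
        by mx.google.com with ESMTP id ln5si36932046wjb.38.2016.03.22.04.55.36
        for <XXX@chrislee.kr>;
        Tue, 22 Mar 2016 04:55:38 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning XXX@chrislee.kr does not designate 69.80.8.72 as permitted sender) client-ip=69.80.8.72;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning XXX@chrislee.kr does not designate 69.80.8.72 as permitted sender) smtp.mailfrom=XXX@chrislee.kr
From: <XXX@chrislee.kr>
Subject: Document 2
To: <XXX@chrislee.kr>
X-Mailer: iPhone Mail (13B143)

(body omitted)
"""

GENUINE_HEADERS = """\
Return-Path: <XXX@chrislee.kr>
Received: from [192.XXX.1.X] (14-XXX-78-XXX.XXXX.XXXX. [14.XXX.78.XXX])
        by smtp.gmail.com with ESMTPSA id w27smXXXX2321pfa.67.2016.03.22.06.27.07
        for <XXX@chrislee.kr>
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 22 Mar 2016 06:27:08 -0700 (PDT)
From: Chris Lee <XXX@chrislee.kr>
Subject: Test email from iPhone
To: XXX@chrislee.kr
X-Mailer: iPhone Mail (13E233)

Sent from my iPhone
"""

Fields = List[Tuple[str, str]]


def parse_headers(raw: str) -> Fields:
    """Unfold RFC 5322 headers: a line starting with whitespace continues the previous field.
    Field names are lower-cased; the first blank line ends the header section."""
    fields: Fields = []
    for line in raw.splitlines():
        if line.strip() == "":
            break
        if line[0] in " \t":
            if fields:  # continuation line belongs to the previous field
                name, value = fields[-1]
                fields[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def header_values(fields: Fields, name: str) -> List[str]:
    name = name.lower()
    return [v for n, v in fields if n == name]


SPF_RESULTS = ("pass", "fail", "softfail", "neutral", "none", "temperror", "permerror")


def spf_verdict(fields: Fields) -> Optional[str]:
    """SPF result recorded by the receiving MX, or None when no such header exists
    (e.g. the sender's own copy of a message, which never passed an inbound MX)."""
    for v in header_values(fields, "received-spf"):
        first = v.split(" ", 1)[0].lower()
        if first in SPF_RESULTS:
            return first
    for v in header_values(fields, "authentication-results"):
        m = re.search(r"\bspf=(\w+)", v, re.I)
        if m:
            return m.group(1).lower()
    return None


ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")
# "from [a.b.c.d] ([a.b.c.d])": HELO was an IP literal and the MX found no reverse DNS name.
NO_RDNS_HOP = re.compile(r"^from \[[0-9.]+\] \(\[[0-9.]+\]\)", re.I)
# ESMTPSA / ESMTPA mark an authenticated submission, which is how a phone's mail client sends.
AUTH_SUBMISSION = re.compile(r"\bwith E?SMTPS?A\b", re.I)


def first_address(fields: Fields, name: str) -> str:
    for v in header_values(fields, name):
        m = ADDR_RE.search(v)
        if m:
            return m.group(0).lower()
    return ""


def triage(raw: str) -> List[str]:
    """Return a list of heuristic findings (assumed names); an empty list means nothing odd was seen."""
    fields = parse_headers(raw)
    findings: List[str] = []
    verdict = spf_verdict(fields)
    if verdict is not None and verdict != "pass":
        findings.append(f"spf-{verdict}")
    if first_address(fields, "from") and first_address(fields, "from") == first_address(fields, "to"):
        findings.append("self-addressed")
    hops = header_values(fields, "received")
    if any(NO_RDNS_HOP.match(h) for h in hops):
        findings.append("hop-from-bare-ip-without-rdns")
    mailer = " ".join(header_values(fields, "x-mailer"))
    if mailer and not any(AUTH_SUBMISSION.search(h) for h in hops):
        findings.append("mua-claimed-but-no-authenticated-submission")
    return findings


def spf_record_covers_google(txt_record: str) -> bool:
    """True if a domain's SPF TXT record designates Google's outbound servers, i.e. it is
    the v=spf1 record with include:_spf.google.com that Google's help page tells Google Apps
    customers to publish (assumption: that is the record the author switched to)."""
    terms = txt_record.strip().split()
    return bool(terms) and terms[0].lower() == "v=spf1" and "include:_spf.google.com" in terms


if __name__ == "__main__":
    print("spoofed:", triage(SPOOFED_HEADERS))
    print("genuine:", triage(GENUINE_HEADERS))
    print("google SPF record:", spf_record_covers_google("v=spf1 include:_spf.google.com ~all"))
```

The findings are signals, not a verdict: the genuine test message also trips "self-addressed" because the author really did mail himself, but it carries an ESMTPSA hop through smtp.gmail.com and a reverse DNS name, while the spoofed copy arrives at mx.google.com straight from a bare IP with SPF softfail. Once the domain publishes the Google SPF record, the same spoof would be evaluated against `include:_spf.google.com` and the `~all` qualifier, so the receiving side still records softfail rather than a hard fail; a `-all` record or a DMARC policy is what turns that into a rejection.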

The RHE3451867925.js file inside Document 2.zip:

(Screenshot: locky-ransomware-2)
