Common Patterns Used in Phishing Campaigns Files
Phishing campaigns remain a common way to infect computers. Every day, I receive plenty of malicious documents pretending to be sent from banks, suppliers, major Internet actors, etc. All those emails and their payloads are indexed, and this morning I decided to have a quick look at them just by the name of the malicious files. Basically, there are two approaches used by attackers:
- They randomize the file name, either by adding a trailing random string (e.g. aaf_438445.pdf) or by randomizing the complete filename.
- They make the filename “juicy” to entice the user to open it by using common words.
It is the second approach that looks interesting. I extracted all the IOCs of type ‘filename’ from my MISP[1]. The raw export contained 4692 filenames (4247 unique). I also exported all payloads from my archive (574.879 unique files). I extracted interesting strings based on:
- words
- common brands
- abbreviations
Warning: This list is provided "as is" and is not intended to be used to qualify files as malicious or not (it will generate too many false positives).
abuse account acompte advice agreement airline alert archive bill bitcoin booking brochure budget caller cancellation card caution certificate changes christmas client company complaint confirmation contact contract controls copy credit cv date debit debt decrypter delivery details dll diplomatic directory document download draft-msg dropbox dscf ebay ecard egift efax email energy engineer employee eps epson eula extract express exported facebook facture fax file finance financial flash flight free gdpr gift-card google-drive googleupdate help history hp holidays-gift-card hotel human-resource img important inf information install Instruction invite invoice insurance javaupdate label lettre letter license log login-required logmanager mail malware message microsoft-hotfix microsoft-upgrade money msg myresume mote officeupdate order overdue package parcel password payslip photo pic pid picture pdf po proposal purchase poster powerpoint privacy private project quotation quote ransom readme receipt remittance report resume restore sale salary safe scan screenshot security secure selfie service settings setup sheet shipping skype specialoffer ssh ssl staff statement statistics strike support swift tax task tracking trade trademark transaction transfer travel unpaid untitled upcoming update urgent us user vcd video visa voice vpn vmware webmail wifi windows youtube
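To show how filenames can be sorted into the two approaches described above and how a word count like this one can be built, here is an added example (not the author's code). The sample filenames are constructed, `KEYWORDS` is a small subset of the list above, and the "trailing random string" regex is an assumed heuristic. In line with the warning above, the output is for statistics and triage, not for deciding whether a file is malicious.

```python
import os
import re
from collections import Counter

# Constructed sample filenames (not taken from the MISP export).
SAMPLE = [
    "aaf_438445.pdf",
    "Invoice_2018-11.doc",
    "invoice-copy.xls",
    "DHL_Tracking_Label.pdf.exe",
    "x9Kq2LmZ.js",
    "payment_advice_8841finance.zip",
    "Scan_0012.jpg.vbs",
]

# Small subset of the word list published on this page.
KEYWORDS = {"invoice", "copy", "tracking", "label", "advice",
            "finance", "scan", "pdf"}

# Assumed heuristic: a separator followed by 5+ hex characters,
# at least one of them a digit, at the very end of the name.
SUFFIX_RE = re.compile(r"[_-](?=[0-9a-fA-F]*[0-9])[0-9a-fA-F]{5,}$")
TOKEN_RE = re.compile(r"[A-Za-z]+")


def classify(filename):
    """Return the keyword hits and random-suffix flag for one filename."""
    stem, _ext = os.path.splitext(filename)  # drop only the last extension
    found = {t.lower() for t in TOKEN_RE.findall(stem)}
    return {
        "name": filename,
        "random_suffix": bool(SUFFIX_RE.search(stem)),
        "keywords": sorted(found & KEYWORDS),
    }


def keyword_frequency(filenames):
    """Count in how many filenames each keyword appears."""
    counts = Counter()
    for name in filenames:
        counts.update(classify(name)["keywords"])
    return counts


if __name__ == "__main__":
    for name in SAMPLE:
        print(classify(name))
    print(keyword_frequency(SAMPLE).most_common())
```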
[1] https://www.misp-project.org/
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant