Here, we have a guest post from Zaza Sophia Handy, Senior Incident Responder at NTT.
Being able to quickly confirm that an email or its components are malicious, and to identify the other observables and indicators linked to a phishing attack, helps to prioritise an investigation, determine the accurate scope of the incident, reduce dwell time and shorten the time to eradicate post-compromise indicators.
Not too long ago, I was documenting a set of playbooks for a client and needed to add a step for analysts to safely and quickly obtain the hashes of attachments in a phishing email and to document all URLs included in the email along with their reputation scores. Oftentimes, analysts and handlers resort to manually checking URLs in emails and to other diverse and cumbersome methods of obtaining attachments for further analysis.
Based on several interviews I have conducted in the past, some resort to hovering over a link to see the actual URL. Others, including myself, have relied on the View Source option in Outlook to obtain the URLs included in Outlook emails. Every now and then, I have come across environments that deployed commercial tools like Cisco Threat Grid or similar, capable of analyzing phishing emails in a sandbox and generating reports.
I am sure there are several open source or other methods that others adopt to meet the above requirements, but I was recently reminded of Mutt, a text-based mail client for Linux. I revisited this tool and will share the capabilities that analysts may leverage, in conjunction with other built-in and analysis tools, for analyzing suspicious mails.
I recommend using a dirty (test) machine with an internet connection outside your corporate network. The setup does not involve execution of malware (although in my setup I also have the option to send the URL or file to a Cuckoo sandbox within a virtualized, isolated host-only environment).
In my setup I had the following:
- Virtual machine running Ubuntu. I used the SIFT workstation, which runs Ubuntu. I chose SIFT as it already comes preinstalled with loads of tools, such as Volatility, that I employ in the sandbox.
- An external email I forward all my suspicious emails to.
- Mutt mail client installed on Ubuntu and configured to use the mailbox with the email address above.
- URLView tool installed on Ubuntu for use with Mutt mail.
- VirusTotal CLI tool installed on Ubuntu.
- Optional Cuckoo sandbox in a virtual environment.
Install Mutt mail on SIFT workstation
There is plenty of documentation available online for installing Mutt on *nix operating systems. I used a guest on VirtualBox, but this will also work on any other virtualization software.
I installed Mutt on my SIFT workstation. I also created a local account with the username used in my external email address. This may not be necessary, but I found that it made things much more straightforward. For example, if my email is email@example.com, I created the username 'test' and set up a mailbox for that user using my mail settings.
To install Mutt enter the following commands:
$ sudo apt-get install mutt
$ mkdir -p ~/.mutt/cache/headers
$ mkdir -p ~/.mutt/cache/bodies
$ mkdir -p ~/.mutt/certificates
After installing Mutt, you need to create the muttrc file, which holds the configuration that specifies the mailbox and SMTP settings as well as other options. As I only use Mutt to retrieve emails for analysis, I did not require the extensive range of attributes that can be set to make Mutt more user friendly. The ~/.muttrc file contains the configuration settings for a single mailbox.
To create a muttrc file, follow the instructions below:
$ vi ~/.muttrc
Enter the configuration settings for the IMAP mailbox as shown in the screenshot below.
Type :wq to save and exit.
Test the installation and configuration with the command below:
$ echo " " | mail -s "subject" [recipient email address]
URLView is required so that you can retrieve URLs from emails opened with the Mutt email client.
To install URLView, issue the below command:
$ sudo apt-get install urlview
Install VirusTotal CLI (vt-cli)
- Download VirusTotal Cli executable from https://github.com/Virustotal/vt-cli
- You can also compile from the source code.
- Register with VirusTotal to obtain an API key (community or premium).
- Unpack the zip archive and enter the following command to move the vt binary to the /usr/bin directory:
- sudo mv ~/Downloads/vt /usr/bin/
- To avoid entering the API key every time, run the following command:
- vt init
- Copy and paste the VirusTotal API key, then press ENTER.
How to obtain hash of attachment from Mutt mail client
- Obtain the headers of the original email.
- Forward the email with the headers pasted in it.
- Press 'v' to list the available attachments.
- Navigate to each attachment and press the | (pipe) key.
- At the Pipe to: prompt, type md5sum. This will print the hash of the attachment. You can copy the generated hash into other tools for hunting or further analysis.
You can pipe to any relevant command. What I do is pipe it to the vt cli tool, using the md5sum value as an argument.
If you will be using the md5sum value as an argument in another piped command, be advised that the output is not the bare hash alone (it carries a trailing filename field and newline), hence you may get errors where a single argument is expected. Cut the first field before passing it on, e.g.:
vt file contacted_ips $(md5sum | cut -d' ' -f1)
Querying VirusTotal CLI or GUI
To understand the vt commands to use, issue the vt help command.
You can also get help for each command, e.g. vt help file will show the available subcommands for querying by the hash of a file that has already been analyzed. For example, vt file contacted_ips $(md5sum | cut -d' ' -f1) will show the IP addresses contacted by the file.
So to obtain the hash of the attachment and query VirusTotal for the existing analysis report, I use the command below at the Pipe to: prompt:
vt file $(md5sum | cut -d' ' -f1)
The output of the above can be quite long, so as my objective is to quickly determine reputation, I apply the --include option, or use grep or egrep for certain keywords like malicious:
vt file $(md5sum | cut -d' ' -f1) | egrep 'malicious|phish|dangerous|troj|malware|downloader|ransom'
You may opt to simply copy the hash and paste it into the VirusTotal web interface.
If you have deployed a tool like Sysmon, you can use the hash to search for other systems or locations where the file may have been dropped.
Retrieving URL from Mutt mail client
- Open the mail.
- Press CTRL + B. This will list the URLs in the mail (it will not work if you did not install URLView).
- Right click on a link and choose Copy Link Address
You can copy the URL into any reputation assessment tool, e.g. zulu.zscaler.com, or pass it to a Cuckoo sandbox or vt cli.
To use vt cli to query the existing analysis of a URL, use the command below:
vt url [url]
Example: vt url http://update.c0rn.net/doc.php | egrep 'malicious|spam|suspicious|harmful|phish|ransom|troj'
I also used the domain option: vt domain [domain name].
The whois information also provided additional leads for further investigation. The domain was newly registered. The recipient did not have any interests or business links in the country of registration. The administrative email documented is bordering on gibberish. I pivoted on the IP address 184.108.40.206 retrieved from the vt domain command.
VirusTotal search indicates that the URL is hosted on an IP which is linked to several malware downloads and malicious domains.
You may prefer to stay on the CLI and query for additional information. For example, to identify all URLs related to the IP, issue the following on a terminal (remove the defanging brackets before running): vt ip urls '108[.]170[.]60[.]156'
To view the list of downloaded files and their reputation: vt ip downloaded_files '[IP address]'
The command is verbose and provides reputation and behaviour information for each file.
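Pulling together the pipe-to-md5sum step and the vt-cli lookups described above, here is an added example (not code from the original post or from vt-cli): a set of POSIX shell helpers you can source and then type at Mutt's Pipe to: prompt. It assumes vt-cli is installed and initialised with vt init, that md5sum comes from coreutils, and the vt report snippet embedded below is constructed purely to show the parsing.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes vt-cli (`vt`) is
# installed and initialised with `vt init`, and coreutils md5sum is present.

# Read an attachment from stdin (what Mutt's "Pipe to:" prompt hands us) and
# print only the hash: md5sum appends "  -" for stdin, which breaks commands
# that expect a single argument.
hash_stdin() {
    md5sum | cut -d' ' -f1
}

# Turn a defanged indicator back into a queryable one before handing it to vt:
# 108[.]170[.]60[.]156 -> 108.170.60.156, hxxp://... -> http://...
refang() {
    printf '%s' "$1" | sed -e 's/\[\.]/./g' -e 's/^hxxp/http/'
}

# Keep only report lines carrying a bad verdict, the same keyword filter the
# post applies with egrep.
verdict_lines() {
    grep -Ei 'malicious|phish|dangerous|troj|malware|downloader|ransom'
}

# Pull the number of engines that flagged the sample out of the
# last_analysis_stats block of a vt file report (YAML-style key: value lines).
malicious_count() {
    awk '/^ *malicious:/ { print $2; exit }'
}

# Constructed sample of what `vt file <hash> --include last_analysis_stats`
# style output looks like; values are made up for illustration only.
SAMPLE_REPORT='- _id: "<constructed-hash-placeholder>"
  last_analysis_stats:
    harmless: 0
    malicious: 45
    undetected: 12
  last_analysis_results:
    ExampleAV:
      category: malicious
      result: Trojan.Downloader.Agent
    OtherAV:
      category: undetected
      result: null'

# Hash the attachment on stdin and query VirusTotal for the detection counts.
# Returns 2 (and prints the hash) when vt-cli is not on the PATH.
check_attachment() {
    h=$(hash_stdin)
    command -v vt >/dev/null 2>&1 || { echo "vt-cli not found; hash is $h" >&2; return 2; }
    vt file "$h" --include last_analysis_stats | malicious_count
}
```

At the Mutt Pipe to: prompt you would type `. ~/vt-helpers.sh && check_attachment` (assuming you saved the file under that name) to get the malicious engine count for the selected attachment.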
All the artefacts seen indicate that the email is linked to phishing and malware sites. Analysts could also install a Cuckoo sandbox and forward the URL or the actual attachment to the sandbox for full analysis.
As you can see from the above, the analyst would use the information obtained from the initial investigation to mitigate the incident. For example: block all malicious URLs on your web filters, block all malicious hashes on your EDR if available, and search for additional infected hosts on your network using the hashes, URLs, IP addresses, filenames, email addresses or any other indicators or observables identified.
Using this method to assess the risk score of an email in an environment where there is no means of assessing a suspicious email is useful and free.