Handout A: Spear-Phishing Email Sample

This is one of the phishing emails recovered from Advanced Materials Technology Corporation during the Poison Ivy incident. It impersonates a known industry contact and was targeted specifically at a research engineer known to work on materials projects.


Email Message

From: David.Park@AdvancedMaterials.com
To: research_eng@amtc-corp.com
Date: September 14, 2011, 10:45 UTC
Subject: Re: Composite Materials Specifications - Updated Formulations

Hi James,

It was great seeing you at the Materials Science Conference in Denver last month.
I've been thinking about our discussions regarding advanced composite formulations
for aerospace applications, and I wanted to follow up with you directly.

I've attached the updated specifications document we discussed. The attached file
contains the latest work on composite tensile strength properties and testing
protocols. I think you'll find it particularly relevant to the work your team
is doing on lightweight structural applications.

Please review the attached spec sheet and let me know your thoughts. Are your
test results aligned with these values? I'd like to coordinate some collaborative
testing if it makes sense for your organization.

Feel free to call or email with any questions.

Best regards,
David Park
Advanced Materials Technology Corporation
Research Director - Aerospace Materials Division
Phone: +1-858-555-0147
Email: David.Park@AdvancedMaterials.com

P.S. - I'll be in San Diego next month. Let me know if you want to grab lunch!

IM NOTES (Do Not Show to Players): Analysis of this spear-phishing attempt:

  1. Legitimate Contact Impersonation: David Park is a real research director at a real materials company. The attacker researched and impersonated an actual industry contact.

  2. Conference Reference: The mention of “Materials Science Conference in Denver last month” suggests prior reconnaissance. The attacker knows which conferences the target attended.

  3. Technical Credibility: The email discusses legitimate aerospace materials research and testing protocols. This isn’t generic phishing; it’s specifically tailored to someone working on composite materials.

  4. Relationship Exploitation: The casual tone (“It was great seeing you…”) and personal details (“grab lunch”) build false familiarity to lower the target’s guard.

  5. Urgent Technical Interest: The attachment is framed as directly relevant to the target’s own work, making the target likely to open it immediately, without pausing to question it.

  6. Real Details: Phone number, company division, email address – all researched and authentic-looking. A target might even verify the email came from someone named David Park and assume it’s legitimate.

This represents the sophistication of the Nitro Attacks: highly targeted, using legitimate business pretexts, impersonating real industry contacts, and researched to match the target’s specific technical interests.


Attachment: composite_specs_v2.7.exe (Disguised as .doc)

File Properties:
  Filename: composite_specs_v2.7.exe
  Displayed Name: composite_specs_v2.7.doc (double extension trick)
  File Size: 245 KB
  File Type: Executable (EXE) disguised with document icon
  Creation Date: September 12, 2011
  Compilation: Poison Ivy RAT backdoor

File Icon Spoofing:
  Windows displays Word document icon instead of executable icon
  Target sees: "composite_specs_v2.7.doc" (appears to be a Word document)
  Reality: Direct executable containing Poison Ivy malware

Execution Flow:
  1. User clicks attachment in email
  2. Windows recognizes .exe extension but file has .doc icon
  3. User assumes it's a legitimate document
  4. Double-click executes the EXE file
  5. Poison Ivy RAT installs with user privileges
  6. Malware spawns a decoy document (blank Word doc) to avoid suspicion
  7. System now compromised; attacker gains remote access

RAT Installation:
  • Copies itself to: C:\Documents and Settings\[user]\Local Settings\Temp\
  • Registry entry added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Creates mutex "PoisonIvy" to prevent duplicate infections
  • Begins beacon to C2 server: 202.165.127.43:25655 (encrypted)
  • Harvests user credentials from browser cache
  • Enables keylogging and screen capture
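As an added defender's example (not part of the handout), the following Python correlates constructed host and network telemetry against the installation artifacts listed above: the drop into the user's Temp directory, the HKCU Run key, the "PoisonIvy" mutex, the beacon to 202.165.127.43:25655 and the decoy Word document. The user name "james", the Office and Internet Explorer paths and the event record format are assumptions.

```python
import re
from collections import defaultdict
TEMP_DIR = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
KNOWN_C2 = {("202.165.127.43", 25655)}   # beacon destination listed in the handout
KNOWN_MUTEXES = {"PoisonIvy"}            # mutex name listed in the handout
basename = lambda path: path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of the detection rules one host/network event matches."""
    hits, t = [], ev["type"]
    if t == "process":
        image, parent = ev["image"], ev.get("parent", "")
        if TEMP_DIR.search(image):
            hits.append("exe-launched-from-user-temp")
        if basename(parent) in MAIL_CLIENTS and image.lower().endswith(".exe"):
            hits.append("exe-spawned-by-mail-client")
        if TEMP_DIR.search(parent) and basename(image) == "winword.exe":
            hits.append("word-launched-by-temp-exe")  # the decoy document being opened
    elif t == "registry":
        if RUN_KEY.search(ev["key"]) and TEMP_DIR.search(ev["value"]):
            hits.append("run-key-persistence-into-temp")
    elif t == "mutex" and ev["name"] in KNOWN_MUTEXES:
        hits.append("known-poison-ivy-mutex")
    elif t == "network":
        if (ev["dst"], ev["port"]) in KNOWN_C2:
            hits.append("known-c2-destination")
        elif TEMP_DIR.search(ev.get("image", "")) and ev["port"] not in (80, 443):
            hits.append("temp-exe-beacon-on-nonstandard-port")
    return hits

def triage(events):
    """Correlate a host's events; two or more distinct rules firing means compromise."""
    rules = defaultdict(list)
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            rules[rule].append(i)
    return {"compromised": len(rules) >= 2, "rules": dict(rules)}

# Constructed telemetry following the handout's execution flow (user name "james" is assumed)
TEMP = r"C:\Documents and Settings\james\Local Settings\Temp"
OFFICE = r"C:\Program Files\Microsoft Office\OFFICE11"
SAMPLE_EVENTS = [
    {"type": "process", "image": TEMP + r"\composite_specs_v2.7.exe", "parent": OFFICE + r"\OUTLOOK.EXE"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\specs", "value": TEMP + r"\composite_specs_v2.7.exe"},
    {"type": "mutex", "name": "PoisonIvy"},
    {"type": "network", "dst": "202.165.127.43", "port": 25655, "image": TEMP + r"\composite_specs_v2.7.exe"},
    {"type": "process", "image": OFFICE + r"\WINWORD.EXE", "parent": TEMP + r"\composite_specs_v2.7.exe"},
    {"type": "network", "dst": "10.0.0.5", "port": 443, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` fires six distinct rules, while the benign browser connection at the end matches none.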

IM NOTES (Do Not Show to Players): Technical sophistication:

  1. File Extension Spoofing: The double extension (.exe disguised as .doc) exploits Windows file handling. By default, Windows hides file extensions, so users see only “composite_specs_v2.7” and assume it’s a document.

  2. Icon Impersonation: The executable uses a stolen Word document icon, further reinforcing the impression it’s a legitimate document.

  3. Decoy Document: When executed, the malware spawns a real (blank) Word document so the user doesn’t realize anything went wrong. The attacker gets control while the user thinks they just opened a document with no content.

  4. User-Level Execution: Poison Ivy didn’t require admin privileges. It ran with the user’s permissions and could still access sensitive files and credentials.

  5. Persistent Backdoor: Unlike traditional malware that might crash the system or be obvious, Poison Ivy silently established a persistent remote access channel while the user continued working.

This was the documented attack vector in the Nitro Attacks (Symantec, October 2011). Defense contractors and chemical companies received similar, carefully crafted phishing emails carrying the Poison Ivy RAT.
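As an added defender's example (not part of the handout), the following Python inspects an email's attachments the way a mail gateway would: it checks the true extension, looks for a document-style double extension, and reads the leading bytes so a PE executable is recognized regardless of the name or icon it wears. The message is a constructed stand-in for the email above with an inert MZ header in place of the real payload; the benign "meeting_notes.doc" control is also constructed.

```python
import email
from email import policy
from email.message import EmailMessage

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf"}
# Leading bytes identify the real file type regardless of the name or icon it wears
MAGIC = [(b"MZ", "pe-executable"), (b"\xd0\xcf\x11\xe0", "ole-document"),
         (b"%PDF", "pdf"), (b"PK\x03\x04", "zip-or-ooxml")]

def sniff_type(data):
    """File type implied by the magic bytes, or 'unknown'."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"

def assess_attachment(filename, data):
    """List the reasons an attachment looks like an executable disguised as a document."""
    findings = []
    exts = ["." + p for p in filename.lower().split(".")[1:]]  # every suffix, in order
    true_ext = exts[-1] if exts else ""
    if true_ext in EXEC_EXTS:
        findings.append("true extension %s is executable" % true_ext)
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and true_ext in EXEC_EXTS:
        findings.append("double extension: document suffix hides executable")
    if sniff_type(data) == "pe-executable" and true_ext not in EXEC_EXTS:
        findings.append("content is a PE executable despite extension %s" % (true_ext or "(none)"))
    return findings

def scan_message(raw):
    """Map every attachment filename in a raw RFC 5322 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename() or "(unnamed)":
            assess_attachment(part.get_filename() or "", part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}

def build_sample_message():
    """Constructed stand-in for the handout's email; the payload is an inert PE header stub."""
    msg = EmailMessage()
    msg["From"] = "David.Park@AdvancedMaterials.com"
    msg.set_content("Please review the attached spec sheet and let me know your thoughts.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application", subtype="msword",
                       filename="composite_specs_v2.7.exe")  # filename from the handout
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8, maintype="application",
                       subtype="msword", filename="meeting_notes.doc")  # benign control
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```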


Key Discovery Questions

  • Why would a research engineer from one company send technical specifications to a competitor?

The email frames this as industry collaboration and personal networking. In real industry relationships, engineers do share general technical specifications, attend the same conferences, and discuss professional topics. This is what makes the phishing credible.

  • What should have raised suspicion about this email?
  1. Attachment format: Technical documents usually come as PDFs or via secure file sharing, not random email attachments
  2. File extension warning: A .doc file that’s actually an .exe should trigger Windows prompts
  3. Unsolicited attachment: Even from a known contact, technical specifications might normally come through official channels
  4. Pressure element: The casual “let’s collaborate” framing could be seen as social engineering

But in practice: Engineers get emails with attachments from colleagues all the time. The attacker chose a legitimate business pretext that’s difficult to distinguish from authentic industry communication.

  • How would you verify this email was legitimate without opening the attachment?
  1. Call David Park directly using a known phone number (not from the email)
  2. Ask if he sent the email and what was attached
  3. Request the file through official company channels or secure file transfer
  4. Check if similar emails went to other employees

But: The attacker counted on the target not taking these precautions.

IM Facilitation Notes

This handout shows:

  • Highly targeted spear-phishing using legitimate industry contacts
  • Social engineering exploiting professional interests
  • File extension spoofing and icon manipulation
  • Weaponized executables disguised as documents
  • Use of decoy documents to avoid user suspicion