This article discusses the author's experience harvesting phishing emails with a catch-all domain. The author stresses the importance of recognizing phishing attempts and walks through the analysis of a suspicious email that carried a potential threat. Key steps include examining the sender's IP address and the file hash, which revealed associations with known malware, specifically RedLine Stealer. Proper email filtering practices are also underscored as a way to reduce phishing risk. Affected: phishing emails, RedLine Stealer, CIBC (Canadian bank)
Key points:
- The author bought a domain to create a catch-all email for phishing email analysis.
- Phishing emails can be harvested to investigate current cyber attack patterns.
- Identifying suspicious emails is crucial for cybersecurity awareness.
- An example email was received, allegedly from CIBC, which triggered an investigation.
- The sender's IP address was extracted from the message headers and checked for connections to known malware.
- The email contained a link that was subjected to a URL scan for safety checks.
- Common domains associated with the malicious IP were identified during the analysis.
- The article emphasizes the necessity of proper email filters to combat phishing attempts.
MITRE Techniques:
- Phishing (T1566) – The attack begins with a phishing email that tricks the recipient into clicking a malicious link.
- Command and Control (T1071) – The malware may establish a control channel over which the actor sends instructions.
- Exploitation of Remote Services (T1210) – Exploiting a vulnerability can lead to deployment of the malicious payload.
Indicators of Compromise:
- [IP Address] 154.127.53.77
- [SHA-256] fcc7eb446093f092eec4f1ba25b2608e77326b3e12df5680963504b96afc01f6
- [URL] https://www.virustotal.com/gui/file/fcc7eb446093f092eec4f1ba25b2608e77326b3e12df5680963504b96afc01f6
- [Email address] nhemings@datamail.ca
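The key points above describe a manual triage loop (collect the message on a catch-all mailbox, pull the sender IP out of the headers, hash the attachment, check the link), and the indicator list gives the values to match against. As an added example that is not code from the original article, the script below automates that loop with Python's standard-library `email` package: it walks the Received chain oldest hop first, hashes each attachment, extracts URLs from the text body so they can be handed to a scanner, and flags anything that matches the IP, SHA-256 or sender listed on this page. The raw message is constructed for the demo (its attachment is a harmless placeholder, so its hash deliberately does not match the real indicator); the IoC values are the ones from this page, and the IoC sets are parameters so you can substitute your own feed.

```python
"""Triage a harvested phishing email against the IoCs listed on this page.

Added example, not the article's own code. Sample message and hostnames
are constructed; IoC values are the ones from the page.
"""
import email
import hashlib
import re
from email import policy

# Indicators from the page.
IOC_IPS = {"154.127.53.77"}
IOC_SHA256 = {"fcc7eb446093f092eec4f1ba25b2608e77326b3e12df5680963504b96afc01f6"}
IOC_SENDERS = {"nhemings@datamail.ca"}

# Bracketed IPv4 literals as they appear in "from host (name [ip])" clauses.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>]+")

# Constructed sample: the hop that handed the mail to our MX is the IoC IP,
# the From address is the IoC sender, and the "attachment" is just the
# bytes of "Hello, World!" (base64 below) standing in for a real payload.
SAMPLE_RAW = b"""Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby catchall.example.org with ESMTP id abc123; Tue, 1 Jan 2024 10:00:00 +0000
Received: from mail.datamail.ca (unknown [154.127.53.77])
\tby mx.example.net with ESMTP id def456; Tue, 1 Jan 2024 09:59:58 +0000
From: "CIBC Online Banking" <nhemings@datamail.ca>
To: anything@catchall.example.org
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please review the attached statement and sign in at https://example.invalid/login
--BOUNDARY
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"
Content-Transfer-Encoding: base64

SGVsbG8sIFdvcmxkIQ==
--BOUNDARY--
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def received_hops(msg):
    """Bracketed IPs from the Received chain, oldest hop first.

    Headers are prepended as mail travels, so the bottom-most Received
    header is the earliest hop we can see; reversing restores time order.
    """
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        hops.extend(IP_IN_BRACKETS.findall(str(header)))
    return hops


def triage(raw: bytes, ioc_ips=IOC_IPS, ioc_sha256=IOC_SHA256, ioc_senders=IOC_SENDERS):
    msg = email.message_from_bytes(raw, policy=policy.default)

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].addr_spec if from_hdr and from_hdr.addresses else None

    hops = received_hops(msg)
    hop_iocs = [ip for ip in hops if ip in ioc_ips]

    # URLs from the plain-text body, ready to hand to a URL scanner.
    body = msg.get_body(preferencelist=("plain",))
    urls = URL_RE.findall(body.get_content()) if body else []

    # Hash every attachment and compare against the file indicator.
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = sha256_hex(data)
        attachments.append({
            "filename": part.get_filename(),
            "sha256": digest,
            "ioc_match": digest in ioc_sha256,
        })

    sender_ioc = sender in ioc_senders
    hit = sender_ioc or bool(hop_iocs) or any(a["ioc_match"] for a in attachments)
    return {
        "sender": sender,
        "sender_ioc": sender_ioc,
        "hops": hops,
        "hop_iocs": hop_iocs,
        "urls": urls,
        "attachments": attachments,
        "verdict": "suspicious" if hit else "no IoC match",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The hop list is returned whole rather than collapsed to a single "sender IP" because the only Received headers you can trust are the ones your own infrastructure wrote; pick the hop just below your trusted boundary as the true connecting address, and treat anything earlier in the chain as attacker-controlled text.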
Full Story: https://medium.com/@ksinclair6/reeling-in-redline-stealer-b54ddf3ecb15?source=rss——cybersecurity-5