Short Summary:
The article details the email payloads used in a series of phishing attempts, focusing on the attachment types involved and the malware each one delivered. The payloads were sent to multiple users per incident and relied on a range of archive and image formats to carry the malicious software.
Key Points:
- Dates of the incidents range from September 2, 2023, to September 30, 2024.
- Common email subjects include invoices, quotations, and shipment documents.
- Attachments come in formats such as rar, 7z, lzh, iso, and zip.
- Malware identified includes Formbook, VIPLogger, SnakeKeylogger, XLoader, and Remcos.
- The number of users targeted per incident ranges from 2 to 12.
MITRE ATT&CK TTPs – created by AI
- Credential Dumping (T1003)
  - Procedure: Use of keyloggers to capture credentials.
- Data Obfuscation (T1001)
  - Procedure: Use of compressed file formats (rar, 7z, lzh, iso, zip) to hide malicious payloads.
- Remote Access Software (T1219)
  - Procedure: Use of Remcos for remote access and control.
- Input Capture (T1056)
  - Procedure: Use of keyloggers to capture user input.
| Date | Subject | Payload chain | Email Payload Type | Users Targeted |
|---|---|---|---|---|
| 9/2/2023 | <email address> You have an incoming invoice | rar -> formbook | Attachment | 3 |
| 9/2/2024 | QUOTE – REQUIRED ITEMS_4001244 | rar -> viplogger | Attachment | 2 |
| 9/2/2024 | Business /lease agreements. | 7z -> vbe -> snakekeylogger | Attachment | 2 |
| 9/2/2024 | JUSTIFICANTE -Carta de pago | rar -> viplogger | Attachment | 3 |
| 9/2/2024 | Quote #011698 | lzh -> xloader | Attachment | 3 |
| 9/3/2024 | New Order PO#86637 03_09_2024 | lzh -> xloader | Attachment | 3 |
| 9/3/2024 | Re: Urgent | 7z -> vbe -> snakekeylogger | Attachment | 3 |
| 9/4/2024 | New Shipment – Order 103 | lzh -> xloader | Attachment | 3 |
| 9/5/2024 | New Order PO 011824 | lzh -> xloader | Attachment | 3 |
| 9/8/2024 | Re:Formal Salary Revision | rar -> snakekeylogger | Attachment | 3 |
| 9/9/2024 | Bill of Lading & Invoices | 7z -> bat -> guloader -> remcos | Attachment | 4 |
| 9/9/2024 | RE: AW: WG: AW: PO 09110124 EXPRESS SYSTEM-SESB24066 | lzh -> xloader | Attachment | 2 |
| 9/9/2024 | Request for Quotation | txz -> remcos | Attachment | 4 |
| 9/9/2024 | Thank you for your online payment. | link -> bat -> xworm | Link | 12 |
| 9/11/2024 | Request for Quotation | rar -> xloader | Attachment | 2 |
| 9/11/2024 | Shipment Document No – 100184429 | rar -> snakekeylogger | Attachment | 6 |
| 9/11/2024 | AW: Addition to Order 2024/Request for PI | iso -> xloader (continued to 9/16) | Attachment | 4 |
| 9/11/2024 | shipment doc | rar -> xloader | Attachment | 2 |
| 9/17/2024 | RFQ#z0055-09062024 SJGYNIQKMJl | img -> xloader | Attachment | 22 |
| 9/18/2024 | Re: R: R: R: R: R: new orders | iso -> xloader | Attachment | 2 |
| 9/19/2024 | Request for quotation | gz -> xloader | Attachment | 2 |
| 9/19/2024 | RE: Request for Proforma Invoice | lzh -> xloader (continued to 9/20) | Attachment | 4 |
| 9/20/2024 | RE: AIR SHIPMENT// SGN-FRA///\|Signed Contract for order #23312\|PAYMENT FOR AUGUST SOA | zip -> xloader | Attachment | 3 |
| 9/22/2024 | QUOTATION | gz -> remcos | Attachment | 3 |
| 9/22/2024 | PO For Bulk Order | zip -> xloader | Attachment | 3 |
| 9/23/2024 | Re: Purchase Order | gz -> remcos | Attachment | 4 |
| 9/24/2024 | NEW ORDER | 7z -> xloader | Attachment | 2 |
| 9/24/2024 | Request For Wire Details | 7z -> snakekeylogger | Attachment | 4 |
| 9/24/2024 | RE: FW: URGENT Purchase Order Oct-2024 | lzh -> xloader | Attachment | 2 |
| 9/24/2024 | Ref_0120_03_0015 PNEUMATIC ACTUATORS SERIES 929 | 7z -> vbe -> snakekeylogger | Attachment | 2 |
| 9/30/2024 | RE: UNI SOURCCE TREEND INDIA – SMILEY WORLD TRIMS 30.09.2024 UNI SOURCCE TREEND INDIA | zip -> xloader | Attachment | 6 |
| 9/30/2024 | Invitation To Bid (202411/000100/418) | gz -> originlogger | Attachment | 2 |
Source: https://gist.github.com/silence-is-best/2efe46038a58d20e173fb5ca0a3f7f43