Last Updated: 2020-06-15 16:14:38 UTC
by Rick Wanner (Version: 1)
An intresting phishing run started over the weekend. At first glance it looks pretty typical...a clumsy email with an attachment with some vital and useful information. Although I have already seen several different message bodies, this is one sample:
From:Jane Edwards <email@example.com> Sent:Friday, June 12, 2020 10:16 AM To:firstname.lastname@example.org Subject:PROCEDURES Please find attached a copy of current procedures in place for: Bank Concur PO & Expenses processing Raising Sales Invoices Raising Purchase Invoices Recording Consolidated AR & AP at Month End. I am also working on a Customer spreadsheet (expanding on records held previously ) recording : Revenue Type Invoice Frequency Unit Price Is a PO required ? if so what type. I thought that this would be useful if coding and dimensions were included. Jane Edwards | LedgerController
The attachment in this case was an html file called PROCEDURES.html containing the following:
With assistance from reader Carsten I was also able to get a number of the other URLs used in these messages.
hxxp://bosmafamily.nl/~jet/bzkh.html hxxp://flbox.net/87nbtp.html hxxp://werinussa.net/~eege/1kf2zw.html hxxp://www.chartercare.plus.com/zlw7.html hxxp://www.wessexgrange.plus.com/7cdmba.html - Down
There are some detections on the attachments, but Virustotal has almost no detections for the websites. Interestingly Sophos antivirus is listed as "Unrated" on VirusTotal, but my Sophos test machine is catching the attachments as Troj/HTMLDwn-UA.
Running a few of these domains through urlscan.io, it appears very similar and most likely related web pages have been around for at least a week.
So far this is looking like a very clumsy campaign. But if past history tells us anything these clumsy campaigns will sometimes get better and cause some chaos. So it is worth keeping an eye on.
If anybody has any more details, they would be greatly appreciated. I would be especially interested in getting my hands on a couple more samples of the attachments. If you have access to some, I would appreciated it if you could zip up a few (password 'infected') and send them to me via the contact form.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)