Phishing/Sextortion Email – For your own safety, I highly recommend reading this email

March 29, 2024April 23, 2024 AnuragLeave a comment

Phishing/Sextortion Email:

Subject: For your own safety, I highly recommend reading this email

Hello <name>,
You are in big trouble.
However, don't panic right away. Listen to me first, because there is always a way out.

You are now on the radar of an international group of hackers, and such things never end well for anyone.
I'm sure you've heard of Anonymous. Well, compared to us, they are a bunch of schoolboys.
We are a worldwide network of several thousand professionals, each with their own role.

Someone hacks corporate and government networks, someone cooperates with intelligence agencies on the most delicate tasks,
and someone (including me) deals with people like you to maintain the infrastructure of our group.
"What kind of people like me?" - that is the question you are probably asking yourself now.

The answer is simple: people who like to watch highly controversial and, shall we say,
unconventional pornography on the internet that most normal people would consider perverted.
But not you!

In order to leave you without any doubts, I'll explain how I found it out.
Two months ago, my colleagues and I installed spyware software on your computer and then gained access to all of your devices, including your phone.
It was easy - one of those many pop-ups on porn sites was our work.

I think you already understand that we would not write to an ordinary man who watches "vanilla" and even hardcore porn - there is nothing special about that.
But the things you're watching are beyond good and evil.
So after accessing your phone and computer cameras, we recorded you masturbating to extremely controversial videos.
There is a close-up footage of you and a little square on the right with the videos you're pleasing yourself.
However, as I said earlier, there is always a way out, because even the most degraded sinner deserves leniency.
You are lucky today because I am not a sadist who enjoys other people's suffering.
Only money matters to me.

Here is your salvation: you must transfer $1490 in Bitcoin to this BTC cryptocurrency wallet: 19VQ4UwfrMskCbRLPrzsaL6TUCYomNdvKt

You have exactly 48 hours to make the payment, so think less, and do more.
As soon as I receive confirmation of the transaction, I will delete all compromising content and permanently disable our computer worm.
Believe me, I always abide by gentleman's agreements. Even with people who are hardly gentlemen. Because it's nothing personal, just business.

If I do not receive a payment, I will send all videos of you to every person in your contact list, messengers and email.
Relatives, loved ones, colleagues, friends-everyone you've ever been in contact with will receive them.
You understand perfectly well that you will never be able to wash this stain on your reputation.
Everyone will remember you as sick as fuck.
Your life will be completely ruined, and, most likely, only a tightened noose around your neck will be able to save the day.

If you haven't dealt with crypto before, I suppose it won't be difficult for you to figure it all out.
Simply type in the "crypto exchange" into the search bar and pay with a credit card. Besides, based on your browser history, you are a savvy user.
When you want to, you can dig into the darkest depths of the Internet, so I'm sure you will be able to find out what is what.

Here is what my colleagues and I should warn you against:
...Do not reply to this email. Do you really think we are so stupid to be tracked by an email address? This is a temporary disposable email.
 As soon as I clicked "Send", it was gone for good.
...Forget about law-enforcement authorities. As soon as I see that you are trying to contact them, the compromising material will be published.
 Remember, I have access to all your devices, and I can even track your movements.
...Do not reset your devices to factory settings and do not try to get rid of your devices.
 It won't help in any way. Look above - my All-seeing eye is watching all your actions. It is easy to hunt you down.

I am sorry that we met in such circumstances. Probably, everything could be different if you had been more careful about what you are doing on the Internet.
Watch yourself from now on, because even such things that you previously considered insignificant can destroy your life in the future like a butterfly effect.
I hope this is goodbye forever. However, it depends on you.

P.S. The countdown is on. The choice is yours.

This is a phishing sextortion email scam spreading in last few days. I came across few blog posts and tweets mentioning same email content.

A phishing sextortion email is a specific type of malicious email that combines elements of both phishing and sextortion. In such emails, the sender typically claims to have compromising or explicit material of the recipient, often obtained through a supposed hack or malware installed on the recipient’s device. The email usually includes threats to release this material unless a ransom is paid, typically in cryptocurrency.

These emails often employ psychological manipulation and intimidation tactics to coerce the recipient into complying with the demands. They may include personal information about the recipient, such as their name, username, or password (which may have been obtained from previous data breaches), to make the threats seem more credible.

Email header:

Received-SPF: Fail (protection.outlook.com: domain of hotmail.com does not
 designate 45.233.98.42 as permitted sender) receiver=protection.outlook.com;
 client-ip=45.233.98.42; helo=[45.233.98.42];

Email header shows this email has been sent from IP 45.233.98.22 from Brazil.

When searched on Mxtoolbox, found this IP address is already in blacklist on “s5h.net” and “SORBS SPAM“.

Scammers have demanded $1490 bitcoin to transfer to Crypto wallet 19VQ4UwfrMskCbRLPrzsaL6TUCYomNdvKt and when I have received this email I checked for this wallet, there were no transactions but unfortunately now I see 2 transactions that means 2 victims fell for it.

link to check transaction for this wallet: Blockchair

If you receive a phishing sextortion email, it’s essential to:

Stay calm: Remember that the sender’s threats may not be legitimate.
Avoid responding or engaging: Do not reply to the email or attempt to contact the sender.
Do not pay the ransom: Paying the ransom encourages further criminal activity and does not guarantee that the threats will stop.
Report the email: Report the email to your email provider as spam or phishing. You can also report it to law enforcement agencies or relevant authorities.

Malicious email .ics attachments

March 25, 2024March 25, 2024 Anurag2 Comments

Recently I have received few random emails attached with calendar invites from random email and unknow email ids in CC. These arrived in my inbox insteas of spam. Though, later I moved them to spam box.

Email Attachment:

File type: Calendar invite

File Extesion: .ICS

I have uploaded the ics attachment to Virus Total but no AV vedor detected it as malicious yet.

I have opened ics file in notepad and can see clearly there is URL direction to domain http: // ngsl7. bemobtrcks. com

When I opened the URL “http: // ngsl7. bemobtrcks. com” in browser, it redirects to “http :// receivepayment[.]fun” website and again redirect to “https: // bitcoinwallet. xyz” to “https: // paysitecash. paywest . net” website. Redirection of websites always changed and may land on different website each time I accessed the main URL.

Below screenshot one of the website it redirects.

When it opens up bitcoinwallet [.] receivepayment [.] xyz. It shows bad potential traffic.

There is bad malicious traffic mentioned by any.run because its using Lets encrypt encryption for for suspicious domain.

These are confirmed phishing emails. Calendar invites may bypass traditional email filters, making it easier for phishing emails using this method to reach users’ inboxes and this is what happening.

Below are the network connections getting established opening .ics file to domains.

ngsl7[.]bemobtrcks [.]com
receivepayment [.] fun
ctldl [.] windowsupdate [.] com
bitcoinwallet [.] receivepayment [.] xyz

IOC:

MD5: 264D98086A88D5A57E917EFBCFC36F87

MD5: 4187D230F6D850024E8B678B783F4464

MD5: F1C401645FAD5274AB7B86857E4CAF84

Summary:

These are cyrpto related phishing emails.
If such emails (.ics attached) from unknow sender, better to ignore.

Reference:

MS Excel Malware Analysis

August 13, 2021August 13, 2021 AnuragLeave a comment

MD5: bcdadfdc16bcf022384c4631849e1396

File Type: Microsoft Excel

File Extension: .xlsm

File Name: BillINV-01364_CLIENT_Schedule.xlsm

File Preview:

I am analyzing excel file using OleTools to detect suspicious code and IOCs.

> oleid <FileName>

Oleid will help to know whether file has any embedded OLE/Flash objects,VBA macros

Its clear from the above output of oelid, it has suspicious VBA macro. Now, I am going to get the suspecious keywords using MacroRaptor.

> mraptor <FileName>

MacroRaptor gives information based on keywords, such as read, write, execute.

Command flagged the keywords used in file are AutoExec, Write and Execute which could be, on opening document, it will write files to the system and execute them.

Next, OleVBA which will detects obfuscated strings used, extract IP address, executable file name,

> OleVBA -a <FileName>

I was trying to open the excel file to check the VBA code execution in VBA developer tool by dubugging the code, but opening the excel file, it was getting closed immediately due the Application.Quite call. So, first I have disabled the macro and opened Developer tools and commented out the code and save the file and again enabled macro back. This way opening excel file, it wasn’t closing immediately.

During debugging of macro, I found that it loads the VBscript GetObject to download the exe from the remote server (https:// ntro[.] fr /officeclick.png).

procmon captured the mSHta.exe Process starts via shell which executes the command shown in below image.

The URL which is getting accessed, no more responding. To dig in more, I extracted the excel file and look for the text file which reference I got from OLEVBA

The text file dvdsvhufhuierhiu.txt I looked for .exe refence and I found it too. This file has base64 string which is PowerShell script and downloads executable jieifhzo11.exe file and copy it to location

C:\Users\<profile>\AppData\Local\

_{Base64 string from dvdsvhufhuierhiu.txt file}

After deobfuscation of above string, I can see the below PowerShell command.

_{Obfuscated PowerShell script of above base64 string}

Summery:

Macro execute on document open
mSHta.exe executes command via shell.
It reads obfuscated string from dvdsvhufhuierhiu.txt which is PowerShell script which downloads jieifhzo11.exe
It downloads it from URL https:// ntro[.] fr /officeclick.png.
The URL is no more accessible so unable to download the malicious executable file.

Sample Download:

Any.run

Word Document Malware Analysis

September 7, 2020 AnuragLeave a comment

MD5: CA15F9F45971EA442943084547761994

File: Microsoft word document

Word Document Screenshot:

File Properties:

I used OLEVBA.py to extract the VBA code but it was giving error. I used oledump.py tools to analyze the file.

Using oledum.py. I ran the below command to get the complete document streams.

>>oledump.py <filename>

You can see M at Number 18 and 19 which is the VBA macro as explained by the author of this python script Didier Stevens M denotes VBA macros.

So the next command I am running

>>oledump.py -s 18 <filename>

In below screenshot, it can be seen, the module Lev1daeyfvl calling S_gil0c35zh248.Mei497ecvshp on Document_Open()

After looking into more, I found S_gil0c35zh248.Mei497ecvshp which is being called on opening document is an user form. (refer below screenshot)

_{S_gil0c35zh248.Mei497ecvshp is user form}

I opened word document, and navigate to VBA developer tool (Alt + F11). I saw the VBA code will execute on form execution.

Next I debug the code and analyse the behavior.

The PowerShell script is executed by the WMI process by executing VBA code on document open.

I have extracted the PowerShell script which is encoded in base64. by adding a code to copy PowerShell script in text file. Below is the code to extract the PowerShell script.

I have decoded the PowerShell script and got the code below.

To decode PowerShell script, I used below PowerShell script.

$path_to_b64_string_file= Get-Content -Path "C:\output\output.txt"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($path_to_b64_string_file))
New-Item "C:\output\decoded_b64.txt"
Set-Content -Path "C:\output\decoded_b64.txt" $decoded_b64_string
Write-Host "Decoded Base64 successfully"

I debugged the decoded PowerShell script, during the debugging, I found, it creates a folder at location and file it is going to write will be Ws1uczsw.exe

C:\Users\IEUser\AppData\Local\Temp\Word\2019\Ws1uczsw.exe

and there are multiple remote URL’s it tried to download the malicious file.

All URLs are active.

URL	VT Score
http://rickthewelder%5B.%5Dcom/dtbkup20110205/i/	8/79
http://stiecgps%5B.%5Dcom%5B.%5D br/cgi-bin/7/	0/79
http://tfbauru%5B.%5D com[.] br/cgi-bin/Lhe/	14/79
https://paulburkphotography%5B.%5D com/_new_images/F/	9/79
http://theeldestgeek%5B.%5D com/error/F5	5/79
http://uniquewv%5B.%5D com/cgi-bin/OVJ9qY/	12/79
http://tuls%5B.%5D pl/cgi-bin/7a9	9/79

When I executed the PowerShell script, it downloaded Ww1uczsw.exe

Downloaded file details:

MD5: A4513379DAD5233AFA402CC56A8B9222

File Type: Win32 Exe

PEid Packer: Microsoft Visual C++ v7.0

Family: Emotet Trojan

Summary:

Word document has VBA macros which executes on document open.
PowerShell is encoded in base64 and executes to download Emotet Trojan executable.
Multiple sources/URLs have been used in code to download the malware on the system.

Download Sample Link

References:

Didier Stevens Tools and blogs
oledump.py

Crimson RAT Malware Analysis

July 24, 2020July 24, 2020 Anurag1 Comment

Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.

MD5: f940e886a40783deb4e97fe6d842da7a

File Type: MS Excel Spreadsheet

VT Score: 35/62

I am using OLETools to get the property of excel file.

Next OLETool command I am running is to get the OLE details.

Suspicious Indicators:

VBA code will auto execute on opening excel workbook.
Create directory on the system.
Write a file on the system.
Execute shell command.
hex string used for obfuscation.

Now, I am extracting VBA from excel file and dumping it to txt file. For that command I am running is

cmd> olevba.py --deofb <filename> > Path\output.exe

From the VBA code, I can see the subroutine creates a folder and drop executable file at location C:\ProgramData\Rlmdias\Rlmdias.exe

I opened excel and navigate to VBAProject by clicking Alt+F11. Porject was password protect. I removed password using GitHub code and check out my previous blog how it can be done. Post password removal, I can see there is a userForm1 which has two text box and has a hex values which are PE files will dropped depends on the OS version of the victim 32bit or 64bit

I debugged the VBA code and it dropped a zip file at location “C:\ProgramData\Rlmdias\drngervia.zip” and unzip it using function unSadozip

Dropped zip file has drngervia.exe file. and Shell command execute the executable file

when Shell executed, it opens Windows features and ask to download and Install .Net Framework 3.5

Due to dependency on .net framework, I have installed above Windows feature.

Dropped File:

MD5: 10F955EF9F398E91CA9AE4F34CECD873

File Type: Win32 EXE

File Name: drngervia.exe

Signature: Microsoft Visual C# v7.0 / Basic .NET

Family: Crimson also knows as SEEDOOR and Scarimson

Type: Trojan

VT Score: 47/72

I have used dnSpy to debug the PE file. Looking at the code, it creates persistence creating a registry entry.

It gets the list of running process on the system

It looks for antivirus software running on the system.

It searches for the antivirus software from the below list.

Bit Defender
Quick Heal
Microsoft Essentials
F-Secure
Kaspersky
Avira
Symantec
MacAfee
AVG
Avast

Capabilities of this RAT observed from code:

Get the running process on the system.
Get the drives, directories and files on the system.
Get the host name, User id.
Capture screenshots.
Get the data from C2 server.
Using custom ports to connect to C2 server.

On execution, drngervia.exe try to establish connection with C2 server which IP and ports are hard coded in the code. IP address is in the form decimal values. C2 server didnt respond.