Phishing email impersonating the CEO of the Indian Cyber Crime Coordination Centre (I4C)

I have recently been receiving phishing emails impersonating the Indian Cyber Crime Coordination Centre (I4C). Upon investigating, I found that multiple users had reported these scams on Twitter/X and Reddit.

First phishing email, received on April 8, 2024:

It has also been tweeted by @Cyberdost, the cyber-safety and cybersecurity awareness X account maintained by the Ministry of Home Affairs, Government of India.

I dug in and checked the email header. This email was received from the address adegoodchild950@gmail.com.

Second phishing email, received on May 18, 2024:

I received another email impersonating “Mr. Prashant Gautam policecybercrimeindia@gmail.com”.

This is certainly a phishing email. I checked its header, and it was sent by mrstheresarolland7@gmail.com.

To check whether both emails were sent by the same person or group:

I entered mrstheresarolland7@gmail.com as the login email on Gmail and clicked “Forgot password”. It offered an account recovery option that sends a verification code to the alternative email address.

The first three letters of the recovery email address match the earlier sender address, adegoodchild950@gmail.com, though this could be a coincidence.

Malicious email .ics attachments

Recently I received a few random emails with calendar invites attached, from random senders and with unknown email addresses in CC. These arrived in my inbox instead of spam, though I later moved them to the spam folder.

Email Attachment:

File type: Calendar invite

File Extension: .ICS

I uploaded the .ics attachment to VirusTotal, but no AV vendor has detected it as malicious yet.

I opened the .ics file in Notepad and can clearly see a URL pointing to the domain http://ngsl7[.]bemobtrcks[.]com
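To do that Notepad check programmatically, here is an added Python example (not from the original post) that unfolds an .ics file, pulls every URL out of its properties, and reports them defanged, flagging any host that is not on a trusted list. The sample invite and the trusted-domain list are constructed for illustration; the only real value in it is the domain seen in the attachment above.

```python
import re

# Constructed sample invite resembling the lure described above; the URL is the
# domain seen in the attachment, folded across two lines as RFC 5545 permits.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "DESCRIPTION:Confirm your payout at http://ngsl7.bemobtrcks.com/confirm\r\n"
    " ?id=1234\r\n"
    "URL:http://ngsl7.bemobtrcks.com\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def unfold_ics(text: str) -> list:
    """Join RFC 5545 folded lines: a continuation starts with a space or tab."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def extract_urls(ics_text: str) -> dict:
    """Map each property name (URL, DESCRIPTION, ...) to the URLs found in it."""
    found = {}
    for line in unfold_ics(ics_text):
        if ":" not in line:
            continue
        prop = line.split(":", 1)[0].split(";", 1)[0].upper()  # drop params
        for url in URL_RE.findall(line):
            found.setdefault(prop, []).append(url)
    return found

def defang(url: str) -> str:
    """Render a URL safe to paste into a ticket: hxxp scheme, bracketed dots."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def flag_external_urls(ics_text: str, trusted_domains: list) -> list:
    """Return defanged URLs whose host is not a trusted domain or a subdomain of one."""
    flagged = set()
    for urls in extract_urls(ics_text).values():
        for url in urls:
            host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
            if not any(host == d or host.endswith("." + d) for d in trusted_domains):
                flagged.add(defang(url))
    return sorted(flagged)
```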

When I opened the URL “http://ngsl7[.]bemobtrcks[.]com” in a browser, it redirected to “http://receivepayment[.]fun”, then again to “https://bitcoinwallet[.]xyz” and on to “https://paysitecash[.]paywest[.]net”. The redirection chain kept changing and may land on a different website each time the main URL is accessed.

Below is a screenshot of one of the websites it redirects to.

When it opens bitcoinwallet[.]receivepayment[.]xyz, it shows potentially bad traffic.

any.run reports malicious traffic because it is using Let's Encrypt encryption for a suspicious domain.

These are confirmed phishing emails. Calendar invites may bypass traditional email filters, making it easier for phishing emails using this method to reach users’ inboxes, and this is what is happening here.

Below are the network connections established to the following domains when opening the .ics file:

  • ngsl7[.]bemobtrcks[.]com
  • receivepayment[.]fun
  • ctldl[.]windowsupdate[.]com
  • bitcoinwallet[.]receivepayment[.]xyz

IOC:

  • MD5: 264D98086A88D5A57E917EFBCFC36F87
  • MD5: 4187D230F6D850024E8B678B783F4464
  • MD5: F1C401645FAD5274AB7B86857E4CAF84

Summary:

  • These are crypto-related phishing emails.
  • If you receive such emails (with .ics attachments) from an unknown sender, it is better to ignore them.
