
More AgentTesla keylogger campaigns

We still see loads of AgentTesla keylogger / info-stealer malware campaigns hitting the UK most days. Today is no exception, with quite a few so far. I don't always post them here unless there is something slightly different or unusual about either the delivery method or the malware itself. I just submit them to antivirus companies and most times tweet the details to other security researchers.

Today’s other versions are tweeted Here & Here

This version today is more noticeable and worth mentioning for several reasons.

  1. The alleged sender pricolcargo.com has appeared in the lists of spoofed companies for literally ages, since at least the beginning of 2019. They appear to have misconfigured their SPF records and email authentication, so anybody can send on their behalf. Pricolcargo appears to be a large India-based transport / logistics company that deals with worldwide shipments.
  2. The hacked or compromised site receiving the stolen information is a web design company, grindd.com, who obviously prefer style over substance. I have never seen a more difficult or confusing website to navigate. Too many web design companies ignore, or are not aware of, the security implications of some of the tweaks and tricks they use to make a site look kooooool and flashy. I really feel sorry for any of their clients who have also suffered, either due to misconfiguration of the website or other introduced security holes. It is entirely possible that somebody within this web design company has fallen foul of a phishing attack and unwittingly given up their cPanel login details, allowing a complete takeover of their web space. However, there has been a recent Exim exploit that can allow an attacker to take over the account, and indeed the complete server, if it has not been updated. cPanel uses Exim as its mail server.

The email is the usual junk email that should be blocked by most spam filters. None of the companies mentioned in the email body is involved in this malware delivery campaign; the criminals behind it just choose random companies or make them up. The attachment is an Excel spreadsheet using one of the multiple Windows Equation Editor exploits, all fixed a long time ago. It looks like a variant of CVE-2017-11882.

00008873MNZ.xlsx: Current VirusTotal detections | anyrun

Downloads the AgentTesla binary from http://149.202.110.2/00008873MNZ.exe (VirusTotal [web] [file]). The C2 / exfil site is via SMTP using cpanel.grindd.com, which I have mentioned above. The criminals are using encrypted email with STARTTLS, which encrypts the recipient addresses as well.

Somewhere along the line the downloaded .exe is changed and moved to C:\Users\admin\AppData\DpiScaling\RtkAudioService64.bat, which has a different file hash (VirusTotal), just to confuse the issue.

You can now submit suspicious sites, emails and files via our Submissions system

As far as I can tell, pricolcargo.com has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just "innocent" victims, in exactly the same way as every recipient of these emails. Unfortunately they will continue to suffer until they fix their broken / misconfigured SPF and other email authentication. These emails are coming from 107.172.93.38 today.

One of the  emails looks like:

From: Elda Domi <[email address cloaked on page]>

Date: Thu 12/09/2019 07:54

Subject: RE : B/L No LCLSWKAJM1900039 & TNSSWKJEA19051 MT101 SWIFT

Attachment: 00008873MNZ.xlsx

Body content:

Dear All

I hope you are doing well.

Please find attached our bank swift of the balance payment.

Looking forward for the B/L No LCLSWKAJM1900039 & TNSSWKJEA19051

Me respekt  Kind regards,

Elda Domi

Accounting Manager

Putian Hengwei outdoor Co.,Ltd.
Registered in China no.3503967145
Add: RM1501, 15/F., Zhengding Dong Jie Kou Building No.C, Putian City, Fujian, China
Tel: 0086-594-2768788, 2768766
Wechat ID: 13706067389
Email: [email address cloaked on page]

Screenshot: [image: fake email]

Email headers & delivery records:

IP: 107.172.93.38
Hostname: 107-172-93-38-host.colocrossing.com
City / Region / Country: Buffalo, New York, US
Organisation: AS36352 ColoCrossing

Received: from [107.172.93.38] (port=54250 helo=pricolcargo.com)
	by knight.knighthosting.co.uk with esmtp (Exim 4.92)
	(envelope-from <[email address cloaked on page]>)
	id 1i8IzH-0006W9-Mw
	for [email address cloaked on page]; Thu, 12 Sep 2019 07:53:52 +0100
From: "Elda Domi" <[email address cloaked on page]>
To: [email address cloaked on page]
Subject: RE : B/L No LCLSWKAJM1900039 & TNSSWKJEA19051 MT101 SWIFT
Date: 11 Sep 2019 23:53:51 -0700
Message-ID: <[cloaked on page]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0012_98D08031.43A96312"
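The two facts the post draws from these headers are that the connecting IP in square brackets (107.172.93.38) is what the receiving Exim actually saw, while helo=pricolcargo.com is merely what the sender claimed, and that pricolcargo.com's SPF record does not reject such a sender. The script below is an added example, not code from the original post: it parses the Received header quoted above (with placeholders for the addresses the page cloaks) and evaluates the connecting IP against two SPF records that are constructed for illustration, since the domain's real record is not quoted on the page. The evaluator only handles ip4/ip6/all mechanisms itself and reports the DNS-dependent terms it skipped, which is the caveat to keep in mind before trusting its verdict.

```python
import ipaddress
import re

# The Received header quoted in the post above; the cloaked address fields are
# replaced with placeholders because the page does not show them.
RECEIVED_HEADER = (
    "Received: from [107.172.93.38] (port=54250 helo=pricolcargo.com)\n"
    "\tby knight.knighthosting.co.uk with esmtp (Exim 4.92)\n"
    "\t(envelope-from <[cloaked]>)\n"
    "\tid 1i8IzH-0006W9-Mw\n"
    "\tfor [cloaked]; Thu, 12 Sep 2019 07:53:52 +0100"
)

# Hypothetical SPF records, constructed for this example. The post says the
# spoofed domain's record lets anybody send on its behalf; "+all" is the usual
# way that happens. The real record is not quoted on the page.
SPF_PERMISSIVE = "v=spf1 include:_spf.mailhost.example +all"
SPF_STRICT = "v=spf1 ip4:203.0.113.0/24 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

RECEIVED_RE = re.compile(
    r"from \[(?P<ip>[0-9A-Fa-f.:]+)\] \(port=\d+ helo=(?P<helo>[^)\s]+)\)"
    r"\s+by (?P<by>\S+)"
)


def parse_received(header):
    """Pull the connecting IP, the HELO name and the receiving host out of an
    Exim-style Received header. The IP in square brackets is what the MTA saw
    on the wire; the HELO name is whatever the sender chose to claim."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received header layout")
    return {"ip": m.group("ip"), "helo": m.group("helo"), "by": m.group("by")}


def evaluate_spf(record, sender_ip):
    """Minimal SPF evaluator: handles ip4/ip6/all with qualifiers and returns
    (result, skipped_terms). Mechanisms that need DNS (include, a, mx, exists,
    redirect) are recorded in skipped_terms rather than resolved, so treat a
    'fail' as provisional whenever skipped_terms is non-empty."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []
    skipped = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier], skipped
        if mech in ("ip4", "ip6"):
            try:
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIER_RESULT[qualifier], skipped
            except ValueError:
                pass
            continue
        skipped.append(term)
    # RFC 7208: no mechanism matched and no 'all' term present -> neutral
    return "neutral", skipped


def assess(header, spf_record):
    """Combine both checks for one message: who actually connected, what they
    claimed in HELO, and whether the sending domain's SPF record authorises
    that IP."""
    info = parse_received(header)
    result, skipped = evaluate_spf(spf_record, info["ip"])
    info["spf"] = result
    info["spf_skipped"] = skipped
    return info


if __name__ == "__main__":
    for label, record in (("permissive", SPF_PERMISSIVE), ("strict", SPF_STRICT)):
        print(label, assess(RECEIVED_HEADER, record))
```

With the permissive record the colocrossing host passes SPF outright, which is exactly why the spoofed messages keep arriving; with the strict record the same connection fails, and a receiver honouring "-all" would reject it before the attachment ever reached a user.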

These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details. A very high proportion are ransomware versions that encrypt your files and demand money (about £350/$400) to recover the files.

All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won't. Don't try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, making it much more likely that you will accidentally open it and be infected.

Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying "look at this picture of me I took last night" that appears to come from a friend, or something more targeted at somebody who is likely to regularly receive PDF attachments or Word .doc attachments or any other common file that you use every day.

The basic rule is NEVER open any attachment to an email unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.

Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Many malicious files that are attached to emails will have a faked extension, that is, the three letters at the end of the file name. Unfortunately Windows by default hides file extensions, so you need to set your folder options to "show known file types". Then when you unzip the zip file that is supposed to contain the pictures of "Sally's dog catching a ball", or a report in Word document format that work has supposedly sent you to finish working on at the weekend, or an invoice or order confirmation from some company, you can easily see whether it is a picture or document and not a malicious program.

If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .vbs, .wsf, .jse or .jar at the end of the file name, DO NOT click on it or try to open it; it will infect you.

While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won't infect you, provided you don't click it to run it. Just delete the zip and any extracted file and everything will be OK. You can always run a scan with your antivirus to be sure. There are some zip files that can be configured by the bad guys to automatically run the malware file when you double-click the zip to extract the file. If you right-click any suspicious zip file received and select "extract here" or "extract to folder" (after saving the zip to a folder on the computer), that risk is virtually eliminated. Never attempt to open a zip directly from your email; that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.
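The advice above comes down to one mechanical check: judge a file by its last extension, not by the one Windows lets you see, and look inside a zip without running anything. The script below is an added example and not code from the original post. It classifies file names using the "do not open" extension list given above (plus .bat, since this post's own sample ends up as RtkAudioService64.bat), flags the "picture.jpg.exe" style of double extension, and lists the members of a zip archive held in memory without extracting them. The sample archive and its member names are constructed for the example; the member contents are placeholder bytes, not programs.

```python
import io
import os
import zipfile

# Extensions the post lists as "do not open", plus .bat because the sample in
# this very post ends up as RtkAudioService64.bat.
DANGEROUS_EXTENSIONS = {
    ".js", ".exe", ".com", ".pif", ".scr", ".hta", ".vbs", ".wsf", ".jse", ".jar", ".bat",
}
# Extensions attackers put in front of the real one so the file looks like a
# document or picture once Windows hides the final extension.
DOCUMENT_LIKE = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".jpeg", ".png", ".txt"}


def classify_filename(name):
    """Classify a file by its real extension (the last one) rather than the one a
    user sees with known extensions hidden. Returns (verdict, reason)."""
    base = os.path.basename(name.replace("\\", "/"))
    # Windows silently drops trailing dots and spaces, so do the same before looking.
    base = base.rstrip(". ").lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return "suspicious", "no extension"
    true_ext = "." + parts[-1]
    if true_ext in DANGEROUS_EXTENSIONS:
        # "report.pdf      .exe" style padding is handled by stripping the middle part.
        shown_ext = "." + parts[-2].strip() if len(parts) >= 3 else ""
        if shown_ext in DOCUMENT_LIKE:
            return "dangerous", f"{true_ext} file disguised as {shown_ext}"
        return "dangerous", f"{true_ext} file"
    return "ok", f"{true_ext} file"


def inspect_zip(data):
    """Look at the member names of a zip held in memory without extracting
    anything, and classify each one."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            (info.filename,) + classify_filename(info.filename)
            for info in zf.infolist()
            if not info.is_dir()
        ]


def build_sample_zip():
    """Constructed sample archive: one disguised executable, one ordinary document.
    The member contents are placeholder bytes, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sallys dog catching a ball.jpg.exe", b"placeholder, not a program")
        zf.writestr("weekend report.docx", b"placeholder document bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("invoice.pdf", "invoice.pdf.exe", "00008873MNZ.xlsx", "RtkAudioService64.bat"):
        print(name, classify_filename(name))
    for member in inspect_zip(build_sample_zip()):
        print(member)
```

Because inspect_zip only reads the central directory, nothing in the archive is written to disk, which mirrors the post's point that a zip you have not extracted cannot run anything.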


IOC:

Main object - "REB L No LCLSWKAJM1900039 & TNSSWKJEA19051 MT101 SWIFT.msg"
sha256 81821d8478052921a0be8d53d2535f5a9b8d78aa5d0f8de74006030ab308612c
sha1 7a55db353024915d6173f48a243d76b95050b306
md5 511edb4e5c78ca16e7adff2fafa4a69f

Dropped executable files
sha256 C:\Users\Public\vbc.exe eaef7222978b961944c70a738e35856ee4d701e4c2df9e1a9c6ee2e9b988eed1
sha256 C:\Users\admin\AppData\DpiScaling\RtkAudioService64.bat 6f0008426d488bcf6f9ad987ca1680747dbda98e83fe1b63b261d91a96c44937
MD5 04e3a1da10896acfd946109ae407577b
SHA-1 b0be0a0e0471b8ad3cf97f57641e83b2b3ee3425
SHA-256 6f0008426d488bcf6f9ad987ca1680747dbda98e83fe1b63b261d91a96c44937

00008873MNZ.xlsx
MD5 7d3f1490c4778dd69daf9d18fa1ebcb2
SHA-1 3d15593b35e8feccf3698548ffbe46510d61c6b1
SHA-256 4f1e3f2b31a439267a7fb21380d8de59c30c9b35abee01cfb3ae1309bc6b0d51

00008873MNZ.exe
MD5 2760319740d9d4d72cc8c1692988dc2d
SHA-1 dc0956d5d4fb98f5c6f7fb809be698dc3fd03cc9
SHA-256 eaef7222978b961944c70a738e35856ee4d701e4c2df9e1a9c6ee2e9b988eed1

DNS requests
domain checkip.amazonaws.com
domain cpanel.grindd.com

Connections
ip 3.224.145.145
ip 149.202.110.2
ip 209.188.18.186

HTTP/HTTPS requests
url http://149.202.110.2/00008873MNZ.exe
url http://checkip.amazonaws.com/
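To make the IOC list above useful to a defender it has to be run against logs. The script below is an added example, not code from the original post: it takes the SHA-256 hashes, the exfil host, the download URL and the IPs from the list and matches them against a handful of constructed DNS, proxy and endpoint log lines (not from the post or any real network). checkip.amazonaws.com and 3.224.145.145 are kept at low confidence on purpose, because that public "what is my IP" service is called by plenty of legitimate software and would generate noise if treated as a hit on its own.

```python
import re

# Indicators copied from the IOC list in the post. The SHA-256 of
# 00008873MNZ.exe is the same as the dropped C:\Users\Public\vbc.exe.
IOC_SHA256 = {
    "4f1e3f2b31a439267a7fb21380d8de59c30c9b35abee01cfb3ae1309bc6b0d51": "00008873MNZ.xlsx",
    "eaef7222978b961944c70a738e35856ee4d701e4c2df9e1a9c6ee2e9b988eed1": "00008873MNZ.exe / vbc.exe",
    "6f0008426d488bcf6f9ad987ca1680747dbda98e83fe1b63b261d91a96c44937": "RtkAudioService64.bat",
}
IOC_DOMAINS = {"cpanel.grindd.com"}
IOC_IPS = {"149.202.110.2", "107.172.93.38", "209.188.18.186"}
IOC_URLS = {"http://149.202.110.2/00008873MNZ.exe"}
# checkip.amazonaws.com (3.224.145.145) is a public "what is my IP" service that
# the malware calls, but so does much legitimate software: match it at low
# confidence so it corroborates a hit rather than raising one by itself.
LOW_CONFIDENCE_DOMAINS = {"checkip.amazonaws.com"}

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

# Constructed sample log lines (DNS, proxy and endpoint events); they are not
# from the post or from any real network.
SAMPLE_LOGS = [
    "2019-09-12T07:58:01Z dns client=10.0.0.23 query=cpanel.grindd.com type=A",
    "2019-09-12T07:58:03Z dns client=10.0.0.23 query=checkip.amazonaws.com type=A",
    "2019-09-12T07:58:05Z proxy client=10.0.0.23 url=http://149.202.110.2/00008873MNZ.exe status=200",
    "2019-09-12T07:58:09Z edr host=WS23 event=file_create path=C:\\Users\\Public\\vbc.exe "
    "sha256=eaef7222978b961944c70a738e35856ee4d701e4c2df9e1a9c6ee2e9b988eed1",
    "2019-09-12T08:01:10Z proxy client=10.0.0.41 url=https://www.example.com/ status=200",
]


def match_iocs(lines):
    """Scan log lines for the indicators above. Returns one dict per distinct
    (kind, value) found on a line, with a confidence label."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.lower()
        found = {}  # (kind, value) -> confidence, deduplicated per line
        for url in IOC_URLS:
            if url.lower() in line:
                found.setdefault(("url", url), "high")
        for h in HASH_RE.findall(line):
            if h in IOC_SHA256:
                found.setdefault(("sha256", h), "high")
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                found.setdefault(("ip", ip), "high")
        for host in HOST_RE.findall(line):
            if host in IOC_DOMAINS:
                found.setdefault(("domain", host), "high")
            elif host in LOW_CONFIDENCE_DOMAINS:
                found.setdefault(("domain", host), "low")
        for (kind, value), confidence in found.items():
            hits.append({"line": n, "kind": kind, "value": value, "confidence": confidence})
    return hits


def affected_lines(hits, confidence="high"):
    """Line numbers that carry at least one hit of the given confidence."""
    return sorted({h["line"] for h in hits if h["confidence"] == confidence})


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit)
```

On the sample data the matcher raises high-confidence hits on the exfil host lookup, the download URL (twice, once as URL and once as IP), and the dropped-file hash, and a single low-confidence hit on the IP-check lookup that, on the same client within seconds of the others, corroborates the infection chain the post describes.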

Read more https://myonlinesecurity.co.uk/more-agenttesla-keylogger-campaigns/
