#1263301: AgentTesla Keylogger and Binary Options scam

Description: We are still not seeing massive amounts of malware currently hitting the UK. We are still seeing the commodity malware like AgentTesla keylogger / info stealer, Nanocore RAT and Hawkeye Keylogger on a very regular basis.

Today’s example of an AgentTesla campaign is somewhat more interesting than usual.

The email is nothing special and pretends to be the typical fake invoice we frequently see as the lure with these campaigns. What is different today is, firstly, that the email actually comes from the sender it claims to be from and passes all authentication checks (see email headers below). The home page of the sending domain's website simply says this is a mail-in-a-box, "take control of your email", and links to https://mailinabox.email/, the instruction page telling you how to set up your own mail server with a few simple clicks.

Then we get to the actual AgentTesla payload.

INV-GF76370-7478-465.cab (VirusTotal): extracts to INV-GF76370-7478-465.exe. Current VirusTotal detections | Anyrun

This was quite well detected on VirusTotal and there is nothing really special about the payload until you come to the email address and SMTP server being used to exfiltrate the stolen information.

Anyrun has a setting to act as a MITM between the samples being run and the servers they contact. This particular sample has the mail server login and password in base64-encoded form, and the sending and receiving email addresses in plain text: ranger@tendertradeforex.co.uk : newpassword216! The password is unbelievable, and anyone using passwords like that deserves to be hacked.
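As an added illustration (not from the original post), a small parser for the kind of SMTP transcript a sandbox MITM capture yields: it decodes the base64 AUTH LOGIN (and AUTH PLAIN) credentials and pulls out the sender and recipient, which is what an analyst needs to turn a capture like the one above into IOCs. The session and the account name and password are constructed placeholders; only the mail server name comes from this report.

```python
import base64
import re

# Constructed SMTP session in the form a sandbox MITM transcript takes.
# The mail server name is the one from the report; the account name and
# password are placeholders, not the values seen in the sample.
SAMPLE_SESSION = """\
S: 220 mail.tendertradeforex.co.uk ESMTP
C: EHLO DESKTOP-ADMIN
S: 250-mail.tendertradeforex.co.uk
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: c3RlYWxlckBleGFtcGxlLmludmFsaWQ=
S: 334 UGFzc3dvcmQ6
C: cGxhY2Vob2xkZXItcGFzc3dvcmQ=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<stealer@example.invalid>
C: RCPT TO:<dropbox@example.invalid>
C: DATA
"""

def _b64(token: str) -> str:
    """Decode a base64 SMTP token; return it unchanged if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return token

def parse_smtp_exfil(session: str) -> dict:
    """Recover server, login, sender and recipients from a captured SMTP session."""
    info = {"server": None, "user": None, "password": None, "mail_from": None, "rcpt_to": []}
    pending = []  # base64 fields still expected from the client after AUTH LOGIN
    for line in session.splitlines():
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "S" and text.startswith("220 ") and info["server"] is None:
            info["server"] = text.split()[1]  # greeting names the exfil server
        elif side != "C":
            continue
        elif pending:
            info[pending.pop(0)] = _b64(text)
        elif text.upper().startswith("AUTH LOGIN"):
            parts = text.split()
            if len(parts) == 3:  # username may ride on the AUTH LOGIN line itself
                info["user"] = _b64(parts[2])
            pending = ["password"] if len(parts) == 3 else ["user", "password"]
        elif text.upper().startswith("AUTH PLAIN "):
            # AUTH PLAIN carries "\0user\0password" in a single base64 token
            _, user, password = _b64(text.split(None, 2)[2]).split("\0")
            info["user"], info["password"] = user, password
        elif m := re.match(r"MAIL FROM:\s*<([^>]*)>", text, re.I):
            info["mail_from"] = m.group(1)
        elif m := re.match(r"RCPT TO:\s*<([^>]*)>", text, re.I):
            info["rcpt_to"].append(m.group(1))
    return info

if __name__ == "__main__":
    print(parse_smtp_exfil(SAMPLE_SESSION))
```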

I can’t say with any certainty whether the Binary Options scam website has been hacked or whether the stolen data from the AgentTesla keylogger is being used by the criminals who are also behind the Binary Options scam.

But when you look up the domain in the email address, tendertradeforex.co.uk, you soon find out that it is unlikely to have been hacked or compromised, and if it has been, the criminals running the website deserve it. There is no honour amongst thieves. The website itself is a total scam: it is a copy of another known scam website (now closed) with false contact information, and it is pushing a binary options scam. I have absolutely no sympathy when one gang of criminals hacks another gang of criminals.

Warning: these scams are illegal and in the UK, you need to be registered to provide financial advice. I am 100% sure that the names alleged to be the traders here are fake. The street address does not exist. The phone number doesn’t track to any known company and is within a range of numbers known to be used by VOIP scammers that cold call random numbers for fraudulent purposes. The only people who ever make any money from these scams are the criminals behind them.

One of the emails looks like:

From: Weifang Huaxing <admin@infozcn.com>

Date: Wed 12/06/2019 07:51

Subject: Re: Revised INV/ GF76370-7478-465

Attachment: INV-GF76370-7478-465.cab

Body content:

Dear Sir

For Item 1 – P/N correct call out should be GF76370-7478-465, please find our quotation in attachment. Thanks.

Best Regards,

Jacky Chan

Topcast Aviation Supplies Co LTD

Hong Kong

Direct line: 852-3987-6342

Tel : 852-2305-4111

Fax: 852-2305-4388

E-mail : jacky.chan@topcast.com

These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details. A very high proportion are ransomware versions that encrypt your files and demand money (about £350/$400) to recover the files.
First Aid: IOC:

Main object: INV-GF76370-7478-465.cab
  sha256 8e69c2cc66803246bc16bba746b17afa08aacc37d751857fa8ad0653b08f0771
  sha1 88187071e1f8b6f17b093888a03ed574a39bb84f
  md5 80217c27c16ed71c1d9f29b4d456f9f2
Dropped executable file: C:\Users\admin\Desktop\INV-GF76370-7478-465.exe
  sha256 b6dcffb6187476b0bfcc3bea59b56155ff0d0e02fd8aca6ae1d2d9baa02b1031
DNS requests
  domain mail.tendertradeforex.co.uk
  domain checkip.amazonaws.com
Connections
  ip 198.54.115.194
  ip 52.202.139.131
HTTP/HTTPS requests
  url http://checkip.amazonaws.com/

Address lookup
  canonical name tendertradeforex.co.uk.
  aliases
  addresses 198.54.115.194
More info: https://myonlinesecurity.co.uk/agenttesla-keylogger-and-binary-options-scam/

Date added June 12, 2019, 5:53 p.m.
Source myonlinesecurity
Subjects
  • Agent Tesla / AgentTesla data stealer RAT malware
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • Scam/Fraud/Hoax Alerts