#1263301: AgentTesla Keylogger and Binary Options scam
We are still not seeing massive amounts of malware hitting the UK at the moment, but we continue to see commodity malware such as the AgentTesla keylogger / info stealer, Nanocore RAT and Hawkeye keylogger on a very regular basis.
Today's example of an AgentTesla campaign is somewhat more interesting than usual.
The email is nothing special and pretends to be the typical fake invoice we frequently see as the lure in these campaigns. What is different today is, firstly, that the email is actually coming from the sender it claims to be and passes all authentication checks (see email headers below). The home page of the sending domain's website simply says this is a mail-in-a-box, "take control of your email", at https://mailinabox.email/. The link leads to the instruction page telling you how to set up your own mail server with a few simple clicks.
Then we get to the actual AgentTesla payload.
INV-GF76370-7478-465.cab (VirusTotal): extracts to INV-GF76370-7478-465.exe. Current VirusTotal detections: | Anyrun |
This was quite well detected on VirusTotal, and there is nothing really special about the payload until you come to the email address and SMTP server being used to exfiltrate the stolen information.
Anyrun has a setting to act as a MITM between the sample being run and the servers etc. that it contacts. This particular sample has the email address, mail server login and password in base64-encoded format, as well as the sending and receiving email address in plain text: firstname.lastname@example.org : newpassword216! The password is unbelievable, and anyone using passwords like that deserves to be hacked.
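The exfiltration channel described above, as an added example that is not part of the original post and not Anyrun's own tooling: a small Python parser that walks a sandbox-captured SMTP session and recovers the fields an analyst records as IoCs, namely the mail server, the base64-decoded AUTH LOGIN username and password, the sender, the recipient and the subject line. It goes slightly beyond the post by also handling AUTH PLAIN, which packs the username and password into a single base64 blob. The "C:"/"S:" transcript layout, the server names, the account, the password and the addresses are all constructed placeholders, not values from the analysed sample or from any real capture format.

```python
import base64
import re


def b64(text: str) -> str:
    """Helper used only to build the constructed transcripts below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample of an SMTP exfiltration session in a "C:"/"S:" transcript
# form (an assumption about the log layout). Server name, account, password
# and addresses are placeholders, not the values from the analysed sample.
SAMPLE_SESSION = "\n".join([
    "S: 220 mail.example.invalid ESMTP ready",
    "C: EHLO DESKTOP-ANALYST",
    "S: 250-mail.example.invalid",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 " + b64("Username:"),
    "C: " + b64("stolen-account@example.invalid"),
    "S: 334 " + b64("Password:"),
    "C: " + b64("PlaceholderPass1!"),
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<stolen-account@example.invalid>",
    "S: 250 OK",
    "C: RCPT TO:<collector@example.invalid>",
    "S: 250 OK",
    "C: DATA",
    "S: 354 End data with <CR><LF>.<CR><LF>",
    "C: Subject: PW_User/DESKTOP-ANALYST",
    "C: ",
    "C: (stolen content omitted)",
    "C: .",
    "S: 250 OK queued",
    "C: QUIT",
])

# Constructed variant using AUTH PLAIN, which sends authzid\0authcid\0password
# as one base64 blob instead of two separate challenge/response rounds.
SAMPLE_SESSION_PLAIN = "\n".join([
    "S: 220 smtp.example.invalid ESMTP",
    "C: AUTH PLAIN " + b64("\x00other@example.invalid\x00OtherPass2!"),
    "S: 235 OK",
    "C: MAIL FROM:<other@example.invalid>",
    "C: RCPT TO:<collector@example.invalid>",
    "C: QUIT",
])


def _apply_plain(rec: dict, blob_b64: str) -> None:
    """Split a decoded AUTH PLAIN blob into username and password."""
    fields = base64.b64decode(blob_b64).decode(errors="replace").split("\x00")
    if len(fields) == 3:
        rec["username"], rec["password"] = fields[1], fields[2]


def parse_smtp_exfil(session: str) -> dict:
    """Walk a captured SMTP session and recover the fields an analyst records
    as IoCs: server, auth method, decoded login, sender, recipients, subject."""
    rec = {"server": None, "auth": None, "username": None, "password": None,
           "mail_from": None, "rcpt_to": [], "subject": None}
    expect = None      # which credential field the next client line carries
    in_data = False    # inside the DATA section (message headers and body)
    for raw in session.splitlines():
        m = re.match(r"^([CS]):\s?(.*)$", raw)
        if not m:
            continue
        side, line = m.group(1), m.group(2)
        if side == "S":
            if line.startswith("220 ") and rec["server"] is None:
                rec["server"] = line.split()[1]
            elif line.startswith("334"):
                # The server's base64 challenge tells us which field comes next
                prompt = base64.b64decode(line[3:].strip()).decode(errors="replace")
                expect = "password" if prompt.lower().startswith("password") else "username"
            continue
        if in_data:
            if line == ".":
                in_data = False
            elif line.lower().startswith("subject:") and rec["subject"] is None:
                rec["subject"] = line.split(":", 1)[1].strip()
            continue
        upper = line.upper()
        if expect is not None:
            if rec["auth"] == "PLAIN":
                _apply_plain(rec, line)          # PLAIN answered a blank challenge
            else:
                rec[expect] = base64.b64decode(line).decode(errors="replace")
            expect = None
        elif upper.startswith("AUTH LOGIN"):
            rec["auth"] = "LOGIN"
            parts = line.split()
            if len(parts) == 3:   # initial-response form: AUTH LOGIN <b64 user>
                rec["username"] = base64.b64decode(parts[2]).decode(errors="replace")
        elif upper.startswith("AUTH PLAIN"):
            rec["auth"] = "PLAIN"
            parts = line.split(None, 2)
            if len(parts) == 3:
                _apply_plain(rec, parts[2])
        elif upper.startswith("MAIL FROM:"):
            rec["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            rec["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif upper == "DATA":
            in_data = True
    return rec


def unexpected_smtp_auth(rec: dict, allowed_servers: set) -> bool:
    """Detection angle: an authenticated SMTP session from an endpoint to a
    mail server outside the organisation's allow-list is worth an alert."""
    return rec["auth"] is not None and rec["server"] not in allowed_servers


if __name__ == "__main__":
    for sess in (SAMPLE_SESSION, SAMPLE_SESSION_PLAIN):
        r = parse_smtp_exfil(sess)
        print(r, "ALERT" if unexpected_smtp_auth(r, {"smtp.corp.example"}) else "ok")
```

The parser keys its state off the server's 334 challenges rather than guessing, so it does not matter whether the client sent the username inline with the AUTH LOGIN command or waited for the prompt. The allow-list check is the piece to lift into detection logic: commodity stealers of this type authenticate to whichever third-party mail server the operator configured, which is rarely one an endpoint should be talking to directly.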
I can't say with any certainty whether the binary options scam website has been hacked or whether the stolen data from the AgentTesla keylogger is being used by the same criminals who are behind the binary options scam.
But when you look up the domain in the email address, tendertradeforex.co.uk, you soon find that it is unlikely to have been hacked or compromised, and if it has been, the criminals running the website deserve it. There is no honour amongst thieves. The website itself is a total scam: it is a copy of another known scam website (now closed) with false contact information, and it is pushing a binary options scam. I have absolutely no sympathy when one gang of criminals hacks another gang of criminals.
Warning: these scams are illegal, and in the UK you need to be registered to provide financial advice. I am 100% sure that the names alleged to be the traders here are fake. The street address does not exist. The phone number doesn't track to any known company and is within a range of numbers known to be used by VOIP scammers that cold-call random numbers for fraudulent purposes. The only people who ever make any money from these scams are the criminals behind them.
One of the emails looks like:
From: Weifang Huaxing <email@example.com>
Date: Wed 12/06/2019 07:51
Subject: Re: Revised INV/ GF76370-7478-465
For Item 1 – P/N correct call out should be GF76370-7478-465, please find our quotation in attachment. Thanks.
Topcast Aviation Supplies Co LTD
Direct line: 852-3987-6342
Tel: 852-2305-4111
E-mail: firstname.lastname@example.org
These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details. A very high proportion are ransomware versions that encrypt your files and demand money (about £350/$400) to recover the files.
Main object: INV-GF76370-7478-465.cab
Dropped executable file: C:\Users\admin\Desktop\INV-GF76370-7478-465.exe
SHA256: b6dcffb6187476b0bfcc3bea59b56155ff0d0e02fd8aca6ae1d2d9baa02b1031
Canonical name: tendertradeforex.co.uk
Date added: June 12, 2019, 5:53 p.m.