Fake quotation malspam delivers some sort of malware.

Haythem Elmir

An email with the subject of "Quotation", coming from what appears to be a compromised email account or web server (m.syarifullah@geamedical.com), with a zip attachment that contains unknown malware. I am guessing it is some sort of password stealer or keylogger. (I am being told it is the Agent Tesla keylogger.)

I can't fully work out what this malware is or does. Running it in the various online sandboxes is not giving much helpful information. It drops a small file, htc.exe, which continually crashes in Anyrun. Other sandboxes show the file under a different name, so it obviously randomises the name on each system. It definitely appears to have numerous anti-analysis techniques and protections, and looks like it won't run properly in a sandbox or VM.

They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, with the hope of getting a better response than they do from consumers.

If you look at the email headers, this is coming from geamedical.com and appears to be coming via the webmail service on that domain. It is likely that the credentials used to log in and send these malspam emails were previously stolen by the criminals.
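The header check described above, as an added triage example that is not part of the original post: it parses a constructed message in the shape of this campaign (the sender domain is the one named in the text; the IP address, dates and the receiving host are placeholders), walks the Received chain back to the originating host, and records whether that host sits inside the sender's own domain, whether the first hop was a webmail submission, and which archive attachments are present.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign above (Quotation subject, sender at the
# page's geamedical.com domain, zip attachment); IP, dates and other hosts are placeholders.
SAMPLE_EML = """\
Received: from mail.geamedical.com (mail.geamedical.com [203.0.113.10])
\tby mx.receiver.invalid with ESMTP; Mon, 29 Jan 2018 10:00:00 +0000
Received: from webmail.geamedical.com (localhost [127.0.0.1])
\tby mail.geamedical.com with HTTP; Mon, 29 Jan 2018 09:59:00 +0000
From: "M Syarifullah" <m.syarifullah@geamedical.com>
Subject: Quotation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached our quotation.
--b1
Content-Type: application/zip; name="Quotation.zip"
Content-Disposition: attachment; filename="Quotation.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

ARCHIVE_EXT = (".zip", ".rar", ".7z", ".ace")  # attachment types that get a closer look

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    # Each relay prepends its own Received header, so the last one is the earliest hop.
    received = [str(h) for h in msg.get_all("Received", [])]
    hops = [m.group(1).lower() for h in received
            for m in [re.search(r"from\s+([\w.-]+)", h, re.I)] if m]
    origin = hops[-1] if hops else ""
    archives = [p.get_filename() for p in msg.iter_attachments()
                if (p.get_filename() or "").lower().endswith(ARCHIVE_EXT)]
    return {
        "subject": str(msg.get("Subject", "")),
        "sender_domain": sender_domain,
        "origin_host": origin,
        # Origin inside the sender's own domain fits a compromised account, not a forged From,
        # so SPF/DKIM will not reject it; the attachment is what has to be judged.
        "origin_in_sender_domain": origin == sender_domain or origin.endswith("." + sender_domain),
        "via_webmail": bool(received) and bool(re.search(r"\bwith\s+HTTP\b", received[-1], re.I)),
        "archive_attachments": archives,
    }
```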

To read the original article:


