September 6, 2024
The email is disguised as an invoice but has a far more malicious intent. Its true purpose is to deceive the recipient into opening the attached file, which contains a harmful executable. If the recipient runs the file, it installs AdwinRAT on their system, all while they believe they are managing a legitimate business request:
The attacker’s primary objective is to manipulate the victim into executing the malicious payload, thereby infecting their system with malware. This allows the attacker to covertly collect sensitive information and credentials, compromising the victim’s security.
In this phishing email, the attacker tries to trigger a sense of panic in the recipient by impersonating the local tax authority, pressuring the recipient to click a link to see their tax recalculation request. However, this link is deceptive and leads to a malicious website designed to harvest personal information.
The email appears to be a payment refund notification, but its actual intent is much more malicious. It is designed to deceive the recipient into downloading and executing a file that contains harmful malware:
Once the file is executed, it installs the malware on the recipient's system, all under the guise of handling a legitimate business transaction.
| TYPE | IOC |
|---|---|
| FILE | 53913469bad501d21ec745362fb23e9c8ba32d9eac0b99adcc561d96da563591 |
| HOST | 80[.]190[.]85[.]84 |
| URL | hxxps[://]www[.]mediafire[.]com/file_premium/z3bi56brp8muojj/Fatura[.]pdf_-_[.]jar/file |
| URL | hxxps[://]app-kontor[.]online/ |
| URL | hxxps[://]inboxsender[.]gxsearch[.]club/PT2/serial[.]php |
| URL | hxxps[://]roncluv[.]com/pt2/arquivos/bbnc[.]html |
| URL | hxxps[://]roncluv[.]com/pt2/arquivos/download[.]php |
Threat Insights is a weekly series where we present you with analysis from samples we collect. Follow us on social media for the latest feed and cybersecurity content. Stay informed and stay safe!
