September 27, 2024
This email disguises itself as a notice from the recipient's email service provider, falsely presenting a "Review pending messages" alert. It claims that certain incoming emails are being held, suggesting that immediate action is required to access them. The message is strategically designed to create urgency, enticing the recipient to click a link or button under the false pretense of resolving the issue and retrieving the pending emails.
The email falsely claims to be from the recipient's email service provider, urging them to click a link to prevent their mailbox from being shut down by a certain deadline. However, that link actually takes them to a phishing site intended to harvest their personal information.
The email seems like a straightforward request to refresh payment details for an Amazon Prime account, but its true purpose is far more sinister. It's crafted to trick the recipient into clicking a link that directs them to a page designed for stealing credentials.
This email masquerades as a payment order, but its intentions are far from innocent. The real purpose is to mislead the recipient into opening the attached file, which contains a harmful executable. If the recipient activates the file, it will silently install Guloader on their system, all while they are under the impression that they are dealing with a valid business request.
The attacker’s primary objective is to manipulate the victim into executing the malicious payload, thereby infecting their system with malware. This allows the attacker to covertly collect sensitive information and credentials, compromising the victim’s security.
| TYPE | IOC |
|---|---|
| FILE | 783b5b92ea44666e1521eed1d7688f1bdf9044e83ac39258f9905397f52677dd |
| FILE | 376ba06feee16467464fb8a765830c17b65e49f38d07369db1a0eb586fa6ae20 |
| FILE | 187adbae17615b37ae386ebadb4347a41f2a3e994939e832e96f342d91f9d916 |
| FILE | 548928eebb67d6419e329d323637f30d1b1c570a52acc008d339fdab40336c08 |
| FILE | 5fb4c0b14e27e026650eac4da2101b83d70c3a39f8cc008ab5e5c4fcd7837b00 |
| FILE | e4e9cb0519f421b4e7c3ce98cc3593e0f7132d03e77bbf4c9c7ac79f6a0c91ff |
| FILE | 5e945b710d3f774552a57edce050f57a7258d8b1ef5f1114723079b89d10234b |
| FILE | b59c15f1cdcb828e81a8177d96187d90c229369ed512b9aa89cb523e29a0fdcf |
| URL | hxxps[://]mukulbros[.]com/Webmail/webmail[.]php |
| URL | hxxps[://]verification-portall[.]tiiny[.]site |
| URL | hxxps[://]authenticate-domain[.]latosbono[.]workers[.]dev |
| URL | hxxps[://]scureservic-amzisndmsodstetemers[.]line[.]pm/ |
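A defender reading this digest will want to turn the defanged table into something a log search can use. The script below is an added example, not code from the original post: it parses the table above, refangs the URLs (`hxxps[://]` back to `https://`, `[.]` back to `.`), extracts the hostnames, and then checks a few constructed proxy and mail-gateway log lines against the file hashes, full URLs and hostnames. The log line format is an assumption, and the host-only match (a page under one of the listed hosts that is not the exact listed URL) goes slightly beyond the table by treating the host as an indicator in its own right.

```python
"""Parse the defanged IOC table from this Threat Insights entry and match the
indicators against constructed sample log lines (added example, not part of
the original post)."""
import re
from urllib.parse import urlsplit

# IOC rows copied from the table above, still in their defanged form.
IOC_TABLE = """
FILE | 783b5b92ea44666e1521eed1d7688f1bdf9044e83ac39258f9905397f52677dd |
FILE | 376ba06feee16467464fb8a765830c17b65e49f38d07369db1a0eb586fa6ae20 |
FILE | 187adbae17615b37ae386ebadb4347a41f2a3e994939e832e96f342d91f9d916 |
FILE | 548928eebb67d6419e329d323637f30d1b1c570a52acc008d339fdab40336c08 |
FILE | 5fb4c0b14e27e026650eac4da2101b83d70c3a39f8cc008ab5e5c4fcd7837b00 |
FILE | e4e9cb0519f421b4e7c3ce98cc3593e0f7132d03e77bbf4c9c7ac79f6a0c91ff |
FILE | 5e945b710d3f774552a57edce050f57a7258d8b1ef5f1114723079b89d10234b |
FILE | b59c15f1cdcb828e81a8177d96187d90c229369ed512b9aa89cb523e29a0fdcf |
URL | hxxps[://]mukulbros[.]com/Webmail/webmail[.]php |
URL | hxxps[://]verification-portall[.]tiiny[.]site |
URL | hxxps[://]authenticate-domain[.]latosbono[.]workers[.]dev |
URL | hxxps[://]scureservic-amzisndmsodstetemers[.]line[.]pm/ |
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def refang(value):
    """Turn a defanged indicator (hxxps[://]host[.]tld) back into a live URL."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    for defanged, live in (("[://]", "://"), ("[.]", "."), ("[:]", ":")):
        v = v.replace(defanged, live)
    return v


def parse_ioc_table(text):
    """Read 'TYPE | IOC |' rows into sets of hashes, URLs and hostnames."""
    iocs = {"FILE": set(), "URL": set(), "HOST": set()}
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip().strip("|").split("|")]
        if len(parts) < 2 or parts[0] not in ("FILE", "URL"):
            continue  # skip blank lines and the header row
        kind, value = parts[0], parts[1]
        if kind == "FILE":
            iocs["FILE"].add(value.lower())
        else:
            url = refang(value)
            iocs["URL"].add(url.rstrip("/"))  # ignore trailing-slash differences
            host = urlsplit(url).hostname
            if host:
                iocs["HOST"].add(host.lower())
    return iocs


def scan_line(line, iocs):
    """Return (kind, value) pairs for every indicator found in one log line."""
    hits = []
    for h in SHA256_RE.findall(line):
        if h.lower() in iocs["FILE"]:
            hits.append(("FILE", h.lower()))
    for u in URL_RE.findall(line):
        host = (urlsplit(u).hostname or "").lower()
        if u.rstrip("/") in iocs["URL"]:
            hits.append(("URL", u))          # exact URL from the table
        elif host in iocs["HOST"]:
            hits.append(("HOST", host))      # same host, different path
    return hits


def scan_log(lines, iocs):
    """Scan a list of log lines; returns (line_index, kind, value) tuples."""
    return [(i, kind, value)
            for i, line in enumerate(lines)
            for kind, value in scan_line(line, iocs)]


# Constructed sample log lines (proxy and mail gateway); the format is assumed.
SAMPLE_LOG = [
    '2024-09-27T09:14:02Z proxy user=alice url="https://mukulbros.com/Webmail/webmail.php" action=allow',
    '2024-09-27T09:20:15Z proxy user=bob url="https://example.org/login" action=allow',
    '2024-09-27T09:31:48Z proxy user=carol url="https://authenticate-domain.latosbono.workers.dev/login?session=abc" action=allow',
    '2024-09-27T09:40:07Z mailgw attachment="order.exe" sha256=783b5b92ea44666e1521eed1d7688f1bdf9044e83ac39258f9905397f52677dd',
    '2024-09-27T09:42:33Z mailgw attachment="invoice.pdf" sha256=' + "0" * 64,
]

IOCS = parse_ioc_table(IOC_TABLE)

if __name__ == "__main__":
    for index, kind, value in scan_log(SAMPLE_LOG, IOCS):
        print(f"line {index}: {kind} match on {value}")
```

Run as-is it reports three hits: the exact webmail URL on line 0, a host-only match on line 2, and the first file hash on line 3; the unlisted domain and the all-zero hash are ignored. Swap `SAMPLE_LOG` for real proxy or gateway exports to reuse it.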
Threat Insights is a weekly series where we present you with analysis from samples we collect. Follow us on social media for the latest feed and cybersecurity content. Stay informed and stay safe!