
Rewterz Threat Alert – Multiple Malspam Campaigns Dropping Different Malware – IoCs

Severity

Medium

Analysis Summary

The following malspam campaigns have been reported:

  • A FormBook malware phishing campaign using the subject “Revised document”
  • An O365-themed phishing email using the subject “A file has been shared with you”
  • A spear-phishing email containing a suspicious phishing URL, using the subject “Fed Reporter”
  • An Emotet phishing malspam campaign with PDF attachments containing embedded malicious URLs. It uses the subject “<Firstname> Online Payment Summary March 2019”, where the first part is the recipient's first name
  • An AMEX-themed phishing email with the subject “Your Account Has Been Flagged !” that contains a malicious PDF
  • An Apple-themed phishing email with the subject line “[ New Update ] [ Receipt Invoice ] [ #ID8461164 ] Thanks for your order in App store at March 14, 2019”
  • A vacation tours website (niagaratours[.]ca) has been compromised; all payment and personal information entered into the site is sent to the attacker-controlled domain handelaar[.]org
  • A Trickbot malspam campaign using the subject “Deposit 91369724 paid 02/26/2019”

Impact

  • Phishing
  • Malware infection
  • Emotet
  • Trickbot

Indicators of Compromise

IP(s) / Hostname(s)

  • 109.74.194[.]49

URLs

  • niagaratours[.]ca
  • handelaar[.]org
  • hxxp://niagaratours[.]ca/niagara/
  • hxxp://handelaar[.]org/validation[.]php?image_id=

Email Subjects

  • A file has been shared with you
  • Revised document
  • Fed Reporter
  • Online Payment Summary March 2019
  • Your Account Has Been Flagged !
  • [ New Update ] [ Receipt Invoice ] [ #ID8461164 ] Thanks for your order in App store at March 14, 2019
  • Deposit 91369724 paid 02/26/2019

Remediation

  • Block the threat indicators at their respective controls (mail gateway, web proxy, DNS, firewall).
  • Scan mail logs for the listed email subjects and, if found, block the related sender addresses, URLs and domains.
  • Do not download email attachments coming from unknown sources.
  • Always scan files downloaded from the internet prior to execution.
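The first two remediation steps (block the indicators, scan for the subjects) are easy to get wrong by hand: the indicators are published defanged, the Emotet subject carries a per-recipient prefix, and mailers vary whitespace and case. The script below is an added example written for this advisory; it is not Rewterz tooling. It refangs the indicators listed above, matches subjects on the fixed part of the line, matches URLs by exact prefix, host or parent domain, and runs the result over a few constructed mail-gateway log lines (the log format, sender and recipient addresses are assumptions for illustration; only the indicators come from the advisory).

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators copied from the advisory, in the defanged form it publishes them.
DEFANGED_DOMAINS = ["niagaratours[.]ca", "handelaar[.]org"]
DEFANGED_IPS = ["109.74.194[.]49"]
DEFANGED_URL_PREFIXES = [
    "hxxp://niagaratours[.]ca/niagara/",
    "hxxp://handelaar[.]org/validation[.]php?image_id=",
]
# Subject lines from the advisory. The Emotet subject starts with the recipient's
# first name, so only its fixed suffix is listed and matched as a substring.
SUBJECT_INDICATORS = [
    "A file has been shared with you",
    "Revised document",
    "Fed Reporter",
    "Online Payment Summary March 2019",
    "Your Account Has Been Flagged !",
    "[ New Update ] [ Receipt Invoice ] [ #ID8461164 ] Thanks for your order in App store at March 14, 2019",
    "Deposit 91369724 paid 02/26/2019",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxp', '[.]') back into the form seen in live logs."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
URL_PREFIXES = [refang(u) for u in DEFANGED_URL_PREFIXES]


def _normalize_subject(subject: str) -> str:
    # Collapse whitespace and case so mailer differences do not hide a hit.
    return re.sub(r"\s+", " ", subject).strip().lower()


NORMALIZED_SUBJECTS = [_normalize_subject(s) for s in SUBJECT_INDICATORS]


def match_subject(subject: str) -> Optional[str]:
    """Return the advisory subject contained in `subject`, or None."""
    norm = _normalize_subject(subject)
    for original, needle in zip(SUBJECT_INDICATORS, NORMALIZED_SUBJECTS):
        if needle in norm:
            return original
    return None


def match_url(url: str) -> Optional[str]:
    """Return the matching indicator for a URL: a listed URL prefix, IP, domain or parent domain."""
    live = refang(url)  # accept defanged input too, e.g. from a ticket
    for prefix in URL_PREFIXES:
        if live.startswith(prefix):
            return prefix
    host = (urlsplit(live).hostname or "").lower()
    if host in DOMAINS or host in IPS:
        return host
    for domain in DOMAINS:  # subdomains of a listed domain
        if host.endswith("." + domain):
            return domain
    return None


@dataclass
class Hit:
    timestamp: str
    sender: str
    recipient: str
    field: str      # "subject" or "url"
    indicator: str  # the advisory indicator that fired


# Assumed gateway log format: one record per line with a quoted subject and a
# single URL field ("-" when the message carried no link).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) subject="(?P<subject>[^"]*)" url=(?P<url>\S+)$'
)

# Constructed sample log lines (not from the advisory).
SAMPLE_LOG = """\
2019-03-19T09:12:03 from=billing@example.net to=alice@example.com subject="Revised document" url=-
2019-03-19T09:14:40 from=share@example.org to=bob@example.com subject="A file has been shared with you" url=http://cdn.example.org/doc
2019-03-19T09:20:15 from=news@example.net to=carol@example.com subject="Weekly newsletter" url=http://www.example.net/news
2019-03-19T09:31:58 from=pay@example.net to=dave@example.com subject="Dave  Online Payment Summary March 2019" url=-
2019-03-19T09:45:02 from=shop@example.com to=erin@example.com subject="Your receipt" url=http://handelaar.org/validation.php?image_id=42
"""


def scan_mail_log(text: str) -> List[Hit]:
    """Match every parseable log line against the subject and URL indicators."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-match
        subject_hit = match_subject(m["subject"])
        if subject_hit:
            hits.append(Hit(m["ts"], m["from"], m["to"], "subject", subject_hit))
        if m["url"] != "-":
            url_hit = match_url(m["url"])
            if url_hit:
                hits.append(Hit(m["ts"], m["from"], m["to"], "url", url_hit))
    return hits


if __name__ == "__main__":
    for hit in scan_mail_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.sender} -> {hit.recipient}: {hit.field} matched {hit.indicator!r}")
```

Matching subjects as normalized substrings rather than exact strings is what lets the per-recipient Emotet subject fire; the trade-off is that a very short indicator would over-match, so keep the list to the distinctive subjects the advisory gives. The URL matcher checks the exact published paths first and only then falls back to host and parent-domain matching, so the output says which level of indicator fired and the block rule can be written at the same granularity.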