Microsoft SharePoint - Encrypted documents spam
#1
This is nothing new, I just caught one while everything is still online, so I'm sharing it...

The e-mail looks like this:



Headers. I figure it's a hacked account, although this txreipartners.com doesn't even have a website, and it's hosted in Croatia; a bit sus.

Code:
txreipartners.com has address 88.209.205.83
txreipartners.com mail is handled by 1 txreipartners.com.


Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from cp11.ulimitserver.com
    by cp11.ulimitserver.com with LMTP
    id L0S0HvsnLWWCWQAAEIIGUw
    (envelope-from <[email protected]>)
    for <[email protected]>; Mon, 16 Oct 2023 14:09:31 +0200
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 16 Oct 2023 14:09:31 +0200
Received: from chord.txreipartners.com ([88.209.205.83]:33034)
    by cp11.ulimitserver.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96.1)
    (envelope-from <[email protected]>)
    id 1qsMPK-0005sI-1U
    for [email protected];
    Mon, 16 Oct 2023 14:09:23 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=txreipartners.com;
    h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding; [email protected];
    bh=6cKYkC+xJKS/zcHJg1C88Uwpwf0=;
    b=FsSol1XJbaXiMd/fTETBxlRjC5DOOXnyjEDhwtb8RCquDCQLV8Cl1/4gWklFK+rKoTeBT+3XiTC+
    MKgaiEvK0VCsZWQCTox0dCxkG/4sMWCbL/rwBGW963KrxHdJVyxUFhBx8lQ1r5TF3SfanN0kRMbl
    yDG9XVTnfwI11nPjpjNRUzjLjGIH+Zh9c0DGyjlQ+hoFBpIIs6H8qoRdzfbryjYCNqI6Hvv5nixG
    /d/juj1Ed1RR4qLIaLjn2ItLdKTjdgtPuUUkAfMk/suqdyZAmcwMUyc3YOpr8x8THPOOzl8jDD2N
    KHFf86SNTxpjpgSM2/dlsIxeyPdmmoXqir9WyQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=txreipartners.com;
    b=MXVGItK5Y63h1UUChGsvI72Ak0kDQVpqiC1QSjgoYr2uPmaOA9Ll6Q3HXsntZGqbHY02hmYQ5CnJ
    qDvTHjtCMW1CTwpCRLclUu7b90jzBQl/ioPXLGeurw8KSQudoK8ea5x/4JtwSuwt2Hui7G0fvMJL
    1vNHYztic1plgDcewWHfduUKGcjZDN7q/gTsaX7NcHs4pK2THwI1JoP44L7LAX3v7HygSswiEpKF
    /9I33D8WwOyakfMoED52LSOLXliTkdZGRDZMiJz1MVyVM6rVxsUiwhG4tPyIUAf/oTJSi0uYIkwN
    zMVWAeHTBuxNeBLFZyFiPoIjehpJOGxRx4wqcg==;
From: Microsoft SharePoint - BLAH.rs <[email protected]>
To: [email protected]
Subject: {Spam?} [email protected]
Date: 16 Oct 2023 05:09:13 -0700
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Spam-Subject: ***SPAM*** [email protected]
X-Spam-Status: Yes, score=9.2
X-Spam-Score: 92
X-Spam-Bar: +++++++++
X-Spam-Report: Spam detection software, running on the system "cp11.ulimitserver.com",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.
    Content preview: Microsoft SharePoint Šifrovani dokumenti Imate šifrovane
    dokumente iz Microsoft SharePoint-a Dokument 1: Ugovor Dokument 2: SWIFT
    Dokument 3: Proforma faktura Iz sigurnosnih razloga, ovi dokumenti su šifrirani.
    Pregledati Dokumente Hvala, Tim za Microsoft nalog
    Content analysis details: (9.2 points, 5.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    2.5 URIBL_DBL_MALWARE Contains a malware URL listed in the Spamhaus
    DBL blocklist
    [URIs: txreipartners.com]
    0.1 URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS
    blocklist
    [URIs: txreipartners.com]
    -0.0 SPF_PASS SPF: sender matches SPF record
    0.1 URI_HEX URI: URI hostname has long hexadecimal sequence
    0.0 HTML_MESSAGE BODY: HTML included in message
    0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    valid
    -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
    author's domain
    -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
    1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    2.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
    [cf: 100]
    0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
    tag
    0.5 FSL_BULK_SIG Bulk signature with no Unsubscribe
    0.1 TO_IN_SUBJ To address is in Subject
X-Spam-Flag: YES
X-PlusHosting-MailScanner-Information: Please contact the ISP for more information
X-PlusHosting-MailScanner-ID: 1qsMPK-0005sI-1U
X-PlusHosting-MailScanner: Found to be clean
X-PlusHosting-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
    score=8.965, required 5, DCC_CHECK 1.10, DKIM_SIGNED 0.10,
    DKIM_VALID -0.10, DKIM_VALID_AU -0.10, DKIM_VALID_EF -0.10,
    FSL_BULK_SIG 0.47, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.64,
    MIME_HTML_ONLY 0.10, RAZOR2_CF_RANGE_51_100 2.43, RAZOR2_CHECK 1.73,
    SPF_PASS -0.00, URIBL_CSS_A 0.10, URIBL_DBL_MALWARE 2.50,
    URI_HEX 0.10)
X-PlusHosting-MailScanner-SpamScore: ssssssss
X-PlusHosting-MailScanner-From: [email protected]


The link in the e-mail leads to pub-0691f791e27445e186a96f6163534e0a.r2 .dev/index.html#[email protected]

The page looks like this:


When a password is entered, it sends it to mnemonicparsingbackup .xyz/ugovor/billions.php

This folder name "ugovor" (Serbian for "contract") is a bit sus too; could these be some domestic or regional actors? Or was the hosting simply hacked and that folder happened to be left open, I don't know.

Shared hosting, registered at Namecheap, possibly by the guys themselves, although the Creation Date is 2022-05-17T13:32:14.0Z

Since directory listing works, this is visible:


I get access denied when trying to open error_log; the stolen passwords are probably in that file, and judging by its size I'd say quite a few people fall for this.
#2
Here's another phish that is part of the same campaign:


The link is pub-0e3ea9ee1ab440899b11595aa49093fe.r2 .dev/index.html#mejl@ovde and the site looks like this:



Code:
pub-0e3ea9ee1ab440899b11595aa49093fe.r2.dev has address 104.18.3.35
pub-0e3ea9ee1ab440899b11595aa49093fe.r2.dev has address 104.18.2.35

This r2.dev belongs to Cloudflare and is being used more and more in phishing: https://www.trustwave.com/en-us/resource...c-buckets/


When a password is entered, it sends it to mnemonicparsingbackup .xyz/billions.php, which is the same domain as in the previous phish. Domain registration and hosting for this one are at Namecheap.

Code:
mnemonicparsingbackup.xyz has address 68.65.122.110
mnemonicparsingbackup.xyz mail is handled by 20 mx3-hosting.jellyfish.systems.
mnemonicparsingbackup.xyz mail is handled by 10 mx2-hosting.jellyfish.systems.
mnemonicparsingbackup.xyz mail is handled by 5 mx1-hosting.jellyfish.systems.
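As an added defender-side example for both posts above (my own script, not from the thread or its posters), a small Python triage routine that pulls out the points discussed: the originating IP from the Received chain, whether the From domain aligns with the DKIM d= domain (it does here, as expected for a hacked account), the SpamAssassin score, and any link to a public Cloudflare R2 bucket (pub-<32 hex>.r2.dev) carrying the recipient's address in the URL fragment, which is the marker shared by both lures. The sample message is constructed from the headers in post #1 with placeholder addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on post #1's headers (placeholder addresses) plus the R2 lure link pattern from both posts.
SAMPLE_MSG = """\
Return-Path: <sender@txreipartners.com>
Received: from chord.txreipartners.com ([88.209.205.83]:33034)
    for victim@example.invalid; Mon, 16 Oct 2023 14:09:23 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=txreipartners.com;
From: Microsoft SharePoint - BLAH.rs <sender@txreipartners.com>
X-Spam-Status: Yes, score=9.2
Content-Type: text/html

<a href="https://pub-0691f791e27445e186a96f6163534e0a.r2.dev/index.html#victim@example.invalid">Pregledati Dokumente</a>
"""

# Cloudflare R2 public bucket host (pub-<32 hex>.r2.dev) with an e-mail address in the fragment.
R2_LURE = re.compile(r"https?://pub-[0-9a-f]{32}\.r2\.dev/[^\s\"'<>#]*#([^\s\"'<>]+@[^\s\"'<>]+)", re.I)

def origin_ip(msg):
    """IP of the originating hop: the bottom-most Received header that carries a bracketed IP."""
    hits = [re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", r) for r in reversed(msg.get_all("Received") or [])]
    return next((h.group(1) for h in hits if h), None)

def signing_domain(msg):
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))  # d= tag; None if unsigned
    return m.group(1).lower() if m else None

def from_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() or None

def body_text(msg):  # decode every leaf part (the real mail was quoted-printable HTML)
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "latin-1", "replace")
                     for p in msg.walk() if not p.is_multipart())

def r2_lures(text):  # (url, address-in-fragment) pairs for R2 lure links
    return [(m.group(0), m.group(1)) for m in R2_LURE.finditer(text)]

def triage(raw):
    msg = message_from_string(raw)
    score = re.search(r"score=([\d.]+)", msg.get("X-Spam-Status", ""))
    fd, dd = from_domain(msg), signing_domain(msg)
    f = {"origin_ip": origin_ip(msg), "from_domain": fd, "dkim_domain": dd,
         "dkim_aligned": fd is not None and fd == dd, "spam_score": float(score.group(1)) if score else None,
         "r2_lures": r2_lures(body_text(msg))}
    # Aligned DKIM only shows the (compromised) account really sent it; the R2 lure link is the campaign marker.
    f["verdict"] = ("phish" if f["r2_lures"] else
                    "suspect" if not f["dkim_aligned"] or (f["spam_score"] or 0) >= 5.0 else "ok")
    return f
```

Feed it the raw .eml and `triage()` returns a dict; anything with an R2 lure link is flagged as phish even when SPF and DKIM pass, since both posts show the sending account itself is compromised.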

