Friday, 13 May 2016

Ransomware fight: a fake SDA mail will deliver you a virus

Hi guys,
over the last few months I have tried to help a lot of friends fight several ransomware infections, but I had never seen a real fake email or how the attack is carried out.

Today, one of my mail addresses received an email from someone presenting themselves as SDA.
Here is how the email looks:

At first glance the email seems safe (obviously only if you are really expecting some gift :) ), but after reading just a few words you can easily tell that the email has been translated with an automatic tool.
OK, this is fake, but I want to dig deeper into the matter.

The sender: the sender is not SDA, of course, but it is a real address belonging to an Italian institute. Someone there has been compromised.

Email content: all the active content of the email comes from a compromised Russian server, which hosts the images of the fake email and the redirector to the fake SDA courier page. Example (BE CAREFUL):

hxxp://podboika.ru/vNq1MzUKiYwQ/yZXbPmC1s9p5FN6.php?id=xxxxx

That link redirects to a fake SDA page where, in theory, you should download your tracking number (BE CAREFUL):
hxxp://c4zj.sdaexpress-italia24.org/tduw.php?id=ZnVja3lvdUBmdWNrLnJ1 (the address changes)
Nothing to say: they really did a fantastic clone of the SDA site, and all the links point to the real SDA site, except one: the download button ("SCARICA"). It downloads from the same server a zip file called spedizione_13952.zip, containing an obfuscated JavaScript file with the same name. You can take a look at the code here.


Of course, I don't have the time to deobfuscate the whole code, but using some tricks I was able to decode the strings of some routines, and I found the links where the real malware is hosted (BE CAREFUL):

function xHkt() {
    var yIlLgr = "hxxp://ofnar.is/1.exe";
    return yIlLgr;
}
function tGJ() {
    var OSLQYzU = "hxxp://probst-elektro.ch/media/1.exe";
    return OSLQYzU;
}
At the time I'm writing this post, the file 1.exe is still not recognized as a virus, and Kaspersky says that it is safe!!
But I know that is not the truth!!
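As an added example (not part of the original post), here is a small Python triage script that statically recovers string-returning routines of the kind shown above and pulls out the download hosts, without ever executing the sample. The JavaScript embedded below is constructed from the two routines in the post plus a hypothetical third routine that splits its literal across a concatenation; example.invalid is a placeholder host.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two routines from the post (URLs kept defanged as hxxp)
# plus a hypothetical third one using the common "split literal" trick.
SAMPLE_JS = r'''
function xHkt() {
    var yIlLgr = "hxxp://ofnar.is/1.exe";
    return yIlLgr;
}
function tGJ() {
    var OSLQYzU = "hxxp://probst-elektro.ch/media/1.exe";
    return OSLQYzU;
}
function qwe() {
    var a = "hxx" + "p://exam" + "ple.invalid/dl/" + "1.exe";
    return a;
}
'''

# Simple, non-nested functions only; double-quoted literals only (assumption).
FUNC_RE = re.compile(r'function\s+(\w+)\s*\(\s*\)\s*\{(.*?)\}', re.S)
ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*((?:"[^"]*"\s*\+?\s*)+);')
RETURN_RE = re.compile(r'return\s+(\w+)\s*;')
STR_RE = re.compile(r'"([^"]*)"')


def string_returning_functions(js):
    """Map function name -> the literal string it returns (var + return pattern)."""
    out = {}
    for name, body in FUNC_RE.findall(js):
        # Resolve each "var x = "a" + "b";" to its joined literal.
        assigns = {v: "".join(STR_RE.findall(rhs)) for v, rhs in ASSIGN_RE.findall(body)}
        m = RETURN_RE.search(body)
        if m and m.group(1) in assigns:
            out[name] = assigns[m.group(1)]
    return out


def extract_download_urls(js):
    """Return (function, defanged_url, host) for every recovered string that is a URL."""
    hits = []
    for name, s in string_returning_functions(js).items():
        if re.match(r'^h(?:tt|xx)ps?://', s):
            real = "http" + s[4:]          # refang only to parse the host name
            host = urlsplit(real).hostname
            hits.append((name, real.replace("http", "hxxp", 1), host))
    return hits
```

Running extract_download_urls(SAMPLE_JS) yields one tuple per dropper URL, so the hosts can be handed straight to blocklists or log searches.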

So, let's take a safe look at the file 1.exe. To do that I used the free automated malware analysis service provided by hybrid-analysis.com, and here is the full report.

Conclusion: be careful and don't trust the internet!