Once again the scumbags sending these are using ISO attachments, which are generally very badly detected by antivirus, mail scanners and perimeter defences. Many AV and "next gen" anti-malware services do not routinely scan inside an ISO file but rely on detecting the extracted file. This is one of the few file types where you are actually slightly safer on Windows 7. There you need a third-party extraction (unzipping) program to get the executable content out of the container. WinZip and WinRAR, along with several other third-party unzipping tools, can do this, but they are not set to open ISO files by default, so it takes a few deliberate clicks from you. Windows 7 will natively try to open the ISO in Windows Disc Image Burner and copy it to a CD/DVD for you, whereas the more modern and "safer" Windows 8.1 and Windows 10 will normally offer to mount the ISO, that is, open it as a virtual CD drive so the .exe file is shown in File Explorer ready for you to click on and run. While the exe file is inside the ISO container it is safe and will not harm you. It should not automatically run when mounted. Many ISOs do have an autorun command embedded (for example the Microsoft Windows 10 or Office downloads), but I can't see one in these.
Jabil.com has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails. I first saw the sending IP / Server being used yesterday in a fake DHL campaign delivering a very similar JS downloader contacting many of the same sites.
From: “Amanda Guimarães” <AMANDA_GUIMARAES@Jabil.com>
Date: Mon 24/06/2019 22:05
Subject: FYI New Order #PO1205356266, Brazil
We are really interested in your products could you please kindly check attached?
our new trial order please quote and confirm to us estimated delivery time to brazil.
Belo Horizonte Site
Desk: +55(31) 2103 – 9312
Rod. Fernão Dias, Km 490, br381, Jardim das Alteroras
32670-790, Betim, MG, Brasil
NEW_PO_1205356266,pdf.iso (VirusTotal) extracts to NEW_PO_1205356266,pdf.exe (VirusTotal | Anyrun), which is the NanoCore binary. The C2 for this NanoCore is microsoft.btc-crypto-rewards.cash (126.96.36.199).
The C2 / SMTP exfiltration server for this AgentTesla is smtp.vivaldi.net (188.8.131.52), but I can't easily determine the email address of the miscreant.
Now when we looked at the download site for the AgentTesla, mechanicaltools.club, we found an open directory listing with lots of files.
This domain was only registered yesterday, 24 June 2019, with WHOIS privacy protection, using Namecheap as both registrar and host. The home page is a default Namecheap holding page. It was obviously registered by these criminals for use in malware campaigns.
This set of files tries to download the same NanoCore that was inside the ISO container. I assume there must have been an email with links that would trigger the download chain. The bad actors have made a bit of an error by starting the chain with an MHT file, http://mechanicaltools.club/download/mhtexp.mht (VirusTotal), which only works in Internet Explorer; other browsers display it as plain text and never offer the next step in the chain for download.
The next step, http://mechanicaltools.club/download/mhtexp.php, simply downloads http://mechanicaltools.club/download/mhtexp.hta (VirusTotal), which in turn downloads and runs http://mechanicaltools.club/download/mhtexp.js (VirusTotal | Anyrun), a heavily encoded script that downloads and runs these three files, which are actually renamed .exe files and not gzipped archives at all. All of them are very well detected on VirusTotal, though.
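Two points above are worth turning into a check you can run at the mail gateway or on a sample: the executable inside an ISO is harmless until the image is mounted and can be inspected without mounting it, and the "tar.gz" files in this chain are PE executables that only a look at the magic bytes exposes. The Python below is an added example, not code from the original post or from any tool mentioned in it. It identifies an attachment by magic bytes, walks the root directory of an ISO 9660 image by hand (no mount, no third-party library), and flags the deceptive ",pdf.iso" naming trick. The minimal image it builds, the payload bytes, the file name NEW_PO.EXE;1 and the function names sniff, list_iso_root, triage_attachment and build_sample_iso are all constructed for the example; a real campaign ISO would also carry a Joliet descriptor holding the long mixed-case file name, which this reader deliberately does not parse.

```python
import re
import struct

SECTOR = 2048  # ISO 9660 logical sector size


def sniff(data: bytes) -> str:
    """Identify a blob by magic bytes, ignoring whatever its file name claims."""
    if data[16 * SECTOR:16 * SECTOR + 6] == b"\x01CD001":   # primary volume descriptor
        return "iso9660"
    if data[:2] == b"MZ":                                    # Windows PE executable
        return "pe"
    if data[:2] == b"\x1f\x8b":                              # gzip
        return "gzip"
    if data[:4] == b"PK\x03\x04":                            # zip
        return "zip"
    return "unknown"


def list_iso_root(image: bytes) -> list:
    """Return (name, bytes) for each file in the primary volume's root directory.
    Nothing is mounted; the directory records are followed by hand (Joliet names not parsed)."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[:6] != b"\x01CD001":
        raise ValueError("not an ISO 9660 image")
    block = struct.unpack_from("<H", pvd, 128)[0]            # logical block size
    root = pvd[156:190]                                      # root directory record
    start = struct.unpack_from("<I", root, 2)[0] * block
    directory = image[start:start + struct.unpack_from("<I", root, 10)[0]]
    files, pos = [], 0
    while pos < len(directory):
        rec_len = directory[pos]
        if rec_len == 0:                                     # zero padding up to the next block
            pos = (pos // block + 1) * block
            continue
        rec = directory[pos:pos + rec_len]
        name = rec[33:33 + rec[32]]
        if name not in (b"\x00", b"\x01") and not rec[25] & 0x02:   # skip ".", ".." and subdirs
            f_start = struct.unpack_from("<I", rec, 2)[0] * block
            f_size = struct.unpack_from("<I", rec, 10)[0]
            files.append((name.decode("ascii"), image[f_start:f_start + f_size]))
        pos += rec_len
    return files


def triage_attachment(filename: str, data: bytes) -> dict:
    """Say what an attachment really is and whether its name is trying to mislead."""
    kind = sniff(data)
    lowered = filename.lower()
    claimed = lowered.rsplit(".", 1)[-1]
    # "NEW_PO_...,pdf.iso": a document extension glued on with punctuation before the real one
    fake_inner_ext = re.search(r"[,_\-. ](pdf|doc|docx|xls|jpg)\.[a-z0-9]+$", lowered) is not None
    payloads = [{"name": n, "kind": sniff(b)} for n, b in list_iso_root(data)] if kind == "iso9660" else []
    return {
        "kind": kind,
        "claimed_ext": claimed,
        "extension_mismatch": claimed in ("gz", "tgz", "zip", "tar", "pdf", "jpg") and kind == "pe",
        "fake_inner_ext": fake_inner_ext,
        "payloads": payloads,
        "executable_inside": any(p["kind"] == "pe" for p in payloads),
    }


def _record(name: bytes, extent: int, size: int, flags: int = 0) -> bytes:
    """One ISO 9660 directory record (both-endian fields, padded to even length)."""
    body = (b"\x00" + struct.pack("<I", extent) + struct.pack(">I", extent)
            + struct.pack("<I", size) + struct.pack(">I", size) + b"\x00" * 7
            + bytes([flags]) + b"\x00\x00" + struct.pack("<H", 1) + struct.pack(">H", 1)
            + bytes([len(name)]) + name)
    if len(name) % 2 == 0:
        body += b"\x00"
    return bytes([len(body) + 1]) + body


def build_sample_iso(payload_name: bytes, payload: bytes) -> bytes:
    """Constructed minimal image for this example: PVD at sector 16, root dir at 18, file at 19."""
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"
    struct.pack_into("<H", pvd, 128, SECTOR)
    struct.pack_into(">H", pvd, 130, SECTOR)
    pvd[156:190] = _record(b"\x00", 18, SECTOR, 0x02)
    terminator = bytearray(SECTOR)
    terminator[0:7] = b"\xffCD001\x01"
    directory = bytearray(SECTOR)
    entries = (_record(b"\x00", 18, SECTOR, 0x02) + _record(b"\x01", 18, SECTOR, 0x02)
               + _record(payload_name, 19, len(payload)))
    directory[:len(entries)] = entries
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(terminator) + bytes(directory) + payload.ljust(SECTOR, b"\x00")


SAMPLE_ISO = build_sample_iso(b"NEW_PO.EXE;1", b"MZ" + b"\x90" * 200)   # constructed, not the real sample
SAMPLE_RENAMED_EXE = b"MZ" + b"\x00" * 100                                  # stands in for "bpvpl.tar.gz"
SAMPLE_REAL_GZIP = b"\x1f\x8b\x08\x00" + b"\x00" * 8                        # gzip magic only, constructed

if __name__ == "__main__":
    for fname, blob in (("NEW_PO_1205356266,pdf.iso", SAMPLE_ISO), ("bpvpl.tar.gz", SAMPLE_RENAMED_EXE)):
        print(fname, triage_attachment(fname, blob))
```

The file is read straight from the image bytes, so the executable is never written to disk and never mounted; that is the same property the paragraph above relies on when it says the exe is safe while still inside the container. The extension check is deliberately keyed on what the file claims to be, because the chain above depends on the recipient trusting ".tar.gz" and ",pdf" rather than on any weakness in the formats themselves.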
All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in these emails are innocent and are just picked at random. Some of these companies will exist and some won't. Don't try to respond by phone or email; all you will do is end up bothering an innocent person or company whose details have been spoofed and picked at random from a long list the bad guys found earlier. The bad guys choose companies, government departments and other organisations, with subjects designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
184.108.40.206 | Fallings Park | Wolverhampton | GB | AS60945 VeloxServ Communications Ltd
Received: from [220.127.116.11] (port=61347) by my email server with esmtp (Exim 4.92) (envelope-from <AMANDA_GUIMARAES@Jabil.com>) id 1hfW8k-00065U-9j for firstname.lastname@example.org; Mon, 24 Jun 2019 22:04:38 +0100
From: =?UTF-8?B?IkFtYW5kYSBHdWltYXLDo2VzIg==?= <AMANDA_GUIMARAES@Jabil.com>
To: email@example.com
Subject: FYI New Order #PO1205356266, Brazil
Date: 24 Jun 2019 14:04:34 -0700
Message-ID: <20190624140433.033401D494FDCED4@Jabil.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_62826778.96920426"
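The headers give the only reliable pointer to who actually sent this: the connecting IP recorded in the Received line our own server wrote, not the Jabil.com addresses in the envelope and From header. As an added example, not code from the original post, the Python below pulls that IP, the envelope sender, the RFC 2047-decoded display name and the Date/Received offsets out of the header block quoted above (reproduced as the constructed SAMPLE_HEADERS string, with the original's "my email server" placeholder kept). The function names triage_headers, decode_display and domain_of are the example's own.

```python
import re
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr, parsedate_to_datetime

# The header block quoted above; "my email server" is the original's own anonymisation.
SAMPLE_HEADERS = """\
Received: from [220.127.116.11] (port=61347) by my email server with esmtp (Exim 4.92)
 (envelope-from <AMANDA_GUIMARAES@Jabil.com>) id 1hfW8k-00065U-9j
 for firstname.lastname@example.org; Mon, 24 Jun 2019 22:04:38 +0100
From: =?UTF-8?B?IkFtYW5kYSBHdWltYXLDo2VzIg==?= <AMANDA_GUIMARAES@Jabil.com>
To: email@example.com
Subject: FYI New Order #PO1205356266, Brazil
Date: 24 Jun 2019 14:04:34 -0700
Message-ID: <20190624140433.033401D494FDCED4@Jabil.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_62826778.96920426"

"""

# "from [1.2.3.4]" or "from helo.name ([1.2.3.4])" as Exim and most MTAs write it
CONNECTING_IP = re.compile(r"from\s+(?:[^\s\[(]+\s+)?\(?\[([0-9a-fA-F.:]+)\]")
ENVELOPE_FROM = re.compile(r"envelope-from\s+<([^>]+)>")


def decode_display(value: str) -> str:
    """Decode RFC 2047 encoded words (the =?UTF-8?B?...?= display name) into text."""
    return "".join(chunk.decode(cs or "ascii", "replace") if isinstance(chunk, bytes) else chunk
                   for chunk, cs in decode_header(value))


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_headers(raw: str) -> dict:
    msg = message_from_string(raw)
    # The bottom-most Received line is the hop written by our own server when the
    # sender connected; that IP, not the From domain, is what to look up and block.
    received = re.sub(r"\s+", " ", msg.get_all("Received")[-1])
    ip = CONNECTING_IP.search(received)
    env = ENVELOPE_FROM.search(received)
    name, addr = parseaddr(decode_display(msg["From"]))
    received_at = parsedate_to_datetime(received.rsplit(";", 1)[1].strip())
    dated = parsedate_to_datetime(msg["Date"])
    env_addr = env.group(1) if env else ""
    return {
        "connecting_ip": ip.group(1) if ip else None,
        "envelope_from": env_addr,
        "from_name": name,
        "from_addr": addr,
        "from_domain": domain_of(addr),
        "message_id_domain": domain_of(msg["Message-ID"].strip("<>")),
        # envelope and header From agree here, which is exactly why alignment alone proves nothing
        "envelope_header_aligned": domain_of(env_addr) == domain_of(addr),
        "date_utc_offset_hours": dated.utcoffset().total_seconds() / 3600,
        "receipt_delay_seconds": (received_at - dated).total_seconds(),
    }


if __name__ == "__main__":
    for key, value in triage_headers(SAMPLE_HEADERS).items():
        print(f"{key:>24}: {value}")
```

Everything the sender controls (envelope-from, From, Message-ID) lines up on Jabil.com, so domain alignment checks pass; the connecting IP and the timezone of the Date header are the fields the sender could not make consistent with the story, and they are the ones to feed into a lookup like the one shown above.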
Main object: "NEW_PO_1205356266,pdf.iso"
Dropped executable files:
sha256 C:\Users\admin\Desktop\NEW_PO_1205356266,pdf.exe a96a80d3565e9b2f55c4a9770a4a911fbbdfccf470809c59eda9b1c3b3fbc072
sha256 C:\Users\admin\AppData\Local\Temp\windowsdefender.exe 9a53593239f4f04ca6f28e3eab6c4b51cc869c2b366e322df2d900e75b6c3da0

Main object: "bpvpl.tar.gz"
Dropped executable file:
sha256 C:\Users\admin\Desktop\bpvpl.tar.exe 27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e

Main object: "klplu.tar.gz"

Main object: "mapv.tar.gz"

Main object: "2oxEJ50zPS4Wsdb.exe"

Main object: "mhtexp.js"
Dropped executable files:
sha256 C:\Users\admin\AppData\Roaming\kl-plugin.exe 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZSVOB39W\bpvpl.tar.gz 27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e
sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\mapv.tar.gz bfcde7f66c042845af095b5600d1e7a383926e2836624f7eb1690b078e9cfe28