Phishing — Serasa notification
Recently I received an e-mail message claiming to be from Serasa Experian. Serasa is a Brazilian credit research firm, and "receiving a notification from Serasa" is commonly associated with having financial debts, which makes this firm a good candidate for use in phishing. In this case the message says that a document must be viewed as soon as possible because the company had already sent a notification to the person but it was not answered (which is not true; the goal is to cause panic and convince the user to open the link). An image of the received e-mail message can be seen below.
If we look at the account which sent the e-mail, it seems to really be the Serasa Experian domain (serasa-experian[.]com), but if we look more closely at the e-mail we can see that the IP which sent it is a little suspicious. OK, the IP belongs to a cloud provider, but the location is the USA, and for a company which holds a database of the entire Brazilian population I don't think it would store this information outside the country (since Brazil has legislation which protects such data). The information about the IP which sent the message can be seen below.
Another thing is the certificate. First of all, if the URL serasa-experian[.]com receives a request, it is redirected to serasaexperian[.]com[.]br, as we can see below.
So, looking at the certificate, the only domains associated with it are related to Serasa, but the IP which sent the message is associated with the domain global-elody[.]com, as we can see in the bottom part of the image. In the top part of the image we have the DMARC result for the domain, which says that the check failed.
Now, let's take a look at the URL in the button. If we open the URL, a ZIP is downloaded with an MSI file inside it, as shown below.
After executing the MSI file, it starts a fake Adobe installation, which says that it failed to install the application, but in reality the MSI executes the following PowerShell command:
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss5DC5.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msi5DB2.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scr5DB3.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scr5DB4.txt" -propSep " :<->: " -testPrefix "_testValue."
Reading the file scr5DB3.ps1 we can see a heavily obfuscated script, but in short, there are many arrays of substrings in shuffled positions, and random substrings used in paths which at the end are replaced with '\'.
After deobfuscating this script we get something like this:
At the beginning there is a base64 string which, when decoded, shows the URL of a ZIP file. Opening this file we can see the following files inside it:
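As an added example (my own triage helper, not the script from the sample), here is a small Python script covering two things from this analysis: the traits of the MSI-launched PowerShell command line quoted above, and the base64-wrapped URL at the top of the deobfuscated script. The parent process path, the benign event used for comparison and the placeholder URL are constructed assumptions, not values from the sample.

```python
import base64
import re

# Constructed process-creation record modelled on the quoted command line (parent/image paths assumed)
SAMPLE_EVENT = {
    "parent_image": r"C:\Windows\System32\msiexec.exe",
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": (
        r'powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass '
        r'-File "C:\Users\admin\AppData\Local\Temp\pss5DC5.ps1" '
        r'-scriptFile "C:\Users\admin\AppData\Local\Temp\scr5DB3.ps1"'
    ),
}

# Constructed stand-in for the top of the deobfuscated script: a placeholder URL wrapped in base64
SAMPLE_SCRIPT = (
    '$u = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("'
    + base64.b64encode(b"http://example.invalid/payload.zip").decode() + '"))'
)

TEMP_PS1 = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.ps1", re.IGNORECASE)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def msi_powershell_indicators(event):
    """List the traits that make an event look like the MSI-launched PowerShell seen here."""
    cmd = event["command_line"]
    hits = []
    if event["parent_image"].lower().endswith("msiexec.exe") and "powershell" in event["image"].lower():
        hits.append("powershell spawned by msiexec")
    if re.search(r"-ExecutionPolicy\s+Bypass", cmd, re.IGNORECASE):
        hits.append("execution policy bypass")
    if re.search(r"-NoProfile\b.*-NonInteractive\b", cmd, re.IGNORECASE):
        hits.append("no profile and non-interactive")
    if TEMP_PS1.search(cmd):
        hits.append("script file in user Temp directory")
    return hits


def decode_base64_urls(script_text):
    """Decode every base64 blob in a script that turns out to be an http(s) URL."""
    urls = []
    for blob in B64_BLOB.findall(script_text):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip it
        if re.match(r"https?://", text):
            urls.append(text)
    return urls
```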
There are two CMD files. If we try to execute these files without extracting them from the ZIP we get the following result:
If we extract the ZIP file and execute the CMD files, the following files are executed:
The file glasses.cmd, which is executed twice, and the VBS file have the following content:
And that's it. I didn't analyze the files any deeper, but I'm publishing what I found so far in case these IOCs can be used in some investigation. This page may be updated if I find further relevant information.
pss5DC5.tmp — 9d4a3ae7392f70bd510b93da5335626e
Pro5DC6.tmp — 168412d79515a6a0be4c49d36d3177ec
glasses.cmd — 516b9002554a299fbdf458a50d734a48
~~.vbs — 8604456bf571621c18320d3f81860cf5