Phishing — Seu produto chegará hoje (Your shipment will be delivered today)

I received an e-mail which says that is from Correios (Brazilian postal service) and saying that I will receive my shipment today, but… I didn’t buy anything. And most strange, why a postal service has an e-mail like veraquarteiracbrn[at]terra[dot]com[dot]br ? And the worse… why the e-mail has a zip attachment?

Phishing message

Looking inside the ZIP file we can see a batch file which, if executed, invokes a powershell as we can see in the imagem below.

Details of the powershell execution in Any.Run

Looking at the command line we can see that the it calls a PNG file from an Amazon S3 address, store it into the target machine as a ZIP file and extract its contents, renaming each item after the extraction. After that it removes the downloaded ZIP file and execute an EXE file that was extracted. We can note that after each step a Sleep function is called, thinking in evade the detection.

But if we look in the right column we can see that none of these files was created in the target machine. Looking directly into the address we can see that all the access to this object was disabled.

Response of the URL called by the batch file

Even with the limitations that was responsible to don’t go deeper in the analysis, I decided to write about it to demonstrate that you don’t have to look only to the file extensions. We saw in the case that a PNG file was called but by the powershell command line it was a ZIP file.

Also, this file was not yet submitted to VirusTotal, so I submitted and only 6 engines detected the file as malicious.

File submitted to VirusTotal

Finishing this posts, that’s the IOCs:

-_-____-89070.zip:

sha1: 9357dc8bc107905d531164cb2050e6bf1596c680

md5: c12bd3b5faa43c27e70ddb29d4428c07

DNS requests:

c4ko093.s3-eu-west-1.amazonaws.com

Connections:

52.218.24.192

Security Researcher