Xploit + Trojan?

RoboMan

Level 35
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
Got some nice e-mail today.

From: Dropbox. <mark.opdyke@pepsico.com>
Date: Wednesday, July 19, 2017
Subject: Pdf_file333 _invoice(2) Received
To: xxxx <xxxx>



Hi

You have Receieved An invoice uploaded via dropbox

Due to large size. Access Your Invoice Here

Thanks,

Dropbox!

Definitely a scam. In an isolated browser I clicked the link, which drove me here:

Code:
hxxps://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/index.html
[screenshot of the fake Dropbox login page]

Definitely a scam. Looks like an exploit method to get your credentials. I used a fake ID and password and, of course, it redirected me to the "download" as if my login authentication had succeeded. The following download link was created:

Code:
hxxps://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/google/phonever.html

Does anybody have an active isolated environment to test what kind of malware this is? I'm setting up my VM soon, when I have a decent internet connection u.u
 
Last edited:
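The e-mail above carries the usual tells of a credential phish: a display name that says "Dropbox." while the sender address is on an unrelated domain, an invoice lure with a single "Access Your Invoice Here" call to action, and a landing URL on a host that is not dropbox.com, with the brand and document words pushed into the URL path instead. The following Python script is an added example, not code from the thread or from any of the posters: it re-arms the defanged hxxp links and scores the e-mail on those indicators. The e-mail text and the landing URL are re-typed from the post; the brand-to-domain table, the lure keywords and the crude "last two labels" domain extraction are assumptions made for the example.

```python
"""Triage helper for a brand-impersonating phishing e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Brands commonly impersonated and the domains that legitimately send for them.
# Assumption for this example; populate from your own allow-list in practice.
BRAND_DOMAINS = {
    "dropbox": {"dropbox.com", "dropboxmail.com"},
}

# Words that, in a URL path on a non-brand host, suggest a phishing-kit layout.
LURE_PATH_WORDS = ("document", "share", "pdf", "invoice", "login", "dropbox")


def refang(url: str) -> str:
    """Turn an analyst-defanged URL (hxxp://, example[.]com) back into a real one."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.fr; use tldextract for real work."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_brand(text: str) -> Optional[str]:
    """Which known brand does this text claim to be from, if any?"""
    t = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in t:
            return brand
    return None


def triage(raw_email: str, landing_urls: List[str]) -> List[str]:
    """Return the phishing indicators found in the e-mail and its links (empty = nothing flagged)."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.split("@")[-1]) if "@" in address else ""
    brand = claimed_brand(display_name) or claimed_brand(body)

    # Display name claims a brand the sender domain does not belong to.
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        findings.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")

    # "Dropbox." with a trailing dot is a spoofing tell; real senders do not punctuate names.
    if display_name and display_name[-1] in ".,!":
        findings.append(f"display name ends with punctuation: {display_name!r}")

    # Invoice lure plus a vague "... here" call to action.
    if re.search(r"\b(invoice|overdue|payment)\b", body, re.IGNORECASE) and "here" in body.lower():
        findings.append("body uses invoice lure with 'access ... here' call to action")

    for raw in landing_urls:
        url = refang(raw)
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if brand and registered_domain(host) not in BRAND_DOMAINS[brand]:
            findings.append(f"link host {host!r} is not a {brand} domain")
        # Brand/document words in the path but not in the host is the classic kit layout.
        path = parsed.path.lower()
        if any(w in path for w in LURE_PATH_WORDS) and (brand is None or brand not in host.lower()):
            findings.append(f"lure keywords in path but not host: {path}")
    return findings


# The e-mail and landing URL as posted above (re-typed, not fetched; the body typos are original).
SAMPLE_EMAIL = """\
From: Dropbox. <mark.opdyke@pepsico.com>
Date: Wednesday, July 19, 2017
Subject: Pdf_file333 _invoice(2) Received
To: xxxx <xxxx>

Hi

You have Receieved An invoice uploaded via dropbox

Due to large size. Access Your Invoice Here

Thanks,

Dropbox!
"""
SAMPLE_URLS = [
    "hxxps://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/index.html",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL, SAMPLE_URLS):
        print("-", finding)
```

The sender-domain check is the one that matters most in practice: a lure that spells everything correctly still cannot make pepsico.com look like dropbox.com. The path-keyword check is deliberately loose and is there to surface kits that park the brand name one directory deep on a compromised site.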

509322
RoboMan said:
Got some nice e-mail today. [...] Does anybody have an active isolated environment to test what kind of malware this is?

Web content virus scan
Address: hxxp://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/google/phonever.html
Virus: Script.Packed.Agent.F@susp (Engine B)
Status: Access denied.
Engines: Engine A: AVA 25.13458, Engine B: GD 25.10036
 

RoboMan

509322 said:
Web content virus scan [...] Virus: Script.Packed.Agent.F@susp (Engine B)

Seems like ransomware to me
 
  • Like
Reactions: SHvFl

RoboMan

509322 said:
Blacklisting a webpage (URL) is not the same as scanning and blacklisting the webpage content.
Yeah true that. I used VT in order to see if the antivirus scanners detected the download link as a malicious link. Not the actual payload.
 
  • Like
Reactions: SHvFl
509322

RoboMan said:
Seems like ransomware to me

Probably not. Just a suspicious webpage script.

Look here at signatures assigned to support webpage hijacks or "ransom" pages:

  • Exploit.SWF_c.CAL
  • SWF/Trojan.YWCL-5
  • Exploit:SWF/Netis
  • JS.Redirector.F
  • Trojan.HTML.k
  • Script.Packed.Agent.F@susp
  • Ransom:JS/FakeBsod.A
  • Uds.Dangerousobject.Multi!c

"Ransom" does not mean ransomware.
 
  • Like
Reactions: SHvFl and RoboMan

RoboMan

509322 said:
Probably not. Just a suspicious webpage script. [...] "Ransom" does not mean ransomware.

Thanks for the share. I wish I had my VM set up...
 
Last edited by a moderator:
  • Like
Reactions: SHvFl
509322

RoboMan said:
Yeah true that. I used VT in order to see if the antivirus scanners detected the download link as a malicious link. Not the actual payload.

Not the payload, the actual webpage content loaded into the browser. I guess you can call that a payload of a sort. Using the terminology "payload" is not always the most technically accurate. Lots of people have different definitions of what constitutes a payload.
 
  • Like
Reactions: SHvFl
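The distinction 509322 draws, a URL being blacklisted versus the content served at that URL being scanned, is easy to see in code. The Python below is an added example, not from the thread or any poster: url_is_listed() is a reputation-style lookup that only matches URLs already on a list, so the second kit page (phonever.html) goes unflagged when only index.html was seen; scan_page() instead inspects the HTML itself for the tells of a credential-harvesting page (a password field, a form posting to a .php handler or off-site, a packed/obfuscated inline script, brand words on a non-brand host). The two URLs are the ones from the post; the HTML is constructed for the example and is not the real page content, which the thread never shows. The indicator list and brand table are assumptions.

```python
"""URL blacklist lookup versus page-content scan (added example)."""
import re
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urljoin, urlparse


def refang(url: str) -> str:
    """Re-arm an analyst-defanged hxxp:// URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def normalise(url: str) -> str:
    """Blacklist key: scheme dropped, host lowercased, query/fragment dropped."""
    p = urlparse(refang(url))
    return f"{(p.hostname or '').lower()}{p.path or '/'}"


def url_is_listed(url: str, blacklist: Set[str]) -> bool:
    """Exact-match reputation lookup. Knows nothing about what the URL serves."""
    return normalise(url) in {normalise(u) for u in blacklist}


class _PageCollector(HTMLParser):
    """Collect form actions, password inputs, inline scripts and visible text."""

    def __init__(self):
        super().__init__()
        self.form_actions: List[str] = []
        self.password_inputs = 0
        self.scripts: List[str] = []
        self.text: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data
        else:
            self.text.append(data)


# eval(unescape(...)) and Dean Edwards' p,a,c,k,e,r are the two most common packers seen in kits.
PACKED_SCRIPT = re.compile(r"eval\s*\(\s*(unescape|function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k)", re.IGNORECASE)
BRANDS = ("dropbox", "google", "microsoft", "office 365")  # assumption: brands to look for


def scan_page(page_url: str, html: str) -> List[str]:
    """Content-based indicators that this page is a credential phish (empty = none found)."""
    page_url = refang(page_url)
    page_host = (urlparse(page_url).hostname or "").lower()
    c = _PageCollector()
    c.feed(html)
    findings = []

    if c.password_inputs:
        findings.append(f"{c.password_inputs} password field(s)")
    for action in c.form_actions:
        target = urlparse(urljoin(page_url, action))
        if target.hostname and target.hostname.lower() != page_host:
            findings.append(f"form posts off-site to {target.hostname}")
        elif c.password_inputs and re.search(r"\.php$", target.path or "", re.IGNORECASE):
            findings.append(f"credential form posts to {target.path}")
    for script in c.scripts:
        if PACKED_SCRIPT.search(script):
            findings.append("packed/obfuscated inline script (eval of unescape/packer)")
    visible = " ".join(c.text).lower()
    for brand in BRANDS:
        if brand in visible and brand not in page_host:
            findings.append(f"page impersonates {brand!r} but is hosted on {page_host!r}")
    return findings


# The blacklist only holds the first kit page a scanner happened to see.
BLACKLIST = {"hxxps://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/index.html"}
# The second page of the same kit, from the post; not on the list.
SECOND_PAGE = "hxxps://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/google/phonever.html"

# Constructed stand-in for a kit login page; not the real content of the URL above.
KIT_HTML = """<html><head><title>Dropbox - Sign in</title></head><body>
<h1>Sign in to Dropbox to view your invoice</h1>
<form method="post" action="next.php">
  <input type="text" name="email"><input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
</body></html>"""

if __name__ == "__main__":
    print("blacklist hit:", url_is_listed(SECOND_PAGE, BLACKLIST))
    for finding in scan_page(SECOND_PAGE, KIT_HTML):
        print("-", finding)
```

A URL lookup is cheap and safe to run on every click, but it only ever knows about pages someone already reported; a kit that rotates filenames (index.html, phonever.html, next.php) walks straight past it. A content scan costs a fetch in a sandboxed client, which is exactly what the "Script.Packed.Agent" style detections above are doing on the served HTML.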

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,344
I have so many of these in my spam folder. If I was actually getting so many Amazon, FedEx and Google messages I would be both rich and popular.
 
  • Like
Reactions: RoboMan and frogboy
