2CMV-00040-001 CSIRT warns of malware in email impersonating the SII

Summary

The Computer Security Incident Response Team (CSIRT) has identified a phishing campaign with associated malware, distributed through an email that purports to come from the Internal Revenue Service (SII).

The attackers try to deceive users by claiming that the email was generated by an electronic invoicing process detected in 2018. The potential victim is offered the option of downloading the electronic invoice from a hyperlink in the same email. When the file is downloaded and executed, the malware infection is triggered.

Indicators of Compromise
URLs:

http[:]//3[.]84[.]242[.]96/trs/contacto[.]php

http[:]//54[.]198[.]30[.]41

http[:]//3[.]84[.]242[.]96/TRS/OsistemaX[.]php

SMTP hosts

79[.]143[.]187[.]144

192[.]119[.]111[.]19

192[.]236[.]146[.]134

192[.]236[.]147[.]28

Senders

root@vmi326290[.]contaboserver[.]net

root@hwsrv-652688[.]hostwindsdns[.]com

root@hwsrv-652153[.]hostwindsdns[.]com

root@hwsrv-652169[.]hostwindsdns[.]com

Subjects:

The system detected and generated an alert about a debit

The system detected and generated an alert about a debit of 2018

Attached files

File: FacturaElectronica-00365698-2019-10_2.zip

MD5: da77ab29f2e5304c8c71412ebc55f56c

SHA256: 88CAE6413D9F51B5BCC151E8826F8B3A7EA9F3FEBF5B37FCF563E01ECF9BA7DD

File: FacturaElectronica-00365698-2019-10_2.vbs

MD5: 5a1f935c30e95b65d8e475b3fb963067

SHA256: 781db34730e6b87b19b581ad4e538551b2697a31a3e2a6a983d2a8164106f522

File: Privacy Policy-2

MD5: 76dfd561e5305c1d3ad2ca63f1eb80f6

SHA256: f711d08800cb104c79ca3bf9738181c27f9522862ca42a20723c2313d4d6bbed

Other associated IoCs

F7C427E0A0F059DB601FB38B028BD8B2

E089DB1AB7F228CE40425ED22AD0B32A

BF07173B7F0244C07DB9AAD7A73D8F4D

Recommendations
Keep your platforms updated (Office, Windows, Adobe Acrobat, Oracle Java and others)

Evaluate preventive blocking of the indicators of compromise listed above

Keep all technology and threat-detection platforms updated

Review the security controls of the anti-spam and sandboxing platforms

Run ongoing awareness training for users about these types of threats
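The recommendation to block the indicators of compromise is easiest to act on once they are refanged and checked against existing mail, proxy and endpoint telemetry. The script below is an added example and is not part of the CSIRT advisory: it takes the URLs, SMTP hosts, sender addresses and file hashes exactly as published above, refangs them, and scans sample log lines for hits. The log lines are constructed for illustration (postfix-, squid- and EDR-style records with invented hostnames mx1, proxy1 and ws23 and invented internal addresses), as is the whole-token matching rule, which is an assumption made here so that an address such as 192.236.147.28 does not match inside 192.236.147.280.

```python
"""Refang the CSIRT advisory's indicators and match them against log lines.
Added example, not part of the advisory; sample log lines are constructed."""
import re
from typing import Iterable, List, Tuple

# Indicators copied from the advisory, in the defanged form it publishes them.
DEFANGED_URLS = [
    "http[:]//3[.]84[.]242[.]96/trs/contacto[.]php",
    "http[:]//54[.]198[.]30[.]41",
    "http[:]//3[.]84[.]242[.]96/TRS/OsistemaX[.]php",
]
DEFANGED_SMTP_HOSTS = [
    "79[.]143[.]187[.]144",
    "192[.]119[.]111[.]19",
    "192[.]236[.]146[.]134",
    "192[.]236[.]147[.]28",
]
DEFANGED_SENDERS = [
    "root@vmi326290[.]contaboserver[.]net",
    "root@hwsrv-652688[.]hostwindsdns[.]com",
    "root@hwsrv-652153[.]hostwindsdns[.]com",
    "root@hwsrv-652169[.]hostwindsdns[.]com",
]
# MD5 and SHA256 values from the advisory, normalised to lowercase for lookup.
KNOWN_HASHES = {h.lower() for h in [
    "da77ab29f2e5304c8c71412ebc55f56c",
    "88CAE6413D9F51B5BCC151E8826F8B3A7EA9F3FEBF5B37FCF563E01ECF9BA7DD",
    "5a1f935c30e95b65d8e475b3fb963067",
    "781db34730e6b87b19b581ad4e538551b2697a31a3e2a6a983d2a8164106f522",
    "76dfd561e5305c1d3ad2ca63f1eb80f6",
    "f711d08800cb104c79ca3bf9738181c27f9522862ca42a20723c2313d4d6bbed",
    "F7C427E0A0F059DB601FB38B028BD8B2",
    "E089DB1AB7F228CE40425ED22AD0B32A",
    "BF07173B7F0244C07DB9AAD7A73D8F4D",
]}


def refang(ioc: str) -> str:
    """Undo the advisory's defanging ([.] and [:]) so the value can be matched."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def _token_pattern(value: str):
    """Match `value` only as a whole token (assumption made for this example):
    an IP must not hit inside a longer IP or a hostname that merely contains it."""
    return re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", re.IGNORECASE)


INDICATORS = (
    [("url", refang(u)) for u in DEFANGED_URLS]
    + [("smtp_host", refang(h)) for h in DEFANGED_SMTP_HOSTS]
    + [("sender", refang(s)) for s in DEFANGED_SENDERS]
)
_MATCHERS = [(kind, value, _token_pattern(value)) for kind, value in INDICATORS]
# Pull out any MD5 (32 hex) or SHA256 (64 hex) token so it can be looked up.
_HASH_RE = re.compile(r"\b([0-9a-f]{64}|[0-9a-f]{32})\b", re.IGNORECASE)


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, indicator) for every advisory IoC present in one log line."""
    hits = [(kind, value) for kind, value, pat in _MATCHERS if pat.search(line)]
    for m in _HASH_RE.finditer(line):
        digest = m.group(1).lower()
        if digest in KNOWN_HASHES:
            hits.append(("hash", digest))
    return hits


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan a log; returns (line_number, kind, indicator) for each hit."""
    results = []
    for n, line in enumerate(lines, start=1):
        for kind, value in scan_line(line):
            results.append((n, kind, value))
    return results


# Constructed sample log lines (not real telemetry): postfix-style SMTP
# entries, a proxy access line, an endpoint hash record and two benign lines.
SAMPLE_LOG = [
    "Oct 15 09:12:03 mx1 postfix/smtpd[4021]: connect from unknown[192.236.146.134]",
    "Oct 15 09:12:04 mx1 postfix/qmgr[1188]: 7B3E2: from=<root@hwsrv-652688.hostwindsdns.com>, size=48213",
    "Oct 15 09:14:10 mx1 postfix/smtpd[4022]: connect from mail.example.org[203.0.113.5]",
    "Oct 15 09:20:45 proxy1 squid: 10.0.0.23 GET http://3.84.242.96/trs/contacto.php 200 512",
    "Oct 15 09:21:10 ws23 edr: file=FacturaElectronica-00365698-2019-10_2.zip md5=DA77AB29F2E5304C8C71412EBC55F56C",
    "Oct 15 09:30:00 proxy1 squid: 10.0.0.24 GET http://192.236.147.280/ 404 0",
]

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {value}")
```

Feeding a real mail, proxy or EDR export into `scan_log` instead of `SAMPLE_LOG` gives a quick first pass over historical data; the same refanged lists are what would go into a mail-gateway or proxy blocklist for the preventive blocking the advisory recommends.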