wavellan

20240122_PHISHING_SCAM_1

Jan 22nd, 2024 (edited)
#IPDOTUSCREW

This SPAM crew sends malware SPAM using newly created Microsoft Office 365 accounts. When they initially started their campaign, the target domain extension they used was .us, and the domains were normally registered and hosted with OVH; hence the name #IPDOTUSCREW. They also send Google-based AMP links to obfuscate the malware links. E-mails pretend to be peddling some sort of product from a reputable vendor, but the links drop Russian-based malware.

Recently they stopped investing in domains and use cloud URLs from Amazon and Google instead.

Updates:
20240309 - Crew is not using .io links
20240308 - Crew is back to using AWS links
20240307 - Crew is now using bit.ly links
20240306 - Crew is now using page.link links
20240306 - Crew is back to using AWS links
20240305 - Crew is back to using blob.core.windows.net links
20240303 - Crew is now using Google API Links
20240302 - Crew is now using .cfd domains from NameCheap
20240221 - Crew is now sending blob.core.windows.net links
20220213 - Crew is now using zpr.io links
20240213 - Crew is now using cutt.ly links
20240122 - Crew is now using AWS links
20240122 - Crew is now using Microsoft Azure links

Sample Domains:
glvhcizckxreijvedzcuzzof.s3.amazonaws.com
blakingkom.com
ip-147-135-76.us
ip-15-204-76.us
ip-147-135-78.us
ip-135-148-101.us
ip-147-135-77.us

Sample URLs (likely no longer live, as they have been reported):
https://owmhdmlvrymjoogwpuqximwk.blob.core.windows.net/owmhdmlvrymjoogwpuqximwk/url.html#cl/646_md/14/79/663/6/1814409
https://chmasonwalagharabatilawa.blob.core.windows.net/chmasonwalagharabatilawa/1.html?yJ2J7cpjaXToWsWa8j6h9gZW4OrJLGUvLdZKzRbXzXy2kyTCyPMZ5CjhUPgup7sZLqq3Sa1hzWj3ke90cwMea9tI0HpyCJiPDwff#cl/26557_md/7/22280/5179/19053/6483482
https://glvhcizckxreijvedzcuzzof.s3.amazonaws.com/glvhcizckxreijvedzcuzzof/1.html?EI4MC4GTdQwccthgVLZaA5lk1YVyjUaqZW4I94DtyA1IsYWx5xgi7sNaQN88gMeNzFW1XOMgba58POEaszFH2aUJJ95iKZ8ikXXE#cl/30183_md/7788/15481/2116/474/1815221
https://nckeiqldjzn33cjecje.blob.core.windows.net/nckeiqldjzn33cjecje/url.html
https://zpr.io/QrgAGu2Upg52
https://ncrladiizmdoe23cnehaae.s3.eu-west-2.amazonaws.com/unsb.html
https://bit.ly/3IxWSqF
https://d6g5e1s6rhe7r4h65ed4.page.link/P3bNccrwRYAsUFqi8
https://cneoajdhz11cejcokajed.s3.us-east-2.amazonaws.com/url.html
https://uypabfuo9ji06t4.blob.core.windows.net/uypabfuo9ji06t4/url.html
https://aalokshdbdggctdfrefdf21.storage.googleapis.com/aalokshdbdggctdfrefdf21/1.html
https://artezzzzzzzzset40.storage.googleapis.com/artezzzzzzzzset40/2.html
https://cjnszbcpyoxakycsbunvw.blob.core.windows.net/cjnszbcpyoxakycsbunvw/url.html#cl/22198_md/14/14820/3401/474/1815221
https://sssssssterzaret69.blob.core.windows.net/sssssssterzaret69/1.html#cl/21898_md/72/14698/2116/474/1815221
https://krenxahdkej12cnrhfd.blob.core.windows.net/krenxahdkej12cnrhfd/url.html#cl/20827_md/1200/14728/3398/474/1815221
https://mmokl2.blob.core.windows.net/mmokl2/url.html#cl/9053_md/444/8435/718/7/973394
https://zpr.io/Y6EHeb4BXPdC
https://cutt.ly/cwVg9f9X
https://karinti.blob.core.windows.net/karinti/url.html

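The description above names the crew's hosting patterns (ip-*.us domains, Azure blob storage, AWS S3, Google Cloud Storage, URL shorteners) and its use of Google AMP links to hide the real destination. The following triage helper is an added example, not code from the paste's author: it unwraps an AMP viewer link, tags the landing host by hosting class, and pulls out the `#cl/...` tracking fragment seen on the sample URLs so an analyst can pivot on it. The function names are mine, the AMP viewer layout (`/amp/s/<host>/<path>` for https targets, `/amp/<host>/<path>` for http) is an assumption about that service's URL form, and the AMP-wrapped sample is constructed around an ip-*.us host from the list above.

```python
"""Triage helper for the #IPDOTUSCREW indicator lists (added example, not
part of the original paste). Hosting classes follow the patterns the paste
documents; the Google AMP viewer URL layout is an assumption."""
import re
from collections import Counter
from urllib.parse import urlsplit

AMP_HOSTS = {"www.google.com", "google.com"}
SHORTENERS = {"bit.ly", "cutt.ly", "zpr.io"}
IPDOTUS_RE = re.compile(r"ip-\d{1,3}-\d{1,3}-\d{1,3}\.us")
S3_RE = re.compile(r"\.s3(?:\.[a-z0-9-]+)?\.amazonaws\.com$")

# Sample inputs: six URLs copied from the paste, plus one constructed AMP
# viewer link wrapping an ip-*.us host from the paste's domain list.
SAMPLE_URLS = [
    "https://mmokl2.blob.core.windows.net/mmokl2/url.html#cl/9053_md/444/8435/718/7/973394",
    "https://cneoajdhz11cejcokajed.s3.us-east-2.amazonaws.com/url.html",
    "https://artezzzzzzzzset40.storage.googleapis.com/artezzzzzzzzset40/2.html",
    "https://bit.ly/3IxWSqF",
    "https://d6g5e1s6rhe7r4h65ed4.page.link/P3bNccrwRYAsUFqi8",
    "https://zpr.io/QrgAGu2Upg52",
    "https://www.google.com/amp/s/ip-147-135-76.us/promo.html",  # constructed
]


def unwrap_amp(url):
    """Return the destination hidden behind a Google AMP viewer link, or the
    input unchanged when it is not one. Assumed layout: /amp/s/<host>/<path>
    for https targets, /amp/<host>/<path> for http targets."""
    parts = urlsplit(url)
    if parts.hostname not in AMP_HOSTS or not parts.path.startswith("/amp/"):
        return url
    rest = parts.path[len("/amp/"):]
    scheme = "http"
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    rebuilt = f"{scheme}://{rest}"
    if parts.query:
        rebuilt += "?" + parts.query
    if parts.fragment:
        rebuilt += "#" + parts.fragment
    return rebuilt


def hosting_class(host):
    """Map a landing host to one of the hosting patterns from the paste."""
    if IPDOTUS_RE.fullmatch(host):
        return "ipdotus-domain"
    if host.endswith(".blob.core.windows.net"):
        return "azure-blob"
    if S3_RE.search(host):
        return "aws-s3"
    if host.endswith(".storage.googleapis.com"):
        return "gcs"
    if host in SHORTENERS or host.endswith(".page.link"):
        return "shortener"
    return "other"


def triage(url):
    """Classify one URL: the host actually landed on, its hosting class,
    whether an AMP wrapper was removed, and the #cl/... tracking fragment."""
    landing = unwrap_amp(url)
    parts = urlsplit(landing)
    host = (parts.hostname or "").lower()
    tracking = parts.fragment if parts.fragment.startswith("cl/") else None
    return {
        "input": url,
        "landing": landing,
        "host": host,
        "class": hosting_class(host),
        "amp_wrapped": landing != url,
        "tracking": tracking,
    }


def summarize(urls):
    """Count URLs per hosting class; useful for spotting the infrastructure
    shifts the Updates list records."""
    return dict(Counter(triage(u)["class"] for u in urls))


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = triage(u)
        print(f"{r['class']:15} {r['host']:45} amp={r['amp_wrapped']} tracking={r['tracking']}")
    print(summarize(SAMPLE_URLS))
```

Shorteners are tagged but not resolved; following a shortener's redirect means touching attacker infrastructure, so do that from a sandbox or via a passive resolver, not from an analyst workstation.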
Sample E-Mail Subject | Sample Sender Name:
You have won an Makita 6-pc Combo Kit | Lowe's_Confirmation
YOUR_NAME_HERE,..You have won an Le Creuset.. 1010 | CostcoWinner
Get 'Closer' to what moves you : 3 MONTHS for 1$ ! | SiriusXM Membership
You have won an Makita 6_pc Combo Kit.. | Lowe'sWinner
Congrats! -You've_been_Selected!!! bill -For SiriusXM Reward | SiriusXM
Re: 𝐄𝐦𝐩𝐨𝐰𝐞𝐫 𝐘𝐨𝐮𝐫 𝐖𝐨𝐫𝐤: 𝐆𝐞𝐭 𝐌𝐢𝐜𝐫𝐨𝐬𝐨𝐟𝐭 𝐎𝐟𝐟𝐢𝐜𝐞 𝐍𝐨𝐰! | Microsoft Office 365
Your Order's Journey: Latest Shipment Update . | Fedex_Unlocked
**Evergreen SLs** | RbA
The Ultimate Fruit & Veggie Cleaner | Pesticide Purifier
36 Piece Tupperware Modular Set Giveaway: Share Your Opinion | Costco_Winner
Share Your Feedback, Get a 36 Piece Tupperware Modular Set Reward | _Congrats_
You have won an Makita 6-pc Combo Kit | Lowe's Department
You have won an Stanley Tumbler | Stanley Tumbler Winner
Re: congrats, you've been selected | COSTCO Confirmation !
Your SiriusXM Membership has Expired | SiriusXM Membership
36 Piece Tupperware Modular Set Giveaway: Share Your Opinion | Costco_Rewards
congrats, you've been selected | Costco Department_!!
FW: Unlock Your Weight Loss Potential with KetoBites Gummies!" | KETO NEWS
Re: Upgrade Your Toolkit with Our Comfort Grip Screwdriver Set! |
Nooro Foot Massager | Nooro Foot Massager
Sam's CIub | You've been chosen!
You have won an DEWALT 200 Piece Mechanics Tool Set | -Ace Hardware Department+
The genius pet ball that will keep your pet busy for hours. Details inside... | PeppyPetBall
Congrats! You've received an iCloud Storage Bonus | iCloud Storage
Handheld Spin Scrubber Makes Cleaning Effort-Free | Spin Free
You have won an Stanley Tumbler | Stanley Tumbler Department
Ace Hardware | Final Notice Coming for a Dewalt-LED Work Light Reward
Warm Up Your Home for Less with Elon's Invention! | Heating Revolution by Elon
Is your Antivirus Updated? | -Security Notice
Emergency Fire Blanket | Emergency Fire Blanket
Take Control of Your Energy Usage with StopWatt-- | Elon Power bank

VirusTotal Analysis:
https://www.virustotal.com/gui/url/6b807f939a0fb53ab59f179b84a23106ce460d29c3010b2b0bb075d29cba1b56
https://www.virustotal.com/gui/url/e8aedb2dd548787238a1844491c23ae92765e51cf2a42e7cd3261bc203ff14c0
https://www.virustotal.com/gui/url/804cc8c810d048531bd54bb73688d15ebd30224c0e9e8d374ab6ef8e3174fad3
https://www.virustotal.com/gui/url/d951d1a363ea6a7624a443a1fb2ca04f71631c688127cb1be76ebd2d4ae84cbd
https://www.virustotal.com/gui/url/fbbbc9f4a78ddee6b1e92f789508120d573b856d00839448ee1412d96341ece4
https://www.virustotal.com/gui/url/1f178e5da1ca9f4906266e64f1d5224b008249dd624b2a8e660b45110fe84627
https://www.virustotal.com/gui/url/3723f557d8e9737ea8ebc21e14b2c4ac280e708c57a2e82228f9c156fed5ceb1
https://www.virustotal.com/gui/url/bc1d83f5029c601f4f62c5dbe46c973255efafefc8dfa95eeb998c5cb742e063
https://www.virustotal.com/gui/url/258fc976a94d9f0eefd21783723d910e2ceb5c524955d5377d1ca907b2130fad
https://www.virustotal.com/gui/url/cb44959c4333d77e601b792a9711ee0a4fe37d4ab528091700262c1435f48bc0
https://www.virustotal.com/gui/url/59d0d738fcae73b0afcc72b40866a4e23ae67bd759bdaffbe0ab89d595bd5a16
https://www.virustotal.com/gui/url/52c506e39729ad8e79a639aa368f2baa284e09565f6909ee4e9981abaaf77a41
https://www.virustotal.com/gui/url/b8c1fb52f64f0e9a4b63c9b726eb308994b97bca480782827d5632f4f1e68d3c
https://www.virustotal.com/gui/url/88b48be6d571303b50095db700953885be31ade0feaf7205fb0e30aac8c11221
https://www.virustotal.com/gui/url/9c976a52fa7fe44f7e188d971c5775d9d5008de2b0fed07f178b855035104bf5
https://www.virustotal.com/gui/url/ed1cfbd75ce7c14f42f264e384b79c9c1ad988128482934c9b0165d504ec1912
https://www.virustotal.com/gui/url/3847540e05e6931373251157607531b141c4599fcbed620f5760f05bf2f04ea1
https://www.virustotal.com/gui/url/1c704db88a1d5959da5d9629fb1442626ac5293361a0c96f21a59e0d90c8672b
https://www.virustotal.com/gui/url/f5fccf78485b53adfe3aa8c701ba796112384c0cdb1bfe5dea7dd7cf4c642850
https://www.virustotal.com/gui/url/19c82091bfe1730ccf129bb56dc5e85cf6966ae533ebd415370d4e0cfb48ab81
https://www.virustotal.com/gui/url/4873feaabb6540d02c13ddae1a5944887057a3c47e9655b1a843aa93f9774497
https://www.virustotal.com/gui/url/f15d202c99698a8807c34538a733f1486e722f06073d9284ca0fd30e7084a5ee