Please see the original information in the link below related to that fake Email.

http://group-mail.com/news-and-insights/alert-phishing-scam-sent-by-infacta-billing-masking-order-emails-for-groupmail/


Paul from SendGrid (http://www.sendgrid.com) kindly sent us the following information about a scam Email sent via their network. It used our company details to try to fool recipients into clicking a link that installs a virus if run.

*******************

Dear GroupMail team,


Thanks for posting a blog about this phishing event. Please update it to clearly warn folks to not click on any link within the email, or even visit the “cousin domain” because the risks are so high. We believe the phishing message’s payload was a variant of the BlackShades trojan, which harvests and transmits a lot of sensitive data from the victim’s PC, including stored passwords from browsers, cookies, different cached/stored FTP passwords, Protected Storage Passwords List, CD keys, ComputerName, Username etc. The sensitive data is harvested from locations like these:

“C:\Documents and Settings\[%administrator%]\Application Data\mess.dat”
“C:\Documents and Settings\[%administrator%]\Application Data\mail.dat”
“C:\Documents and Settings\[%administrator%]\Application Data\dial.dat”
“C:\Documents and Settings\[%administrator%]\Application Data\chro.dat”
“C:\Documents and Settings\[%administrator%]\Application Data\iexp.dat”
“C:\Documents and Settings\[%administrator%]\Application Data\ptsg.dat”
“C:\Documents and Settings\[%administrator%]\Application Data\ffox.dat”
[..]
0040CE80 -> /ExtractEdition
0040CE90 -> /WindowsKeys
0040CEA0 -> /OfficeKeys
0040CEAC -> /IEKeys
0040CEB4 -> /SQLKeys
0040CEC0 -> /ExchangeKeys
0040CED0 -> /remote
0040CED8 -> /iprange
0040CEE4 -> /remotefile
0040CEF0 -> /regfile
0040CEFC -> /windir
0040CF04 -> /external
0040CF10 -> /remoteall
0040CF1C -> /remotealldomain
0040CF30 -> /savelangfile

00411314 -> Extract Windows E&dition
0041132F -> Show &Windows Keys
00411344 -> Show &Office Keys
00411358 -> Show &Internet Explorer Keys
00411377 -> Show &SQL Server Keys
0041138F -> Show &Exchange Server Keys
004113AF -> Add Header Line To CSV/Tab-Delimited File
004113DA -> &Help
004113E2 -> &About
004113EB -> &Go To ProduKey Web Page
00411407 -> Popup1
00411410 -> &Save Selected Items
00411425 -> Ctrl+S
0041142E -> &Copy Selected Items
00411443 -> Ctrl+C
0041144F -> Copy Product ID
0041145F -> Ctrl+I
00411468 -> Copy Product Key
00411479 -> Ctrl+K
00411485 -> HTML Report – All Items
0041149F -> HTML Report – Selecte

==================================================
Product Name      : Microsoft Office Professional Edition 2003
Product ID        : [removed]
Product Key       : [removed]
Installation Folder : C:\Program Files\Microsoft Office\OFFICE11\
Service Pack      :
Computer Name     : Laptop
Modified Time     : 11/11/2011 12:42:19 PM
==================================================
==================================================
Product Name      : Microsoft Visual Studio Web Authoring Component
Product ID        : [removed]
Product Key       : [removed]
Installation Folder :
Service Pack      :
Computer Name     : Laptop
Modified Time     : 3/11/2010 3:56:10 PM
============================
==================================================
Product Name      : Windows XP Professional
Product ID        : [removed]
Product Key       : [removed]
Installation Folder : C:\WINDOWS
Service Pack      : Service Pack 3
Computer Name     : Laptop
Modified Time     : 1/24/2012 10:17:46 AM
==================================================

When executed, the malware kills the taskmgr.exe and injects itself into it.
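As an added detection example (not part of the email or of the original post): a Python scanner that walks every user profile under a Documents and Settings root and reports any of the staging file names listed above. The profile layout and the sample files it creates for a dry run are constructed assumptions, not real data.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Staging file names the email lists under
# C:\Documents and Settings\<user>\Application Data (names taken from the page).
ARTIFACT_NAMES = {"mess.dat", "mail.dat", "dial.dat", "chro.dat",
                  "iexp.dat", "ptsg.dat", "ffox.dat"}


def find_blackshades_artifacts(profiles_root: str) -> List[Dict[str, object]]:
    """Walk each user profile under profiles_root and report any listed .dat
    file in its 'Application Data' folder. Matching is case-insensitive,
    since NTFS is case-preserving but not case-sensitive."""
    hits: List[Dict[str, object]] = []
    root = Path(profiles_root)
    if not root.is_dir():
        return hits
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        appdata = next((d for d in profile.iterdir()
                        if d.is_dir() and d.name.lower() == "application data"),
                       None)
        if appdata is None:
            continue
        for entry in sorted(appdata.iterdir()):
            if entry.is_file() and entry.name.lower() in ARTIFACT_NAMES:
                hits.append({"user": profile.name, "name": entry.name,
                             "path": str(entry), "size": entry.stat().st_size})
    return hits


def build_sample_profiles(base: str) -> str:
    """Create a constructed profile tree (assumption, not real data):
    'victim' holds two staging files, 'clean' holds none."""
    root = Path(base) / "Documents and Settings"
    sample = {"victim": ["mess.dat", "FFOX.DAT"], "clean": ["notes.txt"]}
    for user, files in sample.items():
        appdata = root / user / "Application Data"
        appdata.mkdir(parents=True, exist_ok=True)
        for name in files:
            (appdata / name).write_bytes(b"constructed sample content")
    return str(root)


def demo() -> List[Dict[str, object]]:
    """Run the scanner over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_blackshades_artifacts(build_sample_profiles(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['user']}: {hit['path']} ({hit['size']} bytes)")
```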
