
The Dark Water Journal: Fortune Phisher

Sergiu Sechel
The Dark Water Journal
Dec 7, 2019

The following article presents a spam email investigation which uncovered a campaign designed to lure users into risky financial schemes involving cryptocurrency websites. The campaign has been active since at least August 2019 and is still ongoing, with the number of websites and URLs changing from week to week.

In the process, the threat actor behind the websites is well positioned to collect personally identifiable information of scammed users together with other sensitive information.

The campaign was named “Fortune Phisher” because of the string “fortune” identified in the spam email body.

Incident Analysis

The incident was detected on Nov 29, 2019. It started with an email which contained the string “fortune”, a short URL link and no other information.

Spam email with the string “fortune”

The analysis of the raw email message revealed a different reply-to address pointing to “anyovi2003v@yahoo.co.uk”, which combined with the message contents made me curious to analyze it in more detail. Usually I don’t spend time analyzing spam or phishing emails unless they trigger my curiosity.

The spam email raw contents.

The next step was to analyze the short URL. There are several ways to do this, ranging from detonation in a VM to using the Linux wget command and storing the file contents for analysis. In this case I used the PowerShell Invoke-WebRequest -Uri cmdlet and stored the contents in a text file. On Windows I like to use Microsoft Visual Studio Code with different extensions for web-based malware analysis and other DFIR activities.

The analysis of the short URL link revealed an attempt to load a PHP file named “library.php” from the /wp-admin/ folder of the “mediakaand.com” domain. The “mediakaand” URL was obfuscated by splitting the address into multiple JavaScript variables inside the page served by the “bit.do/fiWAz” short address.

The reconstructed link is displayed below: hxxp://mediakaand[.]com/wp-admin/library[.]php/hnwck/eqw/?9y9n9vp9e0
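The reconstruction step above can be automated. The following Python snippet is an added example, not code from the original post: it walks the JavaScript string assignments in a captured page, evaluates the concatenation assigned to `window.location`, defangs the result for reporting and extracts the host for IOC pivoting. The JavaScript sample is constructed to mimic the split-variable obfuscation described in the article; the variable names are invented, and the example assumes plain `+` concatenation of quoted literals.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the obfuscation described in the article:
# the destination is split across several JavaScript string variables and
# only reassembled at runtime. Variable names (a1..a4) are invented.
SAMPLE_JS = """
var a1 = "htt" + "p://";
var a2 = "mediak" + "aand";
var a3 = ".com/wp-admin/";
var a4 = "libr" + "ary.php/hnwck/eqw/?9y9n9vp9e0";
window.location.href = a1 + a2 + a3 + a4;
"""

ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*(.+?);')
LOCATION_RE = re.compile(r'window\.location(?:\.href)?\s*=\s*(.+?);')
STR_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')


def _eval_concat(expr, symbols):
    """Evaluate a '+'-concatenation of string literals and known variables.
    Assumes literals themselves contain no '+' character."""
    out = []
    for part in (p.strip() for p in expr.split('+')):
        m = STR_RE.fullmatch(part)
        if m:
            out.append(m.group(1) if m.group(1) is not None else m.group(2))
        elif part in symbols:
            out.append(symbols[part])
        else:
            raise ValueError(f"unresolved token: {part!r}")
    return ''.join(out)


def reconstruct_redirect(js):
    """Resolve every var assignment in order, then the location target."""
    symbols = {}
    for name, expr in ASSIGN_RE.findall(js):
        symbols[name] = _eval_concat(expr, symbols)
    m = LOCATION_RE.search(js)
    if not m:
        raise ValueError("no window.location assignment found")
    return _eval_concat(m.group(1), symbols)


def defang(url):
    """Render the URL non-clickable for reports (hxxp scheme, [.] dots)."""
    return re.sub(r'^http', 'hxxp', url).replace('.', '[.]')


def ioc_host(url):
    """Host component of the reconstructed URL, for pivoting on IOC feeds."""
    return urlsplit(url).hostname
```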

The URL link was obfuscated by splitting the URL into multiple string variables using JavaScript.
A scam website using a tabloid template designed to make users click on links
The short URL redirecting users to the Crypto Nation Pro platform

The contents of the webpage included several Base64 encoded images and another short URL which appeared throughout the page source code.

The short URL “smarttracker[.]pro/FmYTbGts” redirects the user to “hxxps://cryptonation[.]thesecuretrack[.]pro/de/crypto-nation/?destinationid=a69c269e-cffc-4e95-b129-b223f9fb8142&clickid=56222f7e-ebc8-4bec-a472-3aee60009062&sourceid=c056d7e1-3c2e-4532-aec7-5355e922ba60”.

The website hosts a cryptocurrency investment platform called “Crypto Nation Pro”, asking potential investors for an initial seed to participate in the platform.

The Crypto Nation Pro scam website

The adversary used several techniques to obfuscate the code and to make the JavaScript analysis more difficult.

Why would someone go through so much trouble to mask the path to a cryptocurrency trading/investment platform?

To answer this question, and to satisfy my curiosity, I started pivoting from the initial incident to discover other IOCs and fill in the gaps. For this activity I used the Diamond Model, a threat intelligence method used to identify the four features of an intrusion: victims, capabilities, infrastructure and adversaries.

Pivoting and Threat Intelligence

Starting with the IOCs collected during the incident analysis, my first step was to search threat intelligence feeds for similar IOCs. The only significant information was found in a blog post published by Trend Micro in September 2019. In that analysis, Trend Micro described a threat actor that exploited PHP vulnerabilities in websites to send spam emails to UK users. The spam emails contained links which redirected the users to extra income websites.

PHP scam campaign anatomy. (Trend Micro, 2019)

The Trend Micro post provided several insights to further the analysis. The next step was to identify similar URLs and hosts serving these types of services.

For this I mainly used threat intelligence feeds and BlackShark.

During the pivoting phase 20 hosts and more than 150 spam URLs redirecting users to crypto scams were identified. Since the initial analysis performed by Trend Micro in autumn 2019 the threat actor has expanded its operation and is now targeting users in Germany, Spain, Belgium, the Netherlands and the UK.

Indicators of compromise (IOCs)

Hosts


Email addresses

  • anyovi2003v@yahoo.co.uk
  • anyovi2003@adventure-inc.co.jp

Scam sites screenshots
