The message's gz attachment contains an exe file: the malware itself. Stolen data is exfiltrated via FTP.
Technical analysis by the Malware Hunter JAMESWT
The latest cybercrime phishing campaign claims to come from a Boa web server. The lure is a fake email about an email closure. It contains a link to update the account via a login page, which is also fake. The only aim is to steal credentials.
A new phishing campaign targets international users. The lure is a message from a supposed Boa web server address ([email protected]) about a fake email closure. Inside, there is a request to update the account via a link. The link directs the victim to an anonymous login page, where they have to enter their email address and password. Once the form is submitted, the victim is redirected to the Microsoft Office homepage. The cybercrime actors' goal is to steal credentials.