Two emails with different .gz attachments contain the same CHM file. The CHM downloads and launches the malware. Stolen data is exfiltrated via the FTP server of a Bosnian company.
Technical analysis by the malware hunter JAMESWT
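The observation above (two attachments that differ as .gz files but carry the same CHM) is easy to check mechanically at the mail gateway: unpack the gzip stream, look for the CHM signature, and hash the inner file so that separate messages can be correlated. The following is an added example written for this page, not code from JAMESWT's analysis; the attachments and the CHM payload are constructed in the script (a real CHM starts with the bytes `ITSF`, which is the only property the sample reproduces), and the tar handling is an assumption about how a `.gz` attachment might be packed.

```python
import gzip
import hashlib
import io
import tarfile

CHM_MAGIC = b"ITSF"        # signature of a Microsoft Compiled HTML Help file
GZIP_MAGIC = b"\x1f\x8b"   # gzip stream header


def inner_files(blob: bytes):
    """Yield (name, payload) for the file(s) inside an attachment.

    Handles a bare file, a plain gzip stream, and a gzipped tar archive.
    """
    if not blob.startswith(GZIP_MAGIC):
        yield ("<raw>", blob)
        return
    data = gzip.decompress(blob)
    try:
        # Assumption: the .gz may wrap a tar archive; walk its regular files.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    handle = tar.extractfile(member)
                    if handle is not None:
                        yield (member.name, handle.read())
        return
    except tarfile.TarError:
        pass  # not a tar: the gzip stream holds a single file
    yield ("<gzip-stream>", data)


def find_chm(blob: bytes):
    """Return [(name, sha256)] for every CHM found inside the attachment."""
    hits = []
    for name, payload in inner_files(blob):
        if payload.startswith(CHM_MAGIC):
            hits.append((name, hashlib.sha256(payload).hexdigest()))
    return hits


def same_inner_file(a: bytes, b: bytes) -> bool:
    """True when two attachments (possibly different as bytes) carry an identical CHM."""
    hashes_a = {h for _, h in find_chm(a)}
    hashes_b = {h for _, h in find_chm(b)}
    return bool(hashes_a) and hashes_a == hashes_b


# --- constructed samples (not real malware) ---------------------------------
SAMPLE_CHM = CHM_MAGIC + b"\x03\x00\x00\x00" + b"constructed CHM-like filler " * 24


def make_gz(payload: bytes, filename: str, mtime: int) -> bytes:
    """Gzip a payload; filename and mtime change the .gz header, not the content."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", filename=filename, mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()


def make_tgz(payload: bytes, member_name: str) -> bytes:
    """Wrap a payload in a single-member tar and gzip it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Two "mails": different .gz bytes, same CHM inside (as described on the page).
ATTACHMENT_A = make_gz(SAMPLE_CHM, "invoice.chm", 1_600_000_000)
ATTACHMENT_B = make_gz(SAMPLE_CHM, "document.chm", 1_600_100_000)
# A third packing of the same CHM inside a tar.gz.
ATTACHMENT_C = make_tgz(SAMPLE_CHM, "readme.chm")
# A benign gzipped text file for comparison.
BENIGN_ATTACHMENT = make_gz(b"hello, this is a plain text note", "notes.txt", 1_600_000_000)

if __name__ == "__main__":
    for label, att in (("A", ATTACHMENT_A), ("B", ATTACHMENT_B),
                       ("C", ATTACHMENT_C), ("benign", BENIGN_ATTACHMENT)):
        print(label, find_chm(att))
    print("A and B share a CHM:", same_inner_file(ATTACHMENT_A, ATTACHMENT_B))
```

The hash of the inner file, rather than of the attachment, is the value to pivot on: the gzip header carries a filename and timestamp, so two senders can produce different attachment hashes around one identical CHM.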
New phishing campaign exploits the email "storage limit" lure. A fake message from the victim's help desk invites the victim to open a link, which redirects to a fake login page tailored to the target. The objective is to steal the password.
New phishing campaign exploits the “storage limit” lure. Cybercrime actors send an email, impersonating the help desk, about a problem on the account space limits.
According to the message, the mailbox is full and an action is required to restore it: opening a link tailored to the victim. In fact, it leads to a fake login page where the user's address is already entered.
The target only needs to enter the password. Once done, the victim is redirected to the real homepage (if there is one) associated with the mail address. Meanwhile, the credentials have been stolen.
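A link "tailored to the victim" that lands on a page with the address already filled in usually has to carry that address somewhere in the URL (query string or fragment, plain or base64-encoded); that is an assumption about the kit, not something the page states, but it gives a mail filter two cheap signals: an address embedded in a link, and a link host that does not belong to that address's domain. The script below is an added example for this page, not code from the campaign write-up; the URLs, subjects and scoring thresholds are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Subject phrases matching the "storage limit" lure described above (constructed list).
LURE_WORDS = ("storage limit", "mailbox full", "mailbox is full", "quota", "storage space")


def _decode_candidates(value: str):
    """Yield the value as-is and, when it looks like base64, its decoded text."""
    plain = unquote(value)
    yield plain
    stripped = plain.strip()
    if re.fullmatch(r"[A-Za-z0-9+/=_-]{8,}", stripped):
        try:
            padded = stripped + "=" * (-len(stripped) % 4)
            yield base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
        except (ValueError, UnicodeDecodeError):
            pass


def embedded_emails(url: str):
    """Return e-mail addresses carried in the query string or fragment of a URL."""
    parsed = urlparse(url)
    values = []
    for vals in parse_qs(parsed.query, keep_blank_values=True).values():
        values.extend(vals)
    if parsed.fragment:
        values.append(parsed.fragment)
        # Kits may use "#user@example.com" or "#key=value&key2=value2" fragments.
        for part in parsed.fragment.split("&"):
            values.append(part.split("=", 1)[-1])
    found = set()
    for value in values:
        for candidate in _decode_candidates(value):
            found.update(m.lower() for m in EMAIL_RE.findall(candidate))
    return sorted(found)


def assess_link(url: str, subject: str = "") -> dict:
    """Score a link from a mail: embedded address, host/domain mismatch, lure subject."""
    host = (urlparse(url).hostname or "").lower()
    emails = embedded_emails(url)
    victim_domains = {e.split("@", 1)[1] for e in emails}
    # The fake login page sits on a host unrelated to the victim's own mail domain.
    host_mismatch = bool(emails) and not any(
        host == d or host.endswith("." + d) for d in victim_domains
    )
    lure_subject = any(w in subject.lower() for w in LURE_WORDS)
    score = (1 if emails else 0) + (2 if host_mismatch else 0) + (1 if lure_subject else 0)
    return {
        "host": host,
        "emails": emails,
        "host_mismatch": host_mismatch,
        "lure_subject": lure_subject,
        "score": score,
        "suspicious": score >= 3,
    }


# Constructed samples: a lure link, a base64-tailored link, and a legitimate link.
LURE_URL = "https://login-verify.example.net/owa/index.php?user=alice%40example.com"
LURE_SUBJECT = "Your mailbox storage limit has been reached"
B64_URL = "https://secure-helpdesk.example.net/login#Ym9iQGV4YW1wbGUub3Jn"
LEGIT_URL = "https://mail.example.com/reset?user=alice%40example.com"
LEGIT_SUBJECT = "Password reset confirmation"

if __name__ == "__main__":
    for url, subject in ((LURE_URL, LURE_SUBJECT), (B64_URL, LURE_SUBJECT), (LEGIT_URL, LEGIT_SUBJECT)):
        print(assess_link(url, subject))
```

The host check is the strongest of the three signals: a genuine self-service page for `alice@example.com` lives under `example.com`, while the lure page lives wherever the kit is hosted. Treat the score as a triage hint to route the message for review, not as a verdict on its own.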