Malicious email .ics attachments

Recently I have received a few random emails with calendar invites attached, sent from random addresses and with unknown email IDs in CC. They arrived in my inbox instead of spam; I later moved them to spam.

Email attachment:

File type: Calendar invite

File extension: .ics

I uploaded the .ics attachment to VirusTotal, but no AV vendor has detected it as malicious yet.

I opened the .ics file in Notepad and can clearly see a URL pointing to the domain hxxp://ngsl7[.]bemobtrcks[.]com. An .ics file is plain text (RFC 5545 iCalendar), so the lure URL can be read and extracted without ever opening the invite in a calendar client.
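Reading the invite in Notepad works for one file, but the same triage is easier to repeat with a small parser. The script below is an added example written for this page, not code from the original post: it unfolds RFC 5545 content lines (a long DESCRIPTION is wrapped onto continuation lines beginning with a space, so a naive grep can truncate the URL), pulls every http(s) URL out of the property values and parameters, records the METHOD, ORGANIZER and ATTENDEE fields, defangs the URLs for an IOC list, and hashes the raw bytes so the result can be matched against VirusTotal. The embedded invite is constructed for the example; only the host ngsl7.bemobtrcks.com comes from the post, the path, query string, sender and attendee addresses are made up.

```python
"""Offline triage of a suspicious .ics calendar invite (added example)."""
import hashlib
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample invite. CRLF line endings and one folded DESCRIPTION
# line (the line starting with a single space continues the previous one).
# Host from the post; path, query, UID and mail addresses are invented.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//Invite//EN\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:20240101T000000Z-1@example.invalid\r\n"
    "ORGANIZER;CN=Payments:mailto:noreply@example.invalid\r\n"
    "ATTENDEE;CN=Victim:mailto:victim@example.invalid\r\n"
    "SUMMARY:Your payment is ready\r\n"
    "DESCRIPTION:Claim your funds at http://ngsl7.bemobtrcks.com/?c=abc\r\n"
    " def&u=1 before the deadline.\r\n"
    "URL:http://ngsl7.bemobtrcks.com/path\r\n"
    "DTSTART:20240101T090000Z\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def unfold(text: str) -> List[str]:
    """Undo RFC 5545 folding: a line break followed by SPACE/HTAB continues the previous line."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def unescape(value: str) -> str:
    """Decode RFC 5545 text escapes: \\, \\; \\\\ and \\n / \\N."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append("\n" if value[i + 1] in "nN" else value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def split_content_line(line: str) -> Tuple[str, Dict[str, str], str]:
    """Split NAME;PARAM=val:VALUE on the first ':' that is not inside a quoted parameter."""
    in_quotes, split_at = False, -1
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            split_at = i
            break
    if split_at < 0:
        return line.upper(), {}, ""
    head, value = line[:split_at], line[split_at + 1:]
    name, *params = head.split(";")
    pdict: Dict[str, str] = {}
    for p in params:
        k, _, v = p.partition("=")
        pdict[k.upper()] = v.strip('"')
    return name.upper(), pdict, unescape(value)


def parse(text: str) -> List[Tuple[str, Dict[str, str], str]]:
    return [split_content_line(line) for line in unfold(text)]


def extract_urls(text: str) -> List[Tuple[str, str]]:
    """Every http(s) URL found in any property value or parameter, with the property it came from."""
    found: List[Tuple[str, str]] = []
    for name, params, value in parse(text):
        haystack = " ".join([value] + list(params.values()))
        for m in URL_RE.finditer(haystack):
            found.append((name, m.group(0).rstrip(".,;)")))
    return found


def defang(url: str) -> str:
    """http -> hxxp and dots in the host -> [.] so the IOC cannot be clicked by accident."""
    parts = urlsplit(url)
    rest = url[len(parts.scheme) + 3 + len(parts.netloc):]
    return f"{parts.scheme.replace('http', 'hxxp')}://{parts.netloc.replace('.', '[.]')}{rest}"


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def triage(text: str) -> Dict[str, object]:
    """Summarise sender, recipients, embedded URLs/hosts (defanged) and file hashes."""
    props = parse(text)
    urls = extract_urls(text)
    hosts = sorted({urlsplit(u).netloc.lower() for _, u in urls})
    return {
        "method": next((v for n, _, v in props if n == "METHOD"), ""),
        "organizer": next((v for n, _, v in props if n == "ORGANIZER"), ""),
        "attendees": [v for n, _, v in props if n == "ATTENDEE"],
        "urls": [(n, defang(u)) for n, u in urls],
        "hosts": [h.replace(".", "[.]") for h in hosts],
        "hashes": hash_bytes(text.encode("utf-8")),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ICS).items():
        print(f"{key}: {val}")
```

Run it against a real attachment by reading the file bytes and passing `data.decode("utf-8", errors="replace")` to `triage`; the `hashes` entry gives the MD5 and SHA-256 to search on VirusTotal, and `urls` and `hosts` are already in defanged form for an IOC list. The `METHOD` value matters for triage because a `REQUEST` is what makes a calendar client treat the file as an invitation rather than a passive event.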

When I opened hxxp://ngsl7[.]bemobtrcks[.]com in a browser, it redirected to hxxp://receivepayment[.]fun, then to hxxps://bitcoinwallet[.]xyz, and then to hxxps://paysitecash[.]paywest[.]net. The redirect chain changes every time; the main URL may land on a different site on each visit, which is typical of a traffic-distribution (tracker) domain serving different lures to different visitors.

Connections were established to many domains, including crypto sites and a Windows Update URL that looked fake to me.

The Windows Update URL hxxp://ctldl[.]windowsupdate[.]com served a .cab file that was processed by rundll32.exe, and rundll32.exe then connected to three different IP addresses. Note that ctldl.windowsupdate.com is the host Windows itself uses to fetch Certificate Trust List updates, so this traffic is normal background activity in a Windows sandbox and should not be treated as an indicator on its own.

  • 93[.]184[.]221[.]240
  • 2[.]18[.]97[.]123
  • 2[.]16[.]164[.]49

Screenshot (not reproduced here): one of the websites the chain redirects to.

When the chain opens bitcoinwallet[.]receivepayment[.]xyz, the sandbox flags the traffic as potentially malicious.

any.run reports the traffic as malicious because a Let's Encrypt certificate is being used on a suspicious domain. Let's Encrypt issues free, domain-validated certificates automatically, so a valid HTTPS padlock on such a site says nothing about who runs it.

These are confirmed phishing emails. Calendar invites can bypass traditional email filters: the attachment is plain text with no macro or executable content to scan, and many mail clients process an invite automatically and display its description and links as a calendar event. That makes it easier for phishing emails using this method to reach users' inboxes, and that is exactly what happened here.

Below are the domains that network connections were established to when the .ics file was opened (ctldl.windowsupdate.com is included for completeness, but it is legitimate Windows CTL-update traffic, see above).

  • ngsl7[.]bemobtrcks [.]com
  • receivepayment [.] fun
  • ctldl [.] windowsupdate [.] com
  • bitcoinwallet [.] receivepayment [.] xyz

IOC (MD5 hashes):

  • 264D98086A88D5A57E917EFBCFC36F87
  • 4187D230F6D850024E8B678B783F4464
  • F1C401645FAD5274AB7B86857E4CAF84

Summary:

  • These are crypto-related phishing emails.
  • If you receive such emails (with an .ics attached) from an unknown sender, it is better to ignore them and not open the links in the invite.
