Fake New Order on Hold serving Formbook Stealer

Our research team has identified a campaign in wild serving Formbook stealer. Based on the email content and sender it seems targeted towards UK. Below is the screenshot of the email body.

Screen Shot 2020-04-21 at 8.16.03 pm

  • Email Attachment – Scan 1722020 pdf.zip
  • Hash – e5eb58f54fa93643b576611712afcf27
  • Zipped Exe – Scan 1722020 pdf.exe – Any.Run
  • Hash – 2c30459f114032b16470666e7010e770

Infection Flow

Screen Shot 2020-04-22 at 2.11.52 pm

GET/POST Requests:

  • hxxp://www.pabloms.com/wtm/-
  • hxxp://www.briartekinternal.com/wtm –
  • hxxp://www.nwrefacing.com/wtm/ –
  • hxxp://www.nacemo.com/wtm/-
  • hxxp://www.dinezonekuwait.com/wtm/ –




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s