Key points
- Threat delivered via calendar invite attachments (.ICS) that arrived in the inbox rather than spam, allowing them to bypass some email filters.
- Opening the .ICS in a text editor revealed an embedded URL pointing to ngsl7.bemobtrcks.com.
- The initial domain redirects to various sites (receivepayment.fun → bitcoinwallet.xyz → paysitecash.paywest.net), with redirect chains changing on repeated access.
- VirusTotal showed no detections for the .ICS sample at time of upload; any.run flagged suspicious traffic and TLS usage via Let’s Encrypt for redirected domains.
- Observed network connections include ngsl7.bemobtrcks.com, receivepayment.fun, ctldl.windowsupdate.com, and bitcoinwallet.receivepayment.xyz.
- Three MD5 hashes were reported for the samples; analysts recommend ignoring or deleting unexpected .ICS attachments from unknown senders.
MITRE Techniques
- [T1566] Phishing – Use of calendar invites as a vector to deliver malicious URLs to victims’ inboxes (‘These are confirmed phishing emails. Calendar invites may bypass traditional email filters’)
- [T1566.001] Spearphishing Attachment – Delivery of the phishing content via a .ICS attachment (‘File type: Calendar invite. File Extension: .ICS’)
- [T1071.001] Application Layer Protocol: Web Protocols – Use of web redirects and remote web services to serve malicious pages (‘it redirects to “http://receivepayment[.]fun” website and again redirects to “https://bitcoinwallet.xyz”’)
- [T1189] Drive-by Compromise – Automatic redirection to multiple suspicious sites upon accessing the initial URL, potentially exposing users to drive-by payloads (‘Redirection of websites always changed and may land on different website each time I accessed the main URL.’)
- [T1552.001] Unsecured Credentials: Credential Phishing – Final redirection to fake cryptocurrency wallet pages aiming to capture credentials or funds (‘the final redirection to a fake cryptocurrency wallet site could be an attempt to phish for credentials’)
- [T1551] Network Traffic Duplication – Mapping inferred from the chain of redirects and the several outbound connections observed, which suggest traffic rerouting or duplication (‘Below are the network connections established to domains when opening the .ics file.’)
Indicators of Compromise
- [Domains] Redirect and C2 candidates – ngsl7[.]bemobtrcks[.]com, receivepayment[.]fun, bitcoinwallet[.]receivepayment[.]xyz, paysitecash[.]paywest[.]net
- [File Type] Malicious attachment – .ICS calendar invite used to carry the malicious URL
- [File Hashes] Sample identifiers – MD5: 264D98086A88D5A57E917EFBCFC36F87, MD5: 4187D230F6D850024E8B678B783F4464, and 1 more hash
I extracted and inspected the .ICS file in a text editor and found an embedded URL pointing to ngsl7.bemobtrcks[.]com. Uploading the sample to VirusTotal returned no AV detections at the time, so I proceeded to follow the link in a controlled environment; the initial domain consistently performed HTTP redirects that led to several different sites, including receivepayment[.]fun, bitcoinwallet[.]receivepayment[.]xyz and paysitecash[.]paywest[.]net.
Repeated accesses produced varying redirect chains, and dynamic analysis (any.run) flagged the traffic as suspicious and noted the use of Let’s Encrypt TLS certificates on the redirected domains. Network connections observed when the .ICS was opened included ngsl7[.]bemobtrcks[.]com, receivepayment[.]fun, ctldl[.]windowsupdate[.]com and bitcoinwallet[.]receivepayment[.]xyz. Three MD5 hashes were recorded for the samples. Given the delivery method and redirect behavior, treat unsolicited .ICS attachments from unknown senders as phishing and avoid interacting with embedded links.
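The manual step above (open the .ICS in a text editor, find the embedded URL, hash the sample) can be scripted for triage. The following is an added example, not code from the original write-up; the calendar invite it parses is a constructed sample with a placeholder URL on the reserved .invalid TLD, not the indicators from this case. It unfolds RFC 5545 continuation lines first, because a URL split across a folded line is missed by a naive grep, and it defangs what it reports so nothing in the output is clickable.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample invite (not the real attachment). Note the folded
# DESCRIPTION line: the URL continues on the next line after a space.
SAMPLE_ICS = b"""BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Invite//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-sample-001@example.invalid
DTSTART:20240325T140000Z
DTEND:20240325T143000Z
SUMMARY:Payment confirmation
DESCRIPTION:Review the invoice here: http://tracker.example.invalid/p
 ath?id=123
ATTENDEE;CN=Victim:mailto:victim@example.invalid
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def unfold_ics(raw: bytes) -> str:
    """Undo RFC 5545 line folding: a line break followed by a space or
    tab continues the previous content line."""
    text = raw.decode("utf-8", errors="replace")
    return re.sub(r"\r?\n[ \t]", "", text)

def extract_urls(raw: bytes) -> List[Tuple[str, str]]:
    """Return (property name, url) pairs for every http(s) URL found."""
    found = []
    for line in unfold_ics(raw).splitlines():
        if ":" not in line:
            continue
        # Property name precedes any ;parameters and the first colon.
        prop = line.split(":", 1)[0].split(";", 1)[0].upper()
        found.extend((prop, url) for url in URL_RE.findall(line))
    return found

def defang(url: str) -> str:
    """Make the URL safe to paste into a report (hxxp, bracketed dots)."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")

def triage(raw: bytes) -> Dict[str, object]:
    """Summarise an .ICS attachment: hash, defanged URLs and hosts,
    and whether it is a meeting request (METHOD:REQUEST)."""
    urls = extract_urls(raw)
    hosts = sorted({re.match(r"https?://([^/]+)", u).group(1) for _, u in urls})
    return {
        "md5": hashlib.md5(raw).hexdigest().upper(),
        "urls": [(p, defang(u)) for p, u in urls],
        "hosts": [defang(h) for h in hosts],
        "is_request": "METHOD:REQUEST" in unfold_ics(raw).upper(),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ICS).items():
        print(f"{key}: {value}")
```

Hosts returned by `triage` can be compared against the domain indicators listed above or fed to a mail-gateway rule that quarantines invites whose links point outside the organisation.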
Read more: https://malwr-analysis.com/2024/03/25/malicious-email-ics-attachments/