Malicious email .ics attachments

Recently I have received a few random emails with calendar invites attached, from random senders and with unknown email IDs in CC. These arrived in my inbox instead of spam, though later I moved them to the spam box.

Email Attachment:

File type: Calendar invite

File Extension: .ICS

I have uploaded the .ics attachment to VirusTotal, but no AV vendor has detected it as malicious yet.

I opened the .ics file in Notepad and can clearly see a URL pointing to the domain http://ngsl7[.]bemobtrcks[.]com

When I opened the URL http://ngsl7[.]bemobtrcks[.]com in a browser, it redirected to http://receivepayment[.]fun, then again to https://bitcoinwallet[.]xyz and on to https://paysitecash[.]paywest[.]net. The redirection chain changed each time, so accessing the main URL may land on a different website each time.

Below is a screenshot of one of the websites it redirects to.

When it opens bitcoinwallet[.]receivepayment[.]xyz, it shows potentially bad traffic.

any.run reports malicious traffic because the suspicious domain is using a Let's Encrypt certificate.

These are confirmed phishing emails. Calendar invites may bypass traditional email filters, which makes it easier for phishing emails using this method to reach users' inboxes, and that is what happened here.

Below are the network connections to domains that were established after opening the .ics file.

  • ngsl7[.]bemobtrcks[.]com
  • receivepayment[.]fun
  • ctldl[.]windowsupdate[.]com
  • bitcoinwallet[.]receivepayment[.]xyz
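As an added example (not from the original post), here is a small Python check that unfolds an .ics file per RFC 5545, extracts every URL from any property, and matches the hosts against a watchlist built from the domains named above; the sample invite, its UID and the `example.invalid` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not the attachment from the post). The DESCRIPTION
# value is folded per RFC 5545 (a continuation line starts with a space), which
# is why line-by-line grepping of the raw file can miss the URL.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed//sample//EN
BEGIN:VEVENT
UID:constructed-0001@example.invalid
SUMMARY:Invoice reminder
DESCRIPTION:Review the invoice here: http://ngsl7.bemobtrcks.com/click?
 id=abc123 before the invite expires.
URL:https://calendar.example.invalid/event/1
ATTACH;FMTTYPE=application/pdf:https://receivepayment.fun/invoice.pdf
END:VEVENT
END:VCALENDAR
"""

# Domains from the post, re-fanged so they can be compared with parsed hosts.
# ctldl.windowsupdate.com is deliberately left out: it is Microsoft's
# certificate trust list endpoint and expected background traffic.
WATCHLIST = {"ngsl7.bemobtrcks.com", "receivepayment.fun",
             "bitcoinwallet.receivepayment.xyz"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def unfold(ics_text):
    """Join folded lines: a line starting with SPACE or TAB continues the previous one."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def extract_urls(ics_text):
    """Return (property name, url) pairs for every URL found in any property value."""
    found = []
    for line in unfold(ics_text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";", 1)[0].upper()  # drop parameters such as ;FMTTYPE=
        found.extend((prop, url) for url in URL_RE.findall(value))
    return found

def flagged_urls(ics_text, watchlist=WATCHLIST):
    """URLs whose host is a watchlisted domain or a subdomain of one."""
    hits = []
    for prop, url in extract_urls(ics_text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in watchlist):
            hits.append((prop, url))
    return hits
```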

IOC:

  • MD5: 264D98086A88D5A57E917EFBCFC36F87
  • MD5: 4187D230F6D850024E8B678B783F4464
  • MD5: F1C401645FAD5274AB7B86857E4CAF84

Summary:

  • These are crypto-related phishing emails.
  • If such emails (with .ics attached) arrive from an unknown sender, it is better to ignore them.

MITRE TTP:

  1. Phishing (T1566): The use of calendar invites as a phishing vector to bypass traditional email filters and deliver malicious URLs to the victim’s inbox is indicative of this technique.
  2. Spearphishing Attachment (T1566.001): Although not explicitly mentioned as targeted, the use of .ICS file attachments to deliver the phishing content is a form of spearphishing.
  3. Command and Control: Web Service (T1071.001): The redirection of the victim to various malicious domains through the clicked URL in the .ICS file suggests the use of web services for command and control communication.
  4. Drive-by Compromise (T1189): The automatic redirection to multiple suspicious and potentially malicious websites upon accessing the initial URL can be considered a form of drive-by compromise.
  5. Unsecured Credentials: Credential Phishing (T1552.001): The final redirection to a fake cryptocurrency wallet site could be an attempt to phish for credentials, exploiting the user’s interest in cryptocurrency.
  6. Network Traffic Duplication (T1551): Not explicitly mentioned, but the potential use of malicious traffic duplicating or rerouting techniques could be inferred from the use of multiple redirects and suspicious network connections established.