Phishing website of the portal

A user notified UNAM-CERT about an email that contained an allegedly malicious attachment and an IP address on the body of the message that redirected to a malicious portal that pretended to be the popular e-card website This kind of sites is known as phishing and its function is to take advantage of users, making them believe that they are navigating a legitimate website.



The malicious file propagated with the name “ver_postal_amistad.exe” on“.zip” format.

When clicked, the link redirected the user to a malicious site that pretended to be the known e-card service As soon as the portal is displayed on the browser, it tried to download a malware hosted on the site automatically.



The phishing site to where the user gets redirected only has the main page active, so when we tried to consult any other option by selecting a tab from its menu, it returned an error 404 of page not found.


When executing the sample on our laboratory, it started a process with the same name as the “.exe” file.


It also started another process called "76393F7D8F9.exe".After some seconds, both processes terminated their execution and the malicious file automatically deleted itself from the location where it was executed, to hide its trace. In our case, it was executed on the path:

C:\Documents and Settings\User\Desktop\ver_postal_amistad.exe.



The malicious activity carried out by the sample on the Windows registry focuses mainly on changing the security settings of the Internet Explorer browser, deactivating its Anti-Phishing filter used to detect fake sites when the user visits them. It also deactivates the option that allows the user to delete the navigation history when the browser closes, keeping the passwords and the data introduced in forms.

The option PhishingFilters on the Internet Explorer browser makes use of three methods to protect the users from being scammed. First, it compares the addresses of the visited websites against the list that Microsoft has of legitimate websites. Secondly, it analyzes the visited websites to verify whether or not they contain characteristics common of the phishing websites. Thirdly, with the user’s approval, it sends some addresses of the visited websites to Microsoft, to detect new phishing sites and keep its list updated. Finally, if a website visited by the user is on the list of phishing websites reported, the browser displays a red alert; if it doesn’t appear on the list but contains suspicious characteristics, it will notify on the address bar of the browser that the site is possibly malicious.


Immediately after the malware terminates its process, the window “Work offline” shows, if the window is closed from the [x] icon on the top left corner or if the button “Work offline” is clicked, the windows shows up again. If the button “Try again” is clicked, it can be observed on the captured network traffic that it tries to resolve some domains.



The list of some of the domains that the malware tries to resolve is as follows:


We made a proof of concept (PoC), on which the hosts file of the infected computer was modified in such way that when the malware tried to resolve a domain, it was redirected to another computer located on the same local network with the web service active, since the connection attempts were towards the port 80.


The infected machine establishes connections to the remote host. The network activity consisted on sending a synchronization request to the target domain, waiting for the confirmation that the synchronization was done successfully, establishing a connection, terminating the connection and proceeding with the next site on the list.


When the sample was allowed to interact with the internet, its behavior remained the same: establish a connection to a website, disconnect and if a site was not active, the connection was not established and a different site was consulted. This generated load on the victim’s network, causing the network connection to slow down due to the malicious process using the bandwidth.


When consulting information about the malware on the VirusTotal website, only 10 out of 42 antivirus engines detected it as malicious. The report is shown below.


The recommendation to all users is to check periodically the configuration of all their browsers to discard changes that could leave them unprotected or that could redirect them to phishing sites using a proxy configuration.


It is also advisable to configure the options of the browsers to delete the history, form data and passwords once the browser is closed. To distrust attachments on emails, even if they seem to come from a trusted source, could help us to avoid malware infections and/or to stop propagating threats on the network. It is important to ask the sender about the content of the file because we could be spreading malware without even knowing it.


Finally, it’s convenient to keep the antivirus updated and to pay attention when surfing the Internet to avoid being a victim of phishing frauds.