Email Phishing Analysis - “CTT package”

First posted in February 2025.

Summary

The email sender appears to be impersonating the Portuguese postal service. However, upon further investigation, the purpose does not fully align with typical phishing motives, such as credential or credit card theft or malware distribution. That said, these possibilities cannot be ruled out due to the presence of cloaking mechanisms.

Basic Email Analysis

The email was sent to a Portuguese citizen and attempts to impersonate the Portuguese postal service → CTT.

Figure(1): Phishing Email


Highly suspicious signals:

  • The sender email address (info@apbmjlykyoawx[.]hdqilbzc[.]com)
  • The design is totally off
  • Highly suspicious URLs (Google Cloud Storage)

Figure(2): Email-URLs


These 3 URLs carry a “tarcking_param”, which is the value after the “#”. This value is appended to https[:]//malagaopensoffer[.]live/t/

Figure(3): First script redirect


That page, in turn, redirects the user to a page under the laundershirts[.]com domain, which is currently unavailable.

Figure(4): Second script redirect


This domain was created on June 28th, 2024 and was first scanned on URLScan on July 26th, 2024.

The MO is always the same:

An HTML file hosted on Google storage redirects to an intermediary website → spomouth[.]fyi/t/, https[:]//malagaopensoffer[.]live/t/ or other → which redirects to another intermediary website → laundershirts[.]com or ponelaz[.]com (with appended IDs) → which finally redirects to various spammy/affiliate marketing websites (the most prevalent being online surveys, but VPN promos were also observed).

Some of the online survey websites have different domains but are very similar to each other. By using the hash of the CSS file, we are able to catch thousands of submissions on URLScan: hash:920b8d8972275d746fd1bee5b5f1b3c20a87728ace3dbc2e90b2ae699c495f14
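As an added triage helper (not part of the original write-up), the snippet below splits the three Google Cloud Storage lure URLs into bucket, object and the “#” tracking value, reconstructs the defanged first-hop URL the way the write-up describes it (the concatenation is inferred from the text, not taken from the redirect script itself), and builds the URLScan `hash:` pivot from a CSS body the way the hash search above was built. The CSS bytes used in the usage call are constructed for illustration only.

```python
"""Triage helper for the CTT-themed lure chain (added example, not the author's code)."""
import hashlib
from urllib.parse import urlsplit

# The three lure URLs listed in the write-up's IOA section.
EMAIL_URLS = [
    "https://storage.googleapis.com/abdilahmokhtar/abdilahmokhtar.html#4zlywU79=037uDrw554tqqlmagawr87ALZAATSKAKPHZEH58480FJMA839h16",
    "https://storage.googleapis.com/abdilahmokhtar/abdilahmokhtar.html#4cXfuE79=037yhto554ikajavlvix87YHUDXCFMXUDZXPC58480JZEI839A16",
    "https://storage.googleapis.com/abdilahmokhtar/abdilahmokhtar.html#4sskKP79=037BsaU554mnjgtlpijm87UPSHUQQEUKRZQGZ58480MXPB839S16",
]

# First-hop intermediary named in the write-up, kept defanged so the output is safe to paste
# into a report. Assumption: the whole fragment is appended unchanged, as the text states.
FIRST_HOP = "https[:]//malagaopensoffer[.]live/t/"


def parse_email_url(url):
    """Split a GCS-hosted lure URL into host, bucket, object name and the '#' tracking value."""
    parts = urlsplit(url)
    bucket, _, obj = parts.path.lstrip("/").partition("/")
    return {"host": parts.netloc, "bucket": bucket, "object": obj, "tracking": parts.fragment}


def next_hop(url):
    """Reconstruct (defanged) the URL the lure page's script will send the victim to."""
    return FIRST_HOP + parse_email_url(url)["tracking"]


def urlscan_hash_query(file_bytes):
    """Build the URLScan 'hash:' search term from a fetched resource body (SHA-256, hex)."""
    return "hash:" + hashlib.sha256(file_bytes).hexdigest()


def triage(urls):
    """Summarise a batch of lure URLs: shared hosting object, per-recipient IDs, next hops."""
    parsed = [parse_email_url(u) for u in urls]
    return {
        "buckets": sorted({p["bucket"] for p in parsed}),
        "objects": sorted({p["object"] for p in parsed}),
        "tracking_values": [p["tracking"] for p in parsed],
        "next_hops": [next_hop(u) for u in urls],
    }


if __name__ == "__main__":
    for key, value in triage(EMAIL_URLS).items():
        print(key, value)
    # Constructed stand-in for a survey page's CSS body; a real pivot would hash the fetched file.
    print(urlscan_hash_query(b"body { font-family: sans-serif; }"))
```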

Figure(5): Online Survey page


Indicators of Attack (IOA)

URLs/domains:

  • https://storage.googleapis.com/abdilahmokhtar/abdilahmokhtar.html#4zlywU79=037uDrw554tqqlmagawr87ALZAATSKAKPHZEH58480FJMA839h16
  • https://storage.googleapis.com/abdilahmokhtar/abdilahmokhtar.html#4cXfuE79=037yhto554ikajavlvix87YHUDXCFMXUDZXPC58480JZEI839A16
  • https://storage.googleapis.com/abdilahmokhtar/abdilahmokhtar.html#4sskKP79=037BsaU554mnjgtlpijm87UPSHUQQEUKRZQGZ58480MXPB839S16
  • spomouth[.]fyi
  • malagaopensoffer[.]live
  • laundershirts[.]com
  • ponelaz[.]com

Simple URLScan rule

hash:920b8d8972275d746fd1bee5b5f1b3c20a87728ace3dbc2e90b2ae699c495f14