# Office365 2019 New Scam by Ex-Robotos Malware - cracked by IK Zeus

Around 1:45 PM on June 19, 2021 (GMT+8), I was contacted by one of my web development clients. He was in shock that they couldn't access their MLM website and were being redirected to a 404 page.

I asked him for the cPanel account login and promptly opened cPanel, only to find out that the Member's Area directory was gone and a new folder named "Journal" had been created a few hours earlier. The Journal folder contains some PHP files named after the missing files I had created before, and some text files. When I opened the files for editing (to view their content) through File Manager, I was presented with JavaScript code (which I didn't examine).

Voicemail Scmpage 2019 by Ex-Robotos
At the top of each PHP file, the phrase "Office365 2019 New Scam by Ex-Robotos - cracked by IK Zeus" was found in a comment.

Readme.txt inside the Journal folder

Upon examining the Journal folder, I realized that it is an Office365 2019 phishing script. How did that script get in there? I don't have an answer as of this writing.

What it does to my client's site is that it infects all files in the member area directory, and when the server's anti-virus detected it, it deleted the entire directory (which is so sad because my client doesn't have a backup).
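As an added defensive example (not part of the original post), here is a small Python triage script that walks a web root and flags files whose header carries the kit's marker phrases quoted in this post, so an infected directory can be identified and preserved before an anti-virus wipes it. The sample web root, its file names and the placeholder redirect line are constructed for the demo, not taken from the real kit.

```python
import os
import tempfile
from pathlib import Path

# Marker phrases the kit leaves in the comment at the top of each dropped file
# (both phrases are quoted in the post above).
KIT_MARKERS = (
    "Office365 2019 New Scam by Ex-Robotos",
    "Voicemail Scmpage 2019 by Ex-Robotos",
)

# File types worth inspecting; the kit drops PHP and text files alongside each other.
SUSPECT_SUFFIXES = {".php", ".phtml", ".txt", ".js", ".html"}


def file_has_marker(path, head_bytes: int = 4096) -> bool:
    """Return True if a known kit marker appears in the file's leading bytes."""
    with open(path, "rb") as f:
        head = f.read(head_bytes).decode("utf-8", errors="replace")
    return any(marker in head for marker in KIT_MARKERS)


def scan_webroot(root: str) -> list:
    """Walk a web root and return POSIX-style paths (relative to root) of suspect files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SUSPECT_SUFFIXES and file_has_marker(p):
                findings.append(p.relative_to(root).as_posix())
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed sample: a tiny web root with a dropped 'Journal' folder (assumed layout)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    (Path(root) / "index.php").write_text("<?php echo 'home'; ?>\n")
    journal = Path(root) / "Journal"
    journal.mkdir()
    (journal / "login.php").write_text(
        "<?php\n/*\nOffice365 2019 New Scam by Ex-Robotos - cracked by IK Zeus\n*/\n"
        "header('Location: https://example.invalid/');  // placeholder, not the kit's code\n"
    )
    (journal / "Readme.txt").write_text("Voicemail Scmpage 2019 by Ex-Robotos\n")
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        print("kit marker found:", hit)
```

Run it against a copy of the real document root (or the hosting backup) rather than the live site, and keep the flagged files for analysis instead of deleting them.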

It was my principle to hand over everything and stop doing anything to my client's site after development, unless I was asked to do so, exclusively by the client himself.

So what is this Voicemail Scmpage 2019 by Ex-Robotos?

/*
Voicemail Scmpage 2019 by Ex-Robotos
Email: ex.robotos@gmail.com
Facebook: facebook.com/Ex.Robotos
ICQ: 745771262
*/

Voicemail Scmpage 2019 by Ex-Robotos was a phishing script created in 2019, targeting mostly financial institutions. It sends the target victim a fake audio recording (a WAV file embedded in the HTML message) saying hello; after the audio plays, it redirects the victim to a generic Microsoft landing page that then prompts them to log in to hear the full recording.

Back in 2019, there were three variants of this kit, two of which were actively sold on the deep web, while the other was unnamed.

The one that infected my client's website is a different variant from the first three recorded. This one bears the phrase "cracked by IK Zeus".

As of this writing, I am still investigating how that script ended up in my client's hosting. According to my client, he is the only person who knows the login credentials of the hosting account. The hosting provider (which I won't name here) implements many software protections, like BitNinja, etc.

Searching the web about this, I found one tweet from @peterkruse about the same infection.

PeterKruse tweet about the same infection and a screenshot of his website showing the directory
If you have insights about Voicemail Scmpage 2019, please comment below. I will update this post in the comment section whenever I find something that can help us protect against, and recover from, this infection.
