#Office365 2019 New Scam by Ex-Robotos Malware - cracked by IK Zeus

-

 Around 1:45PM June 19, 2021 (+8gmt), I was contacted by one of my web development clients. He's in shock that they can't access their MLM Website, and get redirected to 404 Page.

I asked him the CPanel account login, and promptly opened the CPanel, only to find out, the Member's Area directory was gone, and there this new folder named "Journal" was created few hours ago. Journal folder containes some php files named after the missing files I created before, and some text files. When I open the files for editing (to view its content) through File Manager, I was presented with javascript codes (which I didn't examined).

Voicemail Scmpage 2019 by Ex-Robotos




In the top most part of each php files were found commented the phrase "Office365 2019 New Scam by Ex-Robotos - cracked by IK Zeus"

Readme.txt inside the Journal folder

Upon examining the Journal folder, I realized that it is a Office365 2019 Phishing Script. How did that script put in there? I don't have answer as of this writing.

What it does to my client's site is that, it infects all files in the member area directory, and when the server's anti-virus detected it, it deletes the entire directory (which is so sad because my client don't have back up).

It was my principle to give everything and stop doing anything to my client's site after development, unless I was asked to do so, exclusively by the client itself.

So what is this Voicemail Scmpage 2019 by Ex-Robotos?

/*
Voicemail Scmpage 2019 by Ex-Robotos
Email: ex.robotos@gmail.com
Facebook: facebook.com/Ex.Robotos
ICQ: 745771262
*/

Voicemail Scmpage 2019 by Ex-Robotos was a phishing script created in 2019, targeting mostly financial institutions. It will send the target victim a fake audio recording (embedded wav file in the html message) saying hello, which after playing the audio, will redirect the target victim to a generic Microsoft landing page that then prompts you to login to hear the full recording.

Back in 2019, there were three variants of this kit, two of which was actively sold in the deep web, while the other was unnamed.

The one that infects my client's website is another variant than the first three recorded. This one bears the phrase "cracked by IK Zeus".

As of this writing, I am still investigating how did that script ended up in my client's hosting. According to my client, he is the only person who knows the login credentials of the hosting account. The hosting account (which I won't name here) implements many software protections like bitninja, etc.

Searching the Web about this, I found one Tweet from @peterkruse about same infection
PeterKruse Tweet about same infection and a screenshot of his Website showing the directory



If you have insights about Voicemail Scmpage 2019, please comment down below. I will update this post in the comment section whenever I found something that can help us protect, and recover from this infection.


Comments

  1. hadariahvalenciaMarch 5, 2022 at 12:47 AM

    JackpotCity: The Best Casino for Slots & Live Dealer - DRMCD
    JackpotCity offers a wide selection of Casino games, from 광주 출장안마 video slots, 포천 출장마사지 to Blackjack, 전라북도 출장마사지 Roulette, Keno, Video 군포 출장마사지 Poker 광양 출장마사지 and Vegas Style Casino Roulette. Rating: 3.8 · ‎1,000 votes

    ReplyDelete

Post a Comment

Popular posts from this blog

6000+ Midi KaraOke File Free Download (Links Updated 02-21-21)

-
6000+ Midi KaraOke File Free Download (LINK UPDATED 02-21-2001) Midi KaraOke files are synthesized music (midi) with Lyrics applied to so that one can sing his/her favorite songs using his/her Laptop. Midi KaraOke files has the file extension .kar, and is playable on various Midi KaraOke Players freely available, VanBasco Karaoke player to be the most popular. There are various sites who offers free downloads of these MIDI Karaoke Files but their collections are very limited (they offer only several hundreds of KaraOke Files). This compilation of Midi KaraOke files has more than 6000 KaraOke Songs, offered for free download. You can download all these KaraOke songs for free, however, to minimize our hosting cost, we decided to upload these to a free file hosting, and to monetize some downloads to help us cover our hosting expenses, please click on the download link, wait for five (5) seconds then click on SKIP ADS on the top right of the screen. Because of the file size lim...
Read more

Computrace Rootkit: What to do if you are locked

-
 Ok, so there this client of mine who brought me a laptop to fix it. According to him, he was a call center agent and his company issued a laptop to him, and he got fired, he refused to give the laptop back to the company, thinking it is his to keep because he was fired and he maybe thinking it is unfair to him. So the IT of their company locked the Laptop, and whatever they do, the lock keeps bugging him. He reformatted the drive and installed a new operating system but to no avail. Computrace What is computrace? Computrace is a security software, an Anti-theft software developed by absolute software as part of the MCLA's Laptop Initiative. It is a software built into laptop's BIOS that were purchased  and in the event of lost, the organization's IT can track the stolen laptop, lock it up, delete sensitive information, or, it can be ordered to brick itself (totally unusable). It is a very persistent rootkit that reformatting the drive, flashing the BIOS won't get the l...
Read more