What lies here?

Found a little gem in the rough today, so to speak. Received an email at 10:42am local time (AST) from “UPS”. I knew it was a sham, but I was curious (and it needed to be reported anyway).

I pulled the website from the embedded link contained in the “Tracking #” for UPS.

Original Link >> events(dot)whoiskim(dot)com/pronto/x.html

Pulled the header details (which contain my academic/professional email address) and sent those off to IT.

Sucuri failed to scan it: https://sitecheck.sucuri.net/results/events.whoiskim.com

Downloaded file actually comes from gssport(dot)ca

Site is actively changing the files. The first one I grabbed was a compressed ZIP file with an application in it. The second one was a VB Script file. (I read the Latin-laced code… They were nice enough to INDENT IT!!)

Zulu: https://zulu.zscaler.com/submission/9f331d3f-d2b5-45b3-81bf-12db8adf46dd
VirusTotal: https://www.virustotal.com/#/url/3ef4a319b3c3814d7c88e1cbd4604c3e4c2d92322689ff496314b375905a1a7f/detection

And URLQuery has been “processing” it for 20 minutes now.

Windows Defender was late to the party… It let the VBS file download the EXE. Even after launching it, Windows Defender took a little while before it said “no”.

I wonder what Polonus has to add for the website portion?

Windows Defender blocks unknown files and uploads them; the default timeout is 10 seconds before it lets the file run.

That may be something you want to increase.
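The 10-second window mentioned above is Defender's cloud check (Block at First Sight), and it can be extended. The script below is an added example written for this thread, not code from either poster or from Microsoft: it reads the current cloud-protection settings and then raises the extension and block level. It assumes Windows 10/11 with Microsoft Defender Antivirus and an elevated PowerShell session; the parameter names are the documented Set-MpPreference ones, and the enum values in the comments are as documented for those parameters.

```powershell
# Added example (not from the forum thread): check and extend Defender's cloud-check timeout.
# Assumes an elevated PowerShell session on Windows 10/11 with Defender Antivirus active.

$pref = Get-MpPreference

# Cloud-delivered protection and sample submission must be on, otherwise the
# 10-second cloud check described in the post never happens.
#   MAPSReporting:        Disabled / Basic / Advanced
#   SubmitSamplesConsent: AlwaysPrompt / SendSafeSamples / NeverSend / SendAllSamples
#   CloudBlockLevel:      Default / Moderate / High / HighPlus / ZeroTolerance
#   CloudExtendedTimeout: extra seconds added to the default 10 s (0-50)
[pscustomobject]@{
    MAPSReporting           = $pref.MAPSReporting
    SubmitSamplesConsent    = $pref.SubmitSamplesConsent
    DisableBlockAtFirstSeen = $pref.DisableBlockAtFirstSeen
    CloudBlockLevel         = $pref.CloudBlockLevel
    CloudExtendedTimeout    = $pref.CloudExtendedTimeout
} | Format-List

# Turn on the pieces Block at First Sight depends on.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
Set-MpPreference -DisableBlockAtFirstSeen $false

# Hold unknown files for the maximum window (10 s default + 50 s extension = 60 s)
# and make the cloud verdict stricter for files it has not seen before.
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50

# Re-read so the change is visible in the console.
Get-MpPreference | Select-Object CloudBlockLevel, CloudExtendedTimeout
```

The trade-off is latency: every first-seen executable or script (the VBS in the original post included) waits up to the full window for a cloud verdict before it is allowed to run, which is usually acceptable on workstations but worth checking on build servers that compile fresh binaries all day.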

The address won’t resolve at the moment, the IP is from Wowrack dot com in India, highly anonymous proxy service -
2/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: DSA RSA (Wowrack is a hybrid cloud infrastructure from Seattle).

Consider 10 out of 10 red here: https://toolbar.netcraft.com/site_report?url=103.241.169.204
Opens up to https://www.ups.com/us/en/global.page, but that is for another IP:
re: https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.ups.com%2Fus%2Fen%2Fglobal.page

Probably GoDaddy and Akamai abuse on a subdomain that is no longer theirs,
or being abused in a Microsoft Support scam, for instance. Some sort of UPS abuse is evident,
most likely shell login over SSH: → https://www.exploit-db.com/exploits/349/

PHISHING alerted 10 times during the last 30 days, see: https://checkphish.ai/ip/103.241.169.204
where whoiskim was seen 3 times: https://checkphish.ai/domain/whoiskim.com
Security checks for whoiskim.com:
Susceptible to man-in-the-middle attacks
Vulnerabilities can be uncovered more easily
Vulnerable to cross-site attacks
Emails can be fraudulently sent

polonus (volunteer website security analyst and website error-hunter)