Free Access
Blog

Phishing Attack Targeting Turkish Companies

This image is about a phishing attack targeting Turkish companies.

Phishing Attack Targeting Turkish Companies: Turkish companies have been targeted by a phishing campaign involving emails with malicious attachments disguised as RFQ files.

Phishing Attack

Phishing mail targeting Turkish companies has been detected.  Mail attachment contains an RFQ file. Normally, a request for quotation (RFQ) is a company’s document to request pricing and packaging information from a potential supplier. This RFQ-looking file is actually a RAR file. It contains a malicious EXE file that is simply a Keylogger and Stealer. Threatmon Malware Research Team accessed the hacker’s C2 server and retrieved the stolen data.

Phishing Attack Targeting Turkish Companies

Phishing Attack

FEATURES OF THE STEALER

  • Accesses sensitive information from local browsers
  • Found browser information locations related strings
  • Tries to steal browser-sensitive information -file access-
  • Tries to steal desktop applications information
  • Queries process information
  • Reads the active computer name
  • Reads the windows installation language
  • Tries to identify its external IP address by sending GET request to hxxps://checkip[.]dynds[.]org
  • Malware is from Snake Keylogger Family
  • Using Telegram as C2: hxxps://api[.]telegram[.]org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU
 

COMMUNICATING WITH THE C2 SERVER

The Stealer is using Telegram BOT API to communicate. We accessed the hacker’s C2 server and retrieved the stolen data. Here is an example:

COMMUNICATING WITH THE C2 SERVER

More posts

This image is about monthly vulnerabilities for September 2024.
Peek into Monthly Vulnerabilities: September 2024
October 9, 2024
This image is about the ServiceNow data leak.
ServiceNow Data Leak: Risks of Misconfigured Knowledge Bases
September 18, 2024
This image is about monthly vulnerabilities for July 2024.
Peek into Monthly Vulnerabilities: July 2024
August 12, 2024
This image is about Securing the Games- cyber strategies for the Paris Olympics 2024.
Securing the Games: Cyber Strategies for Paris Olympics 2024
August 9, 2024
Hunter’s Lens: Russian Influence Operations Targeting the Paris Olympics 2024
Hunter’s Lens: Russian Influence Operations Targeting the Paris Olympics 2024
August 2, 2024
View All
advanced divider

Share this article

Found it interesting? Don’t hesitate to share it to wow your friends or colleagues
advanced divider
Subscribe to our blog newsletter to follow the latest posts
Stay informed with the latest updates, expert insights, and in-depth analysis from ThreatMon’s cybersecurity intelligence. Subscribe to receive critical news, threat reports, and industry trends directly in your inbox, helping you stay ahead of emerging cyber threats.
Platform
Subscriptions
Solutions
Resources
Partner
Company

© 2025 ThreatMon. All rights reserved.

X-twitter Linkedin-in Github