Skip to main content
Blog

Phishing Hiding Under Google’s .app TLD Targets Northwest Radiology

By October 31, 2023No Comments

Varist recently observed a phishing attack targeting a user at Northwest Radiology. Northwest Radiology is quoted as being “…one of the largest physician-owned radiology groups in central Indiana providing specialized imaging services in all areas of radiology. For more than 50 years, the Northwest Radiology team has been providing high-quality, compassionate care to patients.” Healthcare organizations continue to be subjected to phishing, which often results in the loss of sensitive information or ransomware attacks.

As is common these days, the attack specifically targets the user’s Microsoft 365 account. Below is a screenshot of the fraudulent Microsoft Office Account login page which is hosted under the web.app domain, which tries to lure the user to input his/her password.

Fake Microsoft Office Account login page 

Fake Microsoft Office Account login page

This phishing page loads a JavaScript at hxxps://haeform.web.app/hae.js, which turn loads another malicious JavaScript at hxxps://haemosu.web.app/mosu/docs.js. This handles sending the user’s credentials using the Telegram app and also Deta Space as shown in the snapshot below.

App used:

hxxps://api.telegram.org/bot5841891222:AAHoK0QLA8EbC9YbtlKPbeyTupz4UMW3G78/sendMessage
hxxps://api.telegram.org/bot6018146641:AAEsrmnQB9GTRfKyRzF9HFpesGMZUaahRM/sendMessage

Information sent:

{“un”: “@northwestradiology.com”, “pw1”: “”, “correct”: “Maybe”, “IP”: “”, “whr”: “Hae Mosu”}

App used:

hxxps://idangangan-1-s6393796.deta.app/idan

Information sent:

{“u”: “@northwestradiology.com”, “p”: “”}

Loading of Malicious Javascript Hiding in the Web.App


Sending of Information to Telegram App


Sending of Information to Deta Space

Indicators of Compromise

File name/URL SHA256/Description Varist Detection
df96cbe8d8ae1fd072c2f18bf237ff91600284df919c12a493d31f73d0230db9 JS/Phish.AOA
hxxps://haeform.web.app/hae.js 253e764537327be06a6cdae31fe467f37786630cb88f05db40f06b014e0fa81b JS/Phish.AOC
hxxps://haemosu.web.app/mosu/docs.js 80994cd11d36ff815dabb69f281b7aeae47fdb276d1184db08b8b08e719d86b5 JS/Phish.AOD
December 1, 2023 in Blog

A Duck’s Trail

The Footprint We came across what seems to be a builder as the filename LnkBotBuilder_v4.zip implies. We also assume that it is already on version 4 via the string "v4".…
Read More
November 29, 2023 in Blog

The Duck Who Sneaked Through Feeds

Malicious Facebook Ads Malvertisements are one of many infection vectors that threat actors use. It gives them an advantage to pique the interest of unsuspecting users to fall victim to…
Read More
November 22, 2023 in Blog

Capcut’s Copycat Installs Trojan Stealer

While digging through a malicious document which I was working on earlier this week (SHA256: 1024f399ddef...8151c566), I took interest in a URL flagged as malicious by Varist Hybrid Analyzer as…
Read More

Tags: