Sponsored by..

Thursday, 6 August 2015

Malware spam: "Voice message from 07773403290" / ""tel: 07773403290" [non-mail-user@voiplicity.co.uk]"

This fake voicemail spam comes with a malicious attachment:

From     "tel: 07773403290" [non-mail-user@voiplicity.co.uk]
Date     Thu, 06 Aug 2015 11:54:43 +0300
Subject     RE: Voice message from 07773403290
I was not able to determine if there was any body text from my sample collector, however each sample had an identical attachment message_01983527496.wav.zip which contains a malicious executable message_01983527496.exe. This has a VirusTotal detection rate of 5/55 and automated analysis tools [1] [2] show it POSTing to:

wedspa.su/go/gate.php

This is hosted on a RU-Center IP address of 185.26.113.229 in Russia. Furthmore, a malicious executable is downloaded from the following locations:

globalconspiracy.hj.cx/1.exe
mastiksoul.org/1.exe


In turn, this has a detection rate of 2/55 and automated analysis of this [1] [2] show that it phones home to 212.47.196.149 (Web Hosting Solutions, Estonia).

The payload is unclear at this point, but you can guarantee that it will be nothing good.

Recommended blocklist:
185.26.113.229
212.47.196.149

MD5s:
da575b916f419b9e8bfea12168fa9902
f3ede4ebcd4b6debf15646a3d1a8bbd1






1 comment:

George Smith said...

Literally got this email today