Sponsored by..

Tuesday, 24 November 2015

Malware spam: Serafini_Billing_Statement 2003 / Statement.zip leads to Cryptowall

This fake financial spam leads to ransomware:
From:    Scrimpsher [mumao82462308wd@163.com]
Date:    24 November 2015 at 16:57
Subject:    Serafini_Billing_Statement 2003
Signed by:    163.com

Hi Please see attached a copy of your statement for the month of Nov 2015
Sincerely
Lynda Ang
As with many recent ransomware attacks, this appears to have been sent through webmail (it really is from 163.com, it is not being spoofed). Attached is a file Statement.zip which contains a malicious javascript statement.js [pastebin] [VT 7/53]  which then downloads a component from:

46.30.45.73/mert.exe

That IP belongs to Eurobyte LLC in Russia. I recommend that you block it.

This is saved as %TEMP%\122487254.exe and it has a VirusTotal detection rate of 5/55 and an MD5 of 68940329224ab93ce4b688df33a9274f. The application's icon and metadata is designed to make it look like a copy of VNC, but instead the VirusTotal detection indicates that it is Cryptowall. This Hybrid Analysis report demonstrates the ransomware in action most clearly.




One unusual characteristic is that it POSTs to a lot of webservers (also listed in these reports [1] [2] [3]) although I don't know how significant it is. Almost all the domain names being with "A":

81moxing.com
acid909.co.uk
alaska-ushuaia-ecotrip.cashew.fr
alettewinckler.com
allaboutt.co.nz
allegrostudio.ca
allergitejp.se
allsystemsrepair.com
allwinmusic.com
a-louise.com
alper.ro
alsaauto.com
alterweb.com.ua
amirhosseinnouri.com
anellovaffa.it
apinside.it
applemuseum.us
appmedia.se
arcgraphics.co.uk
armekonomi.se
armenia.e5p.eu
aroapulsa.com
aromasupply.nl
arot.altervista.org
asc-architect.com
a-s-g.fr
asiatiquegay.fr
atlanticinsulationservices.co.uk
audicarti.com
autohes.cz
autooutfitters.biz
autoservice-piehler.de
aviatorek.pl
b-52mebli.com.ua


2 comments:

Matthew Ulm said...

a bunch of listings to TurboVNC when i run strings against that binary.

TurboVNC Viewer v1.2.2 (20141030)
Copyright
1999-2014 The VirtualGL Project and many others (see README.txt)
Visit http://www.TurboVNC.org for more information on TurboVNC

Lorenzo Amos said...

You can also remove cryptowall from your computer using .dll library file.
I had such problem in this way.Just download file from http://removalbits.com/how-to-remove-cryptowall-ransomware-virus-from-your-computer/ and follow the instruction. Don't worry it's proven website. I use it by my own very often. Good luck.