
Wednesday 2 December 2015

Malware spam: "Invoice from PASSION BEAUTY SUPPLY LTD" leads to Teslacrypt

Following on from this earlier spam run, this email has a malicious attachment that loads Teslacrypt ransomware.

From:    Monique Chen [ChenMonique412@magicleafstudio.com]
Date:    2 December 2015 at 19:22
Subject:    Invoice from PASSION BEAUTY SUPPLY LTD

Dear Customer ,

Please review the attached copy of your Invoice (number: IN78350434) for an amount of $470.49.


Thank you for your business
The attachment is named invoice_copy_78350434.zip and it contains a malicious script, invoice_copy_BD2E45I62A129S.js, which has a VirusTotal detection rate of 2/55. The script is obfuscated (see example), but according to these analyses [1] [2] it downloads a malicious executable from:

74.117.183.84/76.exe?1

This has a detection rate of 3/55. The hosts it contacts are the same as for the earlier spam run and I recommend you block them.
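One way a mail gateway could catch this delivery pattern (a ZIP attachment that carries a script file) is sketched below. This is an added example, not code from the original post; the extension list, the function names and the constructed sample message (harmless placeholder content, placeholder addresses) are assumptions.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Script types that Windows Script Host runs on double-click (assumed blocklist).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

def script_members(zip_bytes):
    """Return names of script files inside a ZIP archive given as bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []  # not a readable ZIP; leave it to other filters

def flag_message(raw_bytes):
    """Return (attachment, member) pairs for scripts found in ZIP attachments."""
    msg = message_from_bytes(raw_bytes)
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        hits.extend((name, member) for member in script_members(payload))
    return hits

def build_sample():
    """Constructed test message: file names from the post, harmless content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_copy_BD2E45I62A129S.js", "// placeholder, not malware\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice from PASSION BEAUTY SUPPLY LTD"
    msg["From"] = "sender@example.com"      # placeholder address
    msg["To"] = "recipient@example.com"     # placeholder address
    msg.set_content("Please review the attached copy of your Invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_copy_78350434.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for attachment, member in flag_message(build_sample()):
        print(f"BLOCK: {attachment} contains script {member}")
```

The check keys on the attachment structure rather than the subject line or sender, so it also covers runs that reuse the same packaging under different invoice wording.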

1 comment:

Anonymous said...

Just to let you know, there have been 2 additional phishing campaigns related to this. Please see the following:

https://malwr.com/analysis/YzBiNmFmOTIzMmFmNDA4NzllZmRhOTVlYTk3ODFhM2I/
https://malwr.com/analysis/ZDBiYmNjZjBjNjlmNGUxZTkzOTY3ZGY5ZDU4ZTM5Njc/

The subject lines of the messages delivering the JS dropper are:

Invoice #CS-44368788
Invoice from CimQuest INGEAR NEW INVOICE

Please get in touch with me if you'd like further details on these threats discovered today. Your previous posts on Teslacrypt were extremely helpful to me.