From: Monique Chen [ChenMonique412@magicleafstudio.com]
Date: 2 December 2015 at 19:22
Subject: Invoice from PASSION BEAUTY SUPPLY LTD

Dear Customer ,
Please review the attached copy of your Invoice (number: IN78350434) for an amount of $470.49.
Thank you for your business

The attachment is named invoice_copy_78350434.zip and it contains a malicious script invoice_copy_BD2E45I62A129S.js which has a VirusTotal detection rate of 2/55. The script is obfuscated (see example) but according to these analyses [1] [2] downloads a malicious executable from:

74.117.183.84/76.exe?1

This has a detection rate of 3/55. The hosts contacted are the same as for the earlier spam run and I recommend you block them.
1 comment:
Just to let you know, there have been 2 additional phishing campaigns related to this. Please see the following:
https://malwr.com/analysis/YzBiNmFmOTIzMmFmNDA4NzllZmRhOTVlYTk3ODFhM2I/
https://malwr.com/analysis/ZDBiYmNjZjBjNjlmNGUxZTkzOTY3ZGY5ZDU4ZTM5Njc/
The subject lines of the messages delivering the JS dropper are:
Invoice #CS-44368788
Invoice from CimQuest INGEAR NEW INVOICE
Please get in touch with me if you'd like further details on these threats discovered today. Your previous posts on Teslacrypt were extremely helpful to me.