
Wednesday, 24 February 2016

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment. It appears to come from within the victim's own domain, but this is a malicious forgery.
From:    admin [southlands71@victimdomain.tld]
Date:    24 February 2016 at 15:25
Subject:    Scanned image

Image data in PDF format has been attached to this email.

I have only seen a single sample with an attachment 24-02-2016-00190459.zip containing a malicious script [pastebin] which in this case downloads a binary from:

kartonstandambalaj.com.tr/system/logs/87h754

My sources say that other versions download from:

demo2.master-pro.biz/plugins/ratings/87h754
baromedical.hu/media/87h754
bitmeyenkartusistanbul.com/system/logs/87h754/
zaza-kyjov.cz/system/cache/87h754

As this Hybrid Analysis shows, the payload is the Locky ransomware. The dropped binary has a detection rate of just 3/55.

Those reports show the malware phoning home to:

5.34.183.136 (ITL, Ukraine)

I strongly recommend that you block traffic to that IP.
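As an added example (not part of the original post), here is a small Python scanner that runs the indicators listed above over proxy log lines. The log layout (unix time, client address, method, URL), the client addresses and the request paths on the callback line are constructed for the example; it also goes one step beyond the post's list by flagging the shared "87h754" path component on any host.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post: the download hosts, the "87h754" path component
# they all share, and the Locky callback IP. Alert/block on these; never fetch them.
DOWNLOAD_HOSTS = {
    "kartonstandambalaj.com.tr", "demo2.master-pro.biz", "baromedical.hu",
    "bitmeyenkartusistanbul.com", "zaza-kyjov.cz",
}
PAYLOAD_PATH_TOKEN = "87h754"
C2_IPS = {"5.34.183.136"}

# Constructed proxy log lines (assumed squid-like layout: unix time, client,
# method, URL). Two are benign, three touch indicators from the post.
SAMPLE_LOG = """\
1456327500.123 10.0.0.12 GET http://www.example.org/index.html
1456327510.456 10.0.0.12 GET http://kartonstandambalaj.com.tr/system/logs/87h754
1456327520.789 10.0.0.23 GET http://demo2.master-pro.biz/plugins/ratings/87h754
1456327530.000 10.0.0.23 POST http://5.34.183.136/main.php
1456327540.000 10.0.0.44 GET http://intranet.example.org/system/logs/readme
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def classify_url(url):
    """Return the indicator names a URL matches, or [] if it is clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_IPS:
        reasons.append("locky-c2")
    if host in DOWNLOAD_HOSTS:
        reasons.append("known-download-host")
    # Generalisation beyond the post's list: every download URL there ends in
    # the same token, so flag it on any host in case a new one is stood up.
    if PAYLOAD_PATH_TOKEN in parts.path.split("/"):
        reasons.append("payload-path-token")
    return reasons


def scan_log(text):
    """Return (client, url, reasons) for each log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            reasons = classify_url(m.group("url"))
            if reasons:
                hits.append((m.group("client"), m.group("url"), reasons))
    return hits
```

Feed it your real proxy or firewall export after adjusting LINE_RE to the actual column order; a hit on the callback IP indicates a host that has already run the payload, not just one that clicked the link.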

3 comments:

KOX said...

Me too.
Received at 0.11 GMT, location Denmark.
Sender: southlands471.@
Opened on a MAC.
Content: JavaScript + more?
Not executed - no harm found.
Sincerely
KOX

Dmitry Deineka said...

VDS 5.34.183.136 was disabled on 2016-02-25 by ITL's support.

Jake Wade said...

Just got this myself in Florida, from a lands60@earthlink.net. Opened on a PC. No damage apparent.