Sponsored by..

Monday 29 February 2016

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment:
From:    admin [ands21@victimdomain.tld]
Date:    29 February 2016 at 19:05
Subject:    Scanned image

Image data in PDF format has been attached to this email.
The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js  I have seen three different versions of the attached scripts with detection rates of around 1/55 [1] [2] [3]. The Malwr reports for those [4] [5] [6] show download locations at:

www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe
svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe [404]
mansolution.in.th/system/logs/7ygvtyvb7niim.exe

This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at:

51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
185.14.29.188 (ITL aka UA Servers, Ukraine)


Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, howerver I recommend that you block all traffic to:

51.254.19.227
185.14.29.188




1 comment:

Danik said...

Nice catch!
Have you seen the preventive method to stop Locky provided by Minerva Labs?
http://goo.gl/Y4QHa6