From credit control [email@example.com]Attached is a file with a semirandomly name, e.g. RG026052317614-SIG.zip which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).
Date Fri, 19 Feb 2016 17:52:49 +0200
Subject Unpaid Invoice #350
Please see attached letter and a copy of the original invoice.
Third party analysis (thank you) indicates that this then phones home to the following locations:
18.104.22.168/main.php (OVH, France)
22.214.171.124/main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
126.96.36.199/main.php (Virty.io, Russia)
The payload is the Locky ransomware.