From credit control [firstname.lastname@example.org]Attached is a file with a semirandomly name, e.g. RG026052317614-SIG.zip which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).
Date Fri, 19 Feb 2016 17:52:49 +0200
Subject Unpaid Invoice #350
Please see attached letter and a copy of the original invoice.
Third party analysis (thank you) indicates that this then phones home to the following locations:
126.96.36.199/main.php (OVH, France)
188.8.131.52/main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
184.108.40.206/main.php (Virty.io, Russia)
The payload is the Locky ransomware.