From: Caitlin VelezSo far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero.
Date: 1 March 2016 at 11:50
Subject: March Invoice
Attached is the November invoice.
Balkan Dream Properties
This Malwr report shows that it is the Locky ransomware, download a binary from:
This is hosted on a bad webserver at..
18.104.22.168 (Mediasoft ekspert, Russia)
..and it then phones home to..
22.214.171.124 (ITL / UA Servers, Ukraine)
There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..
126.96.36.199 (Petersburg Internet Network ltd., Russia)
188.8.131.52 (Dmitrii Podelko, Russia / OVH, France)
184.108.40.206 (FLP Kochenov Aleksej Vladislavovich, Ukraine)