Sponsored by..

Tuesday, 1 March 2016

Malware spam: "March Invoice" / "Balkan Dream Properties"

This fake financial spam can't make up its mind which month it is for.

From:    Caitlin Velez
Date:    1 March 2016 at 11:50
Subject:    March Invoice


Attached is the November invoice.


Caitlin Velez
Customer Service
Balkan Dream Properties
So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero.

This Malwr report shows that it is the Locky ransomware, download a binary from:


This is hosted on a bad webserver at.. (Mediasoft ekspert, Russia)

..and it then phones home to.. (ITL / UA Servers, Ukraine)

There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway.. (Petersburg Internet Network ltd., Russia) (Dmitrii Podelko, Russia / OVH, France) (FLP Kochenov Aleksej Vladislavovich, Ukraine)

Recommeded blocklist:

No comments: