Sponsored by..

Friday 29 April 2016

Malware spam: "Second Reminder - Unpaid Invoice"

This fake financial spam leads to malware:

From:    Janis Faulkner [FaulknerJanis8359@ono.com]
Date:    29 April 2016 at 11:13
Subject:    Second Reminder - Unpaid Invoice

 We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
For details please check invoice attached to this mail

Regards,

Janis Faulkner
Chief Executive Officer - Food Packaging Company 

Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.


The scripts I have seen download slightly different binaries from the following locations:

cafeaparis.eu/f7yhsad
amatic.in/hdy3ss
zona-sezona.com.ua/hj1lsp
avcilarinpazari.com/u7udssd


VirusTotal detection rates are in the range of 8/56 to 10/56 [1] [2] [3] [4]. In addition to those reports, various automated analyses [5] [6] [7] [8] [9] show that this is Locky ransomware phoning home to:

91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
83.217.8.155 (Park-web Ltd, Russia)
31.41.44.246 (Relink Ltd, Russia)
89.108.84.155 (Agava Ltd, Russia)
51.254.240.60 (Relink, Russia / OVH, France)


I strongly recommend that you block traffic to:

91.234.32.19
83.217.8.155
31.41.44.246
89.108.84.155
51.254.240.60




1 comment:

DK said...

http://0039.in/b6dgs
http://argoshop-spb.ru/n7dhsj
http://avcilarinpazari.com/u7udssd
http://gspace.com.ua/y7ydha
http://listelo.com.br/b7vjdf
http://memetti.com/eo0woq
http://monpaniercadeau.com/o3ujsa
http://naninterfresh.com/t6etsa
http://sanabizzcollection.com/c7ujds
http://sugarhouse928.com.my/b5sdd
http://theplantgrower.com/oie7wu
http://wicharygifts.pl/p0woq
http://zona-sezona.com.ua/hj1lsp