From: Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br]
Date: 27 April 2016 at 12:23
Subject: Price list
Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.
The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.
Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations:
aaacollectionsjewelry.com/ur8fgs
adamauto.nl/gdh46ss
directenergy.tv/l2isd
games-k.ru/n8eis
jurang.tk/n2ysk
lbbc.pt/n8wisd
l-dsk.com/k3isfa
mavrinscorporation.ru/hd7fs
myehelpers.com/j3ykf
onlinecrockpotrecipes.com/k2tspa
pediatriayvacunas.com/q0wps
soccerinsider.net/mys3ks
warcraft-lich-king.ru/i4ospd
haraccountants.co.uk/k9sjf
This downloads Locky ransomware. The executable then phones home to the following servers:
176.114.3.173 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
139.59.166.196 (Digital Ocean, Singapore)
107.170.20.33 (Digital Ocean, US)
146.185.155.126 (Digital Ocean, Netherlands)
Recommended blocklist:
176.114.3.173
139.59.166.196
107.170.20.33
146.185.155.126
No comments:
Post a Comment