
Thursday 28 April 2016

Minimalist spam leads to Locky ransomware

There is currently a very minimalist spam run leading to Locky ransomware, for example:

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    28 April 2016 at 11:21
Subject:    Scan436
The From: address is forged to match the recipient, so the spam appears to come from the victim's own email address. There is no body text, but attached is a ZIP file with a name matching the subject, e.g.:

file238.zip
file164.zip
file84.zip
Document4.zip
Doc457.zip
Scan1.zip
Doc5.zip
file394.zip
Scan436.zip

Inside is a semi-randomly named script that downloads malware. Download locations I have seen so far are:

nailahafeez.goldendream.info/8778h4g
kfourytrading.com/8778h4g
kasliknursery.com/8778h4g
allied.link/8778h4g
xtrategiamx.com/8778h4g
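
The delivery chain above (self-addressed message, empty body, ZIP named after the subject, script inside the ZIP) can be turned into a mail-gateway triage rule. The following is an added example, not code from the original post: it builds two constructed messages, one mimicking the spam run and one benign, and checks each for the listed traits. The script extension list and the placeholder file contents are assumptions for the example; the "malicious" ZIP holds a one-line comment, not the real downloader.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Script types commonly shipped inside such ZIPs (assumption for this example).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def _make_zip(inner_name, inner_content):
    """Build an in-memory ZIP holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_content)
    return buf.getvalue()


def build_sample_message():
    """Constructed message mimicking the spam run: self-addressed, no body,
    Scan436.zip holding a semi-randomly named script (placeholder, not malware)."""
    msg = EmailMessage()
    msg["From"] = "victim@victimdomain.tld"
    msg["To"] = "victim@victimdomain.tld"
    msg["Subject"] = "Scan436"
    msg.add_attachment(_make_zip("Scan436_kq81.js", "// placeholder\n"),
                       maintype="application", subtype="zip",
                       filename="Scan436.zip")
    return msg.as_bytes()


def build_benign_message():
    """Constructed legitimate-looking message for contrast."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@victimdomain.tld"
    msg["Subject"] = "Q2 figures"
    msg.set_content("Attached as discussed.\n")
    msg.add_attachment(_make_zip("figures.pdf", "%PDF-1.4 placeholder\n"),
                       maintype="application", subtype="zip",
                       filename="figures.zip")
    return msg.as_bytes()


def triage_message(raw):
    """Check one raw RFC 822 message for the traits of the Locky spam run."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip().lower()

    # get_body() returns None when the message carries no text part at all.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""

    zip_stems = []
    scripts = []
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext(part.get_filename() or "")
        if ext.lower() != ".zip":
            continue
        zip_stems.append(stem.lower())
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                scripts.extend(n for n in zf.namelist()
                               if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS)
        except zipfile.BadZipFile:
            continue  # corrupt or non-ZIP data: no script found, no crash

    traits = {
        "self_addressed": bool(sender) and sender == recipient,
        "empty_body": body_text == "",
        "zip_named_after_subject": subject in zip_stems,
        "script_in_zip": bool(scripts),
    }
    # Quarantine only when every trait of the run is present, to keep
    # ordinary self-sent "scan to email" messages from being caught.
    traits["quarantine"] = all(traits.values())
    traits["scripts"] = scripts
    return traits


if __name__ == "__main__":
    for label, raw in (("spam", build_sample_message()),
                       ("benign", build_benign_message())):
        print(label, triage_message(raw))
```

Requiring all four traits together is deliberate: any one of them on its own (a self-addressed message, an empty body) is common in legitimate mail, but the combination with a script-bearing ZIP named after the subject is not.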


The downloaded executable is Locky ransomware and has a VirusTotal detection rate of 2/56. The Hybrid Analysis report shows Locky quite clearly, and the DeepViz report shows it phoning home to:

51.254.240.60 (Relink LLC, Russia / OVH, France)
31.41.44.246 (Relink LLC, Russia)
83.217.26.168 (Firstbyte, Russia)


Recommended blocklist:
31.41.44.246
51.254.240.60
83.217.26.168
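
To put the indicators above to work, here is an added example (not code from the original post) that runs them over a constructed proxy log. It flags three things: traffic to the C2 addresses in the blocklist, requests to the download hosts listed earlier, and, as a generalisation of that list, a request for the path /8778h4g on any host, since every download location on the page uses that same path. It then separates clients that reached the C2 (the payload ran) from clients that only touched the downloader. The log lines, client addresses and the destination IPs of the download hosts are all constructed for the example.

```python
from urllib.parse import urlparse

# Indicators taken from the post: download sites, their shared URI path, C2 IPs.
DOWNLOAD_HOSTS = {
    "nailahafeez.goldendream.info", "kfourytrading.com", "kasliknursery.com",
    "allied.link", "xtrategiamx.com",
}
DOWNLOAD_PATH = "/8778h4g"          # identical on every download site listed
C2_IPS = {"31.41.44.246", "51.254.240.60", "83.217.26.168"}

# Constructed proxy log: timestamp client dest-ip method url status.
# Destination IPs for web hosts are TEST-NET placeholders, not real addresses.
SAMPLE_LOG = """\
2016-04-28T11:22:40 10.0.0.15 198.51.100.7 GET http://kfourytrading.com/8778h4g 200
2016-04-28T11:22:41 10.0.0.22 198.51.100.9 GET http://www.example.com/index.html 200
2016-04-28T11:23:05 10.0.0.15 51.254.240.60 POST http://51.254.240.60/ 200
2016-04-28T11:25:12 10.0.0.31 203.0.113.4 GET http://compromised.example/8778h4g 404
2016-04-28T11:26:00 10.0.0.22 203.0.113.8 GET http://example.org/downloads/report.zip 200
"""


def classify(dest_ip, url):
    """Return why a request matches the Locky indicators, or None if it does not."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if dest_ip in C2_IPS or host in C2_IPS:
        return "locky C2 address"
    if host in DOWNLOAD_HOSTS:
        return "known Locky download host"
    if parsed.path == DOWNLOAD_PATH:
        # Same path, host not in the list: likely another compromised site.
        return "Locky download path on unlisted host"
    return None


def scan_log(text):
    """Return one dict per matching log line."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, client, dest_ip, method, url, status = line.split()
        except ValueError:
            continue  # malformed line: skip rather than abort the scan
        reason = classify(dest_ip, url)
        if reason:
            hits.append({"time": ts, "client": client, "dest_ip": dest_ip,
                         "url": url, "reason": reason})
    return hits


def infected_clients(hits):
    """Split clients into those that reached the C2 (payload executed) and
    those that only contacted a download location (script ran or was blocked)."""
    ran = {h["client"] for h in hits if h["reason"] == "locky C2 address"}
    fetched = {h["client"] for h in hits} - ran
    return ran, fetched


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["client"], h["url"], "->", h["reason"])
    ran, fetched = infected_clients(found)
    print("isolate (C2 contact):", sorted(ran))
    print("check (downloader only):", sorted(fetched))
```

The path-only rule is the noisiest of the three and is there to catch download sites that were not yet on the list when the blocklist was written; a 404 on that path, as in the fourth sample line, still means the script ran on the client and is worth a look.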
1 comment:

DK said...

http://allieddiesel.com/8778h4g
http://allied.link/8778h4g
http://citycollection.com.tr/8778h4g
http://doumafestival.org/8778h4g
http://flatfashion.com/8778h4g
http://grafit.com.tr/8778h4g
http://honafelastin.com/8778h4g
http://managett.com/8778h4g
http://mc2academy.com/8778h4g
http://mountadabaabda.org/8778h4g
http://nailahafeez.goldendream.info/8778h4g
http://safetytravellb.com/8778h4g
http://www.grafit.com.tr/8778h4g
http://www.yedasenerjitakimi.com/8778h4g
http://xtrategiamx.com/8778h4g