Sponsored by..

Tuesday, 10 May 2016

Malware spam: "As promised, the document you requested is attached" leads to Locky

This fairly brief spam has a malicious attachment:

From:    Alexandra Nunez
Date:    10 May 2016 at 21:10
Subject:    Re:

hi [redacted],

As promised, the document you requested is attached


Alexandra Nunez
The name of the sender varies. Attached is a ZIP file with a name export_xls_nnn.zip or wire_xls_nnn.zip (where nnn are random letters and numbers) which contains multiple copies of the same malicious .js file (all apparently beginning urgent). These scripts download slightly different binaries from several locations including:


There are probably many more download locations.

The typical detection rate for these binariesis about 12/56 [1] [2] [3] [4] [5] and automated analysis [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] shows network traffic to: (ITL, Ukraine) (Host Sailor, United Arab Emirates / Romania) (ITL, Netherlands) (OVH, France) (Overoptic Systems, UK / Russia)

The payload is Locky ransomware

Recommended blocklist:

No comments: