Tuesday 3 May 2016

Malware spam: "Third Reminder - Outstanding Account" leads to Locky

This fake financial spam has a malicious attachment. It comes from random senders. Last week a fake "Second Reminder" spam was sent out.

From:    Ernestine Perkins
Date:    3 May 2016 at 08:54
Subject:    Third Reminder - Outstanding Account

Dear Client,

We have recently sent you a number of letters to remind you that the balance of $9308.48 was overdue.
For details please check document attached to this mail


We ask again that if you have any queries or are not able to make full payment immediately, please contact us.


Regards,

Ernestine Perkins
Franchise - Sales Manager / Director - Business Co 

Attached is a ZIP file which, in the samples I have seen, has a name beginning with Scan_ or Document_; each archive contains the same script plus four identical copies of it, e.g.:

48524088_48524088 - copy (2).js
48524088_48524088 - copy (3).js
48524088_48524088 - copy (4).js
48524088_48524088 - copy.js
48524088_48524088.js
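The archive layout described above (one script stored under several "copy" names) is something a mail gateway can check for without running anything. The following is an added example, not code from this post: it opens a ZIP in memory, flags members with script extensions, groups members whose bytes are identical by SHA-256, and returns a verdict. The archive name pattern, the extension list, the member names and the placeholder script body are constructed for the example; the body is not the real downloader.

```python
import hashlib
import io
import os
import re
import zipfile

# Extensions that Windows runs as a script when double-clicked; a gateway
# should treat any of these inside an archive as executable content.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# Archive names quoted in the post begin with Scan_ or Document_.
ARCHIVE_NAME_PATTERN = re.compile(r"^(Scan|Document)_", re.IGNORECASE)


def triage_zip(archive_name, data):
    """Inspect a ZIP attachment without executing anything it contains.

    Returns a dict listing every member, the members with a script extension,
    groups of members whose bytes are identical (compared by SHA-256), and a
    verdict: 'allow', 'quarantine' (a script inside) or 'block' (a script
    inside AND several identical copies of it, the pattern described above).
    """
    result = {
        "archive_name": archive_name,
        "name_pattern_match": bool(ARCHIVE_NAME_PATTERN.match(archive_name)),
        "members": [],
        "script_members": [],
        "duplicate_groups": [],
        "verdict": "allow",
    }
    members_by_hash = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result["members"].append(info.filename)
            if os.path.splitext(info.filename)[1].lower() in SCRIPT_EXTENSIONS:
                result["script_members"].append(info.filename)
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            members_by_hash.setdefault(digest, []).append(info.filename)
    result["duplicate_groups"] = [
        names for names in members_by_hash.values() if len(names) > 1
    ]
    if result["script_members"]:
        duplicated_scripts = any(
            set(group) & set(result["script_members"])
            for group in result["duplicate_groups"]
        )
        result["verdict"] = "block" if duplicated_scripts else "quarantine"
    return result


def build_archive(member_names, body):
    """Build an in-memory ZIP that stores `body` under each of `member_names`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in member_names:
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: a harmless placeholder body stored five times under the
# member names quoted in the post. This is NOT the real downloader script.
SAMPLE_MEMBER_NAMES = [
    "48524088_48524088.js",
    "48524088_48524088 - copy.js",
    "48524088_48524088 - copy (2).js",
    "48524088_48524088 - copy (3).js",
    "48524088_48524088 - copy (4).js",
]
SAMPLE_ARCHIVE = build_archive(SAMPLE_MEMBER_NAMES, b"// placeholder body\n")

if __name__ == "__main__":
    report = triage_zip("Scan_48524088.zip", SAMPLE_ARCHIVE)
    print(report["verdict"], report["script_members"], report["duplicate_groups"])
```

Hashing member contents rather than trusting names is the point: the duplicated-copy pattern survives renaming, and a single script still earns quarantine on its own. Members are read fully in memory, so a real gateway should also cap archive and member sizes before calling this.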


Typical detection rates for the scripts seem to be about 3/56. The samples I have seen download a malicious binary from one of the following locations (there are probably more):

digigoweb.in/k3lxe
rfacine.com.br/z0odld
boontur.com/b2hskde


These binaries are all slightly different, with detection rates of 4 to 6 out of 56 [1] [2] [3]. Various automated analyses [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] show that this is Locky ransomware, and it phones home to:

31.184.197.126 (Petersburg Internet Network, Russia)
78.47.110.82 (Hetzner, Germany)
91.226.93.113 (Sobis, Russia)
91.219.29.64 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)


Recommended blocklist:
31.184.197.126
78.47.110.82
91.226.93.113
91.219.29.64
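The download locations and the recommended blocklist above are most useful when run against existing proxy or firewall logs to find hosts that already fetched the payload or are phoning home. This is an added example, not code from the post: it parses an assumed, simplified log layout (timestamp, client IP, destination IP, method, URL; not any real product's format) and reports hits against the indicators the post lists. The sample log lines are constructed, with documentation-range addresses standing in for ordinary traffic.

```python
import re
from urllib.parse import urlsplit

# Phone-home addresses listed in the post (the recommended blocklist).
PHONE_HOME_IPS = {
    "31.184.197.126",
    "78.47.110.82",
    "91.226.93.113",
    "91.219.29.64",
}

# Payload download locations listed in the post, as host/path.
DOWNLOAD_URLS = {
    "digigoweb.in/k3lxe",
    "rfacine.com.br/z0odld",
    "boontur.com/b2hskde",
}
DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in DOWNLOAD_URLS}

# Assumed log layout for this example (not a real product's format):
# <timestamp> <client ip> <destination ip> <method> <url>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def host_and_path(url):
    """Return (host, 'host/path') for a URL with the host lower-cased, so it
    can be compared with the host/path form used in the post."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return host, host + parts.path


def scan_log(lines):
    """Match each log line against the indicators above.

    Returns one hit per matching indicator class, in log order:
      download_url  - exact host/path from the download list
      download_host - same host, different path (compromised sites serve the
                      payload under specific paths, so this is worth review
                      rather than an automatic verdict)
      phone_home_ip - destination address on the recommended blocklist
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        host, hp = host_and_path(m["url"])
        base = {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "url": m["url"]}
        if hp in DOWNLOAD_URLS:
            hits.append(dict(base, kind="download_url"))
        elif host in DOWNLOAD_HOSTS:
            hits.append(dict(base, kind="download_host"))
        if m["dst"] in PHONE_HOME_IPS:
            hits.append(dict(base, kind="phone_home_ip"))
    return hits


# Constructed sample log. Destinations in 203.0.113.0/24 are documentation-range
# addresses standing in for ordinary web traffic.
CONSTRUCTED_LOG = """\
2016-05-03T09:01:12Z 10.0.0.5 203.0.113.10 GET http://www.example.org/index.html
2016-05-03T09:02:40Z 10.0.0.5 203.0.113.20 GET http://digigoweb.in/k3lxe
2016-05-03T09:03:05Z 10.0.0.5 31.184.197.126 POST http://31.184.197.126/
2016-05-03T09:04:33Z 10.0.0.7 203.0.113.30 GET http://boontur.com/index.php
garbage line that does not parse
"""

if __name__ == "__main__":
    for hit in scan_log(CONSTRUCTED_LOG.splitlines()):
        print(hit["kind"], hit["src"], hit["dst"], hit["url"])
```

A client that appears with a download_url hit followed by a phone_home_ip hit (10.0.0.5 in the sample) is the one to isolate first; a download_host hit alone only says the client visited a site that was serving the payload from some path, which is a lead for review rather than a verdict.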

2 comments:

DK said...

And here comes the bad URL list :-)

http://arbsenterprise.com/oe3nsd
http://arcollection.xyz/w04klsa
http://atlasmedical.ir/hywiejs7jf
http://badu.sk/a8uske
http://balajimobile.pt/qs8idk
http://bimglobalstore.com/x9ike
http://bottleskart.com/j4kls
http://brandsoutlet.ir/u7ejds
http://caston.com.sg/b7rtye
http://deeming.in/k8eusjw
http://digigoweb.in/k3lxe
http://happymarket.in/g4klsa
http://jnatal.com.br/h7dja
http://meilab.co/n4ujq
http://notregrossiste.be/b2isa
http://prestigieuse.fr/f8iekw
http://rematedemaquinaria.com.mx/j7uds
http://starkowloon.com/m1kdls
http://theartcabal.com/q9low
http://transarts.com.br/i9ekq
http://westtec.us/e7urj

DK said...

And more:

http://boontur.com/b2hskde
http://bridalsarees.co.in/p6dhq
http://dreamsmarketing.in/v67jsw
http://dumoen.pl/e9iskd
http://rfacine.com.br/z0odld
http://sweetrevolution.es/dk0lsw