Sponsored by..

Wednesday 25 May 2016

Malware spam: "Weekly report" / "Please find attached the Weekly report."

This fake financial spam comes from random senders and companies and has a malicious attachment:

From:    Alicia Ramirez
Date:    25 May 2016 at 14:22
Subject:    Weekly report

Hi [redacted],


Please find attached the Weekly report.


King regards,

Alicia Ramirez
Castle (A.M.) & Co.
There are a large number of these, with a ZIP file attached containing a malicious scripts with a typical detection rate of 3/56. In this sample Malwr analysis, it downloads a file from:

test.glafuri.net/yxk6s

There will certainly be a LOT of other download locations. The dropped file GSKQtcnNu8MS.exe has a detection rate of 4/55 and that same VirusTotal report indicates C2 traffic to:

138.201.93.46 (Hetzner, Germany)
91.200.14.139 (PP SKS-LUGAN, Ukraine)
104.131.182.103 (Digital Ocean, US)
164.132.40.47 (OVH, France)


Even though other automated analysis failed [1] [2] this time we have previously identified two of those IPs as being Locky ransomware, so there is little doubt that this will be more of the same.

Recommended blocklist:
138.201.93.46
91.200.14.139
104.131.182.103
164.132.40.47

No comments: