
Wednesday, 22 June 2016

Malware spam: "Corresponding Invoice" leads to Locky

This spam has a malicious attachment, probably leading to Locky ransomware:

From:    Althea Duke
Date:    22 June 2016 at 16:00
Subject:    Corresponding Invoice

Dear lisa:

Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
contact me.

Also, our records show that we have not yet received payment for the previous order of 11 June,
so I would be grateful if you could send payment as soon as possible. Please find attached the
corresponding invoice.

If there is anything else you require, our company would be pleased to help. Looking forward to
hearing from you soon.

Yours sincerely

Althea Duke
Managing Director

Who the message is "from" varies from message to message, but the body text is the same. Analysis of the payload is pending, but it is probably similar to yesterday's Locky run.
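Because the sender name changes while the body stays fixed, messages from this run can be grouped by a hash of the normalised body rather than by the From header. The following is an added example, not code from the original post; the sample messages, the example.invalid addresses, the second sender name and the assumption that only the greeting line differs per recipient are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Assumption: the greeting line ("Dear lisa:") is the only per-recipient part.
GREETING = re.compile(r"^\s*dear\b[^\n]*\n", re.IGNORECASE)

def body_fingerprint(raw):
    """SHA-256 of the first text/plain part, greeting removed, whitespace collapsed."""
    msg = message_from_string(raw)
    for part in msg.walk():  # for a non-multipart message this yields the message itself
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            text = part.get_payload(decode=True).decode(charset, "replace")
            text = GREETING.sub("", text, count=1)
            text = re.sub(r"\s+", " ", text).strip().lower()
            return hashlib.sha256(text.encode()).hexdigest()
    return ""

def find_campaigns(raw_messages, min_senders=2):
    """Map fingerprint -> sender names, for bodies seen under several From names."""
    senders = defaultdict(set)
    for raw in raw_messages:
        name, addr = parseaddr(message_from_string(raw)["From"] or "")
        fp = body_fingerprint(raw)
        if fp:
            senders[fp].add((name or addr).lower())
    return {fp: sorted(s) for fp, s in senders.items() if len(s) >= min_senders}

# Constructed sample input: two copies of the spam body (shortened) with
# different senders, greetings and line wrapping, plus one unrelated message.
BODY = ("Thank you for your email regarding your order of 21 June, and sorry for "
        "the delay in replying. Please find attached the corresponding invoice.")

def make(sender, greeting, body):
    return f"From: {sender}\nSubject: Corresponding Invoice\n\n{greeting}\n\n{body}\n"

SAMPLES = [
    make("Althea Duke <a@example.invalid>", "Dear lisa:", BODY),
    make("Constructed Sender <b@example.invalid>", "Dear bob:",
         BODY.replace(", and", ",\nand")),
    make("Shop <c@example.invalid>", "Dear bob:", "Your parcel has shipped."),
]

if __name__ == "__main__":
    for fp, names in find_campaigns(SAMPLES).items():
        print(fp[:16], names)
```
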


A little bit of analysis, via these automated reports [1] [2] [3] [4] [5], shows some download locations as:


Various files are dropped, including these samples [6] [7], the latter of which is a three-week-old version of Locky. Go figure. The comments in this report show C2 servers at:

(Andrey Orlov aka Relink LLC, Russia / OVH, France)
(FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
(ITL, Bulgaria)
(PE Dunaeivskyi Denys Leonidovich, Ukraine)

Three out of those four servers are the same as yesterday.

Recommended blocklist:

1 comment:

Dan Carmon said...

Thanks for the info! Received this well-written message yesterday to my spam folder, and was curious about the content (but reluctant to actually open the e-mail, naturally). Found your blog post as the top result for the Google search "corresponding invoice spam".