Thursday, 23 June 2016

Malware spam: "Final version of the report" probably leads to Locky

This spam leads to malware:

From:    Julianne Pittman
Date:    23 June 2016 at 09:48
Subject:    Final version of the report

Dear info,

Patrica Ramirez asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Patrica know if you have any questions about the contents of the report.


Kind regards


Julianne Pittman
Operations Director (CEO Designate)
The names in each version of the email vary. Attached is a ZIP file whose filename contains some version of the recipient's email address and the word "report"; this ZIP in turn contains a malicious .js script beginning with "unpaid".

The payload is not known at this time and analysis is pending, but is likely to be Locky ransomware similar to this.
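As an added illustration (this is not code from the original post), a small Python check for the attachment pattern described above: an outer ZIP whose name combines the recipient's address with "report", carrying a .js script whose name begins with "unpaid", where the email body promised a Word document. The sample archive it builds is constructed here, and the script content is a harmless placeholder.

```python
import io
import re
import zipfile

# Indicators from the post: outer ZIP name = recipient address + "report",
# inner member = a .js script whose name starts with "unpaid".
ZIP_NAME_RE = re.compile(r"report", re.IGNORECASE)
JS_NAME_RE = re.compile(r"^unpaid.*\.js$", re.IGNORECASE)


def suspicious_attachment(filename: str, data: bytes, recipient_local: str) -> list:
    """Return the reasons an attachment matches this campaign (empty list if none).

    recipient_local is the local part of the recipient address, e.g. "info".
    """
    reasons = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons  # only ZIP attachments are in scope for this lure
    name = filename.lower()
    if recipient_local.lower() in name and ZIP_NAME_RE.search(name):
        reasons.append("zip name combines recipient address and 'report'")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            base = member.rsplit("/", 1)[-1]  # ignore any directory prefix
            if JS_NAME_RE.match(base):
                reasons.append(f"contains script {base!r} matching the 'unpaid' .js pattern")
            elif base.lower().endswith(".js"):
                reasons.append(f"contains script {base!r} where a Word document was promised")
    return reasons


def build_sample(member: str = "unpaid_44321.js") -> tuple:
    """Constructed sample mimicking the campaign (placeholder content, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// constructed placeholder, not the real script\n")
    # Archive name taken from the reader comment below the post.
    return "info_report_609435.zip", buf.getvalue()


if __name__ == "__main__":
    zip_name, zip_bytes = build_sample()
    for reason in suspicious_attachment(zip_name, zip_bytes, "info"):
        print("ALERT:", reason)
```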

UPDATE 1

Hybrid Analysis of three sample scripts [1] [2] [3] shows three download locations (you can bet there will be many more):

bptec.ir/kvk9leho
promoresults.com.au/gx4al
boranwebshop.nl/ggc7ld


Each one drops a slightly different binary (VirusTotal results [4] [5] [6]), but at the moment automated analysis is inconclusive [7] [8] [9] [10] [11] [12]. I will try to post the C2 servers here if I get them.

UPDATE 2

A trusted third party analysis shows the following download locations (thank you!):


C2 servers are at:

51.254.240.48 (Rackspace, US)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)


The malware uses the path /upload/_dispatch.php on the C2 servers.

Recommended blocklist:
51.254.240.48
91.219.29.41
217.12.223.88
195.123.209.227
93.170.169.188
/upload/_dispatch.php

1 comment:

David Mateos Ramos said...

We have been receiving the "Final version of the report" spam since yesterday, with the corresponding zip file, about 30 to 40 emails to different email addresses.
This is an example, just like the one you posted:

Dear info,

Cecil Vance asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Cecil know if you have any questions about the contents of the report.


Kind regards

Lucius Cabrera
Director, Digital Communications

The zip file is info_report_609435.zip

I wonder how they harvested the email addresses.