Sponsored by..

Tuesday, 26 July 2016

Malware spam: "Attached Image" leads to Locky

This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    26 July 2016 at 10:27
Subject:    Attached Image

The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:


There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to: (Relink Ltd, Russia) (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

Recommended blocklist:

No comments: