From: "Lizzie Carpenter"
Subject: sales report
Date: Fri, 22 Jul 2016 21:38:25 +0800
I am truly sorry that I was not available at the time you called me yesterday.
I attached the report with details on sales figures.
----- Best of luck, Lizzie Carpenter
SCHRODER GLOBAL REAL ESTATE SEC LTD Phone: +1 (773) 812-15-66 Fax: +1 (773) 812-15-86
The sender name is randomly generated. Attached is a ZIP file whose name combines elements of the recipient's email address and a random number; it contains a malicious .wsf script beginning with "sales report".
In a change from recent malware runs, the script does not download a binary from a remote location but instead carries the entire executable, Base64-encoded, inside the script itself.
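As an added example (not code from the original post), the scanner below shows how a mail gateway or triage script can catch this variation: rather than looking for a download URL, it opens the ZIP in memory, picks out script members by extension, and decodes every long Base64 run to see whether it starts with the "MZ" DOS header of a Windows executable. The attachment it scans is constructed here to mirror the campaign's shape (a member whose name begins with "sales report", containing a Base64 blob that decodes to a fake PE stub); the 64-character run threshold and the member naming are assumptions, not values from the post.

```python
import base64
import binascii
import io
import re
import zipfile

# Base64 runs shorter than this are skipped; a real embedded PE is tens of
# kilobytes, so the threshold only needs to reject identifiers and short
# string literals. (assumed threshold, not from the post)
MIN_B64_RUN = 64
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_RUN)

SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe")


def embedded_executables(script_bytes):
    """Return (offset, decoded_length) for every Base64 run in the script
    that decodes to data beginning with the 'MZ' DOS header."""
    hits = []
    for m in B64_RUN.finditer(script_bytes):
        blob = m.group(0)
        # Drop a stray tail so the length is a multiple of four before decoding.
        blob = blob[: len(blob) - len(blob) % 4]
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (ValueError, binascii.Error):
            continue
        if decoded[:2] == b"MZ":
            hits.append((m.start(), len(decoded)))
    return hits


def scan_zip(zip_bytes):
    """Inspect every member of an in-memory ZIP. Script members are read and
    checked for embedded executables; other members are only listed."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            is_script = name.lower().endswith(SCRIPT_EXTENSIONS)
            data = zf.read(name) if is_script else b""
            report.append({
                "member": name,
                "script": is_script,
                "embedded_pe": embedded_executables(data),
            })
    return report


def build_sample_zip(recipient="victim@example.com"):
    """Constructed test attachment, not the campaign's payload: a .wsf member
    whose name begins with 'sales report' and whose JScript body holds a
    Base64 string that decodes to a fake PE stub (MZ header plus filler)."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 300          # 304 bytes, starts with MZ
    b64 = base64.b64encode(fake_pe)
    wsf = (b'<job id="main"><script language="JScript">\n'
           b'var s = "sales report";\n'
           b'var p = "' + b64 + b'";\n'
           b'</script></job>\n')
    local_part = recipient.split("@")[0]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sales report %s_4821.wsf" % local_part, wsf)
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_zip(build_sample_zip()):
        print(entry)
```

The check keys on the decoded content rather than on the script's text, so renaming variables or splitting the literal across several concatenated strings is what an attacker would have to do to evade it; a gateway that also blocks .wsf members outright, as the post's own observation suggests, does not need to decode anything at all.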
This executable has a detection rate of 4/54 and trusted analysis says that it is Locky ransomware, phoning home to:
18.104.22.168/upload/_dispatch.php (SpaceWeb CJSC, Russia)
22.214.171.124/upload/_dispatch.php (Internet Hosting Ltd, Russia)
126.96.36.199/upload/_dispatch.php (Marosnet, Russia)
188.8.131.52/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
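As an added example (not part of the original post), the triage script below runs the callback addresses listed above over proxy log lines. It raises a "known_c2" alert for a hit on one of the four listed hosts with the /upload/_dispatch.php path, and, because the hosting for these runs rotates, it also generalises to a "c2_pattern" alert for any POST to that path on a bare IP address. The log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for the example; only the four hosts and the path come from the post.

```python
import re
from ipaddress import ip_address

# Callback hosts and path as listed in the post.
LOCKY_C2_HOSTS = {
    "18.104.22.168",
    "22.214.171.124",
    "126.96.36.199",
    "188.8.131.52",
}
C2_PATH = "/upload/_dispatch.php"

# Constructed proxy log: "<epoch> <client> <method> <url> <status>" (assumed layout).
SAMPLE_LOG = """\
1469194705 10.0.0.23 POST http://18.104.22.168/upload/_dispatch.php 200
1469194710 10.0.0.23 GET http://www.example.com/index.html 200
1469194720 10.0.0.41 POST http://203.0.113.7/upload/_dispatch.php 200
1469194730 10.0.0.52 GET http://update.example.org/upload/_dispatch.php 404
1469194740 10.0.0.23 POST http://198.51.100.9/api/login 200
"""

LINE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?\s]*)?")


def classify(line):
    """Return 'known_c2', 'c2_pattern' or None for one log line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    u = URL.match(m["url"])
    if not u:
        return None
    host = u["host"]
    path = u["path"] or "/"
    try:
        ip_address(host)
        bare_ip = True
    except ValueError:
        bare_ip = False
    if host in LOCKY_C2_HOSTS and path == C2_PATH:
        return "known_c2"
    # Generalised rule: the path is distinctive and the callbacks go straight
    # to an IP, so a POST matching both is worth an analyst's attention even
    # when the host is not yet on the list.
    if path == C2_PATH and bare_ip and m["method"] == "POST":
        return "c2_pattern"
    return None


def triage(log_text):
    """Run classify() over every line and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            m = LINE.match(line.strip())
            alerts.append({
                "client": m["client"],
                "host": URL.match(m["url"])["host"],
                "verdict": verdict,
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The client field is what matters in the response: a host that matched either rule is a likely Locky infection in progress, and isolating it promptly limits how much of a file share gets encrypted.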