Thursday 28 July 2016

Malware spam: "Self Billing Statement" / Kathryn Smith [kathryn@powersolutions.com] leads to Locky

This fake financial spam comes with a malicious attachment:

From     Kathryn Smith [kathryn@powersolutions.com]
Date     Thu, 28 Jul 2016 16:21:41 +0530
Subject     Self Billing Statement
I do not know if there is any body text at present. Attached is a file with a name similar to Self Billing Statement_431.zip, which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js).
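The delivery pattern above (a ZIP attachment whose only member is a Windows script) is easy to flag at the mail gateway without needing a signature for the script itself. The following is an added example, not code from this blog: it inspects an attachment in memory and quarantines archives that contain script members, and it builds its own constructed sample ZIP so it runs offline. The `Self Billing Statement_<n>.zip` name pattern is taken from the samples described here; the list of script extensions beyond `.js` is an assumption.

```python
import io
import re
import zipfile

# Extensions Windows Script Host or mshta will execute on double-click (assumed list;
# the run described above used .js).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}

# Lure filename pattern derived from the samples described in this post.
STATEMENT_NAME = re.compile(r"^Self Billing Statement_\d+\.zip$", re.IGNORECASE)


def script_members(zip_bytes):
    """Return the names of archive members whose extension marks them as scripts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lowered = info.filename.lower()
            if any(lowered.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                found.append(info.filename)
    return found


def assess_attachment(filename, zip_bytes):
    """Classify one attachment. Returns (verdict, reasons); verdict is 'quarantine' or 'allow'."""
    reasons = []
    if STATEMENT_NAME.match(filename):
        reasons.append("filename matches the 'Self Billing Statement_<n>.zip' lure")
    try:
        scripts = script_members(zip_bytes)
    except zipfile.BadZipFile:
        # A corrupt or disguised archive is itself suspicious; do not pass it through.
        return ("quarantine", ["attachment is not a valid ZIP archive"])
    for name in scripts:
        reasons.append(f"archive contains script file {name!r}")
    verdict = "quarantine" if scripts else "allow"
    return (verdict, reasons)


def build_sample_zip(inner_name, content=b"var x = 1;"):
    """Construct a ZIP in memory; only used to exercise the checker offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the naming seen in this run.
    sample = build_sample_zip("Self Billing Statement_4424.js")
    print(assess_attachment("Self Billing Statement_431.zip", sample))
```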

Analysis by a trusted party shows that these scripts download a component from one of the following locations:

This originally dropped this payload, since updated to this payload; both are Locky ransomware. The C2 servers to block are exactly the same as those found in this earlier spam run.

1 comment:

Stematpye said...

Please find attached your Self Billing Statement for commission earned
this month, payment will be made on or before the 15th of next month.

If you have any queries with the statement or any amendments to your
bank details please e-mail ap@powersolutions.com as soon as possible
to prevent any payment delays.

Regards
Body text