
Thursday, 4 August 2016

Malware spam: "Business card" / "I have attached the new business card design." leads to Locky

This spam email has a malicious attachment:

From:    Glenna Johnson
Date:    4 August 2016 at 10:18
Subject:    Business card

Hello [redacted],

I have attached the new business card design.
Please let me know if you need a change

King regards,
Glenna Johnson
Sender names and that long hexadecimal number will vary. Attached is a randomly-named ZIP file containing a malicious .js script whose name begins with "business card" [example]. The payload appears to be Locky ransomware.
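As an added example (not code from the original post), here is a small Python check of the kind a mail gateway or analyst script could run on such an attachment: it lists the .js members inside a ZIP and flags any whose name matches the "business card" lure described above. The ZIP contents below are constructed placeholders, not the real sample.

```python
import io
import posixpath
import zipfile
from typing import List, Tuple

# File extension the post reports inside the ZIP; extend to local policy.
SCRIPT_EXTENSIONS = (".js",)


def build_sample_zip(member_name: str) -> bytes:
    """Constructed test attachment: a ZIP holding one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder content, not the real script\n")
    return buf.getvalue()


def inspect_attachment(zip_bytes: bytes,
                       lure_prefix: str = "business card") -> Tuple[List[str], List[str]]:
    """Return (script_members, lure_matches) for a ZIP attachment.

    script_members: every member whose extension is in SCRIPT_EXTENSIONS.
    lure_matches:   the subset whose base name starts with the campaign lure.
    Non-ZIP input yields ([], []) so callers can route it elsewhere.
    """
    scripts: List[str] = []
    lures: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                base = posixpath.basename(info.filename)
                if base.lower().endswith(SCRIPT_EXTENSIONS):
                    scripts.append(info.filename)
                    if base.lower().startswith(lure_prefix.lower()):
                        lures.append(info.filename)
    except zipfile.BadZipFile:
        return [], []
    return scripts, lures


if __name__ == "__main__":
    # Constructed member name mimicking the "business card <hex>.js" pattern.
    sample = build_sample_zip("business card 4A7F1B2C.js")
    print(inspect_attachment(sample))
```

A ZIP that contains a script member is worth quarantining regardless of the lure name; the prefix match only ties the hit to this particular campaign.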

This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:


This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:

(Relink Ltd, Russia) [hostname: ip.cishost.ru]
(MWTV, Latvia)
(FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname:]

All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.

Recommended blocklist:
