
Wednesday, 3 August 2016

Malware spam: "I attached the project status report in order to update you about the last meeting"

This spam leads to Locky ransomware:

From:    Keri Jarvis [Jarvis.64030@bac.globalnet.co.uk]
Date:    2 August 2016 at 22:13
Subject:    report

Hi,

I attached the project status report in order to update you about the last meeting

Best regards,
Keri Jarvis

Attached is a randomly named ZIP file containing a malicious .js script beginning with the word "report". This downloads an evil binary from one of the following locations:



(Thank you to my usual source for this data)

The malware phones home to:

37.139.30.95/php/upload.php (Digital Ocean, Netherlands) [hostname: belyi.myeasy.ru]
93.170.128.249/php/upload.php (Krek Ltd, Russia)
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

Recommended blocklist:
37.139.30.95
93.170.128.249
93.170.104.20
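As an added illustration (not part of the original post), the two indicators above can be turned into a simple defender-side check: the phone-home hosts and the /php/upload.php check-in path are matched against proxy log lines, and a ZIP attachment is flagged if it carries a .js member whose name starts with "report". The log line format and the sample ZIP are constructed for the example.

```python
import io
import re
import zipfile

# Phone-home hosts from the post above; the path is the Locky check-in URL.
BLOCKLIST = {"37.139.30.95", "93.170.128.249", "93.170.104.20"}
PHONE_HOME_PATH = "/php/upload.php"

# Constructed sample proxy log (client, method, URL); not real traffic.
SAMPLE_PROXY_LOG = """\
10.0.0.12 POST http://37.139.30.95/php/upload.php
10.0.0.12 GET http://example.com/index.html
10.0.0.40 POST http://93.170.104.20/php/upload.php
10.0.0.41 GET http://93.170.128.249/robots.txt
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) https?://(?P<host>[^/\s:]+)(?P<path>/\S*)?")

def find_phone_home(log_text):
    """Return (client, host, path, is_checkin) for each request to a
    blocklisted host. Any contact with these hosts is worth blocking;
    the flag shows whether it was the /php/upload.php check-in itself."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("host") in BLOCKLIST:
            path = m.group("path") or "/"
            hits.append((m.group("client"), m.group("host"), path,
                         path == PHONE_HOME_PATH))
    return hits

def suspicious_zip_attachment(zip_bytes):
    """True if the ZIP contains a .js whose name starts with 'report',
    the lure described above. Only lists names; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if base.startswith("report") and base.endswith(".js"):
                return True
    return False

def build_sample_zip(member_name):
    """Constructed test attachment holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder text, not a downloader\n")
    return buf.getvalue()
```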



