Friday 2 September 2016

Malware spam: "old office facilities" leads to Locky

This spam has a malicious attachment:

Subject:     old office facilities
From:     Kimberly Snow (Snow.741@niqueladosbestreu.com)
Date:     Friday, 2 September 2016, 8:55

Hi Corina,

Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.


Best wishes,
Kimberly Snow
The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number.

Analysis is pending, but this Malwr report indicates attempted communications to:

malwinstall.wang
sopranolady7.wang

...both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.

UPDATE 1

According to this Malwr report it drops a DLL with a detection rate of 10/58. Also those mysterious .wang domains appear to be multihomed on the following IPs:

23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)


Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28
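As an added example (not from the original post), the following Python script turns the two observations above into checks a mail gateway or SOC analyst could run: it flags attachments that follow the naming pattern described (a ZIP named with a bare hexadecimal number containing an `office_facilities_<hex>.js` script), and it scans proxy/firewall log lines for the .wang domains and the IPs in the recommended blocklist. The ZIP contents, log lines and function names (`inspect_attachment`, `find_c2_hits`) are constructed for this example; only the domains and IPs come from the post.

```python
import io
import re
import zipfile

# Indicators taken from the post above (domains and recommended blocklist IPs).
LOCKY_DOMAINS = {"malwinstall.wang", "sopranolady7.wang"}
LOCKY_IPS = {
    "23.95.106.195", "45.59.114.100", "66.85.27.250", "104.36.80.104",
    "107.161.158.122", "158.69.147.88", "192.99.111.28",
}

# Attachment naming pattern described in the post: ZIP named with a random
# hexadecimal number, containing office_facilities_<random hex>.js
ZIP_NAME_RE = re.compile(r"^[0-9a-f]+\.zip$", re.IGNORECASE)
SCRIPT_NAME_RE = re.compile(r"^office_facilities_[0-9a-f]+\.js$", re.IGNORECASE)


def inspect_attachment(filename, data):
    """Return the reasons an attachment (name + raw bytes) matches this lure.

    An empty list means nothing about the attachment matched the pattern.
    """
    reasons = []
    if ZIP_NAME_RE.match(filename):
        reasons.append("zip name is a bare hexadecimal number")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                base = member.rsplit("/", 1)[-1]  # ignore any folder prefix
                if SCRIPT_NAME_RE.match(base):
                    reasons.append(f"contains {base} matching campaign pattern")
                elif base.lower().endswith(".js"):
                    reasons.append(f"contains script attachment {base}")
    except zipfile.BadZipFile:
        reasons.append("zip attachment could not be parsed")
    return reasons


def find_c2_hits(log_lines):
    """Scan log lines for the post's domains/IPs.

    Returns a list of (line_index, sorted indicators) for lines with a hit.
    Tokenising on anything that is not [a-z0-9.-] keeps key=value logs,
    CSV and plain syslog lines all working without a per-format parser.
    """
    hits = []
    for idx, line in enumerate(log_lines):
        found = set()
        for tok in re.findall(r"[a-z0-9.-]+", line.lower()):
            tok = tok.strip(".-")
            if tok in LOCKY_DOMAINS or tok in LOCKY_IPS:
                found.add(tok)
        if found:
            hits.append((idx, sorted(found)))
    return hits


def build_sample_zip():
    """Constructed stand-in for the lure: a ZIP holding a harmless .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("office_facilities_1a2b3c4d.js", "// placeholder, not the downloader\n")
    return buf.getvalue()


# Constructed log lines (key=value style); only the IOCs are from the post.
SAMPLE_LOG = [
    "2016-09-02 08:57:12 src=10.0.0.5 dst=66.85.27.250 dport=80 host=malwinstall.wang",
    "2016-09-02 08:57:40 src=10.0.0.5 dst=93.184.216.34 dport=443 host=example.com",
    "2016-09-02 08:58:03 src=10.0.0.7 dst=158.69.147.88 dport=80 host=sopranolady7.wang",
]

if __name__ == "__main__":
    for reason in inspect_attachment("9f3e2a1b.zip", build_sample_zip()):
        print("attachment:", reason)
    for idx, indicators in find_c2_hits(SAMPLE_LOG):
        print(f"log line {idx}:", ", ".join(indicators))
```

The attachment check is deliberately two-tiered: the exact `office_facilities_` pattern is specific to this campaign and will stop matching once the lure changes, whereas the generic "ZIP with a bare hex name that contains a .js file" check keeps catching the same delivery mechanism under a new subject line.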

