Monday, 24 October 2016

Malware spam: fake "Receipt" leads to the unwelcome return of Locky

Locky ransomware activity has been quite minimal recently, but it seems to be back today. For example, spam with a format similar to the following is currently being sent out:

Date: Mon, 24 Oct 2016 16:03:30 +0530
From: christa.hazelgreave@gmail.com
Subject: Receipt 68-508
The sender name is a randomly-generated Gmail address. Attached is a ZIP file whose name starts with the word "Receipt" and matches the subject of the email; contained within it is a malicious HTA file with a name similar to Receipt 90592-310743.hta.
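A mail-gateway check for this lure, written here as an added example rather than anything from the original post: it opens a ZIP attachment in memory, flags any member with a Windows script extension, and separately notes whether the subject and attachment name follow the "Receipt NN-NNN" pattern described above. The post only mentions .hta; the other extensions in the set, the attachment file name "Receipt 68-508.zip", and the sample archives are my own constructed assumptions.

```python
import io
import re
import zipfile

# Script-type extensions that should never arrive inside a "receipt" archive.
# The post only mentions .hta; the other entries are my own additions.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".wsf"}

# Lure pattern from the post: subject "Receipt 68-508", member "Receipt 90592-310743.hta".
RECEIPT_RE = re.compile(r"^Receipt \d+-\d+", re.IGNORECASE)


def script_members(zip_bytes):
    """Return the names of archive members whose extension is a Windows script type."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Look only at the final path component, case-insensitively.
            name = info.filename.rsplit("/", 1)[-1]
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def classify_attachment(subject, attachment_name, attachment_bytes):
    """Return (verdict, reasons) for one mail attachment.

    verdict is "block" (script inside the archive), "suspicious" (lure pattern
    or unreadable ZIP) or "clean".
    """
    reasons = []
    if not attachment_name.lower().endswith(".zip"):
        return "clean", reasons
    try:
        members = script_members(attachment_bytes)
    except zipfile.BadZipFile:
        return "suspicious", ["attachment is not a valid ZIP archive"]
    if members:
        reasons.append("archive contains script file(s): " + ", ".join(members))
    if RECEIPT_RE.match(subject) and RECEIPT_RE.match(attachment_name):
        reasons.append("subject and attachment follow the 'Receipt NN-NNN' lure pattern")
    if members:
        return "block", reasons
    if reasons:
        return "suspicious", reasons
    return "clean", reasons


def build_sample_zip(member_name, payload):
    """Construct a ZIP in memory; this is test data, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: a harmless placeholder HTA inside a "Receipt" archive.
    lure = build_sample_zip("Receipt 90592-310743.hta", "<html><!-- placeholder --></html>")
    print(classify_attachment("Receipt 68-508", "Receipt 68-508.zip", lure))
    # Constructed benign archive with the same lure-style naming.
    benign = build_sample_zip("invoice.pdf", b"%PDF-1.4 placeholder")
    print(classify_attachment("Receipt 68-508", "Receipt 68-508.zip", benign))
```

The extension check is done on the member name inside the archive rather than on the attachment name, because the outer ZIP is exactly what lets the .hta slip past a naive attachment filter.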

You can see some of the malicious activity in this Hybrid Analysis report. My sources (thank you!) give the download locations for this particular spam run as:

103.15.50.73/076wc
117.239.70.228/076wc
absxpintranet.in/076wc
acanac.wysework.com/076wc
asadraza.ca/076wc
bagnet.ir/076wc
checkimage.comuf.com/076wc
cignitech.com/076wc
cynosurejobs.net/076wc
dolphinom.com/076wc
grupoecointerpreis.com/076wc
ledenergythai.com/076wc
naacllc.com/076wc
thaitooling.net/076wc
tifa-awards.net/076wc
wkreation.com/076wc
www.pspgemencheh.edu.my/076wc
www.pspmrsmag.com/076wc

The malware is Locky ransomware phoning home to:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
bwcfinnt.work/linuxsucks.php [208.100.26.234] (Steadfast, US)

The following don't seem to resolve:

fqtdrnqmeofknd.biz/linuxsucks.php
fyrtopd.info/linuxsucks.php
wsrcyjnmrfyej.ru/linuxsucks.php
dvrudoqhwxbxrob.info/linuxsucks.php
ooyjnteswckystd.info/linuxsucks.php
vrruwpuccbud.info/linuxsucks.php
jdjnhiwgnxks.info/linuxsucks.php
pcjbfqivrejipumc.pw/linuxsucks.php
gktccomjjk.pl/linuxsucks.php
aolqgoweq.biz/linuxsucks.php
vholevsjx.pl/linuxsucks.php

Recommended blocklist:

109.234.35.0/24
91.200.14.124
185.102.136.77
208.100.26.234
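To turn the phone-home locations and blocklist above into a quick proxy-log sweep, here is an added example (my own code, not from the original post). It matches each request's destination against the recommended blocklist (CIDR-aware, so the whole 109.234.35.0/24 is covered), against the C2 hostnames listed above, and against the two URI paths the post reports (/076wc for the HTA's payload download, /linuxsucks.php for the Locky check-in). The space-separated log format and the sample lines are constructed for the example; adapt LOG_RE to whatever your proxy actually writes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Recommended blocklist from the post; ip_network() turns a bare address into a /32.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "109.234.35.0/24", "91.200.14.124", "185.102.136.77", "208.100.26.234")]

# C2 hostnames from the post, including the ones that did not resolve at the time.
C2_HOSTS = {
    "bwcfinnt.work", "fqtdrnqmeofknd.biz", "fyrtopd.info", "wsrcyjnmrfyej.ru",
    "dvrudoqhwxbxrob.info", "ooyjnteswckystd.info", "vrruwpuccbud.info",
    "jdjnhiwgnxks.info", "pcjbfqivrejipumc.pw", "gktccomjjk.pl", "aolqgoweq.biz",
    "vholevsjx.pl",
}
C2_PATH = "/linuxsucks.php"   # Locky check-in
STAGER_PATH = "/076wc"        # payload location fetched by the HTA

# Constructed log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def host_in_blocklist(host):
    """True if host is an IP literal inside one of the blocklist networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are handled separately via C2_HOSTS
    return any(addr in net for net in BLOCKLIST)


def classify_request(url):
    """Return the list of indicator matches for one requested URL (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host_in_blocklist(host):
        reasons.append(f"destination {host} is in the recommended blocklist")
    if host in C2_HOSTS:
        reasons.append(f"destination {host} is a listed Locky C2 hostname")
    if parts.path == C2_PATH:
        reasons.append("URI path matches the Locky check-in")
    elif parts.path == STAGER_PATH:
        reasons.append("URI path matches the HTA downloader's payload location")
    return reasons


def scan_log(lines):
    """Parse log lines and return one hit per request that matched an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify_request(m["url"])
        if reasons:
            hits.append({"src": m["src"], "url": m["url"], "reasons": reasons})
    return hits


def suspected_clients(lines):
    """Internal clients that touched any indicator: the hosts to isolate first."""
    return sorted({hit["src"] for hit in scan_log(lines)})


# Constructed sample log: one client runs through the full chain, one is clean.
SAMPLE_LOG = [
    "2016-10-24T10:31:02Z 10.0.0.15 GET http://www.pspgemencheh.edu.my/076wc 200",
    "2016-10-24T10:31:09Z 10.0.0.15 POST http://109.234.35.215/linuxsucks.php 200",
    "2016-10-24T10:31:10Z 10.0.0.15 POST http://bwcfinnt.work/linuxsucks.php 200",
    "2016-10-24T10:32:44Z 10.0.0.22 GET http://example.com/index.html 200",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["url"], "; ".join(hit["reasons"]))
    print("suspected clients:", suspected_clients(SAMPLE_LOG))
```

The download hosts in the earlier list are mostly compromised legitimate sites, so they are matched on the /076wc path rather than added to the blocklist; the C2 hosts are matched on both hostname and the /linuxsucks.php path so that a new C2 IP reusing the same script still trips the rule.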