
Monday, 31 October 2016

Malware spam: "SureVoIP" / "Voicemail from.." leads to Locky

This fake voicemail message leads to Locky ransomware:

Subject:     Voicemail from Catalina rigby 02355270166 <02355270166> 00:01:22
From:     SureVoIP (voicemailandfax@[redacted])
Date:     Monday, 31 October 2016, 11:17


Message From "Catalina rigby 02355270166" 02355270166
Created: 2016.10.31 14:46:53 PM
Duration: 00:01:22
Account: voicemailandfax@[redacted]
Details will vary from message to message. Attached is a ZIP file with a name similar to msg_252f-477a-6bd9-371f-330671579edb.zip which contains a malicious WSF script. My source tells me that the various scripts then download a component from one of the following locations:


The C2 servers overlap with the ones found here.

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152
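As an added example (not from the original post), here is a small Python checker that runs the C2 path and the recommended blocklist above over Squid-format proxy log lines; the log lines, the client addresses and the 198.51.100.9 address are constructed.

```python
import re

# Indicators quoted from the post above: the Locky C2 path and the recommended blocklist.
C2_PATH = "/linuxsucks.php"
BLOCKLIST_IPS = {"5.187.7.111", "91.107.107.241", "95.163.107.41",
                 "146.120.89.98", "194.1.239.152"}

# Squid native access.log: "ts elapsed client code/status bytes method url ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
URL_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/[^?\s]*)?")

def classify(url):
    """Return the indicator category a URL matches, or None if it is clean."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group("host"), m.group("path") or "/"
    if host in BLOCKLIST_IPS:
        return "blocklisted-ip"          # any traffic to a listed address
    if path == C2_PATH:
        return "locky-c2-path"           # check-in path on an address not yet listed
    return None

def scan(lines):
    """Return (client, category, url) for each log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # skip malformed or non-Squid lines
        category = classify(m.group("url"))
        if category:
            hits.append((m.group("client"), category, m.group("url")))
    return hits

# Constructed sample log (not real traffic); 198.51.100.9 is a documentation address.
SAMPLE_LOG = """\
1477913820.123    212 10.1.2.34 TCP_MISS/200 512 POST http://91.107.107.241/linuxsucks.php - HIER_DIRECT/91.107.107.241 text/html
1477913825.456     45 10.1.2.50 TCP_HIT/200 8421 GET http://www.example.com/index.html - NONE/- text/html
1477913830.789     77 10.1.2.61 TCP_MISS/200 300 POST http://198.51.100.9/linuxsucks.php - HIER_DIRECT/198.51.100.9 text/html
this line is not a valid log record
"""

if __name__ == "__main__":
    for client, category, url in scan(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{category}\t{url}")
```

The path check catches check-ins to a C2 address that is not yet on the blocklist, which is the case worth alerting on first.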
