Sponsored by..

Wednesday 26 October 2016

Malware spam: "Your order has been proceeded." leads to Locky

This curiously worded spam email leads to Locky ransomware:

Subject:     Your order has been proceeded
From:     Elijah Farrell
Date:     Wednesday, 26 October 2016, 12:41


Your order has been proceeded.

Attached is the invoice for your order 2026326638.

Kindly keep the slip in case you would like to return or state your product's warranty.
The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name.

The various scripts download a component from one of the following locations (thank you to my usual source for this):

198zc.com/vnrymi
3d-schilling.de/ytm08hf
abaffbedip.net/0ec4sb62
abaffbedip.net/1roef5v
abaffbedip.net/5k4oh5
abaffbedip.net/8b0lk2p
actiononsports.com/yduc1
aiccard.co.th/sy7hb7
alefunny.pl/vjjw0
alvida.de/zhw8nw6
antiguarelojeria.com/zg28jio
ayso722.org/ny8s6fn
banana2.jp/zsf0952
begbuilders.com/xjtb9k
bibliocultura.org/hdhwx7sf
bluecuracao.nl/xt8w2p3
bonetti.nl/bqc565q
brkos.borec.cz/skxkk33b
callideo.fr/zwg1d
caulgreet.com/0gxgwa
caulgreet.com/2sqh38d1
caulgreet.com/6o04pdt
caulgreet.com/9gl7t
chuvafeatherstone.com/rve6j
ciscscout.net/rvkbiv3t
cloudafis.com/kpw6h4uh
cngmalaysia.org/f4cda
cpugame.com/r3octl
cryochoice.com/n4801d
dadaniu.cn/cyk9hpr
danor.ro/xnnhp5
dmtya.ru/zqzii
dominoassociates.com/keg4g
dongyigg.com/onirn0r
dont.pl/stuf3
dovgan.bclas.ru/wk7tah
dzyncreative.com/v1djrmn
ecentz.com/sbvv8md
edepolama.com/xlyrh
edu02.ru/nk6z1
entersukses.com/cudm8
ergobois.com/j87ns
esteticapro.com/tje1ya
esysports.com/ybn7qw
exquisiteescape.com/fa8f7fk9
fazendacristal.com/djgyn
fbstone.com/xjlq6
fengxiaohui.com/yulge
filenetp8.info/esg742j9
flw123.com/kygiq6t
gerardfetter.com/fudjm1m
gongzuoshu.com/lojhvcj7
grandfm.com/my98xg7a
guymorgandaily.com/ilgx8tki
hankookm.com/lun77kyf
hfhhk.com/edfwyi1
hotsigns.net/ayxpi
jean-ealogy.com/dauwq7a
khstarter.com/w8811bg
landondavid.com/d5t56y4b
lanmaicao.com/bxyi91
lcmaya.com/d79p8w
mannersfromtheheart.com/cn450b
milianjie.com/dg1ie
morenaart.com/qbwnl
nakedglobal.com/d6s6f
roweliced.net/12fi9dc
roweliced.net/35lz355g
roweliced.net/6vgrs4
roweliced.net/a1f8yb
sheatcatan.com/1cb7jn
sheatcatan.com/3oze6ie
sheatcatan.com/74mqu
sheatcatan.com/awcdu3
titmaius.net/0f7ygeg
titmaius.net/1zsxe
titmaius.net/6g32j
titmaius.net/8u0ie

The downloaded binary then phones home to:

78.46.170.94/linuxsucks.php [hostname: k-42.ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks.php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost.hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks.php [hostname: weblinks-3424.ru] (Sobis, Russia)


It also tries to phone home to these URLs which are currently not resolving:

umjjvccteg.biz/linuxsucks.php
hbnatserncelosskp.biz/linuxsucks.php
rqnegynlpkohoohp.pw/linuxsucks.php
ymrorgauixirigj.biz/linuxsucks.php
ayyxamwyvfyqidija.pw/linuxsucks.php
yfjxvok.ru/linuxsucks.php
lbbauqqpynjem.xyz/linuxsucks.php
tnvnmjdyokgyj.pl/linuxsucks.php
hoiedes.pl/linuxsucks.php
toaqabrl.xyz/linuxsucks.php
leacfrc.info/linuxsucks.php
jkjxnrnirmqt.pw/linuxsucks.php

Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225




No comments: