Sponsored by..

Tuesday 29 November 2016

Malware spam: "Please find attached a XLS Invoice 378296" / creditcontrol@somecompany.com / Ansell Lighting

This fake financial spam comes with a malicious attachment, purporting to come from Ansell Lighting:

Subject:     Please find attached a XLS Invoice 378296
From:     creditcontrol@potomachealthcare.com (creditcontrol@potomachealthcare.com)
Date:     Tuesday, 29 November 2016, 10:32

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then pleasedo not hesitate in contacting us.Karen Lightfoot -Credit Controller, Ansell Lighting, Unit 6B, Stonecross Industrial Park, Yew Tree Way, WA3 3JD. Tel: +44 (0)5216 154 830 Fax: +44 (0)5216 154 830

The email comes from a random creditcontrol@something email address. Attached is a malicious Excel file with a name such as INVOICE.TAM_378296_20161129_886C9EAB6.xls.

My usual reliable source says that the various versions of Excel spreadsheet download a component form one of the following locations:

ayurvedic.by/087gbdv4
pregnancysquare.com/087gbdv4
qiqi-store.com/087gbdv4
roberttrocina.com/087gbdv4
satherm.pt/087gbdv4
sayvir.com/087gbdv4
secotral.fr/087gbdv4
semeystvo.com.ua/087gbdv4
spookmedia.nl/087gbdv4
sp-tulun.ru/087gbdv4
stocktradex.com/087gbdv4
swkitchens.com.au/087gbdv4
thegarageteam.gr/087gbdv4
tyfastener.com/087gbdv4

The Hybrid Analysis shows that this is Locky ransomware, phoning home to:

185.115.140.210/information.cgi [hostname: nikita.grachev.81.example.com] (Megaserver LLC, Russia)
213.32.90.193/information.cgi [hostname:  sbg.13.vds.abcvg.ovh] (OVH, France)
95.213.195.123/information.cgi (Selectel SPb, Russia)


A DLL is dropped with an MD5 of b46f0fcb0f962f41b5b43725b440dabb and a VirusTotal detection rate of 11/57.

Recommended blocklist:
185.115.140.210
213.32.90.193
95.213.195.123

No comments: