Sponsored by..

Monday 5 December 2016

Malware spam: "Please Consider This" leads to Locky

This fake financial spam leads to malware:

From:    Aimee Guy
Date:    5 December 2016 at 13:32
Subject:    Please Consider This

Dear [redacted],

Our accountants have noticed a mistake in the payment bill #DEC-5956047.
The full information regarding the mistake, and further recommendations are in the attached document.

Please confirm the amount and let us know if you have any questions.

Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date.

The scripts download another component from one of the following locations, according to my usual reliable source:

admin3.rtaf.mi.th/8765r
buhoutserts.ru/8765r
chanet.jp/8765r
guardian-angels-diva.de/8765r
haibeiwuliu.com/8765r
hzxihe.com/8765r
linghangcj.com/8765r
markettv.ro/8765r
maycongtrinhduylong.com/8765r
natashacollis.com/8765r
ruifengweb.com/8765r
rulebraker.ru/8765r
szwanrong.com/8765r
temai1.com/8765r
travelinsider.com.au/8765r
tx318.com/8765r
ucbus.net/8765r
u-niwon.com/8765r
valuationssa.com.au/8765r
vipseal.de/8765r
viscarci.com/8765r
wdcd999.com/8765r
wiky.net/8765r
windshieldrepairvancouver.ca/8765r
wiselysoft.com/8765r
wishingwellhosting.com.au/8765r
wszystkodokuchni.pl/8765r
wudiai.com/8765r
xlr8services.com/8765r
xn--pasaer-spb.pl/8765r
youspeak.pt/8765r
zhiyuw.com/8765r
zwljfc.com/8765r

It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54. The malware then phones home to the following locations:

91.142.90.61/information.cgi [hostname: smtp-server1.ru] (Miran, Russia)
195.19.192.99/information.cgi (EkaComp, Russia)


These IPs were also used in this earlier attack.

Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99


No comments: