
Sunday 6 April 2014

"Produce & Information" / Media Trade Company spam

This spam email links to a malicious file:
From:     Media Trade info@mediatrade.com
Reply-To:     ourmediatrade@yahoo.com
Date:     6 April 2014 16:26
Subject:     Produce & Information

Good Day

How are you today?
This is Media Trade Company, we have interest in your product. And our company is planing on placing an order with your company, Please open and click on the pdf icon to see the attached document of our produce information and company details.

Thank you and have a nice day

Best regards
THKS/B.RGDS

Attached is a file, Our Produce Info.html, which in turn contains a link to [donotclick]surevilla.h19.ru/Our%20Produce%20Info.exe hosted on 89.108.91.183 (Agava Ltd, Russia). This IP address is suspected of badness and blocking it would be a prudent idea. Alternatively, you could block the dynamic DNS domain h19.ru, which is being abused in this case.

The malicious file has a detection rate of 25/51 at VirusTotal with some indication that this is either a variant of Zbot or some sort of ransomware. The Malwr analysis shows some sort of download taking place from [donotclick]ourdailyshopping.com/images/win/check/file.php hosted on 91.223.82.188. Also, the Anubis analysis gives an idea as to the files created.

Of interest, this IP of 91.223.82.188 belongs to a company I have never heard of called International Widespread Services Limited aka IWS Networks Ltd of the UAE. They also provide the mail relay used in the spam which is 185.7.35.90.

Recommended blocklist:
89.108.91.183
91.223.82.188
surevilla.h19.ru
ourdailyshopping.com

I would also recommend that you consider blocking the domain h19.ru which may block some legitimate sites but should offer additional protection.
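As an added example (not part of the original post), the following Python sketch screens an HTML attachment's links against the blocklist above, including the optional h19.ru parent-domain match, and flags links that point at executables. The sample attachment, the `other.h19.ru` subdomain and the extension list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Indicators from the recommended blocklist above, plus the optional parent domain.
BLOCKED_HOSTS = {"surevilla.h19.ru", "ourdailyshopping.com"}
BLOCKED_IPS = {"89.108.91.183", "91.223.82.188"}
BLOCKED_PARENTS = {"h19.ru"}                 # matches any *.h19.ru subdomain
EXECUTABLE_EXT = (".exe", ".scr", ".pif")    # assumption: extensions treated as risky

class LinkCollector(HTMLParser):
    """Collects href/src attribute values from an HTML attachment."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)

def check_attachment(html):
    """Return [(link, reasons)] for links that hit the blocklist or an executable."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for raw in collector.links:
        url = raw.replace("[donotclick]", "")   # strip the defang marker before parsing
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        reasons = []
        if host in BLOCKED_HOSTS or host in BLOCKED_IPS:
            reasons.append("blocklisted host")
        if any(host == p or host.endswith("." + p) for p in BLOCKED_PARENTS):
            reasons.append("blocked parent domain")
        if unquote(parts.path).lower().endswith(EXECUTABLE_EXT):
            reasons.append("links to executable")
        if reasons:
            findings.append((raw, reasons))
    return findings

# Constructed sample attachment; links keep the [donotclick] marker so none is live.
SAMPLE = '''<html><body>
<a href="http://[donotclick]surevilla.h19.ru/Our%20Produce%20Info.exe"><img src="pdf.png"></a>
<a href="http://[donotclick]other.h19.ru/index.html">constructed subdomain</a>
<a href="http://example.org/about.html">benign</a>
</body></html>'''

if __name__ == "__main__":
    for link, reasons in check_attachment(SAMPLE):
        print(link, "->", ", ".join(reasons))
```

The parent-domain rule uses a dot-anchored suffix match, so an unrelated name that merely ends in the same characters is not caught.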
