I don't have a sample of the German-language spam spreading this attack, but it is similar to
this one and it entices the victim to download a ZIP file from
[donotclick]officialdund.co.uk/wp-content/themes/officialdund/mobilfunktelekom/2014_06rechnung_0724300002_sign.zip
Inside the ZIP file is a malicious executable
2014_06rechnung_0724300002_pdf_sign_telekomag_deutschland_gmbh.exe which has a very low VirusTotal detection rate of just
1/54. The
Malwr report shows that it downloads a further executable
rqvupdate.exe [
Malwr report] which phones home to
204.93.183.196 (Server Central, US) and has a VT detection rate of just
2/52.
The
Anubis report also shows connections to
50.31.146.109 (Server Central, US),
5.135.208.53 (OVH, France / QHoster Ltd, Bulgaria) and
103.25.59.120 (Ransom IT Hosting, New Zealand)
Recommend blocklist:
5.135.208.53
50.31.146.109
103.25.59.120
204.93.183.196
No comments:
Post a Comment