Sponsored by..

Friday 20 June 2014

"2014_06rechnung_0724300002_sign.zip" spam

I don't have a sample of the German-language spam spreading this attack, but it is similar to this one and it entices the victim to download a ZIP file  from [donotclick]officialdund.co.uk/wp-content/themes/officialdund/mobilfunktelekom/2014_06rechnung_0724300002_sign.zip

Inside the ZIP file is a malicious executable 2014_06rechnung_0724300002_pdf_sign_telekomag_deutschland_gmbh.exe which has a very low VirusTotal detection rate of just 1/54. The Malwr report shows that it downloads a further executable rqvupdate.exe [Malwr report] which phones home to 204.93.183.196 (Server Central, US) and has a VT detection rate of just 2/52.

The Anubis report also shows connections to 50.31.146.109 (Server Central, US), 5.135.208.53 (OVH, France / QHoster Ltd, Bulgaria) and 103.25.59.120 (Ransom IT Hosting, New Zealand)

Recommend blocklist:
5.135.208.53
50.31.146.109
103.25.59.120
204.93.183.196

No comments: