From: Trinh [zhanxing1497kcuo@163.com]
Date: 27 October 2015 at 18:30
Subject: id:9828_My_Resume
Signed by: 163.com
Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.
Yours faithfully
Bobette Gloster
In this case the attachment was named Bobette_resume_1817.doc; however, this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55, mostly detecting a generic macro downloader.
The macro looks like this [pastebin] and the Hybrid Analysis of the document shows traffic coming FROM 46.30.41.150 (EuroByte LLC, Russia) and being POSTED to the following:
all-inclusiveresortstravel.com
designtravelagency.com
bigboattravel.com
cpasolutiononline.com
ciiapparelblog.com
The first three are on 108.167.140.175 and the second two are on 192.185.101.210 which are both allocated to WebSiteWelcome customers. I would assume that those two servers are completely compromised.
The Hybrid Analysis report shows that the malware has some characteristics that make it look like ransomware.
Recommended blocklist:
46.30.41.150
108.167.140.175
192.185.101.210
UPDATE:
This Tweet indicates that the payload is Cryptowall.
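As an added example (not code from the original post), the following Python scan matches outbound proxy log lines against the domains and IP addresses listed above and flags POSTs to those hosts; the Squid native access.log layout and the sample log lines are assumed and constructed here, not captured traffic.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above: the POST destinations and the recommended blocklist.
POST_DOMAINS = {
    "all-inclusiveresortstravel.com", "designtravelagency.com", "bigboattravel.com",
    "cpasolutiononline.com", "ciiapparelblog.com",
}
BLOCK_IPS = {"46.30.41.150", "108.167.140.175", "192.185.101.210"}

# Assumed Squid native access.log layout:
# "time elapsed client action/code size method url ident hierarchy/peer type"
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)

def target_host(method, url):
    """Destination host of a request; CONNECT lines carry host:port rather than a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def scan_squid_log(lines):
    """Return one alert dict per log line that touches an indicator from the post."""
    alerts = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue  # not a parseable Squid line; skip rather than guess
        host = target_host(m["method"], m["url"])
        reasons = []
        if host in POST_DOMAINS:
            reasons.append("POST to listed domain" if m["method"] == "POST"
                           else "contact with listed domain")
        if m["peer"] in BLOCK_IPS or host in BLOCK_IPS:
            reasons.append("blocklisted IP")
        if reasons:
            alerts.append({"ts": m["ts"], "client": m["client"], "host": host, "reasons": reasons})
    return alerts

# Constructed sample lines (hypothetical clients and paths, not real traffic).
SAMPLE_LOG = [
    "1445970000.123 210 10.0.0.12 TCP_MISS/200 512 POST http://bigboattravel.com/sample-path - HIER_DIRECT/108.167.140.175 text/html",
    "1445970001.456 50 10.0.0.12 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html",
    "1445970002.789 300 10.0.0.33 TCP_TUNNEL/200 4096 CONNECT ciiapparelblog.com:443 - HIER_DIRECT/192.185.101.210 -",
    "1445970003.000 120 10.0.0.40 TCP_MISS/404 300 GET http://46.30.41.150/ - HIER_DIRECT/46.30.41.150 text/html",
]

if __name__ == "__main__":
    for alert in scan_squid_log(SAMPLE_LOG):
        print(alert)
```

The second sample line is a benign control and produces no alert; the other three each match on the destination host, the upstream peer IP, or both.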