Sponsored by..

Wednesday 9 December 2015

Fake "Fretter Inc" spam leads to Teslacrypt ransomware

This email claims to be from the long-dead retailer Fretter Inc, but it is not. Instead it comes with a malicious attachment leading to the Teslacrypt ransomware.

From:    Tonia Graves [GravesTonia8279@ikom.rs]
Date:    9 December 2015 at 14:50
Subject:    Your order #11004118 - Corresponding Invoice #B478192D

Dear Valued Customer,

We are pleased to inform you that your order #11004118 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don't hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.

We look forward to your remittance and will the dispatch the goods.

Thank you for choosing our services we sincerely hope to continue doing business with you again.

Sincerely,
Tonia Graves


Sales Department Manager
Fretter Inc.
2715 Sycamore Road
Nyssa, OR 97913
There sender's name and the reference numbers change in each version. Attached is a file copy_invoice_11004118.zip which in turn contains a malicious script [VT 5/54] which in the sample I investigated was named invoice_iU9A2Y.js. When deofuscated it looks like this.

The Malwr report for that script shows it downloading from:

softextrain64.com/86.exe?1

The script itself shows an alternate location of:

46.151.52.197/86.exe?1

This has a VirusTotal detection rate of 3/55. A Malwr report on just the executable plus this Hybrid Analysis report shows it connecting to:

gjesdalbrass.no

It also tries to identify the IP address of the host by connecting to http://myexternalip.com/raw which is a benign service that you might consider to be a good indicator of compromise.

You can see in the screenshots of that Malwr report that this is ransomware, specifically Teslacrypt.

Recommended blocklist:
gjesdalbrass.no
softextrain64.com
46.151.52.197

1 comment:

Randy Belham said...

How do you get rid of it?