Sponsored by..

Monday 29 February 2016

Malware spam: "Invoice #16051052/15" / "Dear costumer"


This fake financial email (sent to "Dear costumer") has a malicious attachment.

From:    Velma hodson
Date:    29 February 2016 at 16:49
Subject:    Invoice #16051052/15

Dear costumer,

You are receiving this informational letter because of the fact that you have a debt totaling $157,54 due to late payment of invoices dating March ‘15.

In attachment you will find a reconciliation of the past 12 months (year 2015).

Please study the file and contact us immediately to learn what steps you should take to avoid the accrual of penalties.


I have only seen a single sample with an attachment named Invoice_ref-16051052.zip which in turn contains a malicious script invoice_kOUEsX.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 2/55 and these automated analysis tools [1] [2] show that it attempts to download a binary from the following locations:

ohiyoungbuyff.com/69.exe?1
helloyungmenqq.com/69.exe?1


The domain names have a similar theme, indicating that the servers are malicious. It migh be worth blocking:

91.196.50.241 (EuroNet, Poland)
50.3.16.250 (Eonix, US)


This Malwr report  shows that the dropped payload is ransomware, calling home to the following domains:

biocarbon.com.ec
imagescroll.com
music.mbsaeger.com
stacon.eu


I recommend that you block traffic to those domains plus the two IPs, giving a recommended blocklist of:

91.196.50.241
50.3.16.250
biocarbon.com.ec
imagescroll.com
music.mbsaeger.com
stacon.eu



No comments: