Sponsored by..

Monday 29 February 2016

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment:
From:    admin [ands21@victimdomain.tld]
Date:    29 February 2016 at 19:05
Subject:    Scanned image

Image data in PDF format has been attached to this email.
The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js  I have seen three different versions of the attached scripts with detection rates of around 1/55 [1] [2] [3]. The Malwr reports for those [4] [5] [6] show download locations at:

svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe [404]

This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at: (Dmitrii Podelko, Russia / OVH, France) (ITL aka UA Servers, Ukraine)

Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, howerver I recommend that you block all traffic to:

1 comment:

Danik said...

Nice catch!
Have you seen the preventive method to stop Locky provided by Minerva Labs?