From: admin [ands21@victimdomain.tld]
Date: 29 February 2016 at 19:05
Subject: Scanned image

Image data in PDF format has been attached to this email.

The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js. I have seen three different versions of the attached scripts with detection rates of around 1/55 [1] [2] [3]. The Malwr reports for those [4] [5] [6] show download locations at:
www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe
svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe [404]
mansolution.in.th/system/logs/7ygvtyvb7niim.exe
This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at:
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
185.14.29.188 (ITL aka UA Servers, Ukraine)
Note that one of the download locations is 404ing. There may be other download locations that I am not aware of; however, I recommend that you block all traffic to:
51.254.19.227
185.14.29.188
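As an added example (not part of the original post), the indicators above can be turned into a small check that a defender runs over proxy or firewall logs and over inbound mail attachments: the C&C IPs, the download hosts, the payload filename, and the ZIP-wrapping-a-.js attachment pattern described in the post. The log format and all log lines and attachment names below are constructed for the example; only the indicators themselves come from the post.

```python
"""Flag log lines and mail attachments against the Locky indicators in the post.
Added example, not the post's own code. Log format, log lines and attachment
names are constructed samples; the indicators are the ones listed above."""
import re
from urllib.parse import urlparse

# Download locations from the post. The 404ing host is kept on purpose:
# a request for a dead download location is still worth an alert.
DOWNLOAD_URLS = [
    "www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe",
    "svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe",
    "mansolution.in.th/system/logs/7ygvtyvb7niim.exe",
]
DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in DOWNLOAD_URLS}
PAYLOAD_NAME = "7ygvtyvb7niim.exe"
C2_IPS = {"51.254.19.227", "185.14.29.188"}  # C&C servers from the Malwr reports

# Attachment naming seen in this run: a 16-digit ZIP name such as
# 2016022936833473.zip carrying a script named like SCAN000469497.js
ZIP_NAME_RE = re.compile(r"^\d{16}\.zip$", re.IGNORECASE)
SCRIPT_NAME_RE = re.compile(r"^SCAN\d+\.js$", re.IGNORECASE)


def check_url(url):
    """Return the indicator tags matched by a requested URL (sorted list)."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = parsed.hostname or ""
    tags = []
    if host in C2_IPS:
        tags.append("locky-c2")
    if host in DOWNLOAD_HOSTS:
        tags.append("locky-download-host")
    if parsed.path.lower().endswith("/" + PAYLOAD_NAME):
        tags.append("locky-payload-name")
    return sorted(tags)


def check_connection(dst_ip):
    """Tag a bare connection (no URL) to one of the C&C addresses."""
    return ["locky-c2"] if dst_ip in C2_IPS else []


def check_attachment(zip_name, inner_names):
    """Tag the ZIP-with-SCAN*.js attachment pattern from this spam run."""
    tags = []
    if ZIP_NAME_RE.match(zip_name):
        tags.append("numeric-zip-name")
    if any(SCRIPT_NAME_RE.match(n) for n in inner_names):
        tags.append("scan-js-inside-zip")
    return tags


# Assumed (constructed) log format: "<timestamp> <src_ip> <dst_ip> <url-or-'-'>"
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_log(lines):
    """Return (timestamp, src_ip, tags) for every line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, dst, url = m.groups()
        tags = set(check_connection(dst))
        if url != "-":
            tags.update(check_url(url))
        if tags:
            hits.append((ts, src, sorted(tags)))
    return hits


# Constructed sample log: one payload download, one C&C connection, one benign request.
SAMPLE_LOG = [
    "2016-02-29T19:07:11Z 192.0.2.10 203.0.113.5 http://www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe",
    "2016-02-29T19:07:40Z 192.0.2.10 51.254.19.227 -",
    "2016-02-29T19:08:02Z 192.0.2.11 198.51.100.7 http://example.invalid/index.html",
]

if __name__ == "__main__":
    for ts, src, tags in scan_log(SAMPLE_LOG):
        print(ts, src, ",".join(tags))
    print(check_attachment("2016022936833473.zip", ["SCAN000469497.js"]))
```

The payload filename is matched independently of the host so that a new download location serving the same file still triggers, and the attachment check keys on the naming pattern rather than the exact names, since the post notes both the ZIP and the script names vary per message.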
1 comment:
Nice catch!
Have you seen the preventive method to stop Locky provided by Minerva Labs?
http://goo.gl/Y4QHa6