From: credit control [invoices@thistleremovals.co.uk]
Date: Fri, 19 Feb 2016 17:52:49 +0200
Subject: Unpaid Invoice #350

Message text:
Please see attached letter and a copy of the original invoice.

Attached is a file with a semi-random name, e.g. RG026052317614-SIG.zip, which contains a malicious script. The script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).
Third-party analysis (thank you) indicates that this then phones home to the following locations:
91.121.97.170/main.php (OVH, France)
46.4.239.76/main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106/main.php (Virty.io, Russia)
The payload is the Locky ransomware.
Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106
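One way to put the blocklist above to work on the defensive side is to sweep outbound proxy logs for any connection to the listed addresses. The script below is an added example, not part of the original post: it loads the three published entries (note that the /27 range covers the observed 46.4.239.76 as well as neighbouring hosts), pulls every IPv4 address out of each log line and reports the ones that fall inside a blocklisted host or range. The log lines are constructed for this example in a Squid-like layout; the 10.0.0.x clients and the 203.0.113.7 destination are documentation addresses, not from the post.

```python
import ipaddress
import re

# Blocklist exactly as published in the post: two single hosts and one /27 range.
BLOCKLIST = [
    "91.121.97.170",
    "46.4.239.64/27",
    "31.184.233.106",
]

# Constructed sample proxy log lines (Squid-style layout, invented for this example).
# Clients are 10.0.0.x; 203.0.113.7 is a TEST-NET address standing in for benign traffic.
SAMPLE_LOG = """\
1455895969.123 200 10.0.0.12 TCP_MISS/200 512 POST http://91.121.97.170/main.php - DIRECT/91.121.97.170 text/html
1455895970.456 150 10.0.0.13 TCP_MISS/200 1024 GET http://example.invalid/index.html - DIRECT/203.0.113.7 text/html
1455895971.789 210 10.0.0.14 TCP_MISS/200 480 POST http://46.4.239.76/main.php - DIRECT/46.4.239.76 text/html
1455895972.012 190 10.0.0.15 TCP_MISS/200 300 GET http://31.184.233.106/main.php - DIRECT/31.184.233.106 text/html
1455895973.345 120 10.0.0.16 TCP_MISS/200 700 GET http://46.4.239.200/ - DIRECT/46.4.239.200 text/html
"""

# Dotted-quad matcher; candidates are validated with ipaddress below, so 999.x.x.x is dropped.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_blocklist(entries):
    """Turn the published host/CIDR strings into ip_network objects.

    Bare addresses become /32 networks, so one containment test covers both
    single hosts and ranges.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def match_network(ip, networks):
    """Return the blocklist entry (as a string) that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def scan_log(log_text, networks):
    """Return (line_number, ip, matched_entry) for every blocklisted address seen.

    Each address is reported once per line even if it appears several times
    (e.g. in both the URL and the DIRECT/ field).
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        seen = set()
        for candidate in IPV4_RE.findall(line):
            if candidate in seen:
                continue
            seen.add(candidate)
            try:
                matched = match_network(candidate, networks)
            except ValueError:
                # Regex matched something that is not a valid IPv4 address.
                continue
            if matched is not None:
                hits.append((lineno, candidate, matched))
    return hits


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST)
    for lineno, ip, entry in scan_log(SAMPLE_LOG, nets):
        print(f"line {lineno}: {ip} matches blocklist entry {entry}")
```

Running it against the constructed log flags lines 1, 3 and 4; the client in line 5 reached 46.4.239.200, which sits outside the 46.4.239.64/27 range (hosts .64 to .95) and so is correctly left alone.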