
Friday 19 February 2016

Malware spam: "Unpaid Invoice #350" / credit control [invoices@thistleremovals.co.uk]

This fake financial spam does not come from Thistle Removals but is instead a simple forgery with a malicious attachment.
From     credit control [invoices@thistleremovals.co.uk]
Date     Fri, 19 Feb 2016 17:52:49 +0200
Subject     Unpaid Invoice #350
Message text

Please see attached letter and a copy of the original invoice.
Attached is a file with a semirandom name, e.g. RG026052317614-SIG.zip, which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).

Third party analysis (thank you) indicates that this then phones home to the following locations:

91.121.97.170/main.php (OVH, France)
46.4.239.76/main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106/main.php (Virty.io, Russia)

The payload is the Locky ransomware.

Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106
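
To check whether any machine has already contacted these hosts, the blocklist can be run over web proxy logs. The script below is an added example, not part of the original post: the log format (time, client, method, URL) and the sample lines are constructed for illustration, and only the three blocklist entries and the /main.php path come from the post. It also shows that the /27 entry covers 46.4.239.64 to 46.4.239.95, so neighbours of 46.4.239.76 match while addresses outside that range do not.

```python
import ipaddress
import re

# Blocklist entries taken from the post above.
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("91.121.97.170/32", "46.4.239.64/27", "31.184.233.106/32")]

# Constructed sample proxy log lines (assumed format: time client method URL).
SAMPLE_LOG = """\
2016-02-19T16:01:12Z 10.0.0.21 POST http://46.4.239.76/main.php
2016-02-19T16:01:15Z 10.0.0.34 GET http://46.4.239.90/index.html
2016-02-19T16:02:40Z 10.0.0.21 POST http://91.121.97.170/main.php
2016-02-19T16:03:02Z 10.0.0.50 GET http://46.4.239.100/main.php
2016-02-19T16:03:30Z 10.0.0.50 GET http://example.com/main.php
"""

# Matches URLs whose host part is a literal IPv4 address.
URL_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/\S*)?$")


def sweep(log_text):
    """Return (client, dest_ip, matched_network, is_main_php) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, _, url = fields
        m = URL_RE.match(url)
        if not m:
            continue  # hostname destinations are out of scope for this sweep
        try:
            dest = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a valid IPv4 address, e.g. 999.1.1.1
        net = next((n for n in BLOCKLIST if dest in n), None)
        if net is not None:
            is_main_php = (m.group(2) or "") == "/main.php"
            hits.append((client, str(dest), str(net), is_main_php))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(hit)
```

A hit with the last field set to True matches both a blocklisted address and the phone-home path reported in the post, which makes that client the first candidate for isolation and inspection.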

