
Monday, 14 March 2016

Malware spam: "Blocked Transaction. Case No 19706002" leads to Teslacrypt

This fake financial transaction has a malicious attachment:

From:    Judy brittain
Date:    14 March 2016 at 08:12
Subject:    Blocked Transaction. Case No 19706002

The Automated Clearing House transaction (ID: 19706002), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID: 09293
Transaction Amount: 607,89 USD
Sender e-mail: brittainJudy056@panick.com.ar
Reason of Termination: See attached statement
The sender's name, reference numbers and dollar amounts vary from message to message. The attachment names are randomly generated (the format appears to be the same as in this earlier run) and each attachment contains either one or four malicious scripts. According to this analysis, the scripts download from:

ohelloguyzzqq.com/85.exe?1

Although the infection mechanism appears to be the same as in this spam run, the dropped executable has changed: its MD5 is now 57759F7901EBA73040597D4BA57D511A, with a detection rate of 2/55. This is Teslacrypt ransomware, and I recommend that you block traffic to the IP addresses listed here.
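As an added illustration (not code from the original post), here are a few Python triage helpers built from the indicators above: a subject filter for the campaign's fixed wording with a varying case number, a proxy-log check that matches the download host by parsed hostname rather than substring (so look-alike domains and mixed-case or port-qualified URLs are handled correctly), and an MD5 comparison against the dropped executable. The proxy log lines, mail subjects and file contents are constructed for the example; only the host, URL and MD5 come from the post.

```python
"""Triage helpers for the IOCs in this post (added example, not the post's own code).

The sample log, subjects and file bytes are constructed; only MALICIOUS_HOST
and DROPPED_EXE_MD5 are taken from the post.
"""
import hashlib
import re
from urllib.parse import urlparse

# Indicators stated in the post.
MALICIOUS_HOST = "ohelloguyzzqq.com"                    # serves /85.exe?1
DROPPED_EXE_MD5 = "57759f7901eba73040597d4ba57d511a"

# The subject varies only in the case number, so match the fixed text plus digits.
SUBJECT_RE = re.compile(r"^Blocked Transaction\. Case No \d+$")

# Constructed proxy log in a Squid-like layout: timestamp, client IP, status, method, URL.
# Line 3 uses mixed case and an explicit port; line 4 is a look-alike host that must not match.
SAMPLE_PROXY_LOG = """\
1457942400.123 10.0.0.5 TCP_MISS/200 GET http://ohelloguyzzqq.com/85.exe?1
1457942401.456 10.0.0.7 TCP_HIT/200 GET http://www.example.com/index.html
1457942402.789 10.0.0.9 TCP_MISS/200 GET http://OHELLOGUYZZQQ.COM:80/85.exe?1
1457942403.000 10.0.0.5 TCP_MISS/200 GET http://ohelloguyzzqq.com.example.net/x
"""


def is_campaign_subject(subject: str) -> bool:
    """True for subjects in the exact form used by this spam run."""
    return bool(SUBJECT_RE.match(subject.strip()))


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL without the port, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def find_download_hits(log_text: str, bad_host: str = MALICIOUS_HOST):
    """Return (client_ip, url) for every log line whose URL host equals bad_host.

    Comparing the parsed hostname avoids false positives on hosts that merely
    contain the string (e.g. ohelloguyzzqq.com.example.net) and still catches
    case variants and port-qualified forms of the real host.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                      # malformed or truncated line, skip it
        client_ip, url = fields[1], fields[4]
        if host_of(url) == bad_host.lower():
            hits.append((client_ip, url))
    return hits


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 is used only because the post gives an MD5 IOC)."""
    return hashlib.md5(data).hexdigest()


def matches_dropped_exe(data: bytes, known_md5: str = DROPPED_EXE_MD5) -> bool:
    """Compare a file's MD5 against the IOC, ignoring hex case."""
    return md5_hex(data) == known_md5.lower()


if __name__ == "__main__":
    for client_ip, url in find_download_hits(SAMPLE_PROXY_LOG):
        print(f"download of Teslacrypt dropper by {client_ip}: {url}")
    print(is_campaign_subject("Blocked Transaction. Case No 19706002"))
```

Hash matching is only useful while the dropped binary stays the same; as the post notes, the executable changed between runs while the delivery mechanism did not, so the host and subject rules are the ones worth keeping in a mail filter or proxy alert.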

1 comment:

John Barness said...

Thank you for describing this case. The malware threat is one that needs to be eliminated entirely before the Internet of Things starts working, because it may cause unpredictable consequences. Besides, it would be useful for cloud data security systems like Ideals data room and similar.