Tuesday 1 March 2016

Malware spam: "Dear ValuedCustomer, It is very unpleasant to hear about the delay with your order"

This strangely worded spam leads to the Locky ransomware:
From     =cU3RlZmFuaWUgU3VsbGl2YW4=?= [SullivanStefanie68750@numericable.fr]
Date     Tue, 01 Mar 2016 13:40:48 +0200
Subject     =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0UwOCwgSW52b2ljZSAjMzI1ODMzNDY=?=

Dear ValuedCustomer,

It is very unpleasant to hear about the delay with your order #7B6B7E08, but be sure
thatour department will do its best to resolve the problem.It usually takes around7
business days to deliver a package of this size to your region.

The local post office should contact your as soon as they will receive theparcel.Be
sure that your purchase will be delivered in time and we alsoguarantee that you will
be satisfied with our services.

Thank you for your business with our company.

Stefanie Sullivan
Sales Manager

All the samples I have seen have slightly mangled headers. The sender name varies. Attached is a ZIP file named in a similar format to order_copy_7B6B7E08.zip which contains a malicious script named something like:

important_181031694.js
warning_659701636.js
statistics_466026824.js
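
A mail-gateway style check for the attachment pattern described above, as an added example that is not part of the original post: it flags any ZIP attachment containing a script file and notes whether the ZIP name matches the order_copy_ naming. The function names, the script-extension list and the sample message are assumptions constructed for illustration.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Script types Windows Script Host runs on double-click (assumed deny list).
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Attachment naming reported in the post, e.g. order_copy_7B6B7E08.zip
ZIP_NAME = re.compile(r"order_copy_[0-9A-F]{8}\.zip", re.I)


def inspect_message(raw_bytes):
    """Return one finding per ZIP attachment that carries a script file."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        data = part.get_payload(decode=True)
        # Trust the ZIP magic bytes, not the declared name or MIME type.
        if not name or not data or not data.startswith(b"PK\x03\x04"):
            continue
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            continue
        scripts = [m for m in members if m.lower().endswith(SCRIPT_EXT)]
        if scripts:
            findings.append({
                # The policy decodes the RFC 2047 encoded Subject on access.
                "subject": str(msg["Subject"] or ""),
                "attachment": name,
                "campaign_name": bool(ZIP_NAME.fullmatch(name)),
                "scripts": scripts,
            })
    return findings


def build_sample():
    """Constructed message: the post's Subject header, ZIP with an inert .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("important_181031694.js", "// inert placeholder\n")
    m = EmailMessage()
    m.set_content("Dear ValuedCustomer, ...")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="order_copy_7B6B7E08.zip")
    subject = (b"Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0Uw"
               b"OCwgSW52b2ljZSAjMzI1ODMzNDY=?=\n")
    return subject + m.as_bytes()
```

Flagging on the script inside the archive rather than on the file name keeps the check useful when the sender rotates the order_copy_ prefix or the script's name.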

I have seen six different samples so far with zero detection rates [1] [2] [3] [4] [5] [6] and which according to these analyses [7] [8] [9] [10] [11] [12] attempt to download a Locky binary from:

sitemar.ro/5/92buyv5
pacificgiftcards.com/3/67t54cetvy
maisespanhol.com.br/1/8y7h8bv6f


Those binaries phone home to:

5.34.183.195/main.php
31.184.197.119/main.php


Those C&C servers are the same as I mentioned in this spam run and I suggest you block traffic to:

5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55

