
Thursday 17 March 2016

Malware spam: "Documentxx" apparently coming from the victim leads to Locky

This spam appears to come from the victim, but this is just a simple forgery (explained here). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is no body text. Here is an example:
From:    victim@domain.tld
To:    victim@domain.tld
Date:    17 March 2016 at 10:37
Subject:    Document32
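The traits described above (From equal to To, a "Document" plus one or two digit subject, a ZIP attachment with the same name and no body text) can be turned into a mail-gateway check. The following Python is an added example written for this post, not code from the original; the sample messages it builds are constructed in-line, and the rule is only a filter for this particular campaign, not a general Locky signature.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject pattern used by this campaign: "Document" followed by 1-2 digits.
SUBJECT_RE = re.compile(r"^Document(\d{1,2})$")


def matches_document_spam(raw: bytes) -> bool:
    """Return True when a raw RFC 822 message shows all of the campaign's traits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    m = SUBJECT_RE.match((msg["Subject"] or "").strip())
    if not m:
        return False
    # Simple forgery: envelope-visible From address is the recipient's own address.
    sender = parseaddr(msg["From"] or "")[1].lower()
    recipient = parseaddr(msg["To"] or "")[1].lower()
    if not sender or sender != recipient:
        return False
    # The spam carries no body text at all.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and body.get_content().strip():
        return False
    # The ZIP attachment is named after the subject, e.g. Document32.zip.
    expected = f"{m.group(0).lower()}.zip"
    return any((part.get_filename() or "").lower() == expected
               for part in msg.iter_attachments())


def build_sample(subject: str, sender: str, recipient: str,
                 body: str, attachment_name: str) -> bytes:
    """Construct a test message (hypothetical data, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = "Thu, 17 Mar 2016 10:37:00 +0000"
    if body:
        msg.set_content(body)
    # Placeholder bytes stand in for the attachment; only the filename matters here.
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    spam = build_sample("Document32", "victim@domain.tld", "victim@domain.tld", "", "Document32.zip")
    print("flagged" if matches_document_spam(spam) else "clean")
```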
Inside is a randomly-named script (VirusTotal reports on the samples: [1] [2] [3] [4] [5] [6] [7]). These Malwr reports [8] [9] [10] [11] [12] [13] indicate that the script attempts to download a binary from the following locations:


The dropped binary has a detection rate of just 2/57. Those reports and these other automated analyses [14] [15] [16] show network traffic to:
(PS Internet Company LLC, Kazakhstan)
(Infium UAB, Ukraine)
(SmartApe, Russia)
(Ukrainian Internet Names Center, Ukraine)

This is Locky ransomware.

Recommended blocklist:

1 comment:

DK said...

Other links: