Sponsored by..

Thursday, 17 March 2016

Malware spam: "Documentxx" apparently coming from the victim leads to Locky

This spam appears to come from the victim, but this is just a simple forgery (explained here). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is no body text. Here is an example:
From:    victim@domain.tld
To:    victim@domain.tld
Date:    17 March 2016 at 10:37
Subject:    Document32
Inside is a randomly-named script (samples VirusTotal reports [1] [2] [3] [4] [5] [6] [7]). These Malwr reports [8] [9] [10] [11] [12] [13]  indicate that the script attempts to download a binary from the following locations:

escortbayan.xelionphonesystem.com/wp-content/plugins/hello123/89h8btyfde445.exe
fmfgrzebel.pl/wp-content/plugins/hello123/89h8btyfde445.exe
superiorelectricmotors.com/wp-content/plugins/hello123/89h8btyfde445.exe
sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe
bezerraeassociados.com.br/wp-content/plugins/hello123/89h8btyfde445.exe


The dropped binary has a detection rate of just 2/57. Those reports and these other automated analyses [14] [15] [16] show network traffic to:

78.40.108.39 (PS Internet Company LLC, Kazakhstan)
46.148.20.46 (Infium UAB, Ukraine)
188.127.231.116 (SmartApe, Russia)
195.64.154.114 (Ukrainian Internet Names Center, Ukraine)


This is Locky ransomware.

Recommended blocklist:
78.40.108.39
46.148.20.46
188.127.231.116
195.64.154.114







1 comment:

DK said...

Another links:

http://cepteknik.org/wp-content/plugins/hello123/89h8btyfde445.exe
http://samaseclothes.com/wp-content/plugins/hello123/89h8btyfde445.exe