
Monday, 7 March 2016

Malware spam: "E-Service (Europe) Ltd Invoice No: 10013405" / andrew.williams@eurocoin.co.uk

This fake financial spam leads to malware:

From     Andrew Williams [andrew.williams@eurocoin.co.uk]
Date     Mon, 07 Mar 2016 17:37:49 +0530
Subject     E-Service (Europe) Ltd Invoice No: 10013405

Dear Customer,

Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.

Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment on:

Tel (44) 01707 280000
Email: accounts@e-service.co.uk

Or logon and register to access your customer portal where you can view all historic
orders & transactions on www.e-service.co.uk

PLEASE NOTE NEW E-SERVICE (EUROPE) BANK DETAILS:

Currency   A/C No.    Sort Code   Swift Code   IBAN No.
GBP        21698613   40-04-37    MIDLGB22     GB48MIDL40043721698613
EUR        71685997   40-05-15    MIDLGB22     GB75MIDL40051571685997

Kind regards

E-Service (Europe) Accounts Team

Attached is a ZIP file named Invoice 10013405.zip, which contains one of a wide range of randomly named scripts.

A trusted third-party analysis (thank you!) shows that the script fetches the payload from one of the following download locations:

aqarhits.com/system/logs/87tg7v645c.exe
alexkote.ru/wp-content/plugins/87tg7v645c.exe
azshop24.com.vn/system/logs/87tg7v645c.exe
dsignshop.com.au/system/logs/87tg7v645c.exe
fibrefamily.ru/system/logs/87tg7v645c.exe
jldoptics.com/system/logs/87tg7v645c.exe
kiddyshop.kiev.ua/image/data/87tg7v645c.exe
kievelectric.kiev.ua/art/media/87tg7v645c.exe
lightsroom.ru/system/logs/87tg7v645c.exe
ptunited.net/system/logs/87tg7v645c.exe
scs-smesi.ru/published/PD/87tg7v645c.exe
shapes.com.pk/system/logs/87tg7v645c.exe
sub4.gustoitalia.ru/system/logs/87tg7v645c.exe
surprise.co.in/system/logs/87tg7v645c.exe
texfibre.eu/system/logs/87tg7v645c.exe
www.promumedical.com/system/logs/87tg7v645c.exe
www.souqaqonline.com/system/logs/87tg7v645c.exe

The dropped binary (87tg7v645c.exe) has a detection rate of just 5/56, and the Malwr report clearly shows that this is the Locky ransomware.

My contact reports that the malware phones home to:

192.121.16.196 (EDIS, Netherlands)
46.108.39.18 (EDIS, Romania)
212.47.223.19 (Web Hosting Solutions OY, Estonia)
109.237.111.168 (Krek Ltd, Russia)
185.92.220.35 (Choopa LLC, Netherlands)
89.108.85.163 (Agava Ltd, Russia)
192.71.213.69 (EDIS, Spain)

Recommended blocklist:
192.121.16.196
46.108.39.18
212.47.223.19
109.237.111.168
185.92.220.35
89.108.85.163
192.71.213.69
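As an added example (my own code, not part of the original post or the third-party analysis), the script below checks proxy/firewall log lines against the indicators on this page: the published download URLs, the shared payload file name 87tg7v645c.exe, and the phone-home IPs in the blocklist. The log format, the sample lines and the placeholder source/destination addresses are constructed for illustration; only the indicators themselves come from the post.

```python
import re
from urllib.parse import urlsplit

# Payload download locations as published on this page (scheme omitted, as in the post).
PAYLOAD_URLS = """
aqarhits.com/system/logs/87tg7v645c.exe
alexkote.ru/wp-content/plugins/87tg7v645c.exe
azshop24.com.vn/system/logs/87tg7v645c.exe
dsignshop.com.au/system/logs/87tg7v645c.exe
fibrefamily.ru/system/logs/87tg7v645c.exe
jldoptics.com/system/logs/87tg7v645c.exe
kiddyshop.kiev.ua/image/data/87tg7v645c.exe
kievelectric.kiev.ua/art/media/87tg7v645c.exe
lightsroom.ru/system/logs/87tg7v645c.exe
ptunited.net/system/logs/87tg7v645c.exe
scs-smesi.ru/published/PD/87tg7v645c.exe
shapes.com.pk/system/logs/87tg7v645c.exe
sub4.gustoitalia.ru/system/logs/87tg7v645c.exe
surprise.co.in/system/logs/87tg7v645c.exe
texfibre.eu/system/logs/87tg7v645c.exe
www.promumedical.com/system/logs/87tg7v645c.exe
www.souqaqonline.com/system/logs/87tg7v645c.exe
""".split()

# Phone-home (C2) addresses from the recommended blocklist above.
C2_IPS = {
    "192.121.16.196", "46.108.39.18", "212.47.223.19", "109.237.111.168",
    "185.92.220.35", "89.108.85.163", "192.71.213.69",
}

# Every published download location serves the same file name.
PAYLOAD_NAME = "87tg7v645c.exe"


def parse_url(url):
    """Return (host, path) for a URL that may lack a scheme; host is lower-cased."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


PAYLOAD_SET = {parse_url(u) for u in PAYLOAD_URLS}

# Constructed (hypothetical) log format: timestamp src_ip dst_ip method url status.
# A "-" URL stands for a connection for which the proxy saw no HTTP request line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line):
    """Return a list of (indicator_type, detail) hits for one log line, [] if clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: not a detection (a real deployment would count these)
    hits = []
    if m.group("dst") in C2_IPS:
        hits.append(("c2_ip", m.group("dst")))
    url = m.group("url")
    if url == "-":
        return hits
    host, path = parse_url(url)
    if host in C2_IPS and ("c2_ip", host) not in hits:
        hits.append(("c2_ip", host))  # C2 contacted by IP address in the URL itself
    if (host, path) in PAYLOAD_SET:
        hits.append(("payload_url", host + path))
    elif path.rsplit("/", 1)[-1] == PAYLOAD_NAME:
        # The list of compromised hosts is almost certainly incomplete, so the
        # shared file name is worth a lower-confidence hit on its own.
        hits.append(("payload_name", host + path))
    return hits


def scan(lines):
    """Return [(line, hits)] for every line that matched at least one indicator."""
    return [(line, hits) for line in lines if (hits := classify(line))]


# Constructed sample traffic: one benign request, one payload fetch, one C2
# contact by IP, one fetch of the same file name from an unlisted host, and one
# unparseable line. The 10.0.0.0/8 and TEST-NET addresses are placeholders.
SAMPLE_LOG = [
    "2016-03-07T12:09:01Z 10.0.0.23 93.184.216.34 GET http://example.com/index.html 200",
    "2016-03-07T12:09:44Z 10.0.0.23 203.0.113.10 GET http://jldoptics.com/system/logs/87tg7v645c.exe 200",
    "2016-03-07T12:10:02Z 10.0.0.23 192.121.16.196 POST - 200",
    "2016-03-07T12:11:15Z 10.0.0.45 198.51.100.7 GET http://www.example.net/files/87tg7v645c.exe 404",
    "this is not a log line",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits, "<-", line)
```

Matching on the exact host and path is the high-confidence check, but the set of compromised sites hosting the payload changes from run to run, so the file-name match and the C2 addresses are the indicators worth keeping in a detection rule once this particular list has gone stale.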
