From: documents@victimdomain.tld
Date: 1 March 2016 at 13:43
Subject: Emailing: MX62EDO 01.03.2016
Your message is ready to be sent with the following file or link attachments:
MX62EDO 01.03.2016 SERVICE SHEET
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
I have seen two samples so far, each with an attachment whose name is similar to MX62EDO20160301538482.zip and which contains a malicious, randomly-named script (e.g. PK5293425659.js). Detection rates on the scripts are fairly low [1] [2]. According to these Malwr reports [3] [4] the payload is the Locky ransomware. These two samples download malicious binaries from:
tianshilive.ru/vqmod/xml/87yhb54cdfy.exe
ubermensch.altervista.org/system/logs/87yhb54cdfy.exe
In turn, these attempt to phone home to:
31.184.197.119/main.php
5.34.183.195/main.php
These are the same C&C servers as seen here.
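The two defender-side checks that follow from the above, as an added example that is not part of the original post: first, an attachment inspector that opens a .zip in memory and reports any script members (the lure here is a randomly-named .js inside a .zip whose name starts with MX62EDO), and second, a proxy-log matcher for the download and C&C indicators listed above. The zip bytes, the log line layout (`<timestamp> <client-ip> <url>`) and the log lines themselves are constructed for the example; only the indicator values come from the post.

```python
"""Added example (not from the original post): two defender-side checks for
the campaign described above.

1. inspect_attachment(): open a .zip attachment in memory and list any script
   files inside it, without extracting or running anything.
2. scan_proxy_log(): match outbound web requests against the download and
   C&C indicators quoted from the post.

The zip bytes and log lines below are constructed for the example; the
indicator values themselves are the ones the post lists.
"""
import io
import re
import zipfile
from urllib.parse import urlsplit

# Indicators quoted from the post. The first two hosts serve the binary; the
# two IPs are the C&C servers it phones home to.
PAYLOAD_URLS = {
    "tianshilive.ru/vqmod/xml/87yhb54cdfy.exe",
    "ubermensch.altervista.org/system/logs/87yhb54cdfy.exe",
}
C2_URLS = {
    "31.184.197.119/main.php",
    "5.34.183.195/main.php",
}

# Windows Script Host / HTML Application extensions worth flagging inside a zip.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

# Attachment name pattern seen in the post and comments: MX62EDO + digits + .zip
LURE_NAME_RE = re.compile(r"^MX62EDO\d+\.zip$", re.IGNORECASE)


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return findings for a single attachment without executing anything."""
    findings = {"lure_name": bool(LURE_NAME_RE.match(filename)),
                "scripts": [], "is_zip": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Only the member name is examined; nothing is extracted.
            if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                findings["scripts"].append(info.filename)
    return findings


def _normalise(url: str) -> str:
    """Reduce a URL to host/path so http:// and https:// forms both match."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.netloc.lower() + parts.path


def scan_proxy_log(lines) -> list:
    """Return (line_no, kind, url) for every request matching an indicator.

    Assumed log layout (constructed for this example): "<ts> <client> <url>".
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 3:
            continue
        url = _normalise(fields[2])
        if url in PAYLOAD_URLS:
            hits.append((n, "payload-download", url))
        elif url in C2_URLS:
            hits.append((n, "c2-checkin", url))
    return hits


def _build_sample_zip() -> bytes:
    """Construct a harmless zip holding an empty .js member, mimicking the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PK5293425659.js", "")  # empty member; only the name matters
    return buf.getvalue()


# Constructed proxy log: one payload fetch, one C&C check-in, one benign request.
SAMPLE_LOG = [
    "2016-03-01T13:50:02 10.0.0.15 http://tianshilive.ru/vqmod/xml/87yhb54cdfy.exe",
    "2016-03-01T13:50:09 10.0.0.15 http://31.184.197.119/main.php",
    "2016-03-01T13:51:00 10.0.0.22 https://www.example.com/index.html",
]

if __name__ == "__main__":
    print(inspect_attachment("MX62EDO20160301538482.zip", _build_sample_zip()))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The attachment check deliberately flags on the member name only, so it is safe to run at a mail gateway; a hit on `lure_name` plus a non-empty `scripts` list is the shape of this campaign. The log matcher compares host and path rather than the full raw URL so that scheme and host-case differences in proxy logs do not cause misses.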
9 comments:
Received this phishing email "Emailing: MX62EDO 01.03.2016" as a document zip from my internet provider telus.com. Glad I found this alert before I opened it. Thanks a million!!!!!!!!!!!!!
If we receive an email from our own domain, does it mean there's a sending script somewhere in our website files? Should I be running malware checks or contact my website provider?
Thanks for this useful information !
If I have already opened the attachment, how do i go about removing the malware code?
@Archa - no, this is just a simple forgery. Your server is not sending the email, it really is almost stupidly easy to forge who an email is "From"
@D Sterling - this impacts Windows PCs only. You would have to open the attachment and then run the .js file inside. If infected then your files will be encrypted and you'll see a ransom notice. If you don't see that, then there is a chance you are not infected. Most anti-virus products will catch up with the threat in 24 to 48 hours, so running one later may clean your machine up.
Hi,
I received such a message and attachment today evening:
> x-mailer: Microsoft Office Outlook 11
> date: Tue, 01 Mar 2016 22:36:07 +0430
> subject: Emailing: MX62EDO 01.03.2016
> attachment: MX62EDO201603014484.zip (2.1 KB)
> ...
> MX62EDO 01.03.2016 SERVICE SHEET
Wonder how the sender got the email: From emails lists or rather from bots scanning the Web, what do you think is the probable initial origin? Note: Mine is displayed on some websites for legal motives.
Thanks very much for publishing your inquiry report here!
Cyrille L "kozaki"
Got one today, too. In Alaska and from my own address. Luckily I don't open attachments that don't make sense and it said it was from me, but I don't have Avast installed, another red flag.
Got one myself today (March 2) in my in-box. ... sender is "documents@[mydomain].com", but there's no such email address at that domain (and I should know, since I own and run it!). Topic is "Emailing: MX62EDO 01.03.2016." Attachment is "MX62EDO201603015669.zip". Didn't un-zip it (duh). Text says "scanned by Avast" but I don't use Avast. Scans by MBAM Anti-Malware Bytes and Windows Defender do NOT find this item to be problematic. Hope they update their definitions soon.