Sponsored by..

Wednesday 30 March 2016

Malware spam: "Facture client N° FC_462982347 du 30/03/2016" leads to Locky

This French-language spam is pretending to be a renewal for anti-virus software, however instead it has a malicious attachment:

From:    administrator [netadmin@victimdomain.tld]
Date:    30 March 2016 at 11:09
Subject:    Facture client N° FC_462982347 du 30/03/2016

Bonjour,

Veuillez trouver ci-joint la facture pour le renouvellement de votre antivirus.

Bonne réception

A.Morel
It pretends to come from within the victim's own domain, but this is a simple forgery. The reference number changes from email to email, attached is a ZIP file named consistently with the subject (e.g. FC_462982347.zip). This ZIP file contains a malicious script (typical detection rate 8/56) which then downloads Locky ransomware. According to these automated analyses [1] [2] [3] [4] [5] show the scripts downloading from the following locations (there are almost definitely more):

bezuhova.ru/45t3443r3
thespinneyuk.com/45t3443r3
tishaclothing.co.za/45t3443r3


This dropped binary has a detection rate of 7/56. According to these analyses [6] [7] [8] it phones home to the same servers detailed in this earlier blog post.



No comments: