
Friday, 11 March 2016

Malware spam: "FW: Payment 16-03-#507586" / "We have received this documents from your bank, please review attached documents."

These spam messages come from various senders with different references and attachment names.

From:    Thanh Sears
Date:    11 March 2016 at 10:29
Subject:    FW: Payment 16-03-#507586

Dear [redacted],

We have received this documents from your bank, please review attached documents.

Yours sincerely,

Thanh Sears
Financial Manager


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script. The script name contains one of the following strings plus a random number, and some also appear to carry a # sign at the end.

  • Post_Shipment_Confirmation_id
  • Post_Shipment_Label_id
  • q.
  • Post_Shipment_Case_id
  • Post_Tracking_Confirmation_id
  • Post_Parcel_Confirmation_id

Detection rates for these scripts are all zero at the moment [1] [2] [3]. A Malwr analysis of some of the samples [4] [5] [6] shows download locations at:

nro.gov.sd/23r35y44y5
nobilitas.cz/0954t4h45


There are probably other download locations. The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to block are the same as found in this earlier Locky run.
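As an added example (not code from the original post), a defender-side Python check that inspects an attachment against the naming pattern described above: the outer payment_doc_<number>.zip name and the listed name fragments plus a number and optional trailing # inside it. The ZIP contents here are constructed, and the script file extension is an assumption since the post does not name it.

```python
import io
import re
import zipfile

# Name fragments the post reports inside the script file names.
SCRIPT_NAME_FRAGMENTS = [
    "Post_Shipment_Confirmation_id",
    "Post_Shipment_Label_id",
    "q.",  # very short fragment: expect false positives such as "faq.2016.pdf"
    "Post_Shipment_Case_id",
    "Post_Tracking_Confirmation_id",
    "Post_Parcel_Confirmation_id",
]

# Outer attachment: payment_doc_<number>.zip, the number matching the subject line.
ZIP_NAME_RE = re.compile(r"^payment_doc_\d+\.zip$", re.IGNORECASE)

# Inner script: <anything><fragment><digits>[#].<ext>. The post does not name the
# extension, so any short one is accepted here (assumption).
SCRIPT_NAME_RE = re.compile(
    r"(?:" + "|".join(re.escape(f) for f in SCRIPT_NAME_FRAGMENTS) + r")\d+#?\.[A-Za-z0-9]{1,5}$"
)


def suspicious_member_names(zip_bytes):
    """Return ZIP member names that follow the observed script naming pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if SCRIPT_NAME_RE.search(name)]


def classify_attachment(filename, zip_bytes):
    """Flag on a member-name hit; the outer ZIP name is a supporting signal only."""
    members = suspicious_member_names(zip_bytes)
    return {
        "zip_name_matches": bool(ZIP_NAME_RE.match(filename)),
        "suspicious_members": members,
        "flag": bool(members),
    }


def build_sample_zip(member_names):
    """Build an in-memory ZIP with empty members (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "")
    return buf.getvalue()
```

The outer ZIP name alone does not flag because the post notes that attachment names vary between senders; a hit on the inner script name is the stronger signal.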

UPDATE 1

Two further download locations can be found at:

www.momstav.com/087hg67
perfumy_alice.republika.pl/08h867g5

The dropped binaries are different again [1] [2], but it is still Locky phoning home to the C2s detailed here.

UPDATE 2

Further download locations are at:

50.28.211.199/hdd0/89o8i76u5y4
galit-law.co.il/32tguynjk
peterdickem.com/87745g
scorpyofilms.com/67j5h5h4
thaihost.biz/bestylethai.com/43t3gh4


Again, the dropped binaries are all different but seem to be Locky [1] [2] [3] [4] [5].

1 comment:

TZ-Security said...

nro.gov .sd/23r35y44y5 is actually hosting an iframed page from http://tehnoartss .in/kk/PC1sFW, with parameters ?se_referrer=' + encodeURIComponent(document.referrer) + '&default_keyword=' + encodeURIComponent(document.title) +