From: Thanh Sears
Date: 11 March 2016 at 10:29
Subject: FW: Payment 16-03-#507586
Dear [redacted],
We have received these documents from your bank, please review attached documents.
Yours sincerely,
Thanh Sears
Financial Manager
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script. The script name contains one of the following strings followed by a random number, and some names also appear to end with a # sign.
- Post_Shipment_Confirmation_id
- Post_Shipment_Label_id
- q.
- Post_Shipment_Case_id
- Post_Tracking_Confirmation_id
- Post_Parcel_Confirmation_id
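As an added example (not part of the original post), the attachment naming pattern described above can be turned into a mail-gateway or triage check. It assumes the inner script carries a common script extension and that the # sign, where present, sits at the end of the name stem; both are assumptions, since the post does not state them.

```python
import io
import re
import zipfile

# Script-name fragments observed in this campaign (taken from the post).
PREFIXES = [
    "Post_Shipment_Confirmation_id",
    "Post_Shipment_Label_id",
    "q.",
    "Post_Shipment_Case_id",
    "Post_Tracking_Confirmation_id",
    "Post_Parcel_Confirmation_id",
]

# Outer archive: payment_doc_<digits>.zip
ZIP_NAME_RE = re.compile(r"^payment_doc_\d+\.zip$", re.IGNORECASE)

# Inner entry: <fragment><digits>[#].<script ext>[#]
# Assumption: script extensions and the position of the optional '#'.
SCRIPT_EXTS = ("js", "jse", "vbs", "vbe", "wsf")
INNER_RE = re.compile(
    r"(?:" + "|".join(re.escape(p) for p in PREFIXES) + r")\d+#?"
    r"\.(?:" + "|".join(SCRIPT_EXTS) + r")#?$",
    re.IGNORECASE,
)


def inspect_zip(zip_name: str, data: bytes) -> dict:
    """Report whether an attachment matches the campaign's naming pattern.

    Only entry names are examined; the archive contents are never executed.
    """
    findings = {"zip_name_match": bool(ZIP_NAME_RE.match(zip_name)),
                "suspicious_entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if INNER_RE.search(info.filename):
                findings["suspicious_entries"].append(info.filename)
    # Flag when both the outer name and at least one inner entry match.
    findings["verdict"] = (findings["zip_name_match"]
                           and bool(findings["suspicious_entries"]))
    return findings


def build_sample_zip(entries) -> bytes:
    """Constructed test input: an in-memory ZIP with harmless placeholder files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, "// constructed placeholder, not the real script\n")
    return buf.getvalue()
```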
nro.gov.sd/23r35y44y5
nobilitas.cz/0954t4h45
There are probably other download locations. The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to block are the same as found in this earlier Locky run.
UPDATE 1
Two further download locations can be found at:
www.momstav.com/087hg67
perfumy_alice.republika.pl/08h867g5
The dropped binaries are different again [1] [2], but it is still Locky phoning home to the C2s detailed here.
UPDATE 2
Further download locations are at:
Again, the dropped binaries are all different but seem to be Locky [1] [2] [3] [4] [5].
1 comment:
nro.gov .sd/23r35y44y5 is actually hosting an iframed page from http://tehnoartss .in/kk/PC1sFW, with parameters ?se_referrer=' + encodeURIComponent(document.referrer) + '&default_keyword=' + encodeURIComponent(document.title) +