
Wednesday 2 March 2016

Malware spam: "Invoice" / "Payment Confirmation" lead to Locky

The fake financial spam emails lead to the Locky ransomware:

From:    Cedrick Burch
Date:    2 March 2016 at 10:31
Subject:    Payment Confirmation

Dear User,

The attached document is a transaction payment confirmation from USMarketing Ltd.

Thank you for your business - we appreciate it very much.

Sincerely,

Cedrick Burch
Project Manager

=============

From:    Alfredo Bauer
Date:    2 March 2016 at 10:24
Subject:    Invoice

Dear User,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Alfredo Bauer
Project Manager

I received only two samples (VT [1] [2]) of which only one worked in Malwr (this is the other). However, third-party analysis (thank you) shows download locations at:

Each location has a different binary (VT [1] [2] [3] [4] [5] [6]) which between them phone home to the following IPs:

95.213.184.10 (Selectel, Russia)
192.71.213.69 (EDIS, Spain)
217.172.182.99 (PlusServer, Germany)
The payload is Locky ransomware.

Recommended blocklist:
95.213.184.10
192.71.213.69
217.172.182.99
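A quick egress-log sweep for the three phone-home addresses above, as an added example that is not part of the original post. The log line format and the sample lines are constructed for the example; the only real values are the IPs from the recommended blocklist.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Phone-home IPs from the post's recommended blocklist.
LOCKY_C2_BLOCKLIST = {"95.213.184.10", "192.71.213.69", "217.172.182.99"}

# Assumed (constructed) egress log format: "<ts> <src_ip> -> <dst_ip>:<port> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)

# Constructed sample log lines; two of them contact a blocklisted IP, one does not parse.
SAMPLE_LOG = """\
2016-03-02T10:35:01Z 10.0.0.15 -> 93.184.216.34:443 GET https://example.com/
2016-03-02T10:35:12Z 10.0.0.15 -> 95.213.184.10:80 POST http://95.213.184.10/
2016-03-02T10:36:40Z 10.0.0.22 -> 8.8.8.8:53 DNS -
2016-03-02T10:37:05Z 10.0.0.15 -> 217.172.182.99:80 POST http://217.172.182.99/
this line is malformed and must be skipped, not crash the scan
"""


def load_blocklist(entries: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """Validate every entry so a typo never silently disables a rule."""
    return {ipaddress.IPv4Address(e.strip()) for e in entries}  # raises ValueError on bad input


def find_c2_contacts(log_text: str, blocklist: Set[ipaddress.IPv4Address]) -> List[Dict[str, str]]:
    """Return each parsed log line whose destination IP is on the blocklist, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        dst = ipaddress.IPv4Address(m["dst"])
        if dst in blocklist:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": str(dst), "url": m["url"]})
    return hits


def infected_hosts(hits: List[Dict[str, str]]) -> Set[str]:
    """Internal sources that reached a C2 address: the machines to isolate first."""
    return {h["src"] for h in hits}


if __name__ == "__main__":
    found = find_c2_contacts(SAMPLE_LOG, load_blocklist(LOCKY_C2_BLOCKLIST))
    for h in found:
        print(h)
    print("hosts to isolate:", sorted(infected_hosts(found)))
```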
1 comment:

Hexorcist said...

Locky indeed.

Unpacked binary: https://www.virustotal.com/en/file/259eceb5621d980297ea5b59b63c8bd0787e94d66cc9d78bc51d63824c26fc73/analysis/1456922081/