So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero.
From: Caitlin Velez
Date: 1 March 2016 at 11:50
Subject: March Invoice
Hi,
Attached is the November invoice.
Thanks!
Caitlin Velez
Customer Service
Balkan Dream Properties
090-157-5969
This Malwr report shows that it is the Locky ransomware, downloading a binary from:
intuit.bitdefenderdistributor.info/intrabmw/get.php
This is hosted on a bad webserver at..
93.95.100.141 (Mediasoft ekspert, Russia)
..and it then phones home to..
5.34.183.195 (ITL / UA Servers, Ukraine)
There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..
31.184.197.119 (Petersburg Internet Network ltd., Russia)
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
Recommended blocklist:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55
93.95.100.141
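As an added example (not part of the original post), a mail-gateway style check that flags a ZIP attachment carrying a script file such as the statistics_*.js above and matches destination IPs against the blocklist; the ZIP built inline is a constructed stand-in with an inert body, and the script-extension set is an assumption.

```python
import io
import ipaddress
import zipfile

# Assumed set of Windows Script Host / HTML application extensions that
# have no business arriving inside an "invoice" archive.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# The five addresses from the recommended blocklist in the post above.
BLOCKLIST = {
    ipaddress.ip_address(a)
    for a in ("5.34.183.195", "31.184.197.119", "51.254.19.227",
              "91.219.29.55", "93.95.100.141")
}

def scripts_in_zip(data: bytes) -> list:
    """Return the names of script members inside a ZIP, without extracting them."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            # Take only the last extension so "invoice.pdf.js" is still caught.
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits

def is_blocked(ip: str) -> bool:
    """True if a destination address (e.g. from proxy logs) is on the blocklist."""
    try:
        return ipaddress.ip_address(ip) in BLOCKLIST
    except ValueError:
        # Malformed or non-IP strings are simply not matches.
        return False

def build_sample_attachment() -> bytes:
    """Constructed stand-in for INV09BEE9.zip: the member name matches the post, the body is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("statistics_60165140386.js", "// placeholder, not the real script\n")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_attachment()
    print("script members:", scripts_in_zip(sample))          # ['statistics_60165140386.js']
    print("93.95.100.141 blocked:", is_blocked("93.95.100.141"))  # True
```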