From Sally Webb [swebb@thekmgroup.co.uk]
Date Thu, 03 Mar 2016 10:58:07 +0100
Subject Receipt - Order No 173535
--
regards,
Sally
*Sally Webb*
Recruitment Media Sales Executive
KM Media Group
DDI : 01622 794500
Email : swebb@thekmgroup.co.uk
*KM Media Group is Kent's only independent multimedia company*
*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*
*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*
Attached is a file Receipt - Order No 173535.docm, which comes in several different versions with detection rates around 3/55. Analysis from another source (thank you) gives download locations at:
coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe
The initial payload had a detection rate of 4/55; it has since been replaced with a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:
188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234
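To turn the indicators above into something a SOC can actually run, here is a small checker that matches the dropper URLs and the C&C IPs against proxy and firewall logs, and emits the blocklist as firewall rules. This is example code added to this page, not from the original post or from the analysis source: the Squid-style proxy format and the iptables-style syslog format are assumptions, and the log lines in it are constructed for the example. Beyond the exact URLs listed, it also flags any request for the payload filename 98yh87b564f.exe on another host, since the post shows the same name being served from many sites.

```python
"""Match the dropper URLs and Dridex C&C IPs from the post against log lines.
Added example, not code from the original post; sample logs are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Download locations quoted in the post (scheme not given there).
DROPPER_URLS = [
    "coolsellers4u.com/catalog/controller/98yh87b564f.exe",
    "corsian.com/system/logs/98yh87b564f.exe",
    "demo.rent-shops.ru/foto/26/98yh87b564f.exe",
    "dremasleep.by/system/logs/98yh87b564f.exe",
    "euro-basket.ru/wp-content/upgrade/98yh87b564f.exe",
    "isgim.com/system/logs/98yh87b564f.exe",
    "jmc-thai.com/system/logs/98yh87b564f.exe",
    "mevabekhuongnhi.com/system/logs/98yh87b564f.exe",
    "msco.com.vn/system/logs/98yh87b564f.exe",
    "myfabbfinds.com/system/logs/98yh87b564f.exe",
    "partiduragi.com/system/logs/98yh87b564f.exe",
    "paslanmazmobilya.org/system/logs/98yh87b564f.exe",
    "vmagazin55.ru/system/logs/98yh87b564f.exe",
]
# C&C servers / recommended blocklist from the post.
C2_IPS = {"188.40.224.78", "78.108.93.186", "87.106.8.177", "91.236.4.234"}
PAYLOAD_NAME = "98yh87b564f.exe"


def _host_path(url):
    """Return (host, path) for a URL, adding a scheme if the IOC has none."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


DROPPER_HOST_PATHS = {_host_path(u) for u in DROPPER_URLS}

# Assumed Squid access.log layout: ts elapsed client code/status bytes method url ...
PROXY_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def check_proxy_line(line):
    """'dropper-url' for an exact host+path hit, 'dropper-filename' when only
    the payload name matches (same payload on an unlisted host), else None."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    host, path = _host_path(m.group("url"))
    if (host, path) in DROPPER_HOST_PATHS:
        return "dropper-url"
    if path.rsplit("/", 1)[-1] == PAYLOAD_NAME:
        return "dropper-filename"
    return None


def check_firewall_line(line):
    """Return the first C&C IP found in a firewall/netflow line, else None."""
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            return ip
    return None


def blocklist_rules():
    """iptables OUTPUT drops for the blocklist, validating each address first."""
    return ["iptables -A OUTPUT -d %s -j DROP" % ipaddress.ip_address(ip)
            for ip in sorted(C2_IPS, key=ipaddress.ip_address)]


# Constructed sample logs (not real traffic); hosts other than the IOCs are made up.
SAMPLE_PROXY = [
    "1457000000.123 210 10.1.2.3 TCP_MISS/200 212992 GET http://corsian.com/system/logs/98yh87b564f.exe - HIER_DIRECT/1.2.3.4 application/octet-stream",
    "1457000001.456 15 10.1.2.3 TCP_MISS/200 4523 GET http://www.example.org/ - HIER_DIRECT/5.6.7.8 text/html",
    "1457000002.789 198 10.1.2.9 TCP_MISS/200 212992 GET http://other-host.example/images/98yh87b564f.exe - HIER_DIRECT/9.9.9.9 application/octet-stream",
]
SAMPLE_FW = [
    "Mar  3 10:59:02 fw kernel: OUT src=10.1.2.3 dst=188.40.224.78 proto=TCP dport=443",
    "Mar  3 10:59:05 fw kernel: OUT src=10.1.2.4 dst=203.0.113.10 proto=TCP dport=80",
]


def scan(proxy_lines, fw_lines):
    """Return (source, reason, line) for every log line that hits an IOC."""
    hits = []
    for line in proxy_lines:
        reason = check_proxy_line(line)
        if reason:
            hits.append(("proxy", reason, line))
    for line in fw_lines:
        ip = check_firewall_line(line)
        if ip:
            hits.append(("firewall", "c2-ip " + ip, line))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY, SAMPLE_FW):
        print(hit[0], hit[1], "->", hit[2][:70])
    print("\n".join(blocklist_rules()))
```

The filename match is deliberately looser than the URL list: the dropper sites are interchangeable and rotate, while the payload name is what the macro actually requests, so a hit on it from an unlisted host is worth a look even though it is not a confirmed IOC.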