Sponsored by..

Friday 11 March 2016

Malware spam: Your Amazon order #137-89653734-2688148 / AMAZON.COM [Mailer-daemon@amazon.com]

This fake Amazon spam comes with a malicious attachment:

From:    AMAZON.COM [Mailer-daemon@amazon.com]
Date:    11 March 2016 at 09:09
Subject:    Your Amazon order #137-89653734-2688148

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details

Order #137-89653734-2688148 Placed on March 11, 2016

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.com 

Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script of which I have seen just a single sample with a detection rate of 5/56. According to this Malwr report, the script downloads a binary from:

mercadohiper.com.br/system/logs/uy78hn654e.exe

That binary has a detection rate of 4/55. According to the Malwr report for the script and this Malwr report for the binary, it phones home to:

31.184.196.75 (Petersburg Internet Network, Russia)
91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)


There are probably other download locations and C2s, I will update this post if I find out what they are.

UPDATE

Some additional C2s from various sources:

78.40.108.39 (PS Internet Company LLC. Kazakhstan)
31.184.196.78 (Petersburg Internet Network, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)


Some additional download locations for this and other locky spam runs today:

solucionesdubai.com.ve/system/logs/uy78hn654e.exe
ghayatv.com/system/logs/uy78hn654e.exe
dolcevita-ykt.ru/system/logs/uy78hn654e.exe


Recommended blocklist:
31.184.196.75
91.219.30.254
78.40.108.39
31.184.196.78
91.234.32.192


No comments: