Sponsored by..

Thursday 28 April 2016

Malware spam: "FW: Invoice" from multiple senders

This fake financial spam comes from randomly-generated senders, for example:

From:    Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br]
Date:    28 April 2016 at 11:40
Subject:    FW: Invoice

Please find attached invoice #342012

Have a nice day

Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are:

http://rabitaforex.com/pw3ksl
http://tribalsnedkeren.dk/n4jca
http://banketcentr.ru/v8usja
http://3dphoto-rotate.ru/h4ydjs
http://switchright.com/2yshda
http://cafe-vintage68.ru/asad2fl
http://minisupergame.ru/a9osfg


The payload looks like Locky ransomware. The DeepViz report shows it phoning home to:

83.217.26.168 (Firstbyte, Russia)
31.41.44.246 (Relink, Russia)
91.219.31.18 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.60 (Relink, Russia / OVH, France)
91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua.  Ukraine)


These two Hybrid Analysis reports [1] [2] show Locky more clearly.

Recommended blocklist:
83.217.26.168
31.41.44.246
91.219.31.18
51.254.240.60
91.234.32.19

1 comment:

DK said...

http://banketcentr.ru/v8usja
http://berezy74.ru/n8sjad
http://cafe-vintage68.ru/asad2fl
http://dotatest.ru/zowjsk
http://holy.webtm.ru/o4ksla
http://minisupergame.ru/a9osfg
http://rabitaforex.com/pw3ksl
http://test.barbasov.ru/z0olqa
http://tribalsnedkeren.dk/n4jca
http://unipan96.ru/xo5ksp
http://xn--12ct7bab7ccc0ga4bik3a2b1koa4km8d.com/zmd7jf
http://yury2.nichost.ru/i7dksa