From: Jeffry Rogers [Jeffry.RogersA5@thibaultlegal.com]
Date: 26 April 2016 at 12:58
Subject: Missing payments for invoices inside

Hi there!
Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.
BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.
Kind Regards
Jeffry Rogers
Henderson Group
Tel: 337-338-4607

I have only seen a single sample of this; it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated JavaScript 91610_facture_2016.js which attempts to download a component from:
web.spartanburgcommunitycollege.com/gimme/some/loads_nigga.php
This drops a file pretending to be favicon.ico which is actually an executable, with a detection rate of 3/56. This Hybrid Analysis report and this DeepViz report indicate network traffic to:
103.245.153.154 (OrionVM Retail Pty Ltd, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (FPT Telecom Company, Vietnam)
213.192.1.171 (EASY Net, Czech Republic)
The payload isn't exactly clear, but it looks like Dridex rather than Locky. Almost certainly one of the two.
Recommended blocklist:
103.245.153.154
176.9.113.214
210.245.92.63
213.192.1.171
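The indicators above are the kind of thing that gets pushed straight into a proxy or firewall rule, but it is worth also sweeping existing logs for any host that already fetched the dropper. The script below is an added example, not part of the original post or of any tool it references: it matches the recommended blocklist and the download host against constructed proxy log lines (the log format, client addresses and timestamps are made up for the example), and it flags a "favicon.ico" whose content starts with the PE `MZ` magic, which is the disguise the post describes.

```python
"""Added example: sweep proxy logs for the indicators in this post and
flag a 'favicon.ico' that is really a Windows executable.
Log format, sample lines and sample file contents are constructed here."""
import ipaddress
import re

# Indicators taken from the post: the recommended blocklist and the download host.
BLOCKLIST_IPS = {
    "103.245.153.154",
    "176.9.113.214",
    "210.245.92.63",
    "213.192.1.171",
}
BLOCKED_HOSTS = {"web.spartanburgcommunitycollege.com"}

# Sanity-check the blocklist so a typo never silently disables a rule.
for _ip in BLOCKLIST_IPS:
    ipaddress.ip_address(_ip)

# Constructed squid-like proxy log: timestamp client status url dest_ip.
# The request path on the first line is shortened; only the host matters here.
SAMPLE_LOG = """\
1461673100.123 10.0.0.15 TCP_MISS/200 http://web.spartanburgcommunitycollege.com/gimme/some/ 203.0.113.7
1461673101.456 10.0.0.15 TCP_MISS/200 http://103.245.153.154/ 103.245.153.154
1461673102.789 10.0.0.22 TCP_MISS/200 http://www.example.com/index.html 93.184.216.34
1461673103.001 10.0.0.15 TCP_TUNNEL/200 176.9.113.214:443 176.9.113.214
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<url>\S+)\s+(?P<dest>\S+)$"
)


def extract_host(url: str) -> str:
    """Return the hostname of a proxy URL field (scheme optional, :port stripped)."""
    no_scheme = url.split("://", 1)[-1]
    host = no_scheme.split("/", 1)[0]
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]
    return host


def match_indicators(log_text: str) -> list:
    """Return one hit per log line whose host or destination IP is an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host = extract_host(m["url"])
        reasons = set()
        if host in BLOCKED_HOSTS:
            reasons.add(f"host {host} served the dropper download")
        for candidate in (host, m["dest"]):
            if candidate in BLOCKLIST_IPS:
                reasons.add(f"ip {candidate} is on the recommended blocklist")
        if reasons:
            hits.append({"client": m["client"], "url": m["url"], "reasons": sorted(reasons)})
    return hits


def is_disguised_executable(filename: str, content: bytes) -> bool:
    """True when a file named like an image or icon begins with the PE 'MZ' magic."""
    benign_name = filename.lower().endswith((".ico", ".png", ".gif", ".jpg", ".txt"))
    return benign_name and content[:2] == b"MZ"


# Constructed file contents: a PE header where an icon was expected, and a real ICO header.
FAKE_FAVICON = b"MZ\x90\x00" + b"\x00" * 60
REAL_ICO = b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 10

if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']}: {'; '.join(hit['reasons'])}")
    print("favicon.ico is PE:", is_disguised_executable("favicon.ico", FAKE_FAVICON))
```

Three of the four constructed lines match: one on the download host and two on blocklisted IPs, with `10.0.0.15` as the client in every case, which is exactly the pivot you would want when deciding which machine to pull for forensics. The `MZ` check is deliberately narrow; it catches the favicon.ico trick from this campaign but is no substitute for proper content-type inspection on the proxy.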