Monday, 16 May 2016

Malware spam: "I have attached a revised spreadsheet.."

This spam has a malicious attachment:

From:    Britney Hart
Date:    16 May 2016 at 13:15
Subject:    Re:

hi [redacted]

I have attached a revised spreadsheet contains customers. Please check if it's correct

Regards,
Britney Hart

Other variations of the body text seen so far:

I have attached a revised spreadsheet contains general journal entries. Please check if it's correct
I have attached a revised spreadsheet contains estimates. Please check if it's correct
Attached is a ZIP file with three identical malicious .js files. The ones I have seen so far download from

fundaciontehuelche.com.ar/897kjht4g34
thetestserver.net/fg45g4g
technobuz.com/876jh5g4g4
There are probably other download locations. Each one downloads a slightly different binary (VirusTotal prognosis [1] [2] [3]) and automated analysis [5] [6] [7] [8] [9] shows the malware phoning home to:

188.127.231.124 (SmartApe, Russia)
31.184.197.72 (Petersburg Internet Network, Russia)
92.222.71.26 (RunAbove / OVH, France)
149.202.109.202 (Evgenij Rusachenko aka lite-host.in, Russia / OVH, France)
The payload is Locky ransomware.

Recommended blocklist:
188.127.231.124
31.184.197.72
92.222.71.26
149.202.109.202
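One way to act on these indicators, as an added example that is not from the original post: a small Python scanner that checks proxy-style log lines against the C2 blocklist and the three download locations quoted above. The log format and the sample lines are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import urlsplit

# C2 addresses and download locations quoted in the post above
C2_BLOCKLIST = {
    "188.127.231.124",
    "31.184.197.72",
    "92.222.71.26",
    "149.202.109.202",
}
DOWNLOAD_URLS = {
    "fundaciontehuelche.com.ar/897kjht4g34",
    "thetestserver.net/fg45g4g",
    "technobuz.com/876jh5g4g4",
}

# Constructed sample log lines in an assumed format:
# "<timestamp> <client_ip> <dest_ip> <url-or-dash>"
SAMPLE_LOG = """\
2016-05-16T13:20:01 10.0.0.15 203.0.113.9 http://example.org/index.html
2016-05-16T13:21:44 10.0.0.15 198.51.100.7 http://technobuz.com/876jh5g4g4
2016-05-16T13:22:10 10.0.0.15 188.127.231.124 -
2016-05-16T13:25:03 10.0.0.22 203.0.113.9 http://example.org/about
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def normalise_url(url: str) -> str:
    """Drop the scheme and lower-case the host so a URL matches the
    'host/path' form used in the post."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.netloc.lower() + parts.path


def scan_log(text: str):
    """Return (timestamp, client_ip, reason) for every line that touches
    a known C2 address or payload download location."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, dest, url = m.groups()
        if dest in C2_BLOCKLIST:
            hits.append((ts, client, f"C2 beacon to {dest}"))
        elif url != "-" and normalise_url(url) in DOWNLOAD_URLS:
            hits.append((ts, client, f"payload download from {normalise_url(url)}"))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A hit on a download URL means the .js dropper ran on that client; a hit on a C2 address means the payload is already phoning home, so that host should be isolated first.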
1 comment:

DK said...

Additional download sites
