Sponsored by..

Friday, 20 May 2016

Malware spam: "I wanted to follow up with you about your refund. Please find the attached document" leads to Locky

This spam comes from random senders and has a malicious attachment. Here is an example:

From:    Frederic Spears
Date:    20 May 2016 at 10:29
Subject:    Re:

Hi [redacted],

I wanted to follow up with you about your refund.
Please find the attached document

Regards,
Frederic Spears
CBS Corporation

The company name and sender's name varies from message to message. Attached is a ZIP file which contains elements of the recipient's name, which in turn contains one of a variety of malicious scripts. Out of the samples I have seen, I have so far found download locations of:

delicious-doughnuts.net/oqpkvlam
dev.hartis.org/asvfqh2vn
dugoutdad.com/0ygubbvvm
craftbeerventures.nl/hgyf46sx
babamal.com/av2qavqwv
forshawssalads.co.uk/af1fcqav


Only three of those download locations work so far (VirusTotal results [1] [2] [3]) and automated analysis of those [4] [5] [6] [7] [8] shows behaviour consistent with Locky ransomware. All of those reports show the malware phoning home to:

91.219.29.106 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.89 (Relink LLC, Russia / OVH, France)
138.201.118.102 (Hetzner, Germany)


Recommended blocklist:
91.219.29.106
51.254.240.89
138.201.118.102


1 comment:

Leon Kame said...

Hello,
I use some of your post as defense element for our anti-spam solution but in some post like here, you write messages elements partially so could you post the complete eml file or at least precise details like name or pattern of file in the attachment archive ? Original headers could lead to a more complete analysis.
I have to thank you again for the work you do maintaining this blog and keeping us informed of attack we could have missed.
Best regards,
Leon Kame