Wednesday 8 June 2016

Malware spam: "Good morning" résumé spam drops Cerber ransomware and makes a statement

This fake résumé spam leads to malware:

From:    Dora Bain
Date:    7 June 2016 at 03:37
Subject:    Good morning

What's Up?
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.

With gratitude,

Dora Bain
In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56. The Malwr report and Hybrid Analysis show that a script executes that tries to make a political statement along the way..

This downloads a file from which is then saved as %APPDATA%\us_drones_kills_civilians.exe  which VirusTotal gives a detection rate of 20/56 and seems to give an overall diagnosis as being Cerber ransomware.

The IP address of is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in which could be a good candidate to block. Incidentally, the IP hosts best-booters.com which is likely to be a DDOS-for-hire site.

According to the VT report the malware scans for a response on port 6892 on the IP addresses through to However, this Hybrid Analysis indicates that the only server to respond is on (GuardoMicro SRL, Romania) which is part of the notoriously bad which is a good thing to block.

That report also shows traffic to ipinfo.io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.

Recommended blocklist:


James said...

We know a great deal about Quasi networks - it's a rebrand of a Dutch hosting company called Ecatel, and they are nothing but trouble.

aliyaa said...

People generally send resumes without a cover letter. This article discusses the importance of having a cover letter with the job application.so, please visit our site high school senior resume.I hope you will take benefit from this site.

ankyller said...

Quasi is dutch, not russian)