Sponsored by..

Tuesday 21 June 2016

Malware spam: "Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter."

This malicious spam leads to Locky ransomware, something that we haven't seen for several weeks:

From:    Lilian Fletcher
Date:    21 June 2016 at 20:01
Subject:    Re:

Dear lisa:

Please find attached our invoice for services rendered and additional disbursements in the above-
mentioned matter.

Hoping the above to your satisfaction, we remain.

Sincerely,
Lilian Fletcher
Head of Maintenance
These are being sent out in huge numbers at the moment. Details vary from message to message, but the body text is essentially the same. Attached is a ZIP file containing the words addition, invoice or services plus the recipients email address and a number (e.g. lisa_addition_278292.zip) containing a malicious script beginning with the word "addition".

A trusted third-party analysis (thank you, you know who you are) shows download locations at:

204.232.192.84/abjvucr
akdenizozalit.com/ixoxi
allchannel.net/lue6c4
aloprint.com/bk0f2
arabian-star.com/nay7jq7
beluxfurniture.com/0jcxx
cbactive.com/1sdfs
clerici.info/g1sd5d59
depaardestal.nl/z5htsm
ding-a-ling-tel.com/bazk3kao
easysupport.us/fl85xie
ekonova.nazwa.pl/wc0coj
ft.dol.za.pl/ymsikgp7
fuji-mig.com/awcigpa1
futuretech-iq.net/koqpy
handicraftmag.com/mrihc
heavenboundministry.com/i7a59qj
hrlpk.com/s5ibqz1
hyip-all.com/9qwmc65
iminlife.com/cqoanbzr
infocuscreative.net/didt48j
innatesynergy.com/mrgdve3
jasoncoroy.com/szlzqni
kitchenconceptagra.com/5s9xb7j
komplettraeder-24.de/w61qx92
marxforschung.de/tt18a
modelestrazackie.za.pl/zfww8nx
otolocphat.com/bv2n241r
passagegoldtravel.com/bqugo3qb
pawelbuczynski.za.pl/z1q8u
percorsipsicoarte.com/6gz707c
pub-voiture.com/dcsjrjm
racedayworld.com/808k8pd
reginamargherita96.net/hhtvomcw
rzezba-bierowiec.za.pl/y7fbo1a
samrhamburg.com/jrh9b
scpremiumbikes.com/3y1b0n4s
searchforamy.com/1fz0k9kp
stbb.pt/z59ifwj
stckwt.net/p4jlk
testfacility.awsome.pl/zc73v
totalsportnetwork.com/kpbrp2mq
ugmp.nazwa.pl/xkhhf2n
unitedprogamers.za.pl/ylxt67
vantagenetsvc.com/a7xssz
vinabuhmwoo.com/69udv
wasearch.us/6mm3hk
wbksis.com/5mxl28il
yourworshipspace.com/a3py3w


Analysis by those parties shows that it phones home to:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
185.82.216.55 (ITL, Bulgaria)
217.12.223.83 (ITL, Ukraine)


As I mentioned before, this is Locky ransomware which has not been circulating at all since about 31st May.

Recommended blocklist:
51.254.240.48
91.219.29.41
185.82.216.55
217.12.223.83


No comments: