Friday, 29 July 2016

Malware spam: "Bank account record" leads to Locky

This fake financial spam leads to malware:

Subject:     Bank account record
From:     Stephen Ford (Ford.24850@aworkofartcontracting.com)
Date:     Friday, 29 July 2016, 10:56

Good morning,

Did you forget to finish the Bank account record?
Read the attachment and let me know if there is anything I didn't make clear.

Yours sincerely,
Stephen Ford

57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe 

The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attached is a ZIP file named with a random hexadecimal number which, in the sample I am looking at, contains a malicious .wsf script starting with the words "account record" (sample here).

According to the Hybrid Analysis report on that script and the Malwr report on a partly deobfuscated version, the script downloads a binary from:

oleanderhome.com/q59ldt5r

This dropped binary has a detection rate of 5/55 and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2].

There is also traffic to kassa.p0.ru which is more of a puzzle and doesn't look particularly malicious. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs.

If I get more information on this I will post it here.

UPDATE

My trusted source (thank you) gives the following download locations:

211.18.200.4/~tlas021/3rwcozqv
80.241.232.207/fefj1r
agazoumi.com/t30z6j8
alci.dommel.be/clf26lu
amandinearmand.perso.sfr.fr/6piy70m
azmusclemart.com/pb79s
bartocha-photography.com/~fib-naturfoto/99xny
blekitniproba.cba.pl/fo1k6o
chelmy.cba.pl/yv7h2r3
childmoon.web.fc2.com/coy0nl
fcc-thechamps.de/6g5vo1a
garo903.web.fc2.com/2mf4v0
handball-literatur.de/3ua7j
happurg-schulanger.atspace.org/0s6lyu6
hw.srca.org/iwg54jh
impregui.com/h3cywm
inhouserecording.atspace.com/t4wj9316
intracorpwestsidecollection.com/ifs0j92
joslinsalesltd.com/kro1gx
jyoumon.web.fc2.com/7tcec
kenestyonline.com/h782hd
minocki.republika.pl/nvlx7
minocki.republika.pl/s125d6
newt150.tripod.com/4bcsv
oleanderhome.com/q59ldt5r
ratnam.fx.perso.sfr.fr/vtpm9k
senzai.nobu-naga.net/2jv74
smc.psuti.ru/3rcxu
theuniongroup.com/5sv0c
tomart3d.cba.pl/3ivctw
voisin-sa.com/~voisin9689/vnsaumj
vova318.vline.ru/mkmkr
wbbs176.web.fc2.com/20srj
wktkwkbaaan.web.fc2.com/0mm9qx
wn420pjpa.homepage.t-online.de/046ss5
www.13one.de/vz8gl5a
www.astool.com/ljgzai
www.attivita-antroposofiche-roma.org/gpjjr5u
www.damasoinfante.com/7pmfw
www.dukewayne.talktalk.net/todga
www.erikacostruzioni.com/0z1hkf
www.ferresur.es/3k58w8z
www.fotosdelburgo.com/oerwg1
www.frank-nickel.de/7e46f9t5
www.hydroenergie.fr/yzhhkit
www.istruiscus.it/qzdy65b0
www.istruiscus.it/r5ncu
www.kassa.p0.ru
www.snvl-ptrc.go.ro/srhgx
zauber-fred.de/0zth9jfv


C2 servers are the same as found here.

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]

Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
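The post suggests watching your traffic logs for the kassa.p0.ru traffic, and the download locations and C2 URLs above are the natural indicators to match against. The following Python script is an added example, not code from the post or its author: it indexes a subset of the download locations plus the three C2 URLs (the rest of the list can be pasted in unchanged), then classifies each URL in a proxy log with a tiered verdict. The log format and the sample log lines are constructed for the example; an exact URL hit is reported as a payload download or C2 check-in, a request to a blocklisted IP with any path is reported as such, and a request to a payload host with a different path is reported separately at lower confidence, since several of these hosts look like compromised legitimate sites.

```python
"""Match proxy-log URLs against the Locky indicators published in the post."""
from urllib.parse import urlsplit

# Indicators copied from the post. The download list is a subset; the full
# list from the post can be added as further 'host/path' strings.
PAYLOAD_LOCATIONS = [
    "211.18.200.4/~tlas021/3rwcozqv",
    "80.241.232.207/fefj1r",
    "oleanderhome.com/q59ldt5r",
    "happurg-schulanger.atspace.org/0s6lyu6",
    "www.kassa.p0.ru",  # host only: any request to this host matches
]
C2_LOCATIONS = [
    "178.62.232.244/upload/_dispatch.php",
    "91.195.12.143/upload/_dispatch.php",
    "91.230.211.139/upload/_dispatch.php",
]
BLOCKLIST_IPS = {"178.62.232.244", "91.195.12.143", "91.230.211.139"}


def build_index(indicators):
    """Map host -> set of paths. A None entry marks the whole host as an indicator."""
    index = {}
    for ioc in indicators:
        host, _, path = ioc.lower().partition("/")
        if not path:
            index[host] = None  # bare host: every path counts
        elif index.get(host, set()) is not None:
            index.setdefault(host, set()).add("/" + path)
    return index


PAYLOAD_INDEX = build_index(PAYLOAD_LOCATIONS)
C2_INDEX = build_index(C2_LOCATIONS)


def _lookup(index, host, path):
    """Return 'exact', 'host' (host known, path not) or None."""
    if host not in index:
        return None
    paths = index[host]
    if paths is None or path in paths:
        return "exact"
    return "host"


def classify_url(url):
    """Classify one requested URL; returns a verdict string or None.

    Priority: exact C2 URL > blocklisted IP (any path) > exact payload URL >
    payload host with another path (lower confidence).
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()  # hostname is already lower-cased
    path = parts.path or "/"
    if _lookup(C2_INDEX, host, path) == "exact":
        return "c2-checkin"
    if host in BLOCKLIST_IPS:
        return "blocklisted-ip"
    verdict = _lookup(PAYLOAD_INDEX, host, path)
    if verdict == "exact":
        return "payload-download"
    if verdict == "host":
        return "payload-host-only"
    return None


# Constructed sample proxy log (not from the post): time, client, method, URL, status.
SAMPLE_LOG = """\
2016-07-29T11:02:13Z 10.0.0.23 GET http://oleanderhome.com/q59ldt5r 200
2016-07-29T11:02:41Z 10.0.0.23 POST http://91.230.211.139/upload/_dispatch.php 200
2016-07-29T11:03:01Z 10.0.0.45 GET http://www.kassa.p0.ru/ 200
2016-07-29T11:03:05Z 10.0.0.45 GET http://example.com/index.html 200
2016-07-29T11:04:00Z 10.0.0.77 GET http://OLEANDERHOME.COM/about.html 404
2016-07-29T11:04:30Z 10.0.0.77 GET http://91.195.12.143/favicon.ico 404
"""


def scan_log(text):
    """Return (timestamp, client, verdict, url) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than abort the whole scan
        ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append((ts, client, verdict, url))
    return hits


if __name__ == "__main__":
    for ts, client, verdict, url in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {verdict:18} {url}")
```

Running the script against the sample log reports the download, the C2 check-in and the kassa.p0.ru request as full hits, the favicon request to 91.195.12.143 as a blocklisted-IP hit, and the other request to oleanderhome.com as a host-only match worth a look but not on its own proof of infection.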


1 comment:

Alexander.K.Polyakov said...

14883840e1a4b051b3c89d5e306c2f32 is, indeed, Locky.
The script contains three download locations, but only the second one is available at the moment:

www.kassa.p0.ru
oleanderhome.com/q59ldt5r
happurg-schulanger.atspace.org/0s6lyu6