From: recipient@victim.tldThere is no body text, however there is an attachment named Untitled(1).docm. Analysis by a trusted source (thank you) indicates that the various versions of this attachment download a component from on of the following locations:
To: recipient@victim.tld
Subject: Documents from work.
Date: 19 July 2016 at 12:20
aerosfera.ru/0hb765
biovinci.com.br/0hb765
choogo.net/0hb765
control3.com.br/0hb765
dealsbro.com/0hb765
heonybaby.synology.me/0hb765
hiramteran.com/0hb765
lifecare-hc.com/0hb765
ostrovokkrasoty.ru/0hb765
tvernedra.ru/0hb765
valsystem.cl/0hb765
wacker-etm.ru/0hb765
webidator.co.il/0hb765
wineroutes.ru/0hb765
www.mystyleparrucchieri.com/0hb765
The dropped payload has a detection rate of 3/54 and it phones home to the following locations:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
That's a subset of the locations found here. The payload is Locky ransomware.
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
I just received this. From myself. Did not open.
ReplyDeleteJust got this for several of my domains. Marked as spam.
ReplyDeleteWhat to do if you openen the attachment?
ReplyDelete@Marja K - depends on your system settings. If you have allowed active content then the chances are that it will download and install ransomware. It should be pretty obvious if this has happened, but for one reason or another the infection doesn't always trigger.
ReplyDeleteA new wave:
ReplyDeleteaccendojuris.com/mbv58gbv
alinmaagroup.com/mbv58gbv
australiandietitian.com/mbv58gbv
biopocasie.sk/mbv58gbv
dreamsigns.com.au/mbv58gbv
graficador.ch/mbv58gbv
gromantique.com/mbv58gbv
iceskochi.org/mbv58gbv
iclaw.co.il/mbv58gbv
makingitalia.net/mbv58gbv
nlazovic.mybesthost.com/mbv58gbv
rpgmakerdev.com/mbv58gbv
www.plantengineer.biz/mbv58gbv
zuerich-gewerbe.ch/mbv58gbv