Sponsored by..

Tuesday 19 July 2016

Malware spam: "Documents from work." / "Untitled(1).docm" leads to Locky

This rather terse spam appears to come from the victim themselves (but doesn't). It has a malicious attachment.
From: recipient@victim.tld
To: recipient@victim.tld
Subject: Documents from work.
Date:    19 July 2016 at 12:20
There is no body text, however there is an attachment named Untitled(1).docm. Analysis by a trusted source (thank you) indicates that the various versions of this attachment download a component from on of the following locations:

aerosfera.ru/0hb765
biovinci.com.br/0hb765
choogo.net/0hb765
control3.com.br/0hb765
dealsbro.com/0hb765
heonybaby.synology.me/0hb765
hiramteran.com/0hb765
lifecare-hc.com/0hb765
ostrovokkrasoty.ru/0hb765
tvernedra.ru/0hb765
valsystem.cl/0hb765
wacker-etm.ru/0hb765
webidator.co.il/0hb765
wineroutes.ru/0hb765
www.mystyleparrucchieri.com/0hb765

The dropped payload has a detection rate of 3/54 and it phones home to the following locations:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)

That's a subset of the locations found here.  The payload is Locky ransomware.

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51


5 comments:

Unknown said...

I just received this. From myself. Did not open.

Unknown said...

Just got this for several of my domains. Marked as spam.

Unknown said...

What to do if you openen the attachment?

Conrad Longmore said...

@Marja K - depends on your system settings. If you have allowed active content then the chances are that it will download and install ransomware. It should be pretty obvious if this has happened, but for one reason or another the infection doesn't always trigger.

Alexander.K.Polyakov said...

A new wave:

accendojuris.com/mbv58gbv
alinmaagroup.com/mbv58gbv
australiandietitian.com/mbv58gbv
biopocasie.sk/mbv58gbv
dreamsigns.com.au/mbv58gbv
graficador.ch/mbv58gbv
gromantique.com/mbv58gbv
iceskochi.org/mbv58gbv
iclaw.co.il/mbv58gbv
makingitalia.net/mbv58gbv
nlazovic.mybesthost.com/mbv58gbv
rpgmakerdev.com/mbv58gbv
www.plantengineer.biz/mbv58gbv
zuerich-gewerbe.ch/mbv58gbv