From: "Lizzie Carpenter"
Subject: sales report
Date: Fri, 22 Jul 2016 21:38:25 +0800
I am truly sorry that I was not available at the time you called me yesterday.
I attached the report with details on sales figures.
----- Best of luck, Lizzie Carpenter
SCHRODER GLOBAL REAL ESTATE SEC LTD Phone: +1 (773) 812-15-66 Fax: +1 (773) 812-15-86
The sender is randomly generated. Attached is a ZIP file combining elements of the recipient's email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report".
In a change from recent malware runs, the script does not directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script.
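Because the binary is carried inside the script rather than fetched at run time, a mail gateway or sandbox can flag the attachment before anything executes by looking for a long Base64 run that decodes to an executable image. The following is an added example for that check, not code from the original post or from any product; the .wsf layout and the stand-in payload bytes are constructed assumptions, and the real sample was not used.

```python
import base64
import binascii
import re

# Constructed stand-in for the embedded payload: bytes that begin with the DOS "MZ"
# header and carry a "PE\0\0" signature, as a Windows executable would.
# This is NOT the Locky sample described in the post.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200

# Constructed .wsf wrapper (assumed layout): a JScript block holding the Base64 string.
SAMPLE_WSF = (
    '<job id="sales report">\n'
    '<script language="JScript">\n'
    'var payload = "' + base64.b64encode(FAKE_PE).decode("ascii") + '";\n'
    '</script>\n'
    '</job>\n'
)

# Long unbroken runs of Base64 characters; short runs are normal in any script,
# so the minimum length keeps ordinary string literals from matching.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def find_embedded_executables(script_text):
    """Return (offset, decoded_bytes) for each Base64 run that decodes to an MZ image."""
    hits = []
    for match in BASE64_RUN.finditer(script_text):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)  # tolerate padding the script may have stripped
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all; skip it
        if data[:2] == b"MZ":
            hits.append((match.start(), data))
    return hits


def triage(script_text):
    """Summarise findings for an analyst or for a gateway rule to act on."""
    hits = find_embedded_executables(script_text)
    return {
        "embedded_pe_count": len(hits),
        "sizes": [len(data) for _, data in hits],
        "pe_signature": [b"PE\x00\x00" in data for _, data in hits],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_WSF))
```

The decoded bytes can be handed straight to a hashing or scanning step; note that a script which assembles the Base64 string from several shorter fragments would need those fragments joined first, which is why the length threshold is a tunable rather than a constant truth.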
This executable has a detection rate of 4/54 and trusted analysis says that it is Locky ransomware, phoning home to:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
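The four hosts share one check-in path, so a proxy or firewall log can be swept for both the addresses and the URI to find machines that already ran the script. This is an added example, not part of the original post; the log layout ("timestamp client method url status") and the log lines are constructed, and only the IP addresses and path come from the post.

```python
import re
from urllib.parse import urlparse

# Indicators from the post: the four C2 hosts and the shared dispatch path.
C2_HOSTS = {"77.222.54.202", "194.1.236.126", "185.117.153.176", "176.111.63.51"}
C2_PATH = "/upload/_dispatch.php"

# Constructed proxy log in an assumed "timestamp client method url status" layout.
# 203.0.113.7 is a documentation address standing in for an unlisted host.
SAMPLE_LOG = """\
1469195905.101 10.0.0.12 GET http://www.example.com/index.html 200
1469195910.442 10.0.0.12 POST http://77.222.54.202/upload/_dispatch.php 200
1469195911.003 10.0.0.15 POST http://176.111.63.51/upload/_dispatch.php 200
1469195912.777 10.0.0.20 POST http://203.0.113.7/upload/_dispatch.php 404
1469195913.000 10.0.0.12 GET http://77.222.54.202/favicon.ico 404
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(line):
    """Return a verdict dict for one log line, or None if it matches no indicator."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    host_hit = parsed.hostname in C2_HOSTS
    path_hit = parsed.path == C2_PATH
    if host_hit and path_hit:
        verdict = "c2-host-and-path"
    elif host_hit:
        verdict = "c2-host"
    elif path_hit:
        # Same URI on a host not in the list: worth an analyst's look, not an automatic block.
        verdict = "c2-path-only"
    else:
        return None
    return {"client": m.group("client"), "host": parsed.hostname, "verdict": verdict}


def scan(log_text):
    """Every line that touched an indicator, in log order."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]


def clients_to_isolate(log_text):
    """Internal hosts that completed the full check-in pattern (host and path)."""
    return sorted({h["client"] for h in scan(log_text) if h["verdict"] == "c2-host-and-path"})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("isolate:", clients_to_isolate(SAMPLE_LOG))
```

Splitting the verdict into host-only, path-only and both keeps the blocklist decision (host-based, as the post recommends) separate from the hunting lead a repeated path on a new host gives you.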
