From: administrator8991@victimdomain.com
Date: 5 July 2016 at 12:47
Subject: Scanned image
Image data has been attached to this email.

Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52 and 6/52. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:
leafyrushy.com/98uhnvcx4x
sgi-shipping.com/98uhnvcx4x
There will be a lot more locations too. This drops a binary with a detection rate of 5/55 which appears to be Locky ransomware. Hybrid Analysis shows it phoning home to:
185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)
Host Sailor is a notoriously black hat web host, and MWTV has its problems too. The payload appears to be Locky ransomware.
Recommended blocklist:
185.106.122.0/24
185.129.148.0/24
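As an added example (not part of the original post), the following Python turns the indicators above into two simple checks a mail-gateway or proxy log could be run through: flagging macro-enabled attachments whose names still carry unrendered spam-template tokens such as rndnum(4,9)}}, and matching outbound destinations against the recommended /24 blocklist. The sample mail records and destination addresses are constructed (192.0.2.10 is a documentation address), and the extra macro extensions beyond .docm are an assumption.

```python
import ipaddress
import re

# Recommended blocklist from the post above.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("185.106.122.0/24", "185.129.148.0/24")]

# An unrendered template token such as "rndnum(4,9)}}" left in an attachment
# name is a strong hint that the mail came from a mis-configured spam run.
TEMPLATE_RESIDUE = re.compile(r"rndnum\(\d+,\d+\)|\{\{|\}\}")
# Office formats that can carry VBA macros (assumed list; the post only shows .docm).
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm")


def suspicious_attachment(name: str) -> list:
    """Return the reasons an attachment name matches this campaign (empty list = clean)."""
    reasons = []
    if name.lower().endswith(MACRO_EXTENSIONS):
        reasons.append("macro-enabled Office attachment")
    if TEMPLATE_RESIDUE.search(name):
        reasons.append("unrendered spam-template token in filename")
    return reasons


def in_blocklist(ip: str) -> bool:
    """True if the address falls inside one of the recommended /24 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


# Constructed sample data: (sender, subject, attachment) records from a mail
# gateway, and destination addresses from a proxy or firewall log.
SAMPLE_MAIL = [
    ("administrator8991@victimdomain.com", "Scanned image", "05-07-2016_rndnum(4,9)}}.docm"),
    ("alice@victimdomain.com", "Q3 figures", "q3-figures.xlsx"),
]
SAMPLE_DESTINATIONS = ["185.106.122.38", "185.129.148.6", "192.0.2.10"]


def triage(mail=SAMPLE_MAIL, destinations=SAMPLE_DESTINATIONS) -> dict:
    """Summarise which records match the campaign indicators."""
    flagged_mail = {}
    for _sender, _subject, attachment in mail:
        reasons = suspicious_attachment(attachment)
        if reasons:
            flagged_mail[attachment] = reasons
    flagged_ips = [ip for ip in destinations if in_blocklist(ip)]
    return {"attachments": flagged_mail, "destinations": flagged_ips}


if __name__ == "__main__":
    print(triage())
```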
1 comment:
I got these spam messages. And some of them came from these IPs:
191.184.53.137
58.26.29.194