From: Ila
Date: 18 July 2016 at 13:01
Subject: scan0000511
Sent from my Samsung device

The sender and subject vary, but the subject seems to be in a format similar to the following:
scan0000511
SCAN000044
COPY00002802
Attached is a .DOCM file with the same name as the subject. Analysis by another party (thank you!) shows the macros in the document downloading from one of the following locations:
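As an added illustration (not part of the original post), here is a small mail-gateway check for the lure described above: a subject of the scan/copy-plus-digits form carrying a .docm attachment whose base name equals the subject. The sample message is constructed to mirror the quoted header; the sender address and attachment bytes are made up.

```python
import email
import re
from email import policy

# Subject formats quoted in the post: scan0000511, SCAN000044, COPY00002802
SUBJECT_RE = re.compile(r"^(scan|copy)\d{5,}$", re.IGNORECASE)

# Constructed sample modelled on the quoted header; not a real capture.
SAMPLE_EML = """\
From: Ila <ila@example.invalid>
Date: Mon, 18 Jul 2016 13:01:00 +0000
Subject: scan0000511
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Sent from my Samsung device
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="scan0000511.docm"
Content-Disposition: attachment; filename="scan0000511.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""


def docm_attachment_names(msg):
    """Collect the filenames of every .docm part in the message."""
    names = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn and fn.lower().endswith(".docm"):
            names.append(fn)
    return names


def matches_campaign(raw):
    """True if the message has a scan/copy-style subject and a .docm
    attachment whose base name equals that subject (the pattern in the post)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    if not SUBJECT_RE.match(subject):
        return False
    for fn in docm_attachment_names(msg):
        stem = fn.rsplit(".", 1)[0]
        if stem.lower() == subject.lower():
            return True
    return False


if __name__ == "__main__":
    print(matches_campaign(SAMPLE_EML))
```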
The payload is Locky with a detection rate of 4/53. It phones home to:
77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
That's a subset of the IPs found here, so I recommend you block the following IPs:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14