The name of the sender varies. It appears that these are being sent out in very high volumes. Attached to the email message is a randomly-named ZIP file which contains a malicious .js script beginning with "sales charts".

From: Nathanial Lane
Date: 2 August 2016 at 12:05
Subject: Paid bills

Hello [redacted],

Please see the attached last month’s paid bills for the company

Best regards

Nathanial Lane
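A mail-gateway check for the attachment pattern described above (a ZIP carrying a .js script whose name begins with "sales charts"), as an added example that is not part of the original post. It builds a constructed, inert ZIP in memory to stand in for the real attachment, flags any .js member, and separately records whether the member name matches this campaign's naming; the policy function that quarantines on any script member is an assumption about how a gateway would act, not something the post states.

```python
import io
import zipfile

# Naming described in the post: a randomly named ZIP containing a .js script
# whose name begins with "sales charts".
CAMPAIGN_NAME_PREFIX = "sales charts"
SCRIPT_EXTENSIONS = (".js",)  # the post only mentions .js; extend if needed


def inspect_zip_attachment(zip_bytes):
    """Return findings for script members inside a ZIP attachment.

    Each finding records the member name, its size, and whether the name
    matches the campaign's "sales charts" prefix. A corrupt or non-ZIP
    payload yields a single error finding instead of raising.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [{"member": None, "error": "not a valid ZIP archive"}]

    findings = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        lower = name.lower()
        if not lower.endswith(SCRIPT_EXTENSIONS):
            continue
        # Compare the base name only, in case the script sits in a folder.
        base = lower.rsplit("/", 1)[-1]
        findings.append({
            "member": name,
            "script": True,
            "campaign_match": base.startswith(CAMPAIGN_NAME_PREFIX),
            "size": info.file_size,
        })
    return findings


def should_quarantine(zip_bytes):
    """Assumed gateway policy: quarantine if any script member is present."""
    return any(f.get("script") for f in inspect_zip_attachment(zip_bytes))


def build_sample_attachment():
    """Constructed sample ZIP shaped like the one described; contents are inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sales charts 8371.js", "// placeholder, not the real script\n")
        zf.writestr("readme.txt", "not a script\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for finding in inspect_zip_attachment(sample):
        print(finding)
    print("quarantine:", should_quarantine(sample))
```

Matching on the "sales charts" prefix alone is brittle, since the attacker can rename the script at will; the more durable signal is any script file inside a ZIP attachment, which is why the policy keys on that and keeps the campaign match as supporting context.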
Thank you to my usual source for this analysis: the script downloads from one of the following locations:
158.199.158.185/e2ti07
212.26.129.68/f0671
acnek.com/zfwiice
alex-walter.de/gzag8yht
beate-oberle-kosmetik.de/jqbf9
breinco.com/~export/jrjnlkc
cinerd.info/wwekm4yk
clinic.gov.ua/my2vo
dev.appleleafabstracting.com/uis21
ecpi.ro/3kc9d2
essenciadoequilibrio.net/7vsuk59
exportwroclaw.cba.pl/565489s
fotografuj.pl/qk4zo4cv
gebetech.at/lpgrvcoa
go4leiner.de/8wofbvq
itconcept.md/mgvlj3m
jhengineering.szm.com/5242czu9
lifeserv.myarena.ru/0siarbi
madiv.ru/pbzgphhj
morfaux.fr/hvk9pc
my-result.ru/vhzj63z
nolwo.ru/nimsr
olis.atspace.com/b6aqk
plasseramerican.net/3064rl
psclimat.ru/rnn59v
realm-of-rage.heimat.eu/e4pxmx1
rsxxx.com/xy4dghdn
russiansnow.web.fc2.com/d8k6pqag
sancompany.ru/pl8in
setcoop.com.br/87pyu
siteriqi.bget.ru/sfgjthf
subbenim.atspace.com/kqfyrwph
system-inka.de/31f7r
terminatorzy.cba.pl/goix6
thehybrid.0catch.com/36sye
totalrepalrhonda.web.fc2.com/g6qx0t
tvoy-android.com/mqs5z
ultramarincentr.ru/soao7gp
woblk17jc.homepage.t-online.de/ao4sg9
wt7dzbn78.homepage.t-online.de/2x5qs94
www.arstaelteknik.com/6kpppb
www.bagana.net/0743nt3
www.cafealaska.es/bc3z9j9
www.cosentinoarredamenti.com/1zq31
www.dsalchi.org/dmkd5
www.gioilda.com/lcoucn62
www.serial-production.com/9c4xv
www.simons-vakantiehuisje.nl/2e3vp
www.stucchifedele.com/9c5m4g
The payload is Locky ransomware, phoning home to:
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
93.170.128.249/upload/_dispatch.php (Krek Ltd, Russia)
Recommended blocklist:
37.139.30.95
93.170.128.249
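A way to put the indicators above to work on proxy logs, as an added example that is not part of the original post. It loads a subset of the download locations, both phone-home URLs and the recommended blocklist IPs from the post, then scans constructed log lines (format assumed here: time, client, method, URL, status) and grades each hit. Treating the "/upload/_dispatch.php" path on an unlisted host as a low-confidence indicator is my assumption, not something the post claims.

```python
from urllib.parse import urlsplit

# Indicators copied from the post, given as host/path without a scheme.
# Only a subset of the download locations is listed to keep this short.
DOWNLOAD_LOCATIONS = [
    "158.199.158.185/e2ti07",
    "212.26.129.68/f0671",
    "acnek.com/zfwiice",
    "alex-walter.de/gzag8yht",
    "clinic.gov.ua/my2vo",
    "www.stucchifedele.com/9c5m4g",
]
C2_SERVERS = [
    "37.139.30.95/upload/_dispatch.php",
    "93.170.128.249/upload/_dispatch.php",
]
BLOCKLIST_IPS = {"37.139.30.95", "93.170.128.249"}


def split_indicator(indicator):
    """Split a 'host/path' indicator into a lower-cased (host, '/path') pair."""
    host, _, path = indicator.partition("/")
    return host.lower(), "/" + path


DOWNLOAD_URLS = {split_indicator(i) for i in DOWNLOAD_LOCATIONS}
DOWNLOAD_HOSTS = {host for host, _ in DOWNLOAD_URLS}
C2_URLS = {split_indicator(i) for i in C2_SERVERS}
# Assumption (not from the post): the phone-home path is distinctive enough
# to be worth flagging on any host, at low confidence.
C2_PATHS = {path for _, path in C2_URLS}


def classify_request(url):
    """Return (severity, kind, indicator) for a requested URL, or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if (host, path) in C2_URLS or host in BLOCKLIST_IPS:
        return ("high", "locky-c2", host)
    if (host, path) in DOWNLOAD_URLS:
        return ("high", "download-url", host + path)
    if host in DOWNLOAD_HOSTS:
        return ("medium", "download-host", host)
    if path in C2_PATHS:
        return ("low", "c2-path-only", path)
    return None


def scan_proxy_log(lines):
    """Scan log lines of the assumed form 'time client method url status'."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the scan
        result = classify_request(fields[3])
        if result is None:
            continue
        severity, kind, indicator = result
        hits.append({"line": lineno, "client": fields[1], "severity": severity,
                     "kind": kind, "indicator": indicator})
    return hits


# Constructed sample log lines; timestamps and client addresses are made up.
SAMPLE_LOG = [
    "2016-08-02T12:07:01 10.0.0.15 GET http://www.example.com/index.html 200",
    "2016-08-02T12:07:09 10.0.0.15 GET http://acnek.com/zfwiice 200",
    "2016-08-02T12:07:12 10.0.0.15 GET http://clinic.gov.ua/about.html 200",
    "2016-08-02T12:07:40 10.0.0.15 POST http://37.139.30.95/upload/_dispatch.php 200",
    "2016-08-02T12:08:02 10.0.0.22 POST http://10.0.0.9/upload/_dispatch.php 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The grading matters in practice: many of the download hosts are compromised legitimate sites, so a request to the host without the specific path is worth a look but not an automatic incident, whereas any traffic to the two phone-home IPs is a strong sign that the payload has already run on the client.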
1 comment:
Right! Thank you!