Sponsored by..

Thursday 29 September 2016

Malware spam: "Bill for documents" / "Bill for papers" / "Bill for parcel" leads to Locky

This spam leads to Locky ransomware. The sample I have seen have no body text, but have subjects in the format:

 Bill for documents 31564-29-09-2016
 Bill for parcel 08388-28-09-2016
 Bill for papers 657-29-09-2016


Each subject has a random number appended by the date. Attached is a RAR archive file with a name similar to Bill 657-29-09-2016.rar containing a malicious .js script which downloads a binary from one of the following locations (according to a trusted source):

81millstreet.nl/8g74crec
alamanconsulting.at/8g74crec
aseandates.com/8g74crec
bandbcreuse.com/8g74crec
baraderoteinforma.com.ar/8g74crec
birthstory.com/8g74crec
cafe-bg.com/8g74crec
cmcomunicacion.es/8g74crec
delphinph.com/8g74crec
droukulnad.com/8g74crec
econopaginas.com/8g74crec
eitanbehar.org/8g74crec
g2cteknoloji.com/8g74crec
gadget24.ro/8g74crec
globalremoteservices.com/8g74crec
gomelnaushnik.com/8g74crec
iachovski.com/8g74crec
ingpors.sk/8g74crec
kelownatownhomes.com/8g74crec
lafripouniere.com/8g74crec
mergrain.com/8g74crec
opmsk.ru/8g74crec
parentchildmothergoose.com/8g74crec
parroquiansg.org/8g74crec
pecschool.com/8g74crec
serenadacourt.com/8g74crec
sipcomponents.com/8g74crec
slaterarts.com/8g74crec
smokintech.com/8g74crec
spaciodentalrd.com/8g74crec
sundanceballoons.com/8g74crec
techsilicon.com/8g74crec
teothemes.com/8g74crec
travelinsider.com.au/8g74crec
undiaem.com/8g74crec
unforgettabletymes.com/8g74crec
veganvet.net/8g74crec
victorcasino.com/8g74crec
w3hostingserver.com/8g74crec

The malware then phones home to the following servers:

194.67.208.69/apache_handler.php (Marosnet, Russia)
89.108.83.45/apache_handler.php (Agava, Russia)

Payload detection for the version analysed was 16/56 but there could be an updated payload by now.

Recommended blocklist:
194.67.208.69
89.108.83.45



No comments: