Sponsored by..

Monday 12 September 2016

Malware spam: "Budget report" leads to Locky (and also evil network on

This fake financial spam leads to Locky ransomware:

From:    Lauri Gibbs
Date:    12 September 2016 at 15:11
Subject:    Budget report

Hi [redacted],

I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.

With many thanks,
Lauri Gibbs
Attached is a randomly-named ZIP file which in sample I saw contained two identical malicious scripts:

921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js

The scripts are highly obfuscated however the Hybrid Analysis and Malwr report show that it downloads a component from:


These are hosted on a New Wave Netconnect IP at This forms part of a block which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked.

A DLL is dropped with a detection rate of about 8/57 [3] [4] which appears to phone home to: (New wind Stanislav, Montenegro / OVH / France) [hostname: tyte.ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands) [hostname: ilia909.myeasy.ru] (Digital Ocean, Netherlands) (Garant-Park-Internet Ltd, Russia) (ArtPlanet LLC, Russia)

Incidentally, the registrant information on the bad domains is also very familiar:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:

Recommended minimum blocklist:

UPDATE - 2016/06/13

A list of the sites currently hosted on and their SURBL ratings can be found here.

No comments: