
Friday 2 September 2016

Malware spam: "old office facilities" leads to Locky

This spam has a malicious attachment:

Subject:     old office facilities
From:     Kimberly Snow (Snow.741@niqueladosbestreu.com)
Date:     Friday, 2 September 2016, 8:55

Hi Corina,

Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.

Best wishes,
Kimberly Snow
The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal number, containing a malicious .js script whose name begins with office_facilities_ followed by another random hexadecimal number. On a default Windows install a double-click on that .js runs it through Windows Script Host, which is how this style of attachment delivers its payload.
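As an added example (not part of the original post, and not code from the Malwr report), the naming pattern described above is easy to turn into a mail-gateway or triage check. The script below, in Python, opens an attachment in memory and flags a ZIP whose own name is a bare hexadecimal number and whose contents match office_facilities_<hex>.js; it also flags any other script file inside a ZIP, which is a broader precaution than the single case in this post. The sample archives are constructed inline and contain placeholder text, not the real downloader; the assumption that the ZIP's entire stem is the hexadecimal number is mine.

```python
import io
import re
import zipfile

# Inner script name described in the post: "office_facilities_" + random hex + ".js".
INNER_NAME_RE = re.compile(r"^office_facilities_[0-9a-f]+\.js$", re.IGNORECASE)
# ZIP named with a random hexadecimal number (assumption: the whole stem is the hex value).
ZIP_NAME_RE = re.compile(r"^[0-9a-f]+\.zip$", re.IGNORECASE)
# Script extensions a mail gateway rarely has a legitimate reason to accept inside a ZIP
# (a general check, broader than the single .js case in the post).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def scan_attachment(filename, data):
    """Return a list of findings for one attachment (its filename and raw bytes).

    An empty list means nothing matched. A malformed ZIP is reported as a finding
    instead of raising, because an unreadable archive is itself worth a look.
    """
    findings = []
    if ZIP_NAME_RE.match(filename):
        findings.append("zip name is a bare hexadecimal number")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return findings + ["attachment is not a valid ZIP"]
    for member in members:
        base = member.rsplit("/", 1)[-1]  # ignore any directory prefix inside the archive
        if INNER_NAME_RE.match(base):
            findings.append(f"{member}: matches office_facilities_<hex>.js lure name")
        elif base.lower().endswith(SCRIPT_EXTS):
            findings.append(f"{member}: script file inside ZIP")
    return findings


def build_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real attachments: one shaped like this campaign, one benign.
LURE_ZIP_NAME = "3f9a7c2e1b.zip"
LURE_ZIP = build_zip({"office_facilities_7d2a9f.js": b"// placeholder, not the real downloader\n"})
BENIGN_ZIP = build_zip({"facilities_list.txt": b"desk, chair, lamp\n"})

if __name__ == "__main__":
    for name, blob in ((LURE_ZIP_NAME, LURE_ZIP), ("facilities.zip", BENIGN_ZIP)):
        print(name, scan_attachment(name, blob) or "clean")
```

The lure-name regex is campaign-specific and will go stale as the filenames rotate; the "script inside a ZIP" rule is the one worth keeping as a standing gateway policy.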

Analysis is pending, but this Malwr report indicates attempted communications to:


...both apparently hosted on (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.


According to this Malwr report it drops a DLL with a detection rate of 10/58. Also, those mysterious .wang domains appear to be multihomed on the following IPs:

(New Wave NetConnect, US) [hostname: support01.cf]
(Servercrate aka CubeMotion LLC, US)
(Crowncloud, US)
("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
(Net3, US)
(OVH, Canada)
(OVH, Canada)

Recommended blocklist:
