Sponsored by..

Friday, 9 September 2016

Malware spam: "Order Confirmation xxxxx" leads to Locky

This fake financial spam leads to malware:

From:    Ignacio le neve
Date:    9 September 2016 at 10:31
Subject:    Order Confirmation 355050211

--
This message is intended only for the individual or entity to which it is
addressed and may contain information that is private and confidential. If
you are not the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication and its
attachments is strictly prohibited.
The name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip) but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip.

Contained within the ZIP file is a malicious .HTA script with a random name (example). This simply appears to be an encapsulated Javascript.

Analysis is pending, my trusted source (thank you) says that the various scripts download from one of the following locations:

adasurgical.com/7832ghd
agileprojects.ro/7832ghd
anatoliamaket.com/7832ghd
annurmaheshphotography.in/7832ghd
aycilinsaat.com/7832ghd
biogreentech.in/7832ghd
cardimax.com.ph/7832ghd
citycollection.com.tr/7832ghd
craskart.com/7832ghd
dashingleather.com/7832ghd
doctortools.eu/7832ghd
factumtech.com/7832ghd
flexfitent.com/7832ghd
goldenladywedding.com/7832ghd
iandiinternational.com/7832ghd
jmetalloysllp.com/7832ghd
linosys.info/7832ghd
marathazhunj.com/7832ghd
micaraland.com/7832ghd
moko-2.wptemplate.net/7832ghd
mylespollard.com.au/7832ghd
onlinepurohit.com/7832ghd
perfectfixuae.com/7832ghd
platformarchitects.com.au/7832ghd
rapiderbariyer.com/7832ghd
safiazsports.com/7832ghd
shagunproperty.com/7832ghd
sowhatresearch.com.au/7832ghd
stylecode.co.in/7832ghd
tipsforall.in/7832ghd
tscbearings.in/7832ghd
Ungelie.com/7832ghd
utsavi.net/7832ghd
walkerandhall.co.uk/7832ghd
webdesignselite.com/7832ghd
webnox.in/7832ghd
www.alfajerdecor.com/7832ghd
www.jmetalloysllp.com/7832ghd
www.mehrabtech.ae/7832ghd
www.pstimes.com/7832ghd
www.thegurukulians.com/7832ghd
yesiloglugrup.com/7832ghd


The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload is Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a but I do not have a sample yet.

This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above or monitoring/blocking access attempts with 7832ghd in the string.

UPDATE: The Hybrid Analysis of one of the scripts does not add much except to confirm that this is ransomware.

No comments: