From: rosalyn.gregory@gmail.com
Date: Thu, 29 Sep 2016 21:07:46 +0800
Subject: Receipt 103-526

I cannot tell if there is any body text; however, there is an attachment Receipt.xls which contains malicious code [pastebin] that, in the case of the sample I analysed, downloads a binary from:
opmsk.ru/g76ub76
There will be many other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:
89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
xpcwwlauo.pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
A malicious DLL is dropped with a detection rate of 6/57. Malicious IPs and domains overlap quite a bit with this earlier attack. This version of Locky encrypts files with a .odin extension.
UPDATE - a source has provided a full list of the download locations used in this attack, all with the path /g76ub76.
Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132
1 comment:
I'm seeing the filename matching the subject, and also doc as well as xls extensions. So, Receipt 103-526.xls for example.
Generically, the filenames are: "Receipt n-n.xls|doc" where n = 0 to 99999.
The following regex will match on this filename for mail scanners that can use a regex.
^Receipt \d{1,5}-\d{1,5}\.(?:xls|doc)$
Brian
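The filename pattern from the comment above and the URL paths named in the post, turned into a small defender-side check. This is an added example, not code from the original post or its commenter; the proxy log lines are constructed, and the "client METHOD URL" log layout is an assumption.

```python
import re
from urllib.parse import urlparse

# "Receipt n-n.xls|doc" with n = 0..99999, i.e. 1 to 5 digits per number.
RECEIPT_RE = re.compile(r"^Receipt \d{1,5}-\d{1,5}\.(?:xls|doc)$")

# Phone-home IPs from the post's recommended blocklist.
BLOCKLIST_IPS = {"89.108.83.45", "91.200.14.93", "91.234.33.132"}

# URL paths seen in this campaign: the payload download stage and the
# Locky phone-home handler.
CAMPAIGN_PATHS = {"/g76ub76", "/apache_handler.php"}


def is_receipt_lure(filename):
    """True if an attachment name matches the Receipt n-n.xls|doc lure."""
    return RECEIPT_RE.match(filename) is not None


def classify_url(url):
    """Return a reason string if the URL touches known campaign
    infrastructure, otherwise None."""
    parsed = urlparse(url)
    if parsed.hostname in BLOCKLIST_IPS:
        return "blocklisted-ip"
    if parsed.path in CAMPAIGN_PATHS:
        return "campaign-path"
    return None


# Constructed sample proxy log (not real traffic): "client METHOD URL"
SAMPLE_LOG = """\
10.0.0.5 GET http://opmsk.ru/g76ub76
10.0.0.5 POST http://89.108.83.45/apache_handler.php
10.0.0.7 GET http://example.com/index.html
"""


def scan_log(text):
    """Yield (client, url, reason) for every log line that hits the
    download path or a blocklisted phone-home address."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash
        client, _method, url = parts
        reason = classify_url(url)
        if reason:
            hits.append((client, url, reason))
    return hits
```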