Sponsored by..

Friday, 2 September 2016

Malware spam: "Scanned image from MX2310U@victimdomain.tld" leads to Locky

This fake document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.

Subject:     Scanned image from MX2310U@victimdomain.tld
From:     office@victimdomain.tld (office@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 2 September 2016, 2:29

Reply to: office@victimdomain.tld [office@victimdomain.tld]
Device Name: MX2310U@victimdomain.tld
Device Model: MX-2310U
Location: Reception

File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
Adobe(R)Reader(R) can be downloaded from the following URL:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.

    http://www.adobe.com/

Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component from on of the following locations:

body-fitness.net/lagmslh
bushman-rest.com/aoeueyk
capannoneinliguria.com/lijrnub
foerschl.gmxhome.de/emyomqa
imakarademo.web.fc2.com/akwhorc
inge28.mytactis.com/cqmoxef
pennylanecupcakes.com.au/mhkqxia
rabbitfood.web.fc2.com/ixvnfyj
sakon118.web.fc2.com/srmrsgf
sebangou8.xxxxxxxx.jp/kfkdpvl
sojasaude.com.br/ahtoijg
sp-moto.ru/vodusim
t-schoener.de/mdexigc
www.bytove.jadro.szm.com/dgsqens
www.callisto.cba.pl/oqmfnar
www.ccnprodusenaturiste.home.ro/hiogthu
www.coropeppinumereu.it/xyhhytf
www.one-clap.jp/pourpjr
www.parrucchieriagiacomo.com/dekjxus
www.radicegioielli.com/aayfixd
www.sieas.com/mkndcbn
www.spiritueelcentrumaum.net/ksqoyps
www.vanetti.it/inywdjo
www.whitakerpd.co.uk/ymmcguk
www.xolod-teplo.ru/ygpwfty
yggithuq.utawebhost.at/getatoj

The payload is Locky ransomware, phoning home to:

212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers.xyz] (EDIS, Austria)

Recommended blocklist:
212.109.192.235
149.154.152.108
Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)