Tuesday 20 September 2016

Malware spam: "Tracking data" leads to Locky

This spam has a malicious attachment leading to Locky ransomware:

From:    Loretta Gilmore
Date:    20 September 2016 at 08:31
Subject:    Tracking data

Good afternoon [redacted],

Your item #9122164-201609 has been sent to you by carrier.
He will arrive to you on 23th of September, 2016 at noon.

The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached.

The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name.
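A mail-gateway check for the attachment shape described above, written as an added example rather than anything from the original post: it opens a ZIP attachment in memory and flags the "tracking data ~XXXXXXXX~.js" naming pattern, or more generally a script file travelling with a single-letter junk file. The junk-file rule (one letter, no extension) and the list of script extensions are assumptions; the sample ZIP is constructed inline with placeholder content.

```python
import io
import re
import zipfile

# Filename pattern from the post: "tracking data ~C503090F~.js", where the
# 8-digit hexadecimal block is random. Matched case-insensitively.
JS_NAME_RE = re.compile(r"^tracking data ~[0-9A-F]{8}~\.js$", re.IGNORECASE)
# Assumption: the junk companion is a bare single-letter name with no extension.
JUNK_NAME_RE = re.compile(r"^[A-Za-z]$")
# Assumption: script types worth flagging inside a mailed ZIP.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")

def classify_zip(data: bytes) -> dict:
    """Return a verdict for an in-memory ZIP attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"suspicious": False, "reason": "not a zip", "members": []}
    # Only the basename matters; attackers sometimes nest members in a folder.
    base = {n: n.rsplit("/", 1)[-1] for n in names}
    js_hits = [n for n in names if JS_NAME_RE.match(base[n])]
    junk_hits = [n for n in names if JUNK_NAME_RE.match(base[n])]
    scripts = [n for n in names if base[n].lower().endswith(SCRIPT_EXTS)]
    if js_hits:
        reason = "script named like 'tracking data ~XXXXXXXX~.js'"
    elif scripts and junk_hits:
        reason = "script plus single-letter junk file"
    elif scripts:
        reason = "script file inside zip attachment"
    else:
        return {"suspicious": False, "reason": "no script members", "members": names}
    return {"suspicious": True, "reason": reason, "members": names}

def build_sample_zip(members: dict) -> bytes:
    """Constructed test input: build a ZIP from {name: bytes} in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder content only; this is not the real downloader script.
    sample = build_sample_zip({"tracking data ~C503090F~.js": b"// placeholder\n",
                               "q": b"junk"})
    print(classify_zip(sample))
```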

Analysis of the attachments is pending.


Hybrid Analysis of various samples [1] [2] [3] [4] shows the script downloading from various locations:


All of these are hosted on: (21 Century Telecom Ltd, Russia) (Netinternet Bilisim Teknolojileri AS, Turkey)

The malware then phones home to the following locations: (Anton Malyi aka conturov.net, Ukraine) (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine) (TCTEL, Russia) (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx.xyz/data/info.php  [] (Anton Malyi aka conturov.net, Ukraine)

A DLL is dropped with a detection rate of 13/57.

Recommended blocklist:
