Sponsored by..

Monday 5 September 2016

Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."

This fake financial spam has a malicious attachment:

From:    Tamika Good
Date:    5 September 2016 at 08:43
Subject:    Credit card receipt

Dear [redacted],

We are sending you the credit card receipt from yesterday. Please match the card number and amount.

Sincerely yours,
Tamika Good
Account manager
The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_

A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:


This appears to be multihomed on the following IP addresses: (New Wave NetConnect, US) (Virtual Machine Solutions LLC, US) [hostname: ns2.3arab.net] (Hudson Valley Host, US) (1B Holding ZRT, Hungary)

Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:

  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru

Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57.  These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to: [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine) (Mir Telematiki, Russia) (Denis Leonidovich Dunaevskiy, Ukraine) (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [] (TheFirst-RU, Russia)

The payload is probably Locky ransomware.

Recommended blocklist:

No comments: