Sponsored by..

Wednesday 5 October 2016

Malware spam: "complaint letter" leads to Locky

This spam email message has a malicious attachment that leads to Locky ransomware:

Subject:     complaint letter
From:     Jae Mason
Date:     Wednesday, 5 October 2016, 10:48

Dear [redacted], client sent a complaint letter regarding the data file you provided.

The letter is attached. Please review his concerns carefully and reply him as soon as possible.
The sender name will vary. Attached is a ZIP file with a name in the format complaint_letter_955ce806.zip which contains a malicious .WSF script.

My source tells me that the scripts download from one of the following locations:

all-rides.com/owav14
bbs.vlibang.com/ojojbry
caggynext.net/0vm80
caggynext.net/1yz517
caggynext.net/36z66i
caggynext.net/6mcco3s
carpetcleaningwestchesterny.net/j2pkoex
dom-dekor.net/q62g3
drewolea.net/0fuhybw0
drewolea.net/1lc09
drewolea.net/25do4q7
drewolea.net/3r9jke
enricobasili.com/m4fqj4lt
goodkiddy.com/pvn5l
idealuze.com/lu814bj
instantstamp.com/j50mt
kencaedu.com/25do4q7
klamathkinetic.org/11c84e3
knoozroom.com/igv7j9e
lanamusty.net/11c84e3
lanamusty.net/1z5vbh
lanamusty.net/3b33zp
lanamusty.net/72mjp
lev-pr.com/i2acpqa1
lgbtbookstore.com/gech2hc
lzeshine.com/girq6q
markjenningsbates.com/72mjp
mediaalias.com/lplgnnaf
minoritycounselor.com/j8365gb
motionthatmovesme.com/h1n2ix7
mysolosource.com/l3x3oczx
ndsemi.com/gy5tw
nuntatimisoara.com/ekrc0i6
nuociss.com/b5ebfsuy
nytaihao.com/ffaw7
pattumalamatha.com/e7r2v1t
phohchaui.com/0mvwos0
phohchaui.com/1xqbcjm
pmfaccountant.com/ggbvw1nj
pobreloco.com/36z66i
praxis-blechert.de/t86h1a
rdoent.com/okq0h9
sasguildford.com/yccemkwd
semes.sk/y0fmps
shingpohk.com/wc2mp0d
snehil.com/vfksxp
sotaygiadinh.net/t9ifk7j
sportowy.info/tbccuj
supergem.net/mri7i
talentinzicht.eu/va7tgx6
technix.ca/jbatquey
theshopwiz.com/t6epks
tiaocuo.org/z4nyglmm
tulisasource.com/rne42v8
turkbyte.com/q7zorra
upper-classmen.com/k1hd6
vincentsvineyard.com/z02mw8ab
www.resumebuddy.net/rcz888
yinstrage.com/0g9b921
yinstrage.com/1tsi2zr
yinstrage.com/2ld6aep
yinstrage.com/5s56ss

There are no C2 servers.

2 comments:

nkl0x55 said...

Hi there,

Recently one of our user got infected, the variant of Locky changes the file extension to .shit.

The following are the 5 URL that was found:
http://sunproductivity.com/m6ot1
http://azaminsaat.com/nyzhvh2c
http://corployalty.it-strategy.ru/p4icah5h
http://vowedbutea.net/5491o
http://gruffcrimp.com/5inrze

Unknown said...

my domain is on this list and has nothing to do with malware. Please remove any reference to markjenningsbates.com. The referenced domain will simply show a 404 error.