Sponsored by..

Wednesday, 9 November 2016

Malware spam: "Account temporarily suspended" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Nicole Roman
Date:    9 November 2016 at 10:44
Subject:    Account temporarily suspended

Dear Customer.

You have exceeded the limit of operations on your credit card.
Thus, we have temporarily blocked your account.
The full itemization of transactions and instructions are given in the document attached to this message.

Best regards.
The name of the sender varies. In the sample I looked at, the attachment was named after the recipient plus a random number, containing a randomly-named malicious .js script that looks like this

That particular script attempts to download a binary from one of the following locations (you can be sure there are others);

hippaupsup.com/3gc7c2rp
melkar.com/icfi5mg
inspireyouths.org/j48tb3
ausulifer.net/3xwpi
koratwifi.info/io4h3

This Hybrid Analysis and this Malwr report show a DLL being dropped with an MD5 of f86d98b1a67952f290c550db1c0bdcbc and a detection rate of 9/56.

No C2 locations have been identified yet. I will post them here if I get them.


No comments: