Thursday 3 November 2016

Malware spam: "!!! Urgent payment request" from random senders leads to Locky

This spam comes from random senders; the name in the "From" field always matches the fake email signature. The number of exclamation marks in the subject varies, and the payload is Locky ransomware.

Subject:     !!! Urgent payment request
From:     erika.whitwell@hillcrestlife.org (erika.whitwell@hillcrestlife.org)
Date:     Thursday, 3 November 2016, 10:01


Telefon: +49 1592 / 51-2545
Fax: +49 1592 / 5166-2545

Attached is a file with a long name made of random numbers (e.g. 5148202750-2115939053-201611153218-5476.zip) which contains a similarly named malicious JavaScript file (e.g. 8357243996-7378883150-201611233647-0661.js), which looks like this [pastebin].
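The attachment shape described above (a ZIP whose name and whose single member are both long runs of digits, the member being a script) is easy to flag at a mail gateway before anyone double-clicks it. The following is an added example written for this post, not code from the original or from any named vendor; the filename regex is inferred from the two sample names quoted above (10-10-12-4 digit groups) and is an assumption, the ZIP it inspects is constructed in memory with an inert placeholder member, and the script-extension list is a general defensive choice rather than something the post states.

```python
import io
import re
import zipfile

# Filename shape inferred from the two sample names quoted in the post
# (10 digits - 10 digits - 12 digits - 4 digits). Assumption, not a published IoC.
NAME_RE = re.compile(r"^\d{10}-\d{10}-\d{12}-\d{4}\.(zip|js)$", re.IGNORECASE)

# Script extensions that Windows runs through Windows Script Host when opened;
# a ZIP carrying any of these as its payload is treated as suspicious.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe")


def suspicious_name(name: str) -> bool:
    """True if the filename matches the random-digits pattern seen in this campaign."""
    return bool(NAME_RE.match(name))


def inspect_zip(attachment_name: str, data: bytes) -> dict:
    """Inspect a ZIP attachment and return findings plus a pass/quarantine verdict.

    Findings record: whether the outer filename matches the pattern, which members
    are scripts, and which members also match the pattern. Nothing is extracted
    to disk and member contents are never executed.
    """
    findings = {
        "attachment": attachment_name,
        "name_match": suspicious_name(attachment_name),
        "script_members": [],
        "pattern_members": [],
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.filename.lower().endswith(SCRIPT_EXTS):
                    findings["script_members"].append(info.filename)
                if suspicious_name(info.filename):
                    findings["pattern_members"].append(info.filename)
    except zipfile.BadZipFile:
        # A "zip" that does not parse is itself worth holding for a human look.
        findings["error"] = "not a valid zip"

    hold = (
        findings["script_members"]
        or findings["name_match"]
        or findings["pattern_members"]
        or "error" in findings
    )
    findings["verdict"] = "quarantine" if hold else "pass"
    return findings


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Construct a small ZIP in memory so the example runs offline (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment mimicking the naming seen in the post; the member is
    # an inert comment, not the real script.
    sample = build_sample_zip(
        "8357243996-7378883150-201611233647-0661.js",
        b"// constructed placeholder, inert\n",
    )
    print(inspect_zip("5148202750-2115939053-201611153218-5476.zip", sample))
    print(inspect_zip("invoice.zip", build_sample_zip("invoice.pdf", b"%PDF-1.4 constructed")))
```

The two checks are deliberately independent: the digit pattern catches this particular campaign even if the member extension changes, while the script-extension check catches the far more general "ZIP wrapping a WSH script" lure regardless of naming, so a gateway rule built on the second alone still holds value after the campaign's filenames rotate.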

Analysis is pending. Please check back later.


This Hybrid Analysis shows the script downloading from:


There will be lots of other download locations too. The same report shows the malware phoning home to the following C2 servers (overlapping somewhat with those found here): (Hostpro Ltd, Ukraine) (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine) (McHost.Ru, Russia)

Recommended blocklist:
