Sponsored by..

Thursday 3 November 2016

Malware spam: "!!! Urgent payment request" from random senders leads to Locky

This spam comes from random senders, the name in the "From" field always matches the fake email signature. The number of exclamation marks varies, and the payload is Locky ransomware.


Subject:     !!! Urgent payment request
From:     erika.whitwell@hillcrestlife.org (erika.whitwell@hillcrestlife.org)
Date:     Thursday, 3 November 2016, 10:01

ERIKA WHITWELL

Telefon: +49 1592 / 51-2545
Fax: +49 1592 / 5166-2545
E-Mail:
erika.whitwell@hillcrestlife.org

Attached is a file with a long name made of random numbers (e.g. 5148202750-2115939053-201611153218-5476.zip) which contains a similarly-named malicious javascript file (e.g. 8357243996-7378883150-201611233647-0661.js) which looks like this [pastebin].

Analysis is pending. Please check back later.

UPDATE

This Hybrid Analysis shows the script downloading from:

dornovametoda.sk/jhb6576?jPUTusVX=GXNaiircxm

There will be lots of other download locations too. That same report shows the malware phoning come to the following C2 servers (that overlaps somewhat with those found here):

194.28.87.26/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
109.234.34.227/message.php (McHost.Ru, Russia)


Recommended blocklist:
194.28.87.26
93.170.123.119
109.234.34.0/24




No comments: