This morning's spam run has a subject with one of the following words:
DOC
DOCUMENT
FAX
IMG
LABEL
ORD
PHOTO
PIC
SCAN
SHEET
..plus a four digit random number. Attached is a ZIP file with a name mating the subject, containing a randomly-named malicious javascript that attempts to download a component from one of the following locations:
jackybrith.net/yr387n3
premierpromotions.co.uk/yr387n3
prongai.com/yr387n3
right-livelihoods.org/yr387n3
ryrszs.com/yr387n3
semeystvo.com.ua/yr387n3
signumtte.net/yr387n3
supplyglassess.com/yr387n3
sydayont.com/yr387n3
tehrankhabar.ir/yr387n3
thegarageteam.gr/yr387n3
trebleimp.com/yr387n3
uzmanfren.com.tr/yr387n3
velolenta.com/yr387n3
videobandnaardvd.com/yr387n3
vmeste-hudeem.ru/yr387n3
The payload is Locky ransomware, phoning home to:
185.118.167.144/information.cgi [hostname: bogdankarpenko1998.pserver.ru] (Chelyabinsk-Signal, Russia)
91.142.90.55/information.cgi (Miran, Russia)
Recommended blocklist:
185.118.167.144
91.142.90.55
No comments:
Post a Comment