
Friday 9 December 2016

Malware spam: "Firewall Software" leads to Locky

This spam appears to come from multiple senders and leads to Locky ransomware:

From:    Herman Middleton
Date:    9 December 2016 at 07:40
Subject:    Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.

King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.
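A mail-gateway-side check for this delivery method, added here as an example (it is not code from the original post): it opens a ZIP attachment in memory and flags any member with a script extension, so an archive like the one described is quarantined before a user can run it. The sample archives, member names and the script extensions other than .js are constructed assumptions.

```python
import io
import zipfile

# Extensions that should never arrive inside a zipped "invoice".
# .js is the type used in this campaign; the rest are common script
# variants added as an assumption, not taken from the original post.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".ps1"}


def risky_members(zip_bytes):
    """Return names of archive members whose final extension is a script type.

    Non-zip or corrupt payloads return an empty list so the caller can
    decide separately how to treat attachments that do not parse.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    hits = []
    for name in names:
        lower = name.lower()
        # endswith() on the whole name catches double extensions such as
        # "invoice.pdf.js", where a naive split on the first dot would not.
        if any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
            hits.append(name)
    return hits


def build_zip(members):
    """Build an in-memory ZIP from {member_name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one resembling the campaign (randomly named .js inside
# the ZIP), one with a double extension mixed with a benign file, one clean.
SAMPLE_CAMPAIGN = build_zip({"8Xk2qPz.js": b"/* constructed placeholder */"})
SAMPLE_MIXED = build_zip({"readme.txt": b"hello", "Invoice_Dec.pdf.js": b"//"})
SAMPLE_CLEAN = build_zip({"invoice.pdf": b"%PDF-1.4 constructed"})

if __name__ == "__main__":
    for label, sample in (("campaign", SAMPLE_CAMPAIGN), ("mixed", SAMPLE_MIXED),
                          ("clean", SAMPLE_CLEAN)):
        print(label, "->", "QUARANTINE" if risky_members(sample) else "pass",
              risky_members(sample))
```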

The Hybrid Analysis and Malwr reports show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. The Hybrid Analysis report also detects C2 traffic to: [hostname: saluk1.example.com] (Total Server Solutions, US) (OVH, France)

It's perhaps worth mentioning that other Locky C2 servers seen in the past 12 hours are as follows: [hostname: mrn46.powerfulsecurities.com] (Miran, Russia) [hostname: prujio.com] (Layer6, Latvia) [hostname: free.example.com] (Informtehtrans, Russia) (Rinet LLC, Ukraine) (Agava, Russia) (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)

Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are at least a couple of bad /24 blocks in there.

Recommended blocklist:
