From: Herman MiddletonAttached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.
Date: 9 December 2016 at 07:40
Subject: Firewall Software
Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
Please check it out.
--
King Regards,
Herman Middleton
IT Support Manager
The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detections C2 traffic to:
107.181.187.97/checkupdate [hostname: saluk1.example.com] (Total Server Solutions, US)
51.254.141.213/checkupdate (OVH, France)
It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:
91.142.90.46/checkupdate [hostname: mrn46.powerfulsecurities.com] (Miran, Russia)
195.123.209.23/checkupdate [hostame: prujio.com] (Layer6, Latvia)
185.127.24.247/checkupdate [hostname: free.example.com] (Informtehtrans, Russia)
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
185.46.11.236/checkupdate (Agava, Russia)
178.159.42.248/checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)
Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are a at least a couple of bad /24 blocks in there.
Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24
No comments:
Post a Comment