The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56.
From: AUTUMN RHINES
Date: 12 December 2016 at 10:40
Subject: Invoice number: 947781
Please find attached a copy of your invoice.
Tel: 0800 170 7234
Fax: 0161 850 0404
For all your stationery needs please visit Stationerybase.
Automated analysis of several of these files [1] [2] [3] [4] shows the macro downloading a component from miel-maroc.com/874ghv3 (there are probably many more locations). A DLL is dropped, with a current detection rate of 11/57.
All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to:
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
88.214.236.218/checkupdate (Overoptic Systems, UK / Russia)
91.219.31.14/checkupdate (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
Recommended blocklist:
176.121.14.95
88.214.236.218
91.219.31.14
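As an added example (not part of the original post or its analyses), the lure pattern and the network indicators above turned into a small Python check. One function matches the "Invoice number: N" subject against an attachment named N.docm (the exact filename form is an assumption; the post only says the name matches the invoice number). A second function classifies proxy-log URLs against the download location and the three /checkupdate phone-home addresses, ignoring hosts that merely share the path. The log lines are constructed for illustration in Squid access-log layout.

```python
import re
from typing import List, Optional, Tuple

# Network indicators taken from the post: the macro's download host and the
# three Locky (Osiris) phone-home addresses, all contacted on /checkupdate.
DOWNLOAD_HOSTS = {"miel-maroc.com"}
C2_IPS = {"176.121.14.95", "88.214.236.218", "91.219.31.14"}
C2_PATH = "/checkupdate"

# Subject line seen in the campaign; the invoice number is captured so it can
# be compared with the attachment name.
SUBJECT_RE = re.compile(r"^Invoice number:\s*(\d+)\s*$", re.I)

# Squid access log: ts elapsed client code/status bytes method url ...
# Only client, method and URL are extracted.
LOG_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?", re.I)


def match_invoice_lure(subject: str, attachments: List[str]) -> bool:
    """True when the subject is the campaign lure and an attachment is
    named after the invoice number with a .docm extension (assumed form)."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return False
    expected = f"{m.group(1)}.docm"
    return any(name.strip().lower() == expected for name in attachments)


def classify_url(url: str) -> Optional[str]:
    """Return 'locky-c2', 'macro-download' or None for a requested URL.
    Host and path are compared case-insensitively; query strings are dropped."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group("host").lower()
    path = (m.group("path") or "/").lower()
    if host in C2_IPS and path == C2_PATH:
        return "locky-c2"
    if host in DOWNLOAD_HOSTS:
        return "macro-download"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, tag, url) for every log line hitting an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify_url(m.group("url"))
        if tag:
            hits.append((m.group("client"), tag, m.group("url")))
    return hits


# Constructed sample log: one client fetches the macro payload and then checks
# in with two C2 addresses; a second client hits an unrelated /checkupdate.
SAMPLE_LOG = """\
1481539200.123    45 10.0.0.21 TCP_MISS/200 91234 GET http://miel-maroc.com/874ghv3 - HIER_DIRECT/203.0.113.5 application/octet-stream
1481539260.456    30 10.0.0.21 TCP_MISS/200 512 POST http://176.121.14.95/checkupdate - HIER_DIRECT/176.121.14.95 text/plain
1481539261.789    30 10.0.0.21 TCP_MISS/200 512 POST http://91.219.31.14/CheckUpdate?x=1 - HIER_DIRECT/91.219.31.14 text/plain
1481539300.000    12 10.0.0.33 TCP_MISS/200 2048 GET http://example.com/checkupdate - HIER_DIRECT/198.51.100.7 text/html
""".splitlines()


if __name__ == "__main__":
    print(match_invoice_lure("Invoice number: 947781", ["947781.docm"]))
    for client, tag, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}\t{tag}\t{url}")
```

The C2 match deliberately requires both the address and the path: /checkupdate on its own is too common to block on, while the three IPs are the actionable indicator, which is why the blocklist above lists only the addresses.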