Wednesday 23 August 2017
Malware spam: "Customer Service" / "Copy of Invoice xxxx"
This fairly generic spam leads to the Locky ransomware:

Subject: Copy of Invoice 3206
From: "Customer Service"
Date: Wed, August 23, 2017 9:12 pm

Please download file containing your order information.
If you have any further questions regarding your invoice, please call Customer Service.
Please do not reply directly to this automatically generated e-mail message.
Thank you.
Customer Service Department

A link in the email downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis has seen it all before. The download EXE (VT 21/64) script POSTS to 5.196.99.239/imageload.cgi (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler last year, so I would recommend blocking all traffic to 5.196.99.0/24.
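
To check whether any internal host has already contacted the addresses named in this post, proxy logs can be searched for the POST to 5.196.99.239/imageload.cgi and for any other traffic into 5.196.99.0/24. The Python below is an added example, not part of the original post; the log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the post.
BLOCK_NET = ipaddress.ip_network("5.196.99.0/24")
IOC_HOST = ipaddress.ip_address("5.196.99.239")
IOC_PATH = "/imageload.cgi"

# Constructed sample lines; the "time client method url status" layout is an assumption.
SAMPLE_LOG = """\
2017-08-23T21:14:02Z 10.0.4.17 POST http://5.196.99.239/imageload.cgi 200
2017-08-23T21:14:09Z 10.0.4.17 GET http://5.196.99.12:8080/index.html 403
2017-08-23T21:15:40Z 10.0.7.3 GET http://example.com/imageload.cgi 200
2017-08-23T21:16:01Z 10.0.9.8 POST http://5.196.100.239/imageload.cgi 200
malformed line
"""

def classify(method, url):
    """Return 'ioc_post', 'blocked_net' or None for one request."""
    parts = urlsplit(url)
    try:
        dest = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return None  # hostname destination: needs DNS logs to resolve, not done here
    if dest not in BLOCK_NET:
        return None
    if dest == IOC_HOST and method.upper() == "POST" and parts.path == IOC_PATH:
        return "ioc_post"
    return "blocked_net"

def hunt(log_text):
    """Return (client_ip, verdict, url) for every request that touches the /24."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed layout
        _, client, method, url, _ = fields
        verdict = classify(method, url)
        if verdict:
            hits.append((client, verdict, url))
    return hits

if __name__ == "__main__":
    for client, verdict, url in hunt(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{url}")
```

A client that shows up with an `ioc_post` verdict has made the exact request described in the post and should be triaged first; `blocked_net` hits are other connections into the same /24.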