Sponsored by..

Friday 25 August 2017

Malware spam: "Voicemail Service" / "New voice message.."

The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.

Subject:       New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From:       "Voicemail Service" [vmservice@victimdomain.tdl]
Date:       Fri, August 25, 2017 12:36 pm

Dear user:

just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service
Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too. These are the MD5s I've seen so far for the RAR files themselves:

04059E14170996725CD2ED2324E485F2
0839A18B1F5C1D09F3DF3DC260C07194
0BD5C04D2680B5C8A801B4C2E73BECCD
12D1FC37D223E823C80CF052920DA9AB
1AA539798341930B5492764F2D668987
1ADFF05EEA041B34682FD92CDE45DBFA
1CCF7445D771B7F803E95090E96D0EB2
20162EC71639C4A9080C24B253F5FDFF
24133B658F7730205BCC5789B4CA30F1
42947EBFEFFA9A5CFA3AADDA7EADA572
4AC35594445EB22FE6971A5F81EAB761
4D4DBBCEC5B48EBA30D7B09F994BC009
54E7C8863E161D5A601230E3CD590134
556A6FC4D5607210FA7EF3CAF3CE59D6
645C4FB3BE1A8B1188E8B5A54B1BC011
80D9CEBB286D79955F18013DD3415EEF
8C9B20A61368E8956B6C49DA9AFF30D1
9739211AD009B97EBE0DF353AB11BEB5
9CDDA6C72F41039340E450FA4374E748
A9C0D2F356C455EB40B707D570D27318
BAF4482ED9F6DEE8CBE6F69366AAC434
EA7D52C3328A5A8A0C8334AE3E3C580C
FEC76C943E1252D0DE7D6B7936510B9D


The VBS script is similar to this (variable names seem to change mostly) with a detection rate of about 15/59. Hybrid Analysis shows it dropping a Locky executable with a 18/65 detection rate which phones home to 46.17.44.153/imageload.cgi (Baxnet, Russia) which I recommend that you block.

No comments: