From: "AutoPosted PI Notifier" [NoReplyMailbox@redacted.tld]
Subject: Invoice PIS9344608
Date: Tue, September 26, 2017 5:29 pm

Please find Invoice PIS9344608 attached.

The number referenced in the spam varies, but attached is a .7z archive file with a matching filename. In turn, this contains one of a number of malicious VBS scripts (like this) that download an executable from one of the following locations (thanks to a trusted source for these):
The dropped file currently has a detection rate of 21/63. There are no C2s.
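
A mail-gateway check for the lure described above, added here as an example and not taken from the original post: it flags a message whose subject invoice number reappears in the name of a 7z attachment. The `PIS\d+` pattern is an assumption drawn from the single sample subject shown, and the test messages are constructed.

```python
import re
from email.message import EmailMessage

# Assumption: reference format inferred from the one sample subject on the page.
INVOICE_RE = re.compile(r"\bInvoice\s+(PIS\d+)\b", re.IGNORECASE)
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7z file signature


def matches_lure(msg):
    """True when the subject's invoice number reappears in the name of an
    attachment that is a 7z archive by extension or by file signature."""
    m = INVOICE_RE.search(str(msg.get("Subject", "")))
    if not m:
        return False
    ref = m.group(1).lower()
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name or ref not in name:
            continue
        data = part.get_payload(decode=True) or b""
        if name.endswith(".7z") or data.startswith(SEVENZ_MAGIC):
            return True
    return False


def build_sample(subject, filename, payload=SEVENZ_MAGIC + b"\x00" * 8):
    """Constructed test message; the payload is placeholder bytes, not an archive."""
    msg = EmailMessage()
    msg["From"] = '"AutoPosted PI Notifier" <NoReplyMailbox@example.invalid>'
    msg["Subject"] = subject
    msg.set_content("Please find Invoice attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for fname in ("PIS9344608.7z", "PIS0000001.7z"):
        print(fname, matches_lure(build_sample("Invoice PIS9344608", fname)))
```

The signature check also catches an archive whose extension has been changed, which an extension-only filter would miss.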