Sponsored by..

Tuesday, 5 September 2017

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Subject:       Scanning
From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date:       Thu, May 18, 2017 8:26 pm

https://dropbox.com/file/9A30AA
--
Jeanette Randels DipFA

Taylored Group
26 City Business Centre
Hyde Street
Winchester
SO23 7TA

Members of the CAERUS Capital Group

www.tayloredgroup.co.uk

Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited,
Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored
Financial Planning cannot guarantee the security of the email or its contents or
that it remains virus free once sent. This email message is strictly
confidential and intended solely for the person or organisation to who it is
addressed. It may contain privileged and confidential information and if you are
not the recipient, you must not copy, distribute or take any action in
reference to it. If you have received this email in error, please notify us as
soon as possible and delete the message from your system. 
Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6]  shows Locky ransomware attempting to phone home to the following locations:

91.234.35.170/imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75/imageload.cgi (McHost.ru / VDSINA, Russia)

McHost is such a well-known purveyor of toxic crap that I recommend you block all of their ranges (plus I guess the related VDSINA ones), or even block the entire Webzilla AS35415. You can find a list of the network ranges here. Also thehost.ua also has a lot of crap and I would lean towards blocking whole network ranges.

Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24

No comments: