

Thursday 28 April 2016

Malware spam: "FW: Invoice" from multiple senders

This fake financial spam comes from randomly-generated senders, for example:

From:    Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br]
Date:    28 April 2016 at 11:40
Subject:    FW: Invoice

Please find attached invoice #342012

Have a nice day

The attached ZIP file is named using elements of the recipient's email address. It contains a malicious script which, when run, downloads a binary from one of many locations. The ones I have seen are:


The payload looks like Locky ransomware. The DeepViz report shows it phoning home to: (Firstbyte, Russia) (Relink, Russia) (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine) (Relink, Russia / OVH, France) (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)

These two Hybrid Analysis reports [1] [2] show Locky more clearly.

Recommended blocklist: