From: CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com]
Date: 27 April 2016 at 16:22
Subject: Message from "RNP0BB8A7"

This e-mail has been sent from "RNP0BB8A7" (Aficio MP 171).
Scan details: 27.04.2016 00:31:10 (+0000)
Questions to: soporte@victimdomain.tld

Attached is a randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:
mebdco.com/8759j3f434
amwal.qa/8759j3f434
ecmacao.com/8759j3f434
lifeiscalling-sports.com/8759j3f434
This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source that these additional download locations were being used for an English-language spam run this afternoon:
This DeepViz report shows the malware phoning home to:
107.170.20.33 (Digital Ocean, US)
139.59.166.196 (Digital Ocean, Singapore)
146.185.155.126 (Digital Ocean, Netherlands)
There's a triple whammy for Digital Ocean! Well done them.
Recommended blocklist:
107.170.20.33
139.59.166.196
146.185.155.126
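As an added example (not part of the original post), here is a small defensive check covering both halves of the story above: a mail-gateway style test that flags ZIP attachments carrying script files without extracting them, and a proxy-log filter for the shared download path and the three phone-home addresses listed in the post. The ZIP and the log lines are constructed samples; the member name and file names mimic the ones quoted above.

```python
import io
import os
import zipfile

# Script extensions commonly carried inside ZIP lures of this kind (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}

# Indicators quoted in the post: the shared download path and the three C2 addresses.
DOWNLOAD_PATH = "/8759j3f434"
C2_ADDRESSES = {"107.170.20.33", "139.59.166.196", "146.185.155.126"}


def scripts_in_zip(data):
    """Return names of script-type members in a ZIP attachment given as bytes.

    Only the central directory is read; nothing is extracted or executed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # Not a ZIP at all; leave it to other checks.
    return [n for n in names if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]


def suspicious_proxy_lines(lines):
    """Return proxy-log lines that reference the download path or a C2 address."""
    return [line for line in lines
            if DOWNLOAD_PATH in line or any(ip in line for ip in C2_ADDRESSES)]


def build_sample_zip():
    """Constructed sample mimicking the lure: an archive holding 0061007_009443.js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("0061007_009443.js", "// constructed placeholder, not the real script\n")
    return buf.getvalue()


# Constructed proxy-log lines (not real traffic); only the first and third should match.
SAMPLE_LOG = [
    "2016-04-27T16:25:01 10.0.0.12 GET http://mebdco.com/8759j3f434 200",
    "2016-04-27T16:25:03 10.0.0.12 GET http://example.org/index.html 200",
    "2016-04-27T16:26:10 10.0.0.12 POST http://107.170.20.33/ 200",
]

if __name__ == "__main__":
    print("script members:", scripts_in_zip(build_sample_zip()))
    print("suspicious log lines:", suspicious_proxy_lines(SAMPLE_LOG))
```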