Subject: Tax invoice
From: Kris Allison (Allison.5326@resorts.com.mx)
Date: Tuesday, 13 September 2016, 11:22

Dear Client,

Attached is the tax invoice of your company. Please do the payment in an urgent manner.

Best regards,
Kris Allison

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:
adzebur.com/dsd7gk [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
[78.212.131.10] (21 Century Telecom Ltd, Russia)
[31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
[23.95.106.223] (New Wave Netconnect, US)
[23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]
The payload then phones home to:
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
51.255.105.2/data/info.php (New Wind Stanislav, Montenegro / OVH, France)
185.154.15.150/data/info.php (Denis Dunaevskiy, Ukraine / Zomro, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
95.85.29.208/data/info.php (Digital Ocean, Netherlands)
yofkhfskdyiqo.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
khpnqbggoexgbyypy.pw/data/info.php [217.187.13.71] (O2 / Telefonica, Germany)
nbrqrwyjbwcludpjj.click/data/info.php
atjefykfsk.su/data/info.php
dsvuclpoxbqmkdk.xyz/data/info.php
bidmvvhwy.pl/data/info.php
gfhstncbxtjeyhvad.work/data/info.php
iyvrkkrpk.biz/data/info.php
awqgqseghmwgulmyl.su/data/info.php
hioknruwp.ru/data/info.php
cucwonardfib.xyz/data/info.php
vwcwpoksnfk.su/data/info.php
Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71
UPDATE: further analysis gives these other IPs to block:
78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116
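As an added example (not code from the original post), here is a small Python matcher that applies the recommended blocklist above, including the UPDATE entries, to a few constructed proxy log lines. It treats the /28 and /25 entries as CIDR ranges rather than literal strings, and also flags the download and phone-home hostnames and the /data/info.php path that every C2 URL in the post shares. The log line format and the sample lines are assumptions made up for the demo; the indicators themselves are the ones listed above.

```python
#!/usr/bin/env python3
"""Match proxy log lines against the blocklist and C2 indicators from the post.

Added example, not part of the original post. The IPs, CIDR ranges, hostnames
and the /data/info.php path are the indicators listed above; the log format
and the sample log lines are constructed for this demo.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Recommended blocklist from the post, including the UPDATE entries.
# 51.255.105.0/28 and 23.95.106.128/25 are CIDR blocks, so a plain string
# comparison against a destination IP would miss hosts inside them.
BLOCKLIST = [
    "37.200.70.6", "91.214.71.101", "51.255.105.0/28", "185.154.15.150",
    "46.173.214.95", "95.85.29.208", "217.187.13.71",
    "78.212.131.10", "31.210.120.153", "192.3.7.44", "23.95.106.128/25",
    "23.249.164.116",
]

# Download and phone-home hostnames from the post.
BAD_HOSTS = {
    "adzebur.com", "duelrid.com", "madaen.net", "morningaamu.com", "smilehm.com",
    "yofkhfskdyiqo.biz", "khpnqbggoexgbyypy.pw", "nbrqrwyjbwcludpjj.click",
    "atjefykfsk.su", "dsvuclpoxbqmkdk.xyz", "bidmvvhwy.pl",
    "gfhstncbxtjeyhvad.work", "iyvrkkrpk.biz", "awqgqseghmwgulmyl.su",
    "hioknruwp.ru", "cucwonardfib.xyz", "vwcwpoksnfk.su",
}

# Phone-home path shared by every C2 URL in the post.
C2_PATH = "/data/info.php"


def build_networks(entries):
    """Turn blocklist strings into ip_network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


NETWORKS = build_networks(BLOCKLIST)


def ip_blocked(ip_str, networks=NETWORKS):
    """True if ip_str falls inside any blocklisted host or CIDR range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # not an IP literal (e.g. a hostname column); not matched here
    return any(ip in net for net in networks)


# Constructed log format (an assumption, not any real proxy's default):
# <epoch> <client-ip> <dest-ip> <method> <url>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify_line(line):
    """Return the list of indicator types a line matched; empty if it looks clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _client, dest_ip, _method, url = m.groups()
    reasons = []
    if ip_blocked(dest_ip):
        reasons.append("dest-ip-blocklisted")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BAD_HOSTS:
        reasons.append("host-blocklisted")
    if parts.path == C2_PATH:
        reasons.append("c2-path")
    return reasons


def scan_log(lines):
    """Return (line_number, reasons) for every line that matched an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample lines: one clean, one C2 host inside the /28, one C2 by
# hostname only, one download site, and one IP just outside the /25.
SAMPLE_LOG = [
    "1473765720 10.0.0.5 93.184.216.34 GET http://example.com/index.html",
    "1473765721 10.0.0.5 51.255.105.2 POST http://51.255.105.2/data/info.php",
    "1473765722 10.0.0.7 69.195.129.70 POST http://yofkhfskdyiqo.biz/data/info.php",
    "1473765723 10.0.0.9 37.200.70.6 GET http://adzebur.com/dsd7gk",
    "1473765724 10.0.0.9 23.95.106.100 GET http://23.95.106.100/",
]

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Running it reports lines 2, 3 and 4; line 5 is left alone because 23.95.106.100 sits in the lower half of 23.95.106.0/24, outside the /25 the post recommends blocking. Note that the phone-home line to 69.195.129.70 is caught only by hostname and path, since that IP is not in the recommended blocklist.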