From: fueldner1A0@lfw-ludwigslust.de
Date: 19 February 2016 at 09:10
Subject: Rechnung Nr. 2016_131
Dear Sir or Madam,
Please also correct the addressee on the invoice in the attachment:
LFW Ludwigsluster Fleisch- und Wurstspezialitäten GmbH & Co.KG
Many thanks!
Kind regards
Anke Füldner
Financial Accounting
Tel.: 03874-422038
Fax: 03874-4220844
LFW Ludwigsluster Fleisch- und Wurstspezialitäten GmbH & Co.KG, Bauernallee 9, 19288 Ludwigslust
HRA 1715, Amtsgericht Schwerin
Managing directors: U.Müller, U.Warncke
VAT ID No. DE202820580, Tax No. 08715803209
This e-mail may contain confidential and/or legally protected information. If you are not the correct addressee or have received this e-mail in error, please inform the sender immediately and destroy this e-mail and all attachments and printouts without delay. Using, publishing, copying or printing, as well as the unauthorised forwarding of the content of this e-mail, is not permitted.
This e-mail and any attached files may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
Attached is a file with a name similar to RG460634280127-SIG.zip, which contains a malicious JavaScript file named RG6459762168-SIG.js or similar. At the moment I have seen two samples, both with zero detection rates at VirusTotal [1] [2]. Malwr analysis of one of the samples shows that a binary is downloaded from:
mondero.ru/system/logs/56y4g45gh45h
Other samples probably have different download locations. This executable has a detection rate of 7/53 and appears to drop another executable with a relatively high detection rate of 26/55. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware, from the people who usually push Dridex.
The malware phones home to:
46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
But in fact the entire 46.4.239.64/27 range looks pretty bad and I recommend that you block it.
Incidentally, full credit to the company involved for putting this massive banner on their website warning people about the fake email.
UPDATE
An additional analysis from a trusted source (thank you). Download locations are:
mondero.ru/system/logs/56y4g45gh45h
tcpos.com.vn/system/logs/56y4g45gh45h
www.bag-online.com/system/logs/56y4g45gh45h
The malware phones home to:
46.4.239.76/main.php
94.242.57.45/main.php
wblejsfob.pw/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php
The active C2s (some may be sinkholes) appear to be:
46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
94.242.57.45 (vstoike.com / Fishnet Communications, Russia)
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)
Analysis of those C2 locations gives a recommended blocklist of:
46.4.239.64/27
94.242.57.45
185.46.11.239
69.195.129.70
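The indicators above (the attachment naming pattern from the first paragraph, the download URLs, the C2 hosts and the recommended blocklist) are easiest to act on if they are turned into a small matcher that can be run over proxy logs and mail-gateway attachment names. The script below is an added example, not part of the original post: the indicator values are taken from the post, the proxy log format ("timestamp client method url") and the log lines themselves are constructed for illustration, and single addresses in the blocklist are written as /32 networks so that the CIDR range and the single hosts can be checked the same way.

```python
"""IoC matcher for the Locky campaign described above (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Recommended blocklist from the post; single hosts written as /32 networks.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("46.4.239.64/27", "94.242.57.45/32", "185.46.11.239/32", "69.195.129.70/32")
]
# C2 hostnames listed in the post.
C2_HOSTS = {"wblejsfob.pw", "kqlxtqptsmys.in", "cgavqeodnop.it",
            "pvwinlrmwvccuo.eu", "dltvwp.it", "uxvvm.us"}
# Payload download hosts listed in the post.
DOWNLOAD_HOSTS = {"mondero.ru", "tcpos.com.vn", "www.bag-online.com"}
PAYLOAD_PATH = "/system/logs/56y4g45gh45h"   # path shared by all download URLs
BEACON_PATH = "/main.php"                     # path shared by all C2 URLs

# Attachment names seen: RG460634280127-SIG.zip, RG6459762168-SIG.js
ATTACHMENT_RE = re.compile(r"^RG\d+-SIG\.(?:zip|js)$", re.IGNORECASE)


def ip_is_blocked(value):
    """True if value is an IP address inside the recommended blocklist."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False            # a hostname, not an IP address
    return any(addr in net for net in BLOCKED_NETWORKS)


def attachment_is_suspicious(filename):
    """True if an attachment name matches the RG<digits>-SIG.zip/.js pattern."""
    return ATTACHMENT_RE.match(filename) is not None


def classify_url(url):
    """Label a requested URL: payload-download, c2-beacon, blocked-range or clean."""
    if "://" not in url:
        url = "http://" + url    # logs (and the post) may omit the scheme
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    if host in DOWNLOAD_HOSTS or path == PAYLOAD_PATH:
        return "payload-download"
    if path == BEACON_PATH and (host in C2_HOSTS or ip_is_blocked(host)):
        return "c2-beacon"
    if host in C2_HOSTS or ip_is_blocked(host):
        return "blocked-range"
    return "clean"


def scan_proxy_log(lines):
    """Parse 'timestamp client method url' lines (constructed format) and
    return (client, url, label) for every request that is not clean."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue             # skip malformed lines rather than crash
        client, url = parts[1], parts[3]
        label = classify_url(url)
        if label != "clean":
            hits.append((client, url, label))
    return hits


# Constructed sample proxy log lines (not real traffic), one per indicator type.
SAMPLE_LOG = [
    "2016-02-19T09:12:01 10.0.0.15 GET http://mondero.ru/system/logs/56y4g45gh45h",
    "2016-02-19T09:12:09 10.0.0.15 POST http://46.4.239.76/main.php",
    "2016-02-19T09:12:10 10.0.0.15 POST http://kqlxtqptsmys.in/main.php",
    "2016-02-19T09:12:30 10.0.0.15 GET http://46.4.239.90/",
    "2016-02-19T09:13:00 10.0.0.22 GET http://example.com/index.html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
    print("attachment suspicious:", attachment_is_suspicious("RG6459762168-SIG.js"))
```

The matcher deliberately checks the shared URL paths as well as the hosts, so a sample that uses a download host not yet on the list (the post notes other samples probably have different locations) still flags on the /system/logs/56y4g45gh45h path; the /27 check is what makes the "block the whole range" recommendation enforceable rather than matching only the one address seen phoning home.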