This fake document scan email appears to come from within the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.
Example subjects include:
Attached Doc
Attached Image
Attached Document
Attached File
Example senders:
epson@victimdomain.tld
scanner@victimdomain.tld
xerox@victimdomain.tld
There is no body text. Attached is a ZIP file with the recipient's email address forming part of the name plus a couple of random numbers. These ZIP files contain a variety of malicious scripts; the ones that I have seen download a binary from:
emcartaz.net.br/08j78h65e
kizilirmakdeltasi.net/08j78h65e
easytravelvault.com/08j78h65e
64.207.144.148/08j78h65e
cdn.cs2.pushthetraffic.com/08j78h65e
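As an added illustration (not code from the original post), a small Python check that scores a raw message against the traits described above: a sender forged as an internal scanner address in the recipient's own domain, one of the listed subjects, no body text, and a ZIP named after the recipient with trailing digits. The sample message and the exact shape of the ZIP file name are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Traits from the post above; the exact ZIP naming (address plus trailing digits) is an assumption.
SUBJECTS = {"attached doc", "attached image", "attached document", "attached file"}
SENDER_LOCALPARTS = {"epson", "scanner", "xerox"}

def campaign_indicators(raw_message: str) -> list:
    # Returns the campaign traits found in one raw RFC 822 message (empty list = none found).
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    s_local, _, s_domain = sender.rpartition("@")
    r_domain = rcpt.rpartition("@")[2]
    found = []
    # Forged "internal" device address: header-only check, pair it with SPF/DKIM results to confirm the mail came from outside.
    if s_domain and s_domain == r_domain and s_local in SENDER_LOCALPARTS:
        found.append("sender forged as internal scanner")
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        found.append("campaign subject")
    text_seen, zip_stems = False, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            zip_stems.append(name[:-4])
        elif part.get_content_maintype() == "text" and (part.get_payload(decode=True) or b"").strip():
            text_seen = True
    if zip_stems and not text_seen:
        found.append("ZIP attachment with no body text")
    # ZIP named after the recipient plus a few digits, e.g. jane.doe@victimdomain.tld_4821.zip
    if any(rcpt in s and re.search(r"\d{2,}$", s) for s in zip_stems):
        found.append("ZIP named after recipient address")
    return found

# Constructed sample message mimicking the campaign (the ZIP payload is an empty archive).
SAMPLE = """\
From: xerox@victimdomain.tld
To: jane.doe@victimdomain.tld
Subject: Attached File
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="jane.doe@victimdomain.tld_4821.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```

Treat three or more indicators on one message as a strong match; a single indicator (e.g. the subject alone) is common in legitimate scanner mail.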
The VirusTotal detection rate for the dropped binary is 3/55. That VirusTotal report and this Hybrid Analysis show subsequent traffic to:
giotuipo.at/api/
giotuipo.at/files/dDjk3e.exe
giotuipo.at/files/VTXhFO.exe
The payload is Locky ransomware. This is hosted on what appears to be a bad server at:
134.249.238.140 (Kyivstar GSM, Ukraine)
Kyivstar is a GSM network, so something hosted on this IP is usually a sure sign of a botnet. A lookup of the giotuipo.at domain shows that it is multihomed on many IPs:
109.194.247.26 (ER-Telecom Holding, Russia)
95.189.128.70 (Sibirtelecom, Russia)
79.119.196.161 (RCS & RDS Business, Romania)
5.248.229.186 (Lanet Network Ltd, Ukraine)
188.230.17.38 (Airbites, Ukraine)
134.249.238.140 (Kyivstar, Ukraine)
5.58.29.200 (Lanet Network Ltd, Ukraine)
212.3.103.225 (Apex, Ukraine)
93.95.187.243 (Triolan, Ukraine)
178.151.243.153 (Triolan, Ukraine)
These IPs are likely to be highly dynamic, so blocking them may or may not work. If you want to try, the ten IPs listed above are the recommended blocklist.