From: Tamika GoodThe spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_
Date: 5 September 2016 at 08:43
Subject: Credit card receipt
Dear [redacted],
We are sending you the credit card receipt from yesterday. Please match the card number and amount.
Sincerely yours,
Tamika Good
Account manager
A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:
canonsupervideo4k.ws/1bcpr7xx
This appears to be multihomed on the following IP addresses:
23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)
Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:
91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
The payload is probably Locky ransomware.
Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55