Subject: Status of invoice
From: "Rosella Setter" ordering@[redacted]
Date: Mon, September 18, 2017 9:30 am
Hello,
Could you please let me know the status of the attached invoice? I
appreciate your help!
Best regards,
Rosella Setter
Tel: 206-575-8068 x 100
Fax: 206-575-8094
*NEW* Ordering@[redacted].com
* Kindly note we will be closed Monday in observance of Labor Day *
The name of the sender varies. Attached is a .7z archive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename (examples here and here).
Automated analysis of those two samples [1] [2] [3] [4] shows this is Locky ransomware. Those two scripts attempt to download a component from:
yildizmakina74.com/87thiuh3gfDGS?
miliaraic.ru/p66/87thiuh3gfDGS?
lanzensberger.de/87thiuh3gfDGS?
web-ch-team.ch/87thiuh3gfDGS?
abelfaria.pt/87thiuh3gfDGS?
An executable is dropped with a detection rate of 19/64 which Hybrid Analysis shows is phoning home to:
91.191.184.158/imageload.cgi (Monte Telecom, Estonia)
195.123.218.226/imageload.cgi (Layer 6, Bulgaria)
.7z files are popular with the bad guys pushing Locky at the moment. Blocking them at your mail perimeter may help.
Recommended blocklist:
195.123.218.226
91.191.184.158
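As an added example (not part of the original post, and not a tool from the blog's author), the script below shows the two defensive checks this post implies: flagging inbound mail that carries a .7z (or bare .vbs) attachment, and scanning outbound proxy logs for the downloader path and the two phone-home hosts listed above. The mail message and the proxy log lines are constructed samples modelled on the post; the "archive" bytes are a placeholder, not real malware, and the log format is an assumed simple "timestamp client method url" layout.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlsplit

# Indicators taken from the post: downloader URL path and phone-home hosts/path.
DOWNLOAD_PATH = "/87thiuh3gfDGS"
C2_HOSTS = {"91.191.184.158", "195.123.218.226"}
C2_PATH = "/imageload.cgi"

# Attachment types seen in this run: a .7z archive wrapping a .vbs script.
RISKY_ARCHIVE_EXT = (".7z",)
RISKY_ARCHIVE_TYPES = {"application/x-7z-compressed"}
SCRIPT_EXT = (".vbs",)


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, reason) tuples for attachments matching the post's pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(RISKY_ARCHIVE_EXT) or ctype in RISKY_ARCHIVE_TYPES:
            findings.append((name, "7z archive attachment"))
        elif name.endswith(SCRIPT_EXT):
            findings.append((name, "script attachment"))
    return findings


# Assumed proxy log layout: "<timestamp> <client-ip> <METHOD> <url>".
PROXY_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def scan_proxy_log(lines) -> list:
    """Return (client, category, url) for requests matching the post's indicators."""
    hits = []
    for line in lines:
        m = PROXY_LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed layout
        url = m.group("url")
        parsed = urlsplit(url)
        host = parsed.hostname or ""
        if parsed.path.endswith(DOWNLOAD_PATH):
            hits.append((m.group("client"), "locky-downloader", url))
        elif host in C2_HOSTS and parsed.path == C2_PATH:
            hits.append((m.group("client"), "locky-c2", url))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample modelled on the spam in the post; the archive is placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Status of invoice"
    msg["From"] = "ordering@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Could you please let me know the status of the attached invoice?")
    msg.add_attachment(
        b"7z-placeholder-not-a-real-archive",
        maintype="application",
        subtype="x-7z-compressed",
        filename="A2174744-06.7z",
    )
    return msg.as_bytes()


# Constructed proxy log lines: one downloader fetch, one phone-home, one benign request.
SAMPLE_PROXY_LOG = [
    "2017-09-18T09:31:02Z 10.0.0.15 GET http://yildizmakina74.com/87thiuh3gfDGS?",
    "2017-09-18T09:31:40Z 10.0.0.15 POST http://91.191.184.158/imageload.cgi",
    "2017-09-18T09:32:11Z 10.0.0.22 GET http://www.example.com/index.html",
]


if __name__ == "__main__":
    for name, reason in attachment_findings(build_sample_message()):
        print(f"mail: {name} -> {reason}")
    for client, category, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy: {client} {category} {url}")
```

The downloader check matches on the URL path rather than the host, because the five download hosts in the post are compromised sites that rotate while the `/87thiuh3gfDGS` path is shared across them; the phone-home check matches on host plus path, which is what the recommended blocklist covers.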