Fake 'sorry' SPAM - malicious attachment
22 July 2016 - "This spam has a malicious attachment:
From: "Lizzie Carpenter"
Subject: sales report
Date: Fri, 22 Jul 2016 21:38:25 +0800
I am truly sorry that I was not available at the time you called me yesterday.
I attached the report with details on sales figures.
Best of luck,
SCHRODER GLOBAL REAL ESTATE SEC LTD ...
The sender is randomly generated. Attached is a ZIP file combining elements of the recipient's email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report". In a change from recent malware runs, the script does -not- directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script. This executable has a detection rate of 4/54* and trusted analysis says that it is Locky ransomware, phoning home to:
18.104.22.168/upload/_dispatch.php (SpaceWeb CJSC, Russia)
22.214.171.124/upload/_dispatch.php (Internet Hosting Ltd, Russia)
126.96.36.199/upload/_dispatch.php (Marosnet, Russia)
188.8.131.52/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
Fake 'Fedex label' SPAM - .docm leads to Locky
22 July 2016 - "An email with the subject of 'PO5' pretending to come from Mary Leons <mary.leons@ airmenzies .com> with a malicious Word doc attachment which downloads Locky ransomware... The email looks like:
From: Mary Leons <mary.leons@ airmenzies .com>
Date: Fri 22/07/2016 10:04
Please see Fedex label as attached
Customer Service Supervisor | Air Menzies International ...
22 July 2016: 906569711935.docm - Current Virus total detections 10/55*
.. MALWR** shows a download from http ://dillerator.chat .ru/09yhbvt4 (VirusTotal 6/53***).
Other download locations for today's Locky version include [duplicates removed]:
http ://allmusic .c0.pl/09yhbvt4
allmusic .c0.pl: 184.108.40.206: https://www.virustot...65/information/
http ://delta5.homepage.t-online .de/09yhbvt4
http ://dillerator.chat .ru/09yhbvt4
chat .ru: 220.127.116.11: https://www.virustot...85/information/
http ://files.igamingbusiness .co.uk/09yhbvt4
igamingbusiness .co.uk: 18.104.22.168: https://www.virustot...62/information/
http ://fotouniek.grafi-offshore .com/09yhbvt4
grafi-offshore .com: 22.214.171.124: https://www.virustot...45/information/
http ://hxt.50webs .com/09yhbvt4
50webs .com: 126.96.36.199: https://www.virustot...64/information/
http ://mizosiri3.web.fc2 .com/09yhbvt4
fc2 .com: 188.8.131.52: https://www.virustot...81/information/
http ://okumachiryouin.yu-yake .com/09yhbvt4
yu-yake .com: 184.108.40.206: https://www.virustot...29/information/
http ://pamm-invest .ru/09yhbvt4
pamm-invest .ru: 220.127.116.11: https://www.virustot...51/information/
http ://tattoo-studio .nl/09yhbvt4
tattoo-studio .nl: 18.104.22.168: https://www.virustot...10/information/
http ://www.gerichtszeichnungen .de/09yhbvt4
gerichtszeichnungen .de: 2a01:238:20a:202:1148::
http ://www.moran10.karoo .net/09yhbvt4
karoo .net: Could not find an IP address for this domain name.
http ://www.silvotecna .co.cl/09yhbvt4
silvotecna .co.cl: Could not find an IP address for this domain name.
http ://www.sirigor.republika .pl/09yhbvt4
republika .pl: 22.214.171.124: https://www.virustot...17/information/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
dillerator.chat .ru: 126.96.36.199: https://www.virustot...85/information/
Fake 'Invoice/Credit/Statement' SPAM - leads to Locky
22 July 2016 - "... an email with the subject of 'VP Invoice/Credit/Statement – H10040' pretending to come from Prism Server Account <accounts@ vpplc .com> with a malicious Word doc attachment which downloads Locky ransomware...
The email looks like:
From: Prism Server Account <accounts@ vpplc .com>
Date: Fri 22/07/2016 10:27
Subject: VP Invoice/Credit/Statement – H10040
Please find document(s) attached.
The attached file(s) are in Adobe PDF format. Use Adobe Acrobat Reader or equivalent to view the file(s)...
This attachment downloads the same Locky ransomware as described in this post* from the same locations... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
HelpDesk Upgrade Outlook Web - PHISH
22 July 2016 - "... many small companies and even ISPs do outsource IT support and email to 3rd parties and an end user never really is sure who the email provider actually is... slightly more believable than many others and it is quite easy to fall for it...
The -link- in the email goes to:
http ://xprs.imcreator .com/free/icthelpdesk/password
... which looks like this:
> https://myonlinesecu...te-1024x535.png "
imcreator .com: 188.8.131.52: https://www.virustot....1/information/
Edited by AplusWebMaster, 22 July 2016 - 12:43 PM.
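Two defender-side checks that follow from the reports quoted in this post, written as an added example (not code from the post, from Dynamoo or from myonlinesecurity): the first looks inside a .wsf attachment for a long Base64 run that decodes to a PE image, which is the change the 'sorry' report describes (the executable is carried inside the script rather than downloaded); the second runs proxy-style log lines against the indicators given above, the C2 path /upload/_dispatch.php with its four listed IPs and the /09yhbvt4 download path shared by the 'Fedex label' and 'Invoice/Credit/Statement' campaigns. The .wsf sample, the PE-like blob inside it (a bare DOS header pointing at a "PE\0\0" signature, not a real program) and the log lines are all constructed here; the 512-character minimum run length and the log format are assumptions, not values from the post.

```python
import base64
import re
import struct
from urllib.parse import urlsplit

# ---- constructed test data -------------------------------------------------

def _fake_pe_bytes() -> bytes:
    """Constructed stand-in for an embedded executable: a 0x40-byte DOS header
    whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature, padded
    to 1 KiB. It has only the header fields a scanner keys on and cannot run."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * (1024 - 0x44)

# Constructed .wsf text in the shape the report describes: a script whose
# string literal holds the whole Base64-encoded executable.
CONSTRUCTED_WSF = (
    '<job id="sales report">\n<script language="JScript">\n'
    'var blob = "' + base64.b64encode(_fake_pe_bytes()).decode() + '";\n'
    "</script>\n</job>\n"
)

# Constructed proxy log: timestamp, client, method, URL, status (assumed format).
CONSTRUCTED_LOG = """\
2016-07-22T10:05:13Z 10.0.0.23 GET http://dillerator.chat.ru/09yhbvt4 200
2016-07-22T10:05:20Z 10.0.0.23 POST http://18.104.22.168/upload/_dispatch.php 200
2016-07-22T10:06:01Z 10.0.0.44 GET http://intranet.example/upload/index.php 200
2016-07-22T10:06:30Z 10.0.0.9 GET http://example.org/news 200
"""

# ---- check 1: Base64-embedded PE inside a script attachment ----------------

def find_embedded_pe(script_text: str, min_run: int = 512) -> list:
    """Return one record per Base64 run (at least min_run characters, an
    assumed threshold) in script_text that decodes to something with a valid
    MZ/PE header pair. Obfuscated samples that split the literal into many
    concatenated pieces would need the pieces joined before this check."""
    run_re = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_run)
    hits = []
    for m in run_re.finditer(script_text):
        run = m.group(0).rstrip("=")
        if len(run) % 4 == 1:          # a lone trailing char encodes no byte; drop it
            run = run[:-1]
        data = base64.b64decode(run + "=" * (-len(run) % 4))
        if len(data) < 0x40 or data[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            continue
        hits.append({"offset": m.start(), "b64_len": len(m.group(0)), "pe_len": len(data)})
    return hits

# ---- check 2: network indicators from the post against log lines ----------

C2_IPS = ["18.104.22.168", "22.214.171.124", "126.96.36.199", "188.8.131.52"]
IOC_PATHS = ["/upload/_dispatch.php", "/09yhbvt4"]

def match_iocs(log_lines) -> list:
    """Return (line_number, indicator) pairs for every line whose URL host is a
    listed C2 IP or whose URL path equals a listed payload/C2 path."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        url = next((t for t in line.split() if t.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        parts = urlsplit(url)
        host = parts.hostname or ""
        for ip in C2_IPS:
            if host == ip:
                hits.append((n, "ip:" + ip))
        for path in IOC_PATHS:
            if parts.path == path:
                hits.append((n, "path:" + path))
    return hits

if __name__ == "__main__":
    for h in find_embedded_pe(CONSTRUCTED_WSF):
        print("embedded PE at script offset %d (%d bytes)" % (h["offset"], h["pe_len"]))
    for n, ind in match_iocs(CONSTRUCTED_LOG.splitlines()):
        print("log line %d matches %s" % (n, ind))
```

The path match is exact rather than a substring test so that an internal /upload/ application does not fire on the C2 indicator; the third log line is there to show that. Both checks are meant to run on mail-gateway or proxy data after the fact, and the attachment check is a triage signal, not a substitute for detonating the sample.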