
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

AplusWebMaster (Adviser Team):

    Fake 'project status report', 'New invoices', 'Confirmation letter' SPAM

    FYI...

    Fake 'project status report' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...ct-status.html
    3 Aug 2016 - "This spam leads to Locky ransomware:
    From: Keri Jarvis [Jarvis.64030@ bac.globalnet .co.uk]
    Date: 2 August 2016 at 22:13
    Subject: report
    Hi,
    I attached the project status report in order to update you about the last meeting
    Best regards,
    Keri Jarvis


    Attached is a randomly named ZIP file containing a malicious .js script beginning with the word "report". This downloads an evil binary... (MANY locations listed)...
    (Thank you to my usual source for this data). The malware phones home to:
    37.139.30.95/php/upload.php (Digital Ocean, Netherlands) [hostname: belyi.myeasy .ru]
    93.170.128.249/php/upload.php (Krek Ltd, Russia)
    93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm .in]
    Recommended blocklist:
    37.139.30.95
    93.170.128.249
    93.170.104.20
    "

    37.139.30.95: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/a6...10fa/analysis/
    93.170.128.249: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/de...a6b6/analysis/
    93.170.104.20: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/8a...537f/analysis/
    ___

    Fake 'New invoices' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...ed-i-send.html
    3 Aug 2016 - "Another day, another Locky ransomware run:
    From: Marian Mcgowan
    Date: 3 August 2016 at 11:15
    Subject: Fw: New invoices
    As you directed, I send the attachment containing the data about the new invoices


    Attached is a randomly-named ZIP file which contains a highly obfuscated .js script which according to this Malwr analysis downloads a binary from..
    blog-aida .cba .pl/2zensi7t
    ..when decrypted it creates a binary with a detection rate of 4/54*. That same Malwr analysis shows it phoning home to:
    93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm .in]
    This IP was seen last night** and it seems that there is a concurrent Locky spam run phoning home to:
    185.129.148.19/php/upload.php (MWTV, Latvia)
    89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv .com]
    Both those IPs are in known-bad-blocks.
    Recommended blocklist:
    93.170.104.20
    185.129.148.0/24
    89.108.127.0/24
    "
    * https://virustotal.com/en/file/dd8d6...is/1470220208/

    ** http://blog.dynamoo.com/2016/08/malw...ct-status.html

    93.170.104.20: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/8a...537f/analysis/

    185.129.148.19: https://www.virustotal.com/en/ip-add...9/information/
    89.108.127.160: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Confirmation letter' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...ter-leads.html
    3 Aug 2016 - "Another -spam- run leading to Locky ransomware..
    From: Mavis Howe [Howe.4267@ croestate .com]
    Date: 3 August 2016 at 13:32
    Subject: Confirmation letter
    Hi [redacted],
    I attached the employment confirmation letter I prepared.
    Please check it before you send it out.
    Best regards
    Mavis Howe


    The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here*."
    * http://blog.dynamoo.com/2016/08/malw...ed-i-send.html

    Last edited by AplusWebMaster; 2016-08-03 at 16:11.
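An added example, not part of the forum post or of dynamoo's blog: the three posts quoted above share one C2 pattern (an HTTP request to `/php/upload.php` on a handful of IPs, plus the `blog-aida.cba.pl` download site). The script below turns the post's recommended blocklist into a log check and into ipset/iptables commands. It assumes Squid "native" access-log format (timestamp, elapsed, client, status, bytes, method, URL); the log lines in `SAMPLE_LOG` are constructed for illustration, and the function and ipset names are my own.

```python
"""Check proxy logs against the Locky indicators quoted in the post (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post: single IPs and whole /24 blocks.
BLOCKLIST = [
    "37.139.30.95",
    "93.170.128.249",
    "93.170.104.20",
    "185.129.148.0/24",
    "89.108.127.0/24",
]
# Download site for the second run (defanged in the post as "blog-aida .cba .pl").
DOWNLOAD_HOSTS = {"blog-aida.cba.pl"}
# Phone-home path common to every C2 URL in the post.
C2_PATH = "/php/upload.php"

_NETS = [ipaddress.ip_network(n, strict=False) for n in BLOCKLIST]

# Squid native format: ts elapsed client code/status bytes method url ...
_LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log (assumed format, not a real capture).
SAMPLE_LOG = [
    "1470220208.123     45 10.0.0.17 TCP_MISS/200 312 POST http://93.170.104.20/php/upload.php - HIER_DIRECT/93.170.104.20 text/html",
    "1470220210.456     12 10.0.0.17 TCP_MISS/200 8012 GET http://blog-aida.cba.pl/2zensi7t - HIER_DIRECT/203.0.113.1 application/octet-stream",
    "1470220211.000      8 10.0.0.23 TCP_MISS/200 1024 GET http://example.com/index.html - HIER_DIRECT/203.0.113.2 text/html",
    "1470220212.500     30 10.0.0.31 TCP_MISS/200 200 POST http://185.129.148.19/php/upload.php - HIER_DIRECT/185.129.148.19 text/html",
    "1470220213.000     30 10.0.0.40 TCP_MISS/200 200 POST http://203.0.113.9/php/upload.php - HIER_DIRECT/203.0.113.9 text/html",
    "1470220214.000     10 10.0.0.50 TCP_MISS/200 512 GET http://89.108.127.5/ - HIER_DIRECT/89.108.127.5 text/html",
]


def in_blocklist(host):
    """True if host is an IP literal that falls inside a blocklisted IP or /24."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return False
    return any(addr in net for net in _NETS)


def match_line(line):
    """Return a hit dict for one log line, or None if it is clean/unparseable."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if in_blocklist(host):
        reasons.append("dst in blocklist")
    if host in DOWNLOAD_HOSTS:
        reasons.append("known Locky download site")
    # The path alone is worth a look even when the IP is not yet on the list:
    # the post shows the same path reused across several C2 hosts.
    if parts.path == C2_PATH:
        reasons.append("Locky callback path")
    if not reasons:
        return None
    return {"client": m.group("client"), "url": url, "reasons": reasons}


def scan(lines):
    """Return the list of hits, in log order."""
    return [h for h in (match_line(l) for l in lines) if h]


def ipset_commands(set_name):
    """Render the blocklist as ipset/iptables commands (hash:net takes /32s and /24s)."""
    cmds = [f"ipset create {set_name} hash:net"]
    cmds += [f"ipset add {set_name} {entry}" for entry in BLOCKLIST]
    cmds.append(f"iptables -I OUTPUT -m set --match-set {set_name} dst -j REJECT")
    return cmds


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"], ", ".join(hit["reasons"]))
    print("\n".join(ipset_commands("locky_c2")))
```

The /24 entries deliberately follow the post ("both those IPs are in known-bad-blocks"), so a callback to any other host in those ranges is still flagged; the path-only match on `203.0.113.9` shows why it pays to alert on the callback URL as well as on the published IPs.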
