FYI...
Fake 'Account report' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/accou...elivers-locky/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Account report' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... Payload Security[1] shows an error in running the dll file... One of the emails looks like:
From: Kimberley Witt <Witt.0236@ shopscissors .com>
Date: Wed 14/09/2016 08:31
Subject: Travel expense sheet
Attachment: 667b8951c871.zip
Dear nohdys, we have detected the cash over and short in your account.
Please see the attached copy of the report.
Best regards,
Kimberley Witt
e-Bank Manager
14 September 2016: 667b8951c871.zip: Extracts to: Account report 2311EEF4.wsf - Current VirusTotal detections 5/55**
.. MALWR*** unable to get any content. Payload Security[1] shows a download of an encrypted file from
maydayen .net/l835ztl which is transformed by the script to RjN1UKDIQLzodBg.dll (VirusTotal 21/58[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
178.212.131.10
** https://www.virustotal.com/en/file/e...is/1473838191/
*** https://malwr.com/analysis/YTRlNjk0Y...JlYTkxNTFlYWI/
4] https://www.virustotal.com/en/file/1...is/1472755942/
___
Fake 'Delivery Confirmation' SPAM - delivers Locky/Zepto
- https://myonlinesecurity.co.uk/deliv...rs-lockyzepto/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Delivery Confirmation: 00336499' [random numbers] coming as usual from ship-confirm@ random companies, names and email addresses with a random named zip attachment containing a .JS file. These are slightly better done than some recent ones. The attachment's Shipping Notification number matches the subject's Delivery Confirmation number... One of the emails looks like:
From: ship-confirm@ laughlinandbowen .com
Date: Wed 14/09/2016 10:55
Subject: Delivery Confirmation: 00336499
Attachment: Shipping Notification 00336499.zip
PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide
14 September 2016: Shipping Notification 00336499.zip: Extracts to: WOIMKE51915.js
Current VirusTotal detections 7/55*. MALWR** shows a download of an encrypted file from one of these locations:
http ://adventurevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU | http ://morerevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU
which is transformed by the script to TKuAgcqe3.dll (VirusTotal 6/57***)... There are frequently 5 or 6 and even up to 150 download locations on some days, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1473847035/
** https://malwr.com/analysis/MWE1OWVkZ...ljOTFmNjkxYTk/
Hosts
204.93.163.87
23.236.238.227
*** https://www.virustotal.com/en/file/d...is/1473848281/
___
Fake 'Renewed License' SPAM - more Locky
- https://myonlinesecurity.co.uk/renew...elivers-locky/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Renewed License' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... One of the emails looks like:
From: Stella Henderson <Henderson.70579@ siamesegear .com>
Date: Wed 14/09/2016 17:58
Subject: Renewed License
Attachment: 4614d82776.zip
Here is the company’s renewed business license.
Please see the attached license and send it to the head office.
Best regards,
Stella Henderson
License Manager
14 September 2016: 4614d82776.zip: Extracts to: renewed business license 3D956A.wsf
Current VirusTotal detections 2/55*. MALWR** seems unable to cope with WSF files like this. Payload Security*** shows a download of an encrypted file from moismdheri .net/jqpxub which is transformed by the script to a working Locky file, which unfortunately isn’t being shown or made available... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1473872609/
** https://malwr.com/analysis/MmFlNDUzM...M1MzE3ZjhlNzY/
*** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
37.200.70.6
52.32.150.180
93.184.220.29
54.192.203.123
___
Fake 'payment copy' SPAM - delivers Locky/Zepto
- https://myonlinesecurity.co.uk/payme...s-locky-zepto/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'payment copy' coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file. The email body has -no- content except 'Best Regards' and the alleged sender's name... One of the emails looks like:
From: Eddie screen <Eddie450@ hidrolats .lv>
Date: Tue 13/09/2016 22:02
Subject: payment copy
Attachment: PID6650.zip
—
Best Regards, _________
Eddie screen
13 September 2016: PID6650.zip: Extracts to: OCRXIB2826.wsf - Current VirusTotal detections 7/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://allchannel .net/jpqhvig?eGkOBjIQFz=dEVDXjWYjjH | http ://feechka .ru/wdxwxoa?eGkOBjIQFz=dEVDXjWYjjH
http ://jonathankimsey .com/rptyswr?eGkOBjIQFz=dEVDXjWYjjH
which is transformed by the script to yvXjbqxs1.dll (VirusTotal 7/58***). Payload Security[4] is showing a different dll downloaded & converted... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1473800782/
** https://malwr.com/analysis/MzNiNjBmY...IzMjQyNDJmNjk/
Hosts
94.73.146.80
5.61.32.143
143.95.41.185
*** https://www.virustotal.com/en/file/7...is/1473801197/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
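As an added defender-side example (not from the original post or from myonlinesecurity), a mail-gateway triage check for the attachment pattern quoted in all four reports above: a zip whose members are .wsf or .js scripts, sometimes two identical copies. Member names are those quoted in the post (the second .wsf name is invented), contents are inert placeholders, and the extensions beyond .wsf/.js are an assumed extension of the list.

```python
"""Mail-gateway triage for the attachment pattern quoted above: a zip holding
.wsf/.js downloader scripts, sometimes two identical copies. Sample zips are
constructed in memory; member contents are harmless placeholders."""
import hashlib
import io
import os.path
import zipfile

# Script hosts Windows will run on double-click. .wsf and .js come from the
# reports above; the remaining extensions are an assumed extension of the list.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}


def triage_zip(data: bytes) -> dict:
    """Summarise a zip's members: script members, groups of byte-identical
    files, and a verdict a gateway could act on (any script => quarantine)."""
    members, by_hash = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            by_hash.setdefault(digest, []).append(info.filename)
            members.append({"name": info.filename, "ext": ext, "sha256": digest})
    scripts = [m["name"] for m in members if m["ext"] in SCRIPT_EXTS]
    duplicates = [names for names in by_hash.values() if len(names) > 1]
    verdict = "quarantine" if scripts else "allow"
    return {"members": members, "scripts": scripts,
            "duplicates": duplicates, "verdict": verdict}


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip from {member name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins: member names follow the reports above, contents are
# inert placeholders, and the second .wsf name is made up (the report only
# says the zip held two identical .WSF files).
WSF_STUB = b"<job><script language='JScript'>/* inert placeholder */</script></job>"
ACCOUNT_REPORT_ZIP = build_zip({"Account report 2311EEF4.wsf": WSF_STUB,
                                "Account report 2311EEF4 (1).wsf": WSF_STUB})
SHIPPING_ZIP = build_zip({"WOIMKE51915.js": b"// inert placeholder\n"})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 placeholder"})
```

The duplicate-member check is what separates the "2 identical .WSF files" lure from an ordinary archive; a single script member is already enough to quarantine.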