Malware spam: “Please find attached a XLS Invoice 378296” / creditcontrol@somecompany.com / Ansell Lighting

This fake financial spam comes with a malicious attachment, purporting to come from Ansell Lighting:

Subject:     Please find attached a XLS Invoice 378296
From:     creditcontrol@potomachealthcare.com (creditcontrol@potomachealthcare.com)
Date:     Tuesday, 29 November 2016, 10:32

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then please do not hesitate in contacting us. Karen Lightfoot - Credit Controller, Ansell Lighting, Unit 6B, Stonecross Industrial Park, Yew Tree Way, WA3 3JD. Tel: +44 (0)5216 154 830 Fax: +44 (0)5216 154 830

The email comes from a random creditcontrol@something email address. Attached is a malicious Excel file with a name such as INVOICE.TAM_378296_20161129_886C9EAB6.xls.

My usual reliable source says that the various versions of the Excel spreadsheet download a component from one of the following locations:

ayurvedic.by/087gbdv4

pregnancysquare.com/087gbdv4

qiqi-store.com/087gbdv4

roberttrocina.com/087gbdv4

satherm.pt/087gbdv4

sayvir.com/087gbdv4

secotral.fr/087gbdv4

semeystvo.com.ua/087gbdv4

spookmedia.nl/087gbdv4

sp-tulun.ru/087gbdv4

stocktradex.com/087gbdv4

swkitchens.com.au/087gbdv4

thegarageteam.gr/087gbdv4

tyfastener.com/087gbdv4

The Hybrid Analysis shows that this is Locky ransomware, phoning home to:

185.115.140.210/information.cgi [hostname: nikita.grachev.81.example.com] (Megaserver LLC, Russia)
213.32.90.193/information.cgi [hostname: sbg.13.vds.abcvg.ovh] (OVH, France)
95.213.195.123/information.cgi (Selectel SPb, Russia)

A DLL is dropped with an MD5 of b46f0fcb0f962f41b5b43725b440dabb and a VirusTotal detection rate of 11/57.

Recommended blocklist:
185.115.140.210
213.32.90.193
95.213.195.123
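The indicators above (payload download hosts and path, C2 addresses and path, dropped DLL hash, attachment name) can be turned directly into detection logic for a proxy log or a mail gateway. The script below is an added example and is not code from Dynamoo's Blog; the log line format ("epoch client method url"), the sample log lines, the attachment-name regex (generalised from the single filename quoted above) and the "suspicious-download-path" label for the 087gbdv4 path on an unlisted host are all assumptions made for illustration.

```python
"""Match proxy log lines, file hashes and attachment names against the
indicators listed in the post. Added example, not the blog's own code."""
import re
from urllib.parse import urlsplit

# Indicators copied from the post.
C2_IPS = {"185.115.140.210", "213.32.90.193", "95.213.195.123"}
DOWNLOAD_HOSTS = {
    "ayurvedic.by", "pregnancysquare.com", "qiqi-store.com", "roberttrocina.com",
    "satherm.pt", "sayvir.com", "secotral.fr", "semeystvo.com.ua", "spookmedia.nl",
    "sp-tulun.ru", "stocktradex.com", "swkitchens.com.au", "thegarageteam.gr",
    "tyfastener.com",
}
DOWNLOAD_PATH = "/087gbdv4"
C2_PATH = "/information.cgi"
DROPPED_DLL_MD5 = "b46f0fcb0f962f41b5b43725b440dabb"

# Assumed pattern, generalised from INVOICE.TAM_378296_20161129_886C9EAB6.xls
ATTACHMENT_RE = re.compile(r"^INVOICE\.TAM_\d+_\d{8}_[0-9A-F]+\.xls$", re.IGNORECASE)

# Constructed log format: "<epoch> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_url(url):
    """Return a label when the URL matches an indicator, otherwise None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path
    if host in C2_IPS and path == C2_PATH:
        return "locky-c2-checkin"
    if host in C2_IPS:
        return "locky-c2-ip"          # any other contact with a C2 address
    if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
        return "locky-payload-download"
    if path == DOWNLOAD_PATH:
        return "suspicious-download-path"  # same path on an unlisted host (assumption)
    return None


def scan_log(lines):
    """Return a list of (client_ip, label, url) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # skip lines that do not fit the assumed format
        _ts, client, _method, url = m.groups()
        label = classify_url(url)
        if label:
            hits.append((client, label, url))
    return hits


def is_known_dll(md5_hex):
    """True if the hash equals the dropped DLL's MD5 from the post."""
    return md5_hex.strip().lower() == DROPPED_DLL_MD5


def is_campaign_attachment(filename):
    """True if the attachment name fits the campaign's naming pattern."""
    return bool(ATTACHMENT_RE.match(filename))


# Constructed sample proxy log: one client fetches the payload and then
# checks in to a C2 address; another hits the download path on an unlisted host.
SAMPLE_LOG = [
    "1480415520 10.0.0.12 GET http://secotral.fr/087gbdv4",
    "1480415525 10.0.0.12 POST http://185.115.140.210/information.cgi",
    "1480415530 10.0.0.40 GET http://intranet.example.com/index.html",
    "1480415540 10.0.0.55 GET http://other.example.net/087gbdv4",
]

if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
```

The C2 check-in and the payload download from the same client within seconds is the sequence the Hybrid Analysis describes, so correlating the two labels per client IP gives a higher-confidence hit than either URL alone; the hash and attachment checks are for the mail gateway and endpoint side of the same campaign.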

Source: Dynamoo’s Blog @ November 29, 2016 at 04:30AM
