Very similar to the spam run I’ve seen over the last couple of days.
Headers, this time sent via Heart Internet (the previous run was almost all via HostGator):
Received: from mailscan2.extendcp.co.uk (176.32.230.36) by AM1FFO11FD015.mail.protection.outlook.com (10.174.64.93) with Microsoft SMTP Server (TLS) id 15.1.213.8 via Frontend Transport; Wed, 22 Jul 2015 17:07:04 +0000
Received: from mailscanlb0.hi.local ([10.0.44.160] helo=mailscan1.hi.local) by mailscan-s99.hi.local with esmtp (Exim 4.80.1) (envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>) id 1ZHxU0-0005Zr-91 for REDACTED@REDACTED; Wed, 22 Jul 2015 18:07:04 +0100
Received: from mailscanlb0.hi.local ([10.0.44.160] helo=web168.extendcp.co.uk) by mailscan1.hi.local with esmtps (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.80.1) (envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>) id 1ZHxTl-0004e2-Qz for REDACTED@REDACTED; Wed, 22 Jul 2015 18:06:53 +0100
Received: from swissknifeshop.co.uk by web168.extendcp.co.uk with local (Exim 4.80.1) (envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>) id 1ZHxTl-0000jl-Dn for REDACTED@REDACTED; Wed, 22 Jul 2015 18:06:49 +0100
To: <REDACTED@REDACTED>
Subject: Your order # 139290 has been declined
From: Bert Massey <Bert.Massey@tomra.com>
Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_ab3df924-62fe-4888-8237-6b2183086e05_"
Message-ID: <E1ZHxTl-0000jl-Dn@web168.extendcp.co.uk>
Date: Wed, 22 Jul 2015 18:06:49 +0100
X-Authenticated-As: swissknifeshop.co.uk@web168.extendcp.co.uk
Return-Path: swissknifeshop.co.uk@web168.extendcp.co.uk
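What those headers actually say is worth pulling out mechanically, so here is an added Python example (not code from the original post) that walks the Received chain of the header block above. The header block is reproduced inline as a constructed sample with the recipient still redacted; the function and field names are my own. It reads the chain from the bottom up to find the earliest hop, extracts the envelope sender and the X-Authenticated-As account, and compares the domain in the displayed From header against the envelope domain. The last Received line is Exim's "with local" form, which means the message was handed to the MTA by a process on the web host itself rather than arriving over SMTP from somewhere else:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header block quoted on this page, one header per line.
# The recipient is redacted on the page, so it stays REDACTED here.
SAMPLE_HEADERS = """\
Received: from mailscan2.extendcp.co.uk (176.32.230.36) by AM1FFO11FD015.mail.protection.outlook.com (10.174.64.93) with Microsoft SMTP Server (TLS) id 15.1.213.8 via Frontend Transport; Wed, 22 Jul 2015 17:07:04 +0000
Received: from mailscanlb0.hi.local ([10.0.44.160] helo=mailscan1.hi.local) by mailscan-s99.hi.local with esmtp (Exim 4.80.1) (envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>) id 1ZHxU0-0005Zr-91 for REDACTED@REDACTED; Wed, 22 Jul 2015 18:07:04 +0100
Received: from mailscanlb0.hi.local ([10.0.44.160] helo=web168.extendcp.co.uk) by mailscan1.hi.local with esmtps (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.80.1) (envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>) id 1ZHxTl-0004e2-Qz for REDACTED@REDACTED; Wed, 22 Jul 2015 18:06:53 +0100
Received: from swissknifeshop.co.uk by web168.extendcp.co.uk with local (Exim 4.80.1) (envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>) id 1ZHxTl-0000jl-Dn for REDACTED@REDACTED; Wed, 22 Jul 2015 18:06:49 +0100
To: <REDACTED@REDACTED>
Subject: Your order # 139290 has been declined
From: Bert Massey <Bert.Massey@tomra.com>
Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_ab3df924-62fe-4888-8237-6b2183086e05_"
Message-ID: <E1ZHxTl-0000jl-Dn@web168.extendcp.co.uk>
Date: Wed, 22 Jul 2015 18:06:49 +0100
X-Authenticated-As: swissknifeshop.co.uk@web168.extendcp.co.uk
Return-Path: swissknifeshop.co.uk@web168.extendcp.co.uk

"""

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"               # host the sender claimed (HELO or reverse DNS)
    r"(?:\s+\((?P<info>[^)]*)\))?"        # optional "(ip helo=...)" detail
    r"\s+by\s+(?P<by>\S+)"                # host that wrote this Received line
    r"(?:.*?\bwith\s+(?P<with>\S+))?",    # transport keyword: esmtp, esmtps, local, ...
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ENV_RE = re.compile(r"envelope-from\s+<([^>]+)>", re.IGNORECASE)


def parse_received(value):
    """Break one Received header into from/by/with parts plus any IP, HELO and envelope sender."""
    flat = " ".join(value.split())  # unfold continuation lines before matching
    m = HOP_RE.search(flat)
    if not m:
        return {"raw": flat}
    info = m.group("info") or ""
    ip = IP_RE.search(info)
    helo = re.search(r"helo=(\S+)", info, re.IGNORECASE)
    env = ENV_RE.search(flat)
    return {
        "from": m.group("from"),
        "by": m.group("by"),
        "with": (m.group("with") or "").lower(),
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "envelope_from": env.group(1) if env else None,
    }


def domain_of(addr):
    """Domain part of an address, tolerating display names ('Name <user@host>')."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyze(raw_headers):
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Every MTA prepends its own Received line, so the last one is the earliest
    # hop: where the message really entered the mail system.
    origin = hops[-1] if hops else {}
    from_domain = domain_of(msg.get("From", ""))
    envelope = msg.get("Return-Path") or origin.get("envelope_from") or ""
    envelope_domain = domain_of(envelope)
    return {
        "hops": hops,
        "origin": origin,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "authenticated_as": msg.get("X-Authenticated-As"),
        # The displayed From is not the identity the sending account delivered under.
        "mismatch": bool(from_domain and envelope_domain and from_domain != envelope_domain),
        # Exim's "with local" means a process on the receiving host injected the mail.
        "locally_submitted": origin.get("with") == "local",
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: from {hop['from']} by {hop['by']} with {hop['with']} ip={hop['ip']}")
    print("origin:", report["origin"]["from"], "locally submitted:", report["locally_submitted"])
    print("From domain:", report["from_domain"], "envelope domain:", report["envelope_domain"])
    print("authenticated as:", report["authenticated_as"], "mismatch:", report["mismatch"])
```

Run against the sample this reports the first hop as the Heart Internet scanner at 176.32.230.36, the origin as swissknifeshop.co.uk submitting locally on web168.extendcp.co.uk, the authenticated account as swissknifeshop.co.uk@web168.extendcp.co.uk, and a mismatch between the From domain (tomra.com) and the envelope domain (web168.extendcp.co.uk). The same walk works on any header block; the only Heart Internet-specific detail is that the X-Authenticated-As header happens to name the hosting account.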
This time the e-mail premise / content has changed to:
From: Bert Massey <Bert.Massey@tomra.com>
Subject: Your order # 139290 has been declined
Attachment: Your order # 139290 has been declined.zip

Dear customer
Your order # 139290 has been declined
Please see attachment for details.
Kind regards,
Bert Massey
and
From: Stevie Santos <StevieSantos@intertek.com>
Subject: Your order # 328503 has been despatched

Dear customer
Your order # 328503 has been despatched
Please see attachment for details.
Sincerely,
Stevie Santos
and
From: Landon Hutchinson <LandonHutchinson@jigsaw24.com>
Subject: Payment Confirmation #291147

Dear Sirs,
Many thanks for your card payment. Please find payment confirmation attached below.
Should you have any queries, please do not hesitate to contact Landon Hutchinson.
Kind regards,
Credit Control Team
Landon Hutchinson
Contained within the “Your order # 139290 has been declined.zip” attachment was a JavaScript file, “Your order # 139290 has been declined.js”.
SHA256 885a9a569294f9a0b1440e3ceafaf52f3cc2d8fdd0521619a49df1557e707b19
and
SHA256 b3fdc27826bbb68b8b3738511f9b1b3b88297f0803508f29cf7b465fbc32f963
SHA256 11f634de051b4828202c621185ffde5e3e481c494056008bdbbe80a188f162e3
SHA256 c7764e3644c4c831ba1b24bffc309d66f1d78c18258d42008aee7938f388514f
SHA256 917a996256ae6b2523c073e78aec1a91919f3b53fc92f3fd531dc474e07f76a7
SHA256 5b2baba3f56b43176ff199c101c023093416e5804427f0e7141cb6de2182236c
See the other article for what the attachment is likely to do: it is likely to drop CryptoWall, which encrypts files and demands a ransom.
The second batch of spam went back to HostGator as the source:
http://www.eurobolico.com/wp-admin/network/network.php
http://personaltrainerchiswick.com/wp-admin/css/css.php
http://cioj.org/wp-includes/js/js.php
http://barriemobi.com/wp-content/plugins/plugins.php