Another day, another attempt at sending through zipped attachments…
From: Truman Koch <Truman.Koch@onyxmd.com>
Subject: Invoice #879384
Attachment: Invoice #879384.zip
Please find Invoice #879384 attached
Please note that our payment terms are #25 days.
The invoice number and the number of days seem to change in each email.
Also seen were these sender names:
Aldo Mcdonald <Aldo-Mcdonald@freestarbank.com>
Mohammed Sheppard <Mohammed-Sheppard@marsh.com>
Craig Mathis <Craig.Mathis@fitzservicecompany.com>
Inside the ZIP is a file “Invoice #879384.js”. Different e-mails contained slightly different file content. Here are the ones I’ve seen so far:
When run, requests are sent to:
It then Cryptowalls your files (encrypts and ransoms them).
The domain 22072014c.com uses nameservers seen in this scam within the past week.
The domain points to the following IP addresses: