“Please find attached copy of the passport for my wife and daughter as requested” zip attachment virus mail

Yet more of these today. I feel like these kinds of spam runs are either run by the same group or somehow two entirely different botnet masters have aligned their spam mailing schedules.

This time the e-mails were sent to info@ addresses, with subjects that differ only in the name used:

Passport copy Hershel Cochran
Passport scan copy – Harrison Hawkins
My passport – Octavio Luna
My passport – Eliseo Roach

The email content seems the same across all the mails:

Please find attached copy of the passport for my wife and daughter as requested. please note we need to complete on the purchase in 4 weeks from the agreed date.

Thank you,

Octavio Luna

Attached is a .zip file containing a .js file.

SHA256 17f7401d67a288a30593410860b98c32dd297efffd5bcd501386d3a2acc8861d
SHA256 a8f921f75bc9e997286b90d2c02194bb7f1865dbe62be7f8766bd12e45994298
SHA256 1d23c3792c1a7fa6d730d6eb69f549d490683849e326d1864e95b1b3380e162f
SHA256 f2640ab62c2f78387ce8757f6cec57230858b1ee559be1604a81a0d848382d99
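The delivery vector is the whole point of this run: a .zip whose only member is a .js, which Windows hands to WScript on double-click. The following is an added example, not code from the original post: it parses a message, opens any .zip attachment in memory, flags script-type members (including double extensions such as passport.pdf.js), checks both the attachment and the members against the four SHA256 values listed above, and refuses to inflate oversized members. The sample message it builds is constructed to mimic the campaign; its .js body is a placeholder, not the real downloader, and the addresses and filenames are assumptions.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 values listed in the post for the attachments. The post does not say
# whether they are the .zip or the inner .js, so both are checked.
KNOWN_BAD_SHA256 = {
    "17f7401d67a288a30593410860b98c32dd297efffd5bcd501386d3a2acc8861d",
    "a8f921f75bc9e997286b90d2c02194bb7f1865dbe62be7f8766bd12e45994298",
    "1d23c3792c1a7fa6d730d6eb69f549d490683849e326d1864e95b1b3380e162f",
    "f2640ab62c2f78387ce8757f6cec57230858b1ee559be1604a81a0d848382d99",
}

# Extensions Windows Script Host or mshta will execute on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # do not inflate suspiciously large members


def build_sample_eml(inner_name="passport_copy.js"):
    """Constructed message mimicking the campaign (not a real capture).

    The .js body is a stand-in; addresses and filenames are assumptions.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, b"// stand-in content, not the real downloader\n")
    msg = EmailMessage()
    msg["From"] = "Octavio Luna <sender@example.invalid>"
    msg["To"] = "info@example.invalid"
    msg["Subject"] = "My passport - Octavio Luna"
    msg.set_content("Please find attached copy of the passport for my wife "
                    "and daughter as requested.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="passport.zip")
    return msg.as_bytes()


def inspect_message(raw):
    """Return findings for attachments matching the campaign's delivery pattern."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            findings.append({"attachment": name, "member": None,
                             "sha256": digest, "reason": "known_bad_hash"})
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append({"attachment": name, "member": info.filename,
                                         "sha256": None, "reason": "oversized_member"})
                        continue
                    inner = zf.read(info)
                    inner_digest = hashlib.sha256(inner).hexdigest()
                    if inner_digest in KNOWN_BAD_SHA256:
                        findings.append({"attachment": name, "member": info.filename,
                                         "sha256": inner_digest, "reason": "known_bad_hash"})
                    # endswith() on the lower-cased name also catches
                    # double extensions such as passport.pdf.js
                    if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                        findings.append({"attachment": name, "member": info.filename,
                                         "sha256": inner_digest, "reason": "script_in_zip"})
        except zipfile.BadZipFile:
            findings.append({"attachment": name, "member": None,
                             "sha256": digest, "reason": "corrupt_zip"})
    return findings


if __name__ == "__main__":
    for finding in inspect_message(build_sample_eml()):
        print(finding)
```

The hash check alone is brittle (the four values above will not survive the next repack); the structural check, a script-type member inside a .zip sent to a generic mailbox, is what catches the next run as well.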

When the .js file is run it fetches two files from:

http://31072015a.com/images/five1.jpg
and
http://31072015a.com/images/five2.jpg

SHA256 77a1d31223a91489f9770766a0648571f1aaaab5f92bb0687a72c88d1f1a9b3c
VirusTotal Report / Malwr Report
and
SHA256 d73321df1fff7bf3db3afe1fc06afd43c03de8dd1c512de6c1713d5685a658fb
VirusTotal Report / Malwr Report

The payload then tried a long list of C&C URLs, most of them dead; the ones that responded were:

http://guypjones.com/wp-content/themes/twentyeleven/a.php?o=vzh6cr4dppbl
http://aeusasoftball.com/wp-content/themes/sports-team-theme/includes/advanced-custom-fields/assets/inc/datepicker/images/c.php?r=8avbfw85091

It then encrypted the machine's files with CryptoWall ransomware.

This spam run is similar to the ones seen only a few days or weeks earlier; this time, however, the download domain, 31072015a.com, uses different nameservers:

Name Server: ns1.loer555.org
Name Server: ns2.loer555.org
Name Server: ns3.loer555.org
Name Server: ns4.loer555.org

Nameserver addresses: 77.247.23.79 (Ukraine)
31.129.95.173 (Ukraine)
178.159.113.8 (Russia)
188.17.83.192 (Russia)
92.42.11.222 (Russia)
89.185.21.82 (Ukraine)

The domain itself points to:

Name: 31072015a.com
Addresses: 37.139.98.29 (Russia)
178.54.238.73 (Ukraine)
188.230.31.190 (Ukraine)
46.46.79.62 (Ukraine)
213.231.23.65 (Ukraine)
77.109.58.84 (Ukraine)
178.150.153.18 (Ukraine)
46.98.196.176 (Ukraine)
109.227.97.188 (Ukraine)
46.172.212.54 (Russia)

As with the previous spam runs, the domain name gives away how new the campaign is: it is a date in DDMMYYYY form, so 31072015a.com should have been registered on 31 July 2015, and whois confirms exactly that.
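The download and C&C URLs above, and the date-named domain, turn into simple proxy-log detections. The block below is an added example, not code from the original post: it matches the listed URLs, hostnames and resolution addresses exactly, decodes a DDMMYYYY domain into the date it encodes (assuming the naming scheme holds across runs, which the post implies but does not prove), and flags the shape shared by both working C&C URLs (a single-letter .php under a WordPress theme directory with a single-letter query parameter). The log format and all log lines are constructed; 01082015b.example is a made-up domain on the reserved .example TLD. The two hosting the C&C scripts are matched on the full URL rather than the bare hostname because, on my assumption, wp-content/themes paths point to compromised WordPress sites whose legitimate traffic you do not want to block.

```python
import datetime
import re
from urllib.parse import urlparse

# Indicators taken from the post.
KNOWN_IOC_DOMAINS = {"31072015a.com"}
KNOWN_IOC_URLS = {
    "http://31072015a.com/images/five1.jpg",
    "http://31072015a.com/images/five2.jpg",
    "http://guypjones.com/wp-content/themes/twentyeleven/a.php?o=vzh6cr4dppbl",
    "http://aeusasoftball.com/wp-content/themes/sports-team-theme/includes/"
    "advanced-custom-fields/assets/inc/datepicker/images/c.php?r=8avbfw85091",
}
KNOWN_IOC_IPS = {  # addresses 31072015a.com resolved to
    "37.139.98.29", "178.54.238.73", "188.230.31.190", "46.46.79.62",
    "213.231.23.65", "77.109.58.84", "178.150.153.18", "46.98.196.176",
    "109.227.97.188", "46.172.212.54",
}

# Assumption: campaign domains are DDMMYYYY plus an optional letter.
DATE_DOMAIN_RE = re.compile(r"^(\d{2})(\d{2})(\d{4})[a-z]?\.[a-z]+$")
# Shape of both working C&C URLs: single-letter .php under a theme directory,
# single-letter query key with an alphanumeric value.
C2_PATH_RE = re.compile(r"^/wp-content/themes/.+/[a-z]\.php$")
C2_QUERY_RE = re.compile(r"^[a-z]=[a-z0-9]+$")


def date_from_domain(host):
    """Return the date a DDMMYYYY-named domain encodes, or None."""
    m = DATE_DOMAIN_RE.match(host.lower())
    if not m:
        return None
    day, month, year = (int(g) for g in m.groups())
    try:
        return datetime.date(year, month, day)
    except ValueError:  # all digits but not a real date, e.g. 99992015a.com
        return None


def classify_url(url):
    """List the reasons a URL is suspicious; empty list means clean."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if url in KNOWN_IOC_URLS:
        reasons.append("known_ioc_url")
    if host in KNOWN_IOC_DOMAINS or host in KNOWN_IOC_IPS:
        reasons.append("known_ioc_host")
    if date_from_domain(host) is not None:
        reasons.append("date_named_domain")
    if C2_PATH_RE.match(parsed.path) and C2_QUERY_RE.match(parsed.query):
        reasons.append("wp_theme_php_c2")
    return reasons


# Constructed proxy log, one request per line:
# "<epoch> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1438329600.123 10.0.0.5 GET http://31072015a.com/images/five1.jpg 200
1438329601.456 10.0.0.5 GET http://guypjones.com/wp-content/themes/twentyeleven/a.php?o=vzh6cr4dppbl 200
1438329602.789 10.0.0.5 GET http://example.com/wp-content/themes/twentyeleven/style.css 200
1438329603.000 10.0.0.7 GET http://01082015b.example/images/five1.jpg 200
1438329604.000 10.0.0.9 GET http://www.example.org/index.html 200
"""


def scan_proxy_log(lines):
    """Return one hit per log line that matches at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the scan
        url = fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append({"line": n, "client": fields[1], "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The date decoder is the useful part for the next run: a freshly registered, all-digit domain requested by an info@ mailbox's workstation is worth an alert even before anyone has shared its hashes.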
