- 2017-09-05: #locky email phishing campaign "Scanning"
- Email sample:
- ---------------------------------------------------------------------------------------------------------------------
- From: Mollie Hollywell <Mollie.Hollywell@tayloredgroup.co.uk>
- To: [REDACTED]
- Subject: Scanning
- Date: Thu, 18 May 2017 20:26:35 +0100
- https://dropbox.com/file/672A13953 -> http://daniellloyd.com/MSG000-00090.7z
- --
- Mollie Hollywell DipFA
- Taylored Group
- 26 City Business Centre
- Hyde Street
- Winchester
- SO23 7TA
- Members of the CAERUS Capital Group
- www.tayloredgroup.co.uk [1]
- Office Number: 01962 826870
- Mobile: 07915 612277
- email: Mollie.Hollywell@tayloredgroup.co.uk
- Taylored Financial Planning is a trading style of Jonathan & Carole Taylor
- who are an appointed representative of Caerus Financial Limited, Building
- 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
- and regulated by the Financial Conduct Authority.
- Email communications are not secure, for this reason Taylored Financial
- Planning cannot guarantee the security of the email or its contents or that
- it remains virus free once sent. This email message is strictly confidential
- and intended solely for the person or organisation to who it is addressed.
- It may contain privileged and confidential information and if you are not
- the recipient, you must not copy, distribute or take any action in reference
- to it. If you have received this email in error, please notify us as soon as
- possible and delete the message from your system.
- Links:
- ------
- [1] http://www.tayloredgroup.co.uk
- Attachment: SCNMSG000089.7z ->
- ---------------------------------------------------------------------------------------------------------------------
- - sender is forged to be <name>@tayloredgroup.co.uk
- - subject is "Scanning"
- - body contains a link that appears to point to Dropbox, but in fact it leads to one of the downloader download sites, the same as in the attachment
- - attached file "SCNMSG0000<2-4 digits>.7z" contains file "Invoice INV-000<3 digits>.vbs", a VBScript downloader which will download malware from:
- Downloader download sites:
- Malware download sites:
- The malware is the same as in today's previous campaigns, see https://pastebin.com/FGr47Z3E
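Added example, not part of the original paste: a mail-filter style check for the three traits listed in the notes above (subject "Scanning", attachment named SCNMSG0000<2-4 digits>.7z, link text showing a Dropbox URL while the href goes to another host). The names campaign_traits, LinkCollector and constructed_sample and the host downloader.example are assumptions made for this illustration, and the sample message is constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

ATTACHMENT_RE = re.compile(r"^SCNMSG0000\d{2,4}\.7z$", re.I)  # naming per the notes

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlparse(url).hostname or "").lower()

def campaign_traits(raw):
    """Return the sorted campaign traits found in one raw RFC 5322 message."""
    msg, hits = message_from_string(raw, policy=policy.default), set()
    if (msg["Subject"] or "").strip() == "Scanning":
        hits.add("subject")
    for part in msg.walk():
        if ATTACHMENT_RE.match(part.get_filename() or ""):
            hits.add("attachment-name")
        if part.get_content_type() == "text/html":
            parser = LinkCollector()
            parser.feed(part.get_content())
            # Visible text is itself a URL but names a different host than href.
            if any(t.lower().startswith("http") and host(t) != host(h) for h, t in parser.links):
                hits.add("link-mismatch")
    return sorted(hits)

def constructed_sample(link_host="downloader.example"):
    """Constructed test message; link_host is a placeholder, not a campaign IoC."""
    m = EmailMessage()
    m["Subject"] = "Scanning"
    m.set_content(f'<a href="http://{link_host}/MSG000-00090.7z">https://dropbox.com/file/672A13953</a>', subtype="html")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="x-7z-compressed", filename="SCNMSG000089.7z")
    return m.as_string()
```

The subject alone is a weak signal; treat a message as a campaign match only when the attachment-name or link-mismatch trait is also present.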