- 2017-09-05: #locky email phishing campaign "New voice message"
- Email sample:
- -------------------------------------------------------------------------------------------------------------------------
- From: "Voicemail Service" <vmservice@[REDACTED]>
- To: [REDACTED]
- Subject: New voice message 14495013047 in mailbox 144950130471 from "14495013047" <2781148583>
- Date: Tue, 05 Sep 2017 17:58:10 +1000
- Dear user:
- just wanted to let you know you were just left a 0:24 long message (number 14495013047)
- in mailbox 144950130471 from "14495013047" <2781148583>, on Tue, 05 Sep 2017 17:58:10 +1000
- so you might want to <a href="http://grande-flora.nl/MSG000-00090.7z>check</a> it when you get a chance. Thanks!
- --Voicemail Service
- Attachment: MSG000-000685.7z -> "Invoice INV-000907.vbs"
- -------------------------------------------------------------------------------------------------------------------------
- - sender is "vmservice@[sender's domain]"
- - body is "New voice message <11 digits> in mailbox <12 digits> from "<11 digits>" <10 digits>"
- - body contains a link that downloads a VBS downloader, the same kind as the attached one
- - attached file "MSG000-000<3 digits>.7z" contains file "Invoice INV-000<3 digits>.vbs", a VBScript downloader which will download malware from one of the malware download sites:
- Downloader download sites:
- Malware download sites:
- The malware is the same as in the "Invoice from Verizon" campaign https://pastebin.com/FGr47Z3E
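The sender, subject, attachment and link traits listed above can be turned into a mail-filter check. The following is an added example, not part of the original paste; the function names, the `example.test` domains and the 5-to-6-digit link pattern are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SUBJECT_RE = re.compile(
    r'^New voice message \d{11} in mailbox \d{12} from "\d{11}" <\d{10}>$')
ATTACH_RE = re.compile(r'^MSG000-000\d{3}\.7z$', re.I)
# Assumption: link file names follow the sample (MSG000- plus 5 or 6 digits).
LINK_RE = re.compile(r'https?://[^\s"<>]+/MSG000-\d{5,6}\.7z', re.I)

def score_message(raw):
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower().startswith("vmservice@"):
        hits.append("sender")
    # Collapse folded header whitespace before matching the subject.
    if SUBJECT_RE.match(" ".join(msg.get("Subject", "").split())):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append("attachment")
        elif part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if LINK_RE.search(body):
                hits.append("link")
    return hits

def is_campaign(raw):
    """Flag when the subject matches and an attachment or link lure is present."""
    hits = score_message(raw)
    return "subject" in hits and bool({"attachment", "link"} & set(hits))

# Constructed sample message (placeholder domains), not a captured email.
SAMPLE = '''From: "Voicemail Service" <vmservice@example.test>
Subject: New voice message 14495013047 in mailbox 144950130471 from "14495013047" <2781148583>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="http://downloader.example.test/MSG000-00090.7z">check</a>
--b1
Content-Type: application/x-7z-compressed
Content-Disposition: attachment; filename="MSG000-000685.7z"

AAAA
--b1--
'''
```

`score_message` reports which traits matched so a filter can weight them; `is_campaign` requires the subject pattern plus at least one lure before flagging.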