
2017-09-05 Locky "New voice message"

Racco42 Sep 5th, 2017 728 Never
  1. 2017-09-05: #locky email phishing campaign "New voice message"
  2.  
  3. Email sample:
  4. -------------------------------------------------------------------------------------------------------------------------
  5. From: "Voicemail Service" <vmservice@[REDACTED]>
  6. To: [REDACTED]
  7. Subject: New voice  message 14495013047 in mailbox 144950130471 from "14495013047" <2781148583>
  8. Date: Tue, 05 Sep 2017 17:58:10 +1000
  9.  
  10. Dear user:
  11.  
  12. just wanted to let you know you were just left a 0:24 long message (number 14495013047)
  13. in mailbox 144950130471 from "14495013047" <2781148583>, on Tue, 05 Sep 2017 17:58:10 +1000
  14. so you might want to <a href="http://grande-flora.nl/MSG000-00090.7z>check</a> it when you get a chance.  Thanks!
  15.  
  16.                                 --Voicemail Service
  17.  
  18. Attachment: MSG000-000685.7z -> "Invoice INV-000907.vbs"
  19. -------------------------------------------------------------------------------------------------------------------------
  20. - sender is "vmservice@[sender's domain]"
  21. - body is "New voice  message <11 digits> in mailbox <12 digits> from "<11 digits>" <10 digits>"
  22. - body contains a link that downloads a VBS downloader of the same kind as the attached one
  23. - attached file "MSG000-000<3 digits>.7z" contains the file "Invoice INV-000<3 digits>.vbs", a VBScript downloader that downloads the malware from one of the malware download sites:
  24.  
  25. Downloader download sites:
  40.  
  41. Malware download sites:
  65.  
  66. The malware is the same as in the "Invoice from Verizon" campaign: https://pastebin.com/FGr47Z3E
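
The email traits noted above, turned into a mail-triage check (an added example, not part of the original paste). The subject pattern is transcribed from the sample's Subject line; the function names, the two-trait threshold and the example.* addresses are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Patterns transcribed from the sample email and the notes in the paste.
SENDER_RE = re.compile(r"^vmservice@", re.I)
SUBJECT_RE = re.compile(
    r'New voice message \d{11} in mailbox \d{12} from "\d{11}" <\d{10}>')
ATTACH_RE = re.compile(r"^MSG000-000\d{3}\.7z$", re.I)
LINK_RE = re.compile(r"https?://[^\s\"'<>]+/MSG000-\d+\.7z", re.I)


def match_campaign(raw: bytes) -> dict:
    """Report which campaign traits a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    # Collapse runs of whitespace: the lure uses a double space, and
    # header folding can add more.
    subject = " ".join((msg["Subject"] or "").split())
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return {
        "sender": any(SENDER_RE.match(a.addr_spec) for a in addrs),
        "subject": bool(SUBJECT_RE.search(subject)),
        "attachment": any(ATTACH_RE.match(n) for n in names),
        "link": bool(LINK_RE.search(text)),
    }


def is_suspect(raw: bytes, threshold: int = 2) -> bool:
    """Flag a message matching at least `threshold` traits (assumed value)."""
    return sum(match_campaign(raw).values()) >= threshold


# Constructed body; example.invalid stands in for a download site.
DEFAULT_BODY = '<a href="http://example.invalid/MSG000-00090.7z">check</a>'


def build_sample(subject, sender, attach_name=None, body_html=DEFAULT_BODY):
    """Build a constructed test message; attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = f'"Voicemail Service" <{sender}>'
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body_html, subtype="html")
    if attach_name:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()
```

Matching on two or more traits rather than any single one keeps a legitimate voicemail notification with a similar subject from being flagged on its own.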