Racco42

2017-09-05 Locky "Scanning"

Sep 5th, 2017
2017-09-05: #locky email phishing campaign "Scanning"

Email sample:
---------------------------------------------------------------------------------------------------------------------
From: Mollie Hollywell <Mollie.Hollywell@tayloredgroup.co.uk>
To: [REDACTED]
Subject: Scanning
Date: Thu, 18 May 2017 20:26:35 +0100

https://dropbox.com/file/672A13953 -> http://daniellloyd.com/MSG000-00090.7z
--
Mollie Hollywell DipFA

Taylored Group

26 City Business Centre

Hyde Street

Winchester

SO23 7TA

Members of the CAERUS Capital Group

www.tayloredgroup.co.uk [1]

Office Number: 01962 826870

Mobile: 07915 612277

email: Mollie.Hollywell@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole Taylor
who are an appointed representative of Caerus Financial Limited, Building
120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored Financial
Planning cannot guarantee the security of the email or its contents or that
it remains virus free once sent. This email message is strictly confidential
and intended solely for the person or organisation to whom it is addressed.
It may contain privileged and confidential information and if you are not
the recipient, you must not copy, distribute or take any action in reference
to it. If you have received this email in error, please notify us as soon as
possible and delete the message from your system.

Links:
------
[1] http://www.tayloredgroup.co.uk

Attachment: SCNMSG000089.7z ->
---------------------------------------------------------------------------------------------------------------------
- sender is forged to appear as <name>@tayloredgroup.co.uk
- subject is "Scanning"
- body contains a link whose visible text looks like a Dropbox URL but which actually points to one of the downloader download sites below (the same file as the attachment)
- attached file "SCNMSG0000<2-4 digits>.7z" contains "Invoice INV-000<3 digits>.vbs", a VBScript downloader which will download the malware from:

Downloader download sites:

Malware download sites:

The malware is the same as in today's earlier campaigns, see https://pastebin.com/FGr47Z3E
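An added triage example (my code, not the paste author's) that checks a constructed message for the three lure features noted above: the "Scanning" subject, the SCNMSG0000<digits>.7z attachment name, and a link whose visible text claims a Dropbox host while its href goes elsewhere. The host downloader.example is a placeholder for the real download sites, and the anchor regex is a deliberately simple pattern for demonstration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Attachment naming seen in this campaign: SCNMSG0000<2-4 digits>.7z
ATTACH_RE = re.compile(r"^SCNMSG0000\d{2,4}\.7z$", re.IGNORECASE)
# Simple anchor matcher: captures href and visible text of <a href="...">text</a>
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Constructed sample (not a real capture); downloader.example is a placeholder host.
SAMPLE_EML = """From: Mollie Hollywell <Mollie.Hollywell@tayloredgroup.co.uk>
Subject: Scanning
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p><a href="http://downloader.example/MSG000-00090.7z">https://dropbox.com/file/672A13953</a></p>
--b1
Content-Type: application/x-7z-compressed
Content-Disposition: attachment; filename="SCNMSG000089.7z"

--b1--
"""

def host(url):
    # Hostname of a URL-looking string, or None for plain text such as "click here".
    return urlparse(url).hostname if "://" in url else None

def triage(raw):
    # Returns the lure features found in a raw RFC 822 message, in MIME walk order.
    msg = message_from_string(raw)
    findings = []
    if (msg.get("Subject") or "").strip().lower() == "scanning":
        findings.append("subject:Scanning")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            findings.append("attachment:" + name)
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR_RE.findall(body):
                shown, real = host(text.strip()), host(href)
                if shown and real and shown != real:  # visible URL names a host the href does not go to
                    findings.append("link-mismatch:%s->%s" % (shown, real))
    return findings
```

Running `triage(SAMPLE_EML)` reports all three features; a plain message with no such traits returns an empty list.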