Blank Emails With No Subject Delivering Locky And Kovter

Office Macro Malware

Just a quick heads-up warning. We are starting to see Locky and Kovter delivery emails trickling in this morning. The sites and payloads are the same as described in this post: https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/ It looks like the Locky gangs are gearing up for a mass malspam run but are still fine-tuning the delivery systems and having a few problems.

We always see errors and problems before a mass Locky onslaught. If they keep to the sites they have been using for the last month or so, it will be relatively easy to track them and block the malware.

The emails received so far today are totally blank, with no subject. The zip attachment extracts to another zip, which in turn extracts to a supposed .jse file. However, these are not encoded JavaScript at all; they are only minimally obfuscated and, in fact, perfectly readable by a human.

From: charlie.wills@02glass.com

Date: Mon 16/01/2020 23:30 (arrived 07:35 UTC 17/01/2020)

Subject: blank

Attachment: 38168891.zip extracts to 38168891.doc.zip, which extracts to 38168891.doc.jse (VirusTotal | Payload Security)

Payload:

1.bin Locky: https://www.virustotal.com/en/file/2d193757baa6dfc600931ceeb0d8ffb690d57b403633c0c6c57833e4b6d5d618/analysis/1484631951/

2.bin Kovter: https://www.virustotal.com/en/file/a1f770ddd4a0dcdfd481112708586aae857060909cbc4e93a802ae4b0359d965/analysis/1484642102/
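One way to triage the attachment chain described above (zip inside zip, ending in a .doc.jse that is not really encoded script) at a mail gateway, as an added Python example that is not code from this post or the blog: it walks nested zip members, flags script files and double extensions, and notes when a .jse lacks the `#@~^` marker that genuine JScript.Encode output starts with. The sample archive is constructed inline with a harmless placeholder body in place of the real file.

```python
import io
import re
import zipfile

SCRIPT_EXTS = (".jse", ".js", ".vbs", ".vbe", ".wsf")
JSE_MAGIC = b"#@~^"  # genuine JScript.Encode output begins with this marker
DOUBLE_EXT = re.compile(r"\.(doc|docx|pdf|xls)\.[a-z]{2,4}$")


def inspect_attachment(data, name, depth=0, max_depth=3):
    """Recursively walk a zip attachment; return a list of (path, reason) findings."""
    findings = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            path = f"{name}/{member.filename}"
            lname = member.filename.lower()
            content = zf.read(member)
            if zipfile.is_zipfile(io.BytesIO(content)):
                # The post's chain: an archive nested inside the outer archive
                findings.append((path, "nested archive"))
                findings.extend(inspect_attachment(content, path, depth + 1, max_depth))
            elif lname.endswith(SCRIPT_EXTS):
                reasons = ["script attachment"]
                if DOUBLE_EXT.search(lname):
                    reasons.append("double extension")
                if lname.endswith(".jse") and not content.startswith(JSE_MAGIC):
                    reasons.append("plain-text .jse (not JScript.Encode)")
                findings.append((path, "; ".join(reasons)))
    return findings


def verdict(findings):
    """Block any mail whose attachment chain contains a script file."""
    return "block" if any("script attachment" in r for _, r in findings) else "allow"


def build_sample():
    """Constructed stand-in for the chain in the post: zip -> .doc.zip -> .doc.jse."""
    body = b"var placeholder = 'constructed harmless sample, not the real file';\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("38168891.doc.jse", body)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("38168891.doc.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in inspect_attachment(build_sample(), "38168891.zip"):
        print(path, "->", reason)
```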
