Mass mailing of malicious emails


We inform you that a mass mailing of malicious emails is under way from various IP and email addresses. The messages carry malicious *.zip archives containing JS scripts as attachments. When the script is executed, malware of the #ransomware #troldesh family is downloaded.

Sample email message:

Detailed description:

After the JS script is launched, it requests hxxp://www.horstje.nl/wp-content/themes/mora/languages/1c.jpg (IP address 87.236.98.81), downloads a #ransomware #troldesh sample and saves it on the system as C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1c[1].jpg. The malicious file is then re-launched as C:\Users\admin\AppData\Local\Temp\rad24B87.tmp, checks the computer's IP address, adds itself to autorun, downloads the ransom instructions for the encrypted computer and encrypts the user's files. After encryption the files look as follows:

Threat level: LOW

Email -> .zip archive -> JavaScript file (.js) -> exe file -> Ransomware/Troldesh

Mechanism of operation:

Cyber threat indicators:

IP addresses from which the mailing is sent:

   91.203.146.214
   5.9.25.105
   202.191.119.59
   212.227.17.12
   144.217.67.210
   220.130.127.159
   124.133.35.228
   208.109.80.52
   203.141.129.184
   79.98.28.20
   210.131.2.80
   91.185.184.157
   27.120.129.40
   148.251.132.162
   212.227.17.21
   66.96.186.6
   111.86.247.13
   46.4.77.12
   109.254.248.227
   67.210.233.131
   148.153.12.226
   176.223.209.99
   134.119.228.110
   110.158.1.90
   96.35.212.12
   23.227.135.34
   118.238.26.162
   217.195.176.108
   133.242.80.223
   111.86.247.12
   212.227.17.22
   173.212.204.227
   219.99.220.147
   138.201.128.25
   62.149.156.160
   122.146.194.244
   203.137.83.91
   66.96.187.1
   125.209.239.156
   121.254.168.203
   218.249.29.198
   111.87.236.94
   208.112.75.204
   210.131.2.90
   212.227.15.19
   5.77.45.240

Main object: "Информация о заказе.2019-07.02.docx.js" (two variants observed)

    sha256   726943f9160b2c09fd20e081b0cae6830bfc74b8529d576cd1202f2ab83ae327
    sha1     7aea6c384e79687e8c3c40c680f2cb4296de4989
    md5      2d91da1991b1a1479cbb95741e048c02

    sha256   76eaffb3fcb3b1721e6824b2c805db53c81dacabdc74c4ef73c2c786ba5d2607
    sha1     746e217304636bc06fc25933375f61ddea505abd
    md5      9983c590e9404a9a019afe9fa23463b4

Dropped executable file

   path     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1c[1].jpg
   sha256   32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0

Connections

   ip 87.236.98.81
   ip 171.25.193.9
   ip 194.109.206.212
   ip 198.23.156.50
   ip 51.89.133.253
   ip 104.16.155.36
   ip 104.16.154.36
   ip 163.172.21.117
   ip 104.18.35.131

HTTP/HTTPS requests

Download of #ransomware #troldesh (every URL serves the payload under the file name 1c.jpg):

url http://www.horstje.nl/wp-content/themes/mora/languages/1c.jpg
url http://vocalistas.com.br/1c.jpg
url http://academiaosler.curupira21.com.br/auth/cas/CAS/CAS/Languages/1c.jpg
url http://adamedia.web.id/cache/plg_system_rsfirewall/1c.jpg
url http://adoteumproblema.com.br/wp-includes/ID3/1c.jpg
url http://alex.vendaecontrole.com.br/database/1c.jpg
url http://alphasudvtc.fr/wp-content/themes/Divi/epanel/css/1c.jpg
url http://aquadrops.jp/wp-admin/css/colors/blue/1c.jpg
url http://archive.muteqx.com/images/menu/1c.jpg
url http://attpbgolf.omgmediagroup.com/mobile/att/css/1c.jpg
url http://audioarchitects.omginteractive.com/css/1c.jpg
url http://auto-olimpia.pl/new1/wp-admin/css/colors/coffee/1c.jpg
url http://blog.buycom108.com/wp-admin/css/colors/blue/1c.jpg
url http://bordir-konveksi.com/.well-known/acme-challenge/1c.jpg
url http://busybhive.com/wp-content/themes/flatsome/dev/components/_notused/1c.jpg
url http://canseidobrasil.com.br/wp-includes/ID3/1c.jpg
url http://casaitinerante.com.br/wp-includes/ID3/1c.jpg
url http://cashless.design/wp-admin/css/colors/blue/1c.jpg
url http://catherine-marty-kinesiologue.fr/wp-includes/ID3/1c.jpg
url http://centredetriargenteuil.ca/.well-known/pki-validation/1c.jpg
url http://cerovica.com/wp-content/themes/longevity/css/1c.jpg
url http://champweb.net/wp-content/themes/twentyfifteen/genericons/1c.jpg
url http://clinic.niftycampaigns.com/wp-includes/ID3/1c.jpg
url http://czyjestemtata.pl/pro/wp-admin/css/colors/blue/1c.jpg
url http://daneshyarpub.ir/includes/database/mysql/1c.jpg
url http://dash10.digital/dl/app/1c.jpg
url http://davyanders.fr/wp-content/themes/breena/widgets/1c.jpg
url http://dd18.nl/wp-content/themes/twentyeleven/js/1c.jpg
url http://dennisisasshole.com/css/1c.jpg
url http://design-constructor.ru/wp-admin/css/colors/blue/1c.jpg
url http://dev.abitotv.it/.tmb/1c.jpg
url http://diabloedesign.com/templates/diablo/css/1c.jpg
url http://dmseating.com/wp-content/themes/theretailer/fonts/font-awesome/css/1c.jpg
url http://dubktoys.com/Shop/wp-admin/css/colors/blue/1c.jpg
url http://dybenko.net/_backup/1c.jpg
url http://ecofinition.ca/images/1c.jpg
url http://eklektx.com/ads/1c.jpg
url http://favoritei.000webhostapp.com/wp-content/themes/astra/inc/addons/breadcrumbs/assets/js/minified/1c.jpg
url http://fotoms.pl/wp-content/themes/xAvada/bbpress/1c.jpg
url http://ghoziankarami.com/wp-includes/ID3/1c.jpg
url http://hb.buycom108.com/.well-known/pki-validation/1c.jpg
url http://hoanggia.tech/wp-includes/ID3/1c.jpg
url http://huvudstadsguiden.eu/wp-admin/css/colors/blue/1c.jpg
url http://ideadom.pl/templates/ideadom/js/1c.jpg
url http://idiotpodden.se/podcasts/1c.jpg
url http://ilyapetrov.com/wp-content/themes/twentynineteen/classes/1c.jpg
url http://iptvdesk.com/wp-includes/ID3/1c.jpg
url http://its52.ru/modules/aggregator/tests/1c.jpg
url http://kaghazdivarishop.ir/bin/1c.jpg
url http://koolergazishop.ir/cli/1c.jpg
url http://labanglashire.com/wp-content/themes/sparkling/inc/libraries/epsilon-framework/assets/css/1c.jpg
url http://landskronaguiden.se/menylista/1c.jpg
url http://lets-go-to-russia.com/administrator/cache/1c.jpg
url http://liliantreiger.umpublicidade.com.br/wp-admin/css/colors/blue/1c.jpg
url http://loge10.nl/wp-content/themes/blackoot-pro/img/prettyPhoto/dark_rounded/1c.jpg
url http://loostershop.ir/cli/1c.jpg
url http://lordsofthecloudage.com/wp-content/themes/twentysixteen/inc/1c.jpg
url http://lydia-unger.com/wp-content/themes/studiorio/images/1c.jpg
url http://magdalenatota.pl/wp-admin/css/colors/blue/1c.jpg
url http://marco-ising.nl/wp-content/themes/weaver-ii/help/images/1c.jpg
url http://mbtkd2.omgmediagroup.com/wp-admin/css/colors/blue/1c.jpg
url http://mbtkd.omgmediagroup.com/wp-admin/css/colors/blue/1c.jpg
url http://microwaveshop.ir/cli/1c.jpg
url http://montereyboatparade.com/css/1c.jpg
url http://norecreio.com.br/wp-admin/css/colors/blue/1c.jpg
url http://pikadons.omginteractive.com/comments/classes/1c.jpg
url http://pilotfilm.dk/wp-content/themes/soho/core/admin/css/1c.jpg
url http://posexemploservico.vendaecontrole.com.br/1c.jpg
url http://presqueisle-knights.org/Soccer2018/index_files/vlb_engine/1c.jpg
url http://prima-dom.eu/wp-includes/ID3/1c.jpg
url http://renanviegas.com.br/wp-content/languages/plugins/1c.jpg
url http://rigtr.nl/templates/rigtr10/images/system/1c.jpg
url https://ambitionconcepts.com/wp-content/themes/enfold/config-events-calendar/views/pro/1c.jpg
url https://anniesangels.org/wp-content/themes/Divi/css/tinymce-skin/fonts/1c.jpg
url http://saphir-bruxelles.be/wp-content/themes/twentyten/images/headers/1c.jpg
url https://applebee.nl/wp-content/themes/applebee/fonts/1c.jpg
url https://authenticinternationalbd.com/wp-content/themes/llorix-one-lite/languages/1c.jpg
url https://chiavarichairs.rentals/wp-content/themes/rentchivari/_ui/css/bootstrap/bootstrap/mixins/1c.jpg
url https://complanbt.hu/templates/shaper_simplicity_ii/js/1c.jpg
url https://dcid-web.com/wp-content/themes/Divi/et-pagebuilder/1c.jpg
url https://eko-pranie.eu/wp-content/themes/ekopranie/library/1c.jpg
url http://senital.co.uk/templates/a4joomla-ocean-free/js/1c.jpg
url https://fpthaiduong123.com/Full-VPSSIM/1c.jpg
url https://homesfinder.vn/Full-VPSSIM/1c.jpg
url http://shoponlineforfree.com/wp-content/themes/twentynineteen/fonts/1c.jpg
url https://impresaranghetti.it/.tmb/1c.jpg
url https://jh-soft.de/wp-content/themes/conica/images/demo/1c.jpg
url https://landskronakatalogen.se/Evenemang/wp-admin/css/colors/blue/1c.jpg
url https://leixiayiran.com/wp-content/themes/begin/group/1c.jpg
url http://smartline.com.ua/templates/jabellatrix/scripts/1c.jpg
url http://smd.omginteractive.com/wp-admin/css/1c.jpg
url https://m-jansen.nl/wp-content/themes/Divi/images/1c.jpg
url http://soc.omgmediagroup.com/bootstrap3/css/1c.jpg
url http://solklart.fi/wp-content/themes/Divi/core/admin/css/1c.jpg
url https://p30qom.ir/templates/kalaresan/js/1c.jpg
url https://paimiontietotekniikka.fi/wp-content/themes/cake/includes/1c.jpg
url https://pmbroker.it/.tmb/1c.jpg
url https://quiz.wellbeing-health.com/.well-known/acme-challenge/1c.jpg
url https://rijschoolharrysmit.nl/wp-content/themes/twentythirteen/css/1c.jpg
url https://scaryle.de/wp-content/themes/donovan/inc/customizer/controls/1c.jpg
url https://studiomonforte.com/.tmb/1c.jpg
url http://starmkt.omginteractive.com/_notes/1c.jpg
url http://strategiepro.com/wp-content/themes/iamsocial/fonts/1c.jpg
url http://stylemayk.com/wp-content/themes/redmag/languages/1c.jpg
url https://velvetstore.com.ua/tmp/com_csvi/export/1c.jpg
url http://svmh.omginteractive.com/assets/css/1c.jpg
url https://www.accretioconsulting.com/wp-content/themes/interface/page-templates/1c.jpg
url https://www.altamiuzkg.com/wp-content/themes/elnooronline-tamyoz/1c.jpg
url https://www.bprj.co.uk/wp-content/themes/spacious/font-awesome/css/1c.jpg
url https://www.draht-center.de/wp-content/themes/betheme/muffin-options/css/1c.jpg
url https://www.fontein-ontruimingen.nl/wp-content/themes/express-movers/layouts/1c.jpg
url https://www.hittabox.se/wp-content/themes/15zine/buddypress/activity/1c.jpg
url https://www.houseinspaininvest.com/wp-content/themes/realhomes-child-theme/assets/classic/icons/1c.jpg
url https://www.motorradecke-richter.de/wp-content/themes/twentyseventeen/template-parts/footer/1c.jpg
url https://www.scripto.nu/wp-content/themes/super-skeleton/languages/1c.jpg
url https://yourinnergy.nl/wp-content/themes/twentysixteen/template-parts/1c.jpg
url http://takharandshankertour.com/wp-content/themes/thegem/css/jquery-ui/base/images/1c.jpg
url http://testinstall.electronicmusicskills.com/1c.jpg
url http://travelsandairfares.com/wp-includes/ID3/1c.jpg
url http://twosisterstravelco.com/wp-content/themes/uncode/core/assets/css/1c.jpg
url http://universalblogs.es/wp-content/themes/realhomes/images/map/1c.jpg
url http://vandeneijndenfotografie.nl/wp-content/themes/expression/includes/1c.jpg
url http://videofuneral.net/wp-content/themes/ave/languages/1c.jpg
url http://virtual.mv/wp-content/themes/uplift/includes/customizer/1c.jpg
url http://visitjourney.org/wp-content/plugins/admin-menu-editor/ajax-wrapper/1c.jpg
url http://wamber.com/wp-content/themes/twentythirteen/css/1c.jpg
url http://wapenvanijlst.nl/Kalender/Basis/1c.jpg
url http://wargacki.eu/.htpasswds/1c.jpg
url http://wo1f.net/wp-content/themes/generatepress/js/1c.jpg
url http://wulingsurabayasidoarjo.com/administrator/D:/xampp/htdocs/nguling1/administrator/logs/1c.jpg
url http://www.cg.light-chicago.com/1c.jpg
url http://www.chrisblackhurst.co.uk/wp-content/themes/norebro/page-templates/1c.jpg
url http://www.eve-marin.com/wp-content/themes/twentynineteen/classes/1c.jpg
url http://www.fana.curupira21.com/1c.jpg
url http://www.kylie.com.br/wp-content/themes/kylie/languages/1c.jpg
url http://www.liljan.is/wp-content/themes/liljan/images/1c.jpg
url http://www.mobiadnews.com/wp-content/themes/mobiadDC/images/1c.jpg
url http://www.otryt.bieszczady.pl/administrator/cache/1c.jpg
url http://www.scottpatton.com/cam/1c.jpg
url http://www.vitalhands.com/wp-content/themes/vitalhands/languages/1c.jpg
url http://www.ydnartech.com/wp-content/themes/CherryFramework/css/1c.jpg
url http://yellowpages.zmiev.top/cli/1c.jpg
url http://zodiacrobots.ru/images/2014/12/1c.jpg

Autorun entry (registry Run key):

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   name: Client Server Runtime Subsystem
   operation: write
   typeValue: REG_SZ
   value: "C:\ProgramData\Windows\csrss.exe"
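As an added example that is not part of this advisory, the Python script below takes a subset of the indicators listed above (sender IPs, connection IPs, payload URLs, sample hashes, and the Run key entry) and matches them against constructed mail, proxy, registry and file telemetry. The log line format, the 10.0.0.x client addresses and the example.test host are assumptions made for the demo; the regular expression for document-style double extensions generalizes the single attachment name on the page. The check on csrss.exe relies on the fact that the legitimate Client Server Runtime Subsystem binary lives in %SystemRoot%\System32, whereas the advisory's persistence entry points to C:\ProgramData\Windows\csrss.exe.

```python
"""Match Troldesh campaign indicators from the advisory against sample telemetry.

Added example, not part of the advisory. Indicator values are copied from the
advisory; the log lines and events below are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# --- Indicators from the advisory (subset) --------------------------------
SENDER_IPS = {"91.203.146.214", "5.9.25.105", "212.227.17.12"}
C2_IPS = {"87.236.98.81", "171.25.193.9", "104.16.155.36"}
PAYLOAD_URLS = {
    "http://www.horstje.nl/wp-content/themes/mora/languages/1c.jpg",
    "http://vocalistas.com.br/1c.jpg",
}
PAYLOAD_SHA256 = {
    "726943f9160b2c09fd20e081b0cae6830bfc74b8529d576cd1202f2ab83ae327",
    "32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0",
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Client Server Runtime Subsystem"

# The lure attachment uses a document-looking double extension ending in .js
# (generalized from the single file name in the advisory).
DOUBLE_EXT_JS = re.compile(r"\.(docx?|xlsx?|pdf|rtf)\.js$", re.IGNORECASE)


def check_attachment(name: str) -> list[str]:
    if DOUBLE_EXT_JS.search(name):
        return [f"mail: document-style double extension ending in .js: {name!r}"]
    return []


def check_sender(ip: str) -> list[str]:
    return [f"mail: sender IP {ip} is on the advisory's mailing list"] if ip in SENDER_IPS else []


def check_proxy_line(line: str) -> list[str]:
    """Constructed access-log format: <ts> <client> <status> <method> <url> <dest_ip>."""
    _ts, client, _status, _method, url, dest_ip = line.split()
    findings = []
    if url in PAYLOAD_URLS:
        findings.append(f"proxy: {client} fetched a listed Troldesh payload URL {url}")
    elif urlsplit(url).path.endswith("/1c.jpg"):
        # Every payload URL in the advisory ends in 1c.jpg; an unlisted host gets a weaker flag.
        findings.append(f"proxy: {client} fetched /1c.jpg from unlisted host {urlsplit(url).hostname}")
    if dest_ip in C2_IPS:
        findings.append(f"proxy: {client} connected to listed IP {dest_ip}")
    return findings


def check_registry_event(event: dict) -> list[str]:
    """Flag the advisory's Run value and any csrss.exe launched outside System32."""
    if event.get("key") != RUN_KEY:
        return []
    findings = []
    value = event.get("value", "").strip('"')
    if event.get("name") == RUN_VALUE_NAME:
        findings.append(f"registry: Run value named {RUN_VALUE_NAME!r} -> {value}")
    if value.lower().endswith("csrss.exe") and "\\windows\\system32\\" not in value.lower():
        findings.append(f"registry: csrss.exe started from a non-System32 path: {value}")
    return findings


def check_file_hash(path: str, sha256: str) -> list[str]:
    if sha256.lower() in PAYLOAD_SHA256:
        return [f"file: {path} matches a listed Troldesh sample hash"]
    return []


def scan(telemetry: list[dict]) -> list[str]:
    """Run every record through the matching check and collect the findings."""
    findings = []
    for rec in telemetry:
        kind = rec["kind"]
        if kind == "mail":
            findings += check_sender(rec["sender_ip"]) + check_attachment(rec["attachment"])
        elif kind == "proxy":
            findings += check_proxy_line(rec["line"])
        elif kind == "registry":
            findings += check_registry_event(rec)
        elif kind == "file":
            findings += check_file_hash(rec["path"], rec["sha256"])
    return findings


# Constructed sample telemetry (addresses and hosts are assumptions).
SAMPLE = [
    {"kind": "mail", "sender_ip": "5.9.25.105", "attachment": "Информация о заказе.2019-07.02.docx.js"},
    {"kind": "mail", "sender_ip": "10.0.0.9", "attachment": "invoice.pdf"},
    {"kind": "proxy", "line": "1562000000.1 10.0.0.5 200 GET http://www.horstje.nl/wp-content/themes/mora/languages/1c.jpg 87.236.98.81"},
    {"kind": "proxy", "line": "1562000001.2 10.0.0.7 200 GET http://example.test/static/1c.jpg 203.0.113.8"},
    {"kind": "proxy", "line": "1562000002.3 10.0.0.7 200 GET http://example.test/index.html 203.0.113.8"},
    {"kind": "registry", "key": RUN_KEY, "name": RUN_VALUE_NAME, "value": '"C:\\ProgramData\\Windows\\csrss.exe"'},
    {"kind": "registry", "key": RUN_KEY, "name": "OneDrive", "value": '"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"'},
    {"kind": "file", "path": r"C:\Users\admin\AppData\Local\Temp\rad24B87.tmp", "sha256": "32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The exact URL match is the strongest signal; the weaker `/1c.jpg` path check exists because the advisory's list of compromised sites is clearly not exhaustive, and the csrss.exe location check catches the same persistence trick even if the value name is changed.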