Bad guys need to constantly find new ways to lure their victims. If billing notifications were very common for a while, not all people in a company are working with such kind of documents. Which types of notification do they have in common? All of them have a phone number and with modern communication channels (Unified Communications">
From: voicemail@rootshell.beTo: [redacted]
The sender is spoofed with the victim domain name. The following file was attached to the message:"> $ unzip Message_from_01422520472.wav.zipArchive: Message_from_01422520472.wav.zip testing: 197577509502.wsf OKNo errors detected in compressed data of Message_from_01422520472.wav.zip.$ md5sum 197577509502.wsff2ee33a688a45b161d3191693196cb1d 197577509502.wsf
Note the.wav.zip extension to lure the user. As usual, the payload is heavily obfuscated and the AV detection ratio is still very low (6/55 at 11:55:00 UTC)[1]
Vigor is UK company building ADSL residential modems[2]. This tends to think that the newwave is targeting residential customers.
Here are the C2 servers (for your IDS):
%%ip:89.42.39.81%%
%%ip:213.205.40.169%%
%%ip:51.254.55.171%%
%%ip:194.67.210.183%%
%%ip:185.51.247.211%%
%%ip:185.129.148.19%%
%%ip:91.201.202.125%%
[1]https://www.virustotal.com/en/file/97be73cf491cf8e4d30e0e6d9b73e95151f77b3e52813e06b2ef391fa6f26b2a/analysis/1471949327/
[2]http://www.draytek.co.uk/products/legacy/vigor-2820
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key