Wednesday, 22 March 2017

Fake bills deliver Crypt0L0cker in Sweden


After uncovering fake emails with finance-related information from banks and the Tax Office in Ukraine that delivered ransomware, we have found a similar attack running in Sweden. The archive, allegedly containing a bill, was hosted on Dropbox and contains the latest version of Crypt0L0cker (a.k.a. TorrentLocker).

The interesting peculiarity of this attack is the use of Dropbox to deliver the archive with the ransomware. At the time of writing this post, the link has been disabled.



Network IoCs


For more information on the downloaded ransomware sample (MD5: 3407018b603f9447910b592c0aaca445), see the analysis report at http://nas.niogurad.com

PS: Thanks to Anders Carlsson, a forensic expert from BTH, for sharing the attack information.
