2017-04-26 - MOLE RANSOMWARE AND KOVTER INFECTIONS FROM EMAILS IMPERSONATING USPS

NOTICE:

ASSOCIATED FILES:

BACKGROUND ON THIS CAMPAIGN:

NOTES FOR TODAY:


Shown above: Flowchart for this infection traffic.

EMAILS


Shown above: Screenshot of one of the emails seen today.

DATES/TIMES:

EXAMPLES OF SENDING ADDRESSES (ALL SPOOFED):

EXAMPLES OF SUBJECT LINES:

TRAFFIC


Shown above: Traffic from an infection filtered in Wireshark.

LINKS FROM THE EMAILS:

REDIRECT:

FAKE WORD ONLINE SITE:

PARTIAL URLS FROM THE .JS FILES FOR ADDITIONAL MALWARE:

MOLE RANSOMWARE POST-INFECTION TRAFFIC:

EMAIL ADDRESSES FROM THE MOLE RANSOMWARE DECRYPTION INSTRUCTIONS:

SOME OF THE KOVTER POST-INFECTION TRAFFIC:

MALWARE


Shown above: Zip archive disguised as an Office plugin downloaded from today's fake Word Online page.


Shown above: Each downloaded zip archive contains a .js file.

SAMPLES OF ZIP ARCHIVES DOWNLOADED FROM THE FAKE WORD ONLINE SITE:

.JS FILES EXTRACTED FROM THE ABOVE ZIP ARCHIVES:

SAMPLES OF MALWARE DOWNLOADED BY THE .JS FILES:

IMAGES


Shown above: Screenshot of an infected Windows desktop.