2016-04-19 - TESLACRYPT MALSPAM - SUBJ: YOUR LATEST DOCUMENTS FROM ANGEL SPRINGS LTD
ASSOCIATED FILES:
- CSV spreadsheet with info on ten examples of the malspam: 2016-04-19-ten-emails-from-the-wave-of-TeslaCrypt-malspam.csv 2.3 kB (2,299 bytes)
- ZIP archive of the ten email examples: 2016-04-19-TeslaCrypt-malspam-ten-examples-of-the-emails.zip 45.1 kB (45,149 bytes)
- ZIP archive of the attachments, TeslaCrypt, etc: 2016-04-19-TeslaCrypt-malspam-attachments-malware-etc.zip 403.2 kB (403,179 bytes)
- ZIP archive of the pcap: 2016-04-19-traffic-caused-by-a-TeslaCrypt-malspam-attachment.pcap.zip 223.5 kB (223,547 bytes)
NOTES:
- This subject line has been used in previous waves of malicious spam (malspam).
- It was documented in January 2016 dropping Dridex as seen in Dynamoo's Blog (link).
- It was also documented earlier this month dropping Locky ransomware as seen at My Online Security (link).
- A quick Google search shows many others have also seen this subject line used in malspam.
- Today, this theme was used to drop TeslaCrypt ransomware.
EMAILS
Shown above: Ten examples from this wave of malspam.
Shown above: More information on the attachments from those 10 emails.
SCREENSHOT FROM ONE OF THE EMAILS:
TEXT OF THE MESSAGE:
Dear Customer,
Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.
Here's a few ways we've made it easier for you:
Your new documents are now attached to your email. You don't have to follow a link now to get to your documents.
Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.
You can simply and easily raise any queries you may have through the customer portal.
Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.
If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on 0845 230 9555 and we will be more than happy to assist you. Please do not reply to this email.
To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document
With Kind Regards,
Angel Springs Ltd
TRAFFIC
Shown above: Pcap of the traffic from executing the extracted .js files, filtered in Wireshark.
.JS FILE DOWNLOADING THE TESLACRYPT .EXE BINARY:
- 54.212.162.6 port 80 - thereissomegoodqq.com - GET /21.exe?1
- 54.212.162.6 port 80 - thereissomegoodqq.com - GET /80.exe?1
- 106.247.144.171 port 80 - thereissomegoodqq.com - GET /21.exe?1
- 106.247.144.171 port 80 - thereissomegoodqq.com - GET /80.exe?1
TESLACRYPT POST-INFECTION TRAFFIC:
- 103.57.24.251 port 80 - 13343225565.com - POST /mzfile.php
- 185.12.108.138 port 80 - 4turka.com - POST /images/mzfile.php
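The two traffic lists above give the whole infection chain as seen on the wire: the .js attachment fetches a numbered .exe with a "?1" query string, then the ransomware checks in with a POST to mzfile.php. The script below is an added example (not part of the original post or the pcap) showing how a defender could run those indicators over proxy or HTTP logs. The log lines are constructed for the example in a made-up "timestamp src dst:port host method uri" layout; the hosts, IPs and URIs come from the lists above, and the two regular expressions generalize the page's specific URIs so the same behaviour is flagged on infrastructure not yet on the indicator list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators copied from the traffic lists on this page
PAYLOAD_HOSTS = {"thereissomegoodqq.com"}
PAYLOAD_IPS = {"54.212.162.6", "106.247.144.171"}
C2_HOSTS = {"13343225565.com", "4turka.com"}
C2_IPS = {"103.57.24.251", "185.12.108.138"}

# Behavioural patterns generalized from the same traffic: a numbered .exe
# with a numeric query string, and a check-in POST ending in mzfile.php.
EXE_DOWNLOAD = re.compile(r"^/\d+\.exe\?\d+$")
CHECKIN = re.compile(r"/mzfile\.php$")


@dataclass
class Alert:
    src: str
    stage: str        # "payload-download" or "post-infection"
    host: str
    uri: str
    matched_on: str   # "ioc" (exact indicator) or "pattern" (regex)


def parse(line):
    """Parse one constructed log line: <ts> <src_ip> <dst_ip>:<port> <host> <method> <uri>."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, host, method, uri = parts
    dst_ip, _, dst_port = dst.rpartition(":")
    return dict(ts=ts, src=src, dst_ip=dst_ip, dst_port=dst_port,
                host=host, method=method, uri=uri)


def classify(rec) -> Optional[Alert]:
    """Map one request to an infection stage, exact indicators first."""
    host, ip, method, uri = rec["host"], rec["dst_ip"], rec["method"], rec["uri"]
    if method == "GET" and (host in PAYLOAD_HOSTS or ip in PAYLOAD_IPS):
        return Alert(rec["src"], "payload-download", host, uri, "ioc")
    if method == "POST" and (host in C2_HOSTS or ip in C2_IPS):
        return Alert(rec["src"], "post-infection", host, uri, "ioc")
    # Pattern matches catch the same behaviour from hosts not on the list
    if method == "GET" and EXE_DOWNLOAD.match(uri):
        return Alert(rec["src"], "payload-download", host, uri, "pattern")
    if method == "POST" and CHECKIN.search(uri):
        return Alert(rec["src"], "post-infection", host, uri, "pattern")
    return None


def scan(lines):
    """Return one Alert per matching log line, in log order."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


def infected_hosts(alerts):
    """Internal hosts that both fetched a payload and then checked in."""
    stages = {}
    for a in alerts:
        stages.setdefault(a.src, set()).add(a.stage)
    return sorted(src for src, seen in stages.items()
                  if {"payload-download", "post-infection"} <= seen)


# Constructed sample log: one full infection chain, one benign request,
# and one download that matches only the generalized pattern.
SAMPLE_LOG = [
    "2016-04-19T14:02:11 10.0.0.12 54.212.162.6:80 thereissomegoodqq.com GET /21.exe?1",
    "2016-04-19T14:02:13 10.0.0.12 106.247.144.171:80 thereissomegoodqq.com GET /80.exe?1",
    "2016-04-19T14:02:40 10.0.0.12 103.57.24.251:80 13343225565.com POST /mzfile.php",
    "2016-04-19T14:02:41 10.0.0.12 185.12.108.138:80 4turka.com POST /images/mzfile.php",
    "2016-04-19T14:03:00 10.0.0.15 93.184.216.34:80 example.com GET /index.html",
    "2016-04-19T14:05:07 10.0.0.20 198.51.100.7:80 unlisted-example.net GET /55.exe?1",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.src} {a.stage:17} {a.host} {a.uri} [{a.matched_on}]")
    print("hosts with full chain:", infected_hosts(SAMPLE_LOG and found))
```

Exact indicators age quickly once the actors move domains, which is why the pattern rules sit behind them: a host that only matches the pattern (10.0.0.20 above) is worth a look but is not reported as a confirmed infection until both stages are seen from the same source.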
IMAGES
Shown above: Desktop of the Windows host after it was infected with the TeslaCrypt ransomware.
FINAL NOTES
Once again, here are the associated files:
- CSV spreadsheet with info on ten examples of the malspam: 2016-04-19-ten-emails-from-the-wave-of-TeslaCrypt-malspam.csv 2.3 kB (2,299 bytes)
- ZIP archive of the ten email examples: 2016-04-19-TeslaCrypt-malspam-ten-examples-of-the-emails.zip 45.1 kB (45,149 bytes)
- ZIP archive of the attachments, TeslaCrypt, etc: 2016-04-19-TeslaCrypt-malspam-attachments-malware-etc.zip 403.2 kB (403,179 bytes)
- ZIP archive of the pcap: 2016-04-19-traffic-caused-by-a-TeslaCrypt-malspam-attachment.pcap.zip 223.5 kB (223,547 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website, or email me and ask.