New Javascript ransomware: payment confirmation


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “payment confirmation”.

This email is send from the spoofed addresses and has the following body:

Dear Martin1964,

Many thanks for your card payment. Please find payment confirmation attached below.

Should you have any queries, please do not hesitate to contact Credit Control Team.

Best regards
Adeline Campbell
VP Finance & Controller

The attached file is this time a RAR archive  containing parts of the recipients email address in combination with words like “payment” plus a random number. Once extracted a folder with the file 556f0b08.js an F.

The malware is detected by 12/56 AV engines at Virus Total. Detailes analysis is available on Malwr.

The Javascript is readable and there is an HTTP GET command for the following URL in a Wscript.Shell: hxxp://webkits.ru/mn3dka

The malware is detected by 17/57 AV engines at Virus Total and the analysis is available on Malwr.

This campaign is currently very prominent in our global logs at MX Lab and  has the same characteristics as the campaign “recent bill” and “Additional information needed“. Sources indicate that this ransomware is Locky.