Posted in Network Security; Tagged GlobeImposter, 726 ransomware, Blank Slate, malspam, Invoice NIC837385, campuslinne, maxmortgagenetwork, delimaslina, email spam, ransomware, bitcoin; Posted 9 months ago
Over the past 24 hours, Nuspire Networks’s SAT team has been monitoring a spam campaign via our nuMail service. The campaign attempts to deliver the GlobeImposter/726 ransomware to Nuspire customers under several different subject lines, such as "Voice Message Attached from," "Voicemail From," and "Invoice NIC837385." Each email carries a .ZIP attachment that contains a malicious .VBS script file.
Once the .VBS script file is unzipped and executed, the malware contacts one of the malicious domains preloaded into the script to download the ransomware payload. Once the ransomware is dropped onto the machine, it begins encrypting files and ultimately presents the user with a ransom screen demanding a payment of 0.37 Bitcoin ($997.15). As always, paying the ransom is never recommended; the best method for restoring files is a functioning backup solution.
Below are some Indicators of Compromise (IOCs) we were able to obtain.
MD5 Hashes:
3dd6a432bae88995e7912e1dfd47b2fb
7c7245123550d5a15bc6a86f201d04ec
132dda57d1f0456ec1c31405b1d4087f
Malicious Domains:
campuslinne[dot]com
maxmortgagenetwork[dot]com
delimaslina[dot]com
Bitcoin Payment Address:
13gKKDGFmkFXzZLrXs5smC6AYglcrm9eh5
More information will be added as further developments arise.