Another macro-based malware incoming, using Excel
From: "Frederic Nichols"
Subject: PL REMITTANCE DETAILS ref825235IN
The attached remittance details the payment of £720.58 made on
16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any
changes are required please email back to this email address quoting
your remittance reference.
825235IN.xls (random filename)
Four Variants (md5 hashes below)
12a329ec30a90b57ad5d65261a03038c
666a50998673aca9abc1b54be355a950
7c9e2b80062f7e5c7faa8a97ea134df1
80e98b1dbc5af0e40e4fa0b96e181c14
Detected as:
Sanesecurity.Rogue.0hr.20141217-1001 (rogue.hdb)
Sanesecurity.Malware.24667.XlsHeur (phish.ndb)
Update: the live malware from one of the download locations seems to
have been run by 96,120 people already :(
h t t p : / / [remove]38 DOT 96 DOT 175 DOT 139:8080/stat/stati.php
Cheers,
Steve
Sanesecurity.com
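A mail-triage check for the template shown above, as an added example (not Sanesecurity's signatures and not code from the original post). The function and trait names are hypothetical, the extension list is an assumption, and the "attachment named after the reference" trait assumes the pairing seen in the one sample above (ref825235IN with 825235IN.xls) holds for other copies. The test messages are constructed.

```python
import re
from email import message_from_bytes, policy

# Template strings taken from the sample e-mails quoted on this page.
SUBJECT_RE = re.compile(r"PL REMITTANCE DETAILS ref(\d{6}[A-Z]{2})\b")
BODY_MARKERS = ("PL Payment Remittance of Integra Finance System", "by BACSE")
OFFICE_EXT = {"xls", "xlsm", "doc", "docm"}  # assumption: extensions worth flagging

def score_message(raw: bytes):
    """Return the list of campaign traits found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    ref = SUBJECT_RE.search(str(msg.get("Subject", "")))
    if ref:
        hits.append("subject-template")
    texts, names = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_content())  # decodes transfer encoding/charset
    body = " ".join(" ".join(texts).split())  # undo hard line wrapping
    if all(marker in body for marker in BODY_MARKERS):
        hits.append("body-template")
    for name in names:
        stem, _, ext = name.rpartition(".")
        if ext.lower() in OFFICE_EXT:
            hits.append("office-attachment")
            if ref and stem == ref.group(1):
                hits.append("attachment-named-after-ref")
    return hits

def build_sample(subject, body, filename=None):
    """Constructed test message; the attachment body is a harmless placeholder."""
    head = f'Subject: {subject}\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    text = f'--b1\nContent-Type: text/plain; charset="utf-8"\n\n{body}\n'
    att = ""
    if filename:
        att = ("--b1\nContent-Type: application/vnd.ms-excel\n"
               f'Content-Disposition: attachment; filename="{filename}"\n\nplaceholder\n')
    return (head + text + att + "--b1--\n").encode("utf-8")

CAMPAIGN = build_sample(
    "PL REMITTANCE DETAILS ref825235IN",
    "The attached remittance details the payment of £720.58 made on\n"
    "16-DEC-2014 by BACSE.\nThis email was generated using PL Payment "
    "Remittance of Integra Finance System.",
    "825235IN.xls")
```

A message carrying all four traits is a strong match for this run; a lone "office-attachment" hit is only a reason to look closer.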
21 comments:
Just got one of these emails today...
I just received this to my work email from Darla
Subject PL REMITTANCE DETAILS ref183634OL
The attached remittance details the payment of £375.69 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.
This one received this morning.
The attached remittance details the payment of £753.75 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.
Interestingly it was sent TO a company that we are a supplier to.
Whether that was by accident or it originated from them I’m not sure.
But it certainly gave it an extra element of credibility.
Just had this reported :
From: Sharron [mailto:Sharron.864@kims-world.net]
Sent: 17 December 2014 09:54
To: xxxxx xxxxx
Subject: PL REMITTANCE DETAILS ref047460WL
The attached remittance details the payment of £480.83 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.
just received one of these emails this morning to my works email
had one from 'Danny'
Yes I just got the same: From: "Anita Barron"
Also had one today - deleted unopened: The attached remittance details the payment of £336.27 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.
I've had two today. What are they and where do they come from? Do they contain viruses? Hacks? What do I need to do?
I had two this morning, sent within 2 minutes. Do I need to do anything? Have I been hacked, scammed, infected? Please reply
I got one today, tried to delete it but it won't delete, do I need to do anything
I had one of these today, and I cannot delete it. do I need to do anything
The attached remittance details the payment of £540.44 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.
can someone actually comment to say if you or we should be worried by this? like have they or will they take the money out or what?
Thanks for publicising this. Yahoo did not pick this out as spam but did however allow me to easily identify the originating country as Uruguay, grateful to them for that useful feature.
Can anybody shed any light to what these emails are all about instead of posting the email they got...... We all got more or less the same email
I received a similar mail and the value stated was exactly the same as a recent transaction I made via online banking. Does the same apply to everyone who has already posted? A phishing mail is one thing, but the fact that it includes details of actual transactions is more sinister.
I received one of these mails yesterday and the value in the body was exactly the same (to the penny) as a transaction I made recently via online banking. Has that been the case for everyone who has posted above? A simple phishing email is one thing but the fact that it includes details of actual transaction amounts is more sinister.
Thanks.