Wednesday, 17 December 2014

Excel Malware: PL REMITTANCE Integra Finance

Another macro based malware incoming, using Excel

From: "Frederic Nichols" 
Subject: PL REMITTANCE DETAILS ref825235IN

The attached remittance details the payment of £720.58 made on
16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any
changes are required please email back to this email address quoting
your remittance reference.

825235IN.xls (random filename)

 
Four Variants (md5 hashes below)
 

12a329ec30a90b57ad5d65261a03038c
666a50998673aca9abc1b54be355a950
7c9e2b80062f7e5c7faa8a97ea134df1
80e98b1dbc5af0e40e4fa0b96e181c14
 

Detected as: 
 
Sanesecurity.Rogue.0hr.20141217-1001 (rogue.hdb)
Sanesecurity.Malware.24667.XlsHeur (phish.ndb)
 
Update: the live malware from one of the download locations, seems to
have been run by 96,120 people already :(
 
h t t p : / / [remove]38 DOT 96 DOT 175 DOT 139:8080/stat/stati.php
 
 
Cheers,
 
Steve
Sanesecurity.com 
 

21 comments:

Sean Durrant said...
This comment has been removed by the author.
Sean Durrant said...

Just got one of these emails today...

Sean Durrant said...
This comment has been removed by the author.
Anonymous said...

I just received this to my work email from Darla

Subject PL REMITTANCE DETAILS ref183634OL

The attached remittance details the payment of £375.69 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

Radchek said...

I just received this to my work email from Darla

Subject PL REMITTANCE DETAILS ref183634OL

The attached remittance details the payment of £375.69 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

Anonymous said...

This one received this morning.

The attached remittance details the payment of £753.75 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

Sean Durrant said...

Interestingly it was sent TO a company that we are a supplier to.

Whether that was by accident or it originated from them I’m not sure.

But it certainly gave it an extra element of credibility.

Anonymous said...

Just had this reported :
From: Sharron [mailto:Sharron.864@kims-world.net]
Sent: 17 December 2014 09:54
To: xxxxx xxxxx
Subject: PL REMITTANCE DETAILS ref047460WL

The attached remittance details the payment of £480.83 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

Anonymous said...

just received one of these emails this morning to my works email

Anonymous said...

had one from 'Danny'

Morgana said...

Yes I just got the same: From: "Anita Barron"

Anonymous said...

Also had one today - deleted unopened:The attached remittance details the payment of £336.27 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

Julia Walton said...

I've had two today. What are they and where do they come from? Do they contain viruses? Hacks? What do I need to do?

Julia Walton said...

I had two this morning, sent within 2 minutes. Do I need to do anything? Have I been hacked, scammed, infected? Please reply

Jean said...

I got one today, tried to delete it but it won't delete, do i need to do anythins

Jean said...

I had one of these today, and I cannot delete it. do I need to do anything

Chelsie Coles said...

The attached remittance details the payment of £540.44 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

can someone actually comment to say if you or we should be worried by this? like have they or will they tak the money out or what?

Anonymous said...

Thanks for publicising this. Yahoo did not pick this out as spam but did however allow me to easily identify the originating country as Uruguay, grateful to them for that useful feature.

Ash Mcintosh said...

Can anybody shed any light to what these emails are all about instead off posting the email they got...... We all got more or less the same email

Anonymous said...

I received a similar mail and the value stated was exactly the same as a recent transaction I made via online banking. Does the same apply to everyone who has already posted? A phishing mail is one thing, but the fact that it includes details of actual transactions is more sinister.

William Totten said...

I received one of these mails yesterday and the value in the body was exactly the same (to the penny) as a transaction I made recently via online banking. Has that been the case for everyone who has posted above? A simple phishing email is one thing but the fact that it includes details of actual transaction amounts is more sinister.
Thanks.