Tuesday, 23 December 2014

Remittance Advice (malware excel attachment)

Another incoming excel attachment with macro...

From: "Hood"  (random from address)
Subject: Remittance Advice -FHAX74
(random reference)


Confidentiality and Disclaimer:  This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error.  



This email and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.
Please note that electronic mail may be monitored in accordance with the Telecommunications (Lawful Business Practices)(Interception of Communications) Regulations 2000.



 The Attachment, for example FHAX74.xls contains a macro code to download extra malware onto
you system.   The attachment filename is random.

Md5 hashes so far and report clean from VirusTotal:

013c90d7a07e365e82fd8ed0103efbe9
378a36d9d110251717de6061411f6714

Decoded macro here: (pastebin)

Sanesecurity signatures are blocking this one as:

Sanesecurity.Malware.24675.XlsHeur.UNOFFICIAL FOUND

Just to show you the sort of numbers involved in these virus runs... per hour... that one site is
receiving...





NOTE


The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))


Cheers,
Steve
Sanesecurity.com

No comments: