Wednesday, 10 December 2014

XLS macro malware: Anglia Engineering Solutions Ltd

Looks like another XLS macro run has just started... this time it's faked from this company...


Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 694878F]

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.

Kind regards

Bertha Hahn

Anglia Engineering Solutions Ltd
Tel: 01469 382553


There are currently 4 variants, all of which were detected at zero hour (0 hour) by:

Sanesecurity.Malware.24631.XlsHeur

Additionally, Sanesecurity.Rogue.0hr.20141210-1026 blocks the following hashes, which on VirusTotal are currently not detected by any of the 56 virus scanners:

061930c8fc246872dda3af5670d3ea44
20a66473d970a3b91aa0e6184e6d7e76
b5153a417ab4e4a2017a08909c771dfd
ed3f7389bd63fb1dd6c35279e7009046

Cheers,

Steve
www.sanesecurity.com

9 comments:

Russell said...

We've just had hundreds of these come in. Spreadsheet payload for ours is at hxxp://41.0.5.138:8080/stat/lld.php

Anonymous said...

Had 3 already!

Anonymous said...

Just had two emails exactly the same as this come through. Different senders.

Anonymous said...

Received this too!!!!!

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.

Kind regards

Fran Cardenas

Anglia Engineering Solutions Ltd

Tel: 01469 582108

Anonymous said...

Received this too!!!

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.

Kind regards

Fran Cardenas

Anglia Engineering Solutions Ltd

Tel: 01469 582108

Anonymous said...

I had this, this morning.

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.


Kind regards
Isaias Mercer
Anglia Engineering Solutions Ltd
Tel: 01469 468592

M. Peacock said...

11:56am on 10/12/2014

I have had 2 fake e-mails in the last hour, both purporting to come from Anglia Engineering Solutions. One was from Sharron either Nielsen or Nielson (I can't remember, I deleted it), the other from "Katharine Sullivan" according to the return address in the header info.

Anglia . . . is a genuine company, and I believe that they know nothing about this scam. The fake e-mails include phone numbers starting 01469, which is correct for Anglia, but the rest of the number does not appear to correspond with the correct Anglia phone number.

A few days ago I had one referring to martechnology.co.uk. Martechnology is another genuine company, and in this case it may be significant that "martechnology" is part of my e-mail address and has been since the mid 90s.

In all cases there has been no attachment, either XLS or any other type.

In case anyone can make out where these are coming from and how to put a stop to it, I repeat below the complete text including all header info for the last one received.

================

From:
"Katharine Sullivan"
To:
mp@martechnology.freeserve.co.uk
Date: Dec 10 2014, 11:33 AM
Subject:
Remittance Advice from Anglia Engineering Solutions Ltd [ID 953387A]
Return-Path:
Received: from mwinf5c09 (mwinf5c09 [10.223.111.59])
by mwinb3503 with LMTPA;
Wed, 10 Dec 2014 12:33:10 +0100
X-Sieve: CMU Sieve 2.3
Received: from AGC114SUPERXP.att.net ([64.160.76.12])
by mwinf5c09 with ME
id RnWE1p00E0FvJzC01nWE9E; Wed, 10 Dec 2014 12:33:10 +0100
X-bcc: martechnology@freeserve.co.uk
Envelope-to: mp@martechnology.freeserve.co.uk
X-ME-bounce-domain: martechnology.freeserve.co.uk
X-ME-engine: default
X-me-spamcause: (0)(0000)gggruggvucftvghtrhhoucdtuddrfeejiedrgedtgddvjecutefuodetggcurfhrohhfihhlvgemucfogfenuceurghilhhouhhtmecugedttdenucenucfju
ghrpefhvffurhgtggfkffesrgdtfegstddtjeenucfhrhhomhepfdfmrghthhgrrhhinhgvucfuuhhllhhivhgrnhdfuceonfgrughonhhnrgdrieelkedtsegrthhtrdh
nvghtqe
X-me-spamlevel: not-spam
X-ME-Helo: AGC114SUPERXP.att.net
X-ME-IP: 64.160.76.12
X-ME-Entity: ouk
From: "Katharine Sullivan"
To: mp@martechnology.freeserve.co.uk
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 953387A]
Reply-To: "Katharine Sullivan"
Content-Type: multipart/alternative; boundary="----=_Part_37356545_9532428387.8540982024441"
MIME-Version: 1.0
Message-Id: <20141210033014.031001653774@AGC114SUPERXP.att.net>
Date: Wed, 10 Dec 2014 03:30:14 -0700
Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.


Kind regards
Katharine Sullivan
Anglia Engineering Solutions Ltd
Tel: 01469 679017
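The header dump above shows the three things a mail filter can key on in this run: the templated subject with its six-digit-plus-letter ID, the empty "Dear ," salutation the mail-merge left behind, and a message claiming to be from Anglia that actually arrived from an att.net host. The check below is an added example, not code from the post or its commenters; the mx.example.invalid relay and example.invalid addresses are placeholders, while the att.net host, IP and Message-Id are as quoted in the comment.

```python
import re
from email import message_from_string, policy

# Lure indicators from the messages quoted on this page: templated subject with a
# six-digit-plus-letter ID, empty "Dear ," salutation, unrelated origin host.
SUBJECT_RE = re.compile(r"^Remittance Advice from (?P<company>.+?) \[ID \d{6}[A-Z]\]$")
EMPTY_SALUTATION_RE = re.compile(r"^Dear\s*,\s*$", re.MULTILINE)
RECEIVED_FROM_RE = re.compile(r"from\s+([\w.-]+)", re.IGNORECASE)

def origin_hosts(msg):
    """Message-Id domain plus the host named in the oldest Received line, deduplicated."""
    hosts = []
    msgid = msg.get("Message-Id", "")
    if "@" in msgid:
        hosts.append(msgid.rsplit("@", 1)[1].strip("<> ").lower())
    received = msg.get_all("Received") or []
    hop = RECEIVED_FROM_RE.search(received[-1]) if received else None
    if hop:
        hosts.append(hop.group(1).lower())
    return list(dict.fromkeys(hosts))

def score_remittance_lure(raw_message):
    """Return the lure indicators found in an RFC 5322 message given as a string."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    if m:
        reasons.append("templated remittance subject")
        # The claimed company's first word ("anglia") should appear in the real origin hosts.
        token = m.group("company").split()[0].lower()
        hosts = origin_hosts(msg)
        if hosts and not any(token in h for h in hosts):
            reasons.append("origin hosts unrelated to claimed company: " + ", ".join(hosts))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and EMPTY_SALUTATION_RE.search(body.get_content()):
        reasons.append("empty 'Dear ,' salutation left by the mail-merge template")
    return reasons

# Constructed sample cut down from the quoted header and body; addresses are placeholders.
SAMPLE_LURE = """\
Received: from AGC114SUPERXP.att.net ([64.160.76.12]) by mx.example.invalid; Wed, 10 Dec 2014 12:33:10 +0100
From: "Katharine Sullivan" <sender@example.invalid>
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 953387A]
Message-Id: <20141210033014.031001653774@AGC114SUPERXP.att.net>
Content-Type: text/plain; charset=us-ascii

Dear ,

Anglia Engineering Solutions Ltd
"""
```

Running `score_remittance_lure(SAMPLE_LURE)` returns all three indicators, while an ordinary message with a personalised salutation and an unrelated subject returns an empty list.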

Anonymous said...

Also received two of these. Only worry, there is an attachment which I cannot find in the message. Have they found a way of disguising the attachment, so that if I click anywhere on the message I get infected?

Anonymous said...

I just spoke to Anglia Engineering who apologised and were unhappy that this had occurred although the 700 phone calls they've had today proves that if you want to reach lots of people get someone to fake a payment from your company. I gather this problem is in a hidden macro which autoruns if you open the file. I've not come across this for some years so I expect less experienced folks will fall prey.
Rick