Wednesday, 10 December 2014

XLS Macro malware: K J Watking & Co

Another run of the faked K J Watking & Co emails, containing an XLS spreadsheet, e.g. BAC439622TB.xls (example name), which has macro-based malware inside it.


Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Heath David
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 432377
Interestingly, they've used the same malware XLS as in the earlier post today and just renamed it...

eg.

This malware run: BAC998947HJ.xls (hash: 061930c8fc246872dda3af5670d3ea44)
Earlier malware run: ID_00477M.xls (hash: 061930c8fc246872dda3af5670d3ea44)
All variants were zero-hour (0 hour) detected by:

Sanesecurity.Malware.24631.XlsHeur (phish.ndb)
and additionally Sanesecurity.Rogue.0hr.20141210-1026 (rogue.hdb)

Update:

Since the macro malware downloads an exe, it's interesting to see how many times the malware exe file has actually succeeded in being downloaded:

73,655 -- http://217 DOT 174 DOT 240 DOT 46 :8080/stat/stati.php
73,672 -- http://187 DOT 33 DOT 2 DOT 211 :8080/stat/stati.php

That's a few infected PCs there :(

Cheers,
Steve
Sanesecurity
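
The post notes that this run's attachment is byte-identical to the earlier one under a new filename, which is why a hash-based entry (as in a ClamAV `.hdb` database, format `MD5:FileSize:SignatureName`) catches both. The following is an added example, not code from the post or from Sanesecurity: it clusters attachments by content hash to surface renamed re-use and matches on content only. The sample bytes are constructed, and the signature prefix `Example.Rogue` is a hypothetical name.

```python
import hashlib
from collections import defaultdict

# Constructed sample bytes (OLE2 magic plus filler), not real malware.
SAMPLE_BODY = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed-sample-A" * 4
OTHER_BODY = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed-sample-B" * 4
SAMPLE_ATTACHMENTS = [
    ("BAC998947HJ.xls", SAMPLE_BODY),   # filenames taken from the post
    ("ID_00477M.xls", SAMPLE_BODY),     # same bytes, different name
    ("report.xls", OTHER_BODY),         # constructed unrelated file
]

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def cluster_by_content(attachments):
    """Group filenames by (MD5, size) so renamed copies land in one cluster."""
    clusters = defaultdict(list)
    for name, data in attachments:
        clusters[(md5_hex(data), len(data))].append(name)
    return dict(clusters)

def renamed_runs(clusters):
    """Keep only content seen under more than one filename."""
    return {k: v for k, v in clusters.items() if len(set(v)) > 1}

def to_hdb_lines(clusters, prefix="Example.Rogue"):
    """Emit ClamAV .hdb entries: MD5:FileSize:SignatureName (hypothetical names)."""
    return [f"{d}:{s}:{prefix}.{i}"
            for i, (d, s) in enumerate(sorted(clusters), 1)]

def load_hdb(lines):
    """Parse .hdb lines into {(md5, size): signature_name}."""
    sigs = {}
    for line in filter(None, (l.strip() for l in lines)):
        digest, size, name = line.split(":", 2)
        sigs[(digest.lower(), int(size))] = name
    return sigs

def scan(data, sigs):
    """Return the matching signature name, or None; the filename is never used."""
    return sigs.get((md5_hex(data), len(data)))

if __name__ == "__main__":
    reused = renamed_runs(cluster_by_content(SAMPLE_ATTACHMENTS))
    for (digest, size), names in reused.items():
        print(digest, size, sorted(names))
    sigs = load_hdb(to_hdb_lines(reused))
    print(scan(SAMPLE_BODY, sigs), scan(OTHER_BODY, sigs))
```

A hash entry only matches exact bytes, so any change to the file content produces a new hash and needs a new entry or a heuristic signature.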

6 comments:

Anonymous said...

I just had a similar email - very believable and reputedly from a real company with Google history -

Here is what the email said and how it was signed.

10 December 2014 15:08
Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Tyrone Ortiz
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 526323

Anonymous said...

Have just received two emails from K J Watking & Co both re remittances. Really worrying as, having opened one, I found that there were real xls sheets of my current bank accounts. Does this virus affect Macs?

Anonymous said...

Have just received two emails from K J Watking & Co both saying I had a BACS payment. Unfortunately I opened one to find that the attachments showed a spreadsheet of my recent bank account transactions. This is very worrying. Does the virus affect Macs?

Anonymous said...

Anyone who's downloaded these XLS files and found relevant information - suggest you check your on-line banking system - if it's all through one particular bank, they themselves may have been hacked!

Anonymous said...

I've received an email but there was no Excel attachment on the. The same as everyone else but my contact was Diane Gilmore Tel No 01469 706319

Anonymous said...

Looks like the anonymous colleagues are inviting people to open the XLS files ... beware of that