Friday, 9 January 2015

Datasharp UK Ltd - Monthly Invoice & Report - ebilling@datasharp.co word malware

Emails with the subject "Datasharp UK Ltd - Monthly Invoice & Report", sent from ebilling@datasharp.co and carrying an attached Word document, are being spammed out. The document contains a macro.

The attached Word document varies from email to email; however, these emails aren't from Datasharp UK Ltd at all. The company name is just being used to make the email look more genuine, i.e. as if it came from a real company.

It's also worth remembering that the company itself may have no knowledge of this attachment, as it won't have come from their servers or IT systems.

They may not be able to tell you if it's malware or even help clean up your system.

Comment Update: "I Work for Datasharp - we are receiving a high volume of calls due to this email - please just treat as spam - delete and virus check No need to call in - the email was not sent from us. (14:38)"
Message Header:
From: {ebilling@datasharp.co}
Subject: DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report
Date: Fri, 09 Jan 2015 14:42:47 +0700

Message Body:
THIS MESSAGE WAS SENT AUTOMATICALLY
Attached is your Invoice from Datasharp Hosted Services for this month.
To view your bill please go to www.datasharp.co.uk.  Allow 24 hours before viewing this information.
For any queries relating to this bill, please contact hosted.services@datasharp.co.uk or call 01872 266644.
Please put your account number on your reply to prevent delays
Kind Regards
Ebilling

Invoice_2839240.doc

MD5 hashes:
625dd97b2495691ea687adb122749508
94e5abd0bffe71c4e6b73a81c362fa5b

Malware Macro document information:

VirusTotal Report [1]
(hits 0/56 Virus Scanners)

VirusTotal Report [2]
(hits 0/56 Virus Scanners)

Malwr Report [1]

Decoded Macro [1]
Sanesecurity signatures are blocking this as: Sanesecurity.RogueDoc.0hr.20150109-0752


NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking screenshots, or copying information from your clipboard (copy/paste)).
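The post lists three things a defender can act on: the MD5 hashes of the two samples, the fact that the attachment is a legacy .doc carrying a VBA macro, and the mismatch between the spoofed sender domain (datasharp.co) and the real company domain the body itself points to (datasharp.co.uk). The triage script below, added here as an example and not code from the post or from Sanesecurity, combines those three checks over a constructed stand-in message. The macro check is a byte-level heuristic (it looks for the UTF-16LE stream names an OLE2 file only carries when a VBA project is present) rather than a full OLE parser, the sample attachment bytes are constructed and so their hash will not match the listed IoCs, and the quarantine/review/allow policy is an assumption of this example.

```python
"""Triage helper for the Datasharp-themed macro malspam (added example)."""
import hashlib
import re

# MD5 hashes of the two malicious attachments quoted in the post.
KNOWN_BAD_MD5 = {
    "625dd97b2495691ea687adb122749508",
    "94e5abd0bffe71c4e6b73a81c362fa5b",
}

# Legacy Word .doc files are OLE2 compound files. Their directory stores
# stream/storage names as UTF-16LE, and a VBA project always creates a
# "_VBA_PROJECT" stream under a "Macros" storage, so those names in the raw
# bytes are a cheap macro indicator. Heuristic only; use olevba for real work.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_MARKERS = ["_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le")]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def is_known_bad(md5_hexdigest):
    return md5_hexdigest.lower() in KNOWN_BAD_MD5


def looks_like_macro_doc(data):
    """True if data is an OLE2 file whose bytes contain VBA project stream names."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)


def sender_domain(from_header):
    """Domain part of the address in a From: header ("{ebilling@datasharp.co}")."""
    m = re.search(r"@([a-z0-9-]+(?:\.[a-z0-9-]+)+)", from_header.lower())
    return m.group(1) if m else ""


def domains_in_body(body):
    """Domains the body itself directs the reader to (URLs and e-mail addresses)."""
    pattern = r"(?:@|www\.|https?://)([a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    return set(re.findall(pattern, body.lower()))


def is_lookalike(sender, legit_domains):
    """Sender shares its first label with a body domain but is not that domain,
    e.g. datasharp.co posing as datasharp.co.uk."""
    return any(sender != d and sender.split(".")[0] == d.split(".")[0]
               for d in legit_domains)


def triage(message):
    attachment = message["attachment"]
    digest = md5_hex(attachment)
    sender = sender_domain(message["from"])
    legit = domains_in_body(message["body"])
    findings = {
        "md5": digest,
        "hash_match": is_known_bad(digest),
        "macro_suspected": looks_like_macro_doc(attachment),
        "sender_domain": sender,
        "lookalike_sender": is_lookalike(sender, legit),
    }
    # Assumed policy: a known hash, or a macro document from a lookalike
    # sender, is quarantined; any single indicator goes to human review.
    if findings["hash_match"] or (findings["macro_suspected"] and findings["lookalike_sender"]):
        findings["verdict"] = "quarantine"
    elif findings["macro_suspected"] or findings["lookalike_sender"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "allow"
    return findings


# Constructed stand-in for Invoice_2839240.doc: OLE header, padding and VBA
# stream names. It is NOT the real sample, so its MD5 will not match the IoCs.
SAMPLE_DOC = (OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")
              + b"\x00" * 20 + "_VBA_PROJECT".encode("utf-16-le"))

# Constructed from the header and body quoted in the post.
SAMPLE_MESSAGE = {
    "from": "{ebilling@datasharp.co}",
    "subject": "DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report",
    "body": (
        "THIS MESSAGE WAS SENT AUTOMATICALLY\n"
        "Attached is your Invoice from Datasharp Hosted Services for this month.\n"
        "To view your bill please go to www.datasharp.co.uk.  Allow 24 hours "
        "before viewing this information.\n"
        "For any queries relating to this bill, please contact "
        "hosted.services@datasharp.co.uk or call 01872 266644.\n"
    ),
    "attachment_name": "Invoice_2839240.doc",
    "attachment": SAMPLE_DOC,
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run as-is it reports the constructed message as "quarantine" on the macro and lookalike-sender indicators with no hash match; feed it the bytes of a real attachment and the hash check does the work on its own. The sender/body domain comparison is deliberately simple and is meant as an illustration of the mismatch the post describes, not as a general spoofing detector.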
Cheers,

Steve

10 comments:

Anonymous said...

Thanks for confirmation of this scam - the second new one for me in two days. I was alerted because I do not use Datasharp.
Early yesterday morning I received a phone call supposedly from Microsoft telling me my 'Windows computer was distributing viruses'. When I was asked to download a file from www.ammyy.com I realised this was not a genuine call from Microsoft. Tricky times.

Anonymous said...

Thanks for the info - just caught a load of these thanks to a new rule created because of this blog...

Anonymous said...

Thanks, I Googled this because I got one this morning. It's the first time one of these types of email has not been automatically sent to my spam folder :\

Anonymous said...

I too received this email this morning invoicing me for apparent hosted services. It was sent to my business email address where I would ordinarily open invoices but I didn't recognise the vendor so erred on the side of caution.

Thank you to all for posting comments and so quickly.

lucy@bigpondconsulting.com said...

I phoned your office because I did not expect a bill from you. The person on the call did not advise that this was malware, and just told me that your IT team were looking into things. He agreed to contact me when you had found out how you had my address. This was completely misleading. Why did he not tell me that this was malware and advise me not to open the attachment?

Vince said...

I suspect the reason is that at the time you called Datasharp didn't know the full impact of the issue or what precisely was happening.

They aren't generating these e-mails, or the content of them remember, it's someone spoofing them which is the problem - so they're as much a victim in that regard as you.

Vince (who doesn't work for them but does work in this industry and understands the issues)

Anonymous said...

I’m usually very security-orientated but this morning, before I had my morning coffee and was running on auto-pilot, I accidentally opened this file and macro. However my anti-virus software (Panda) isn’t picking anything up. Any recommendations of what to do in the meantime?

Anonymous said...

Many thanks for the information, received the email last night

Anonymous said...

I Work for Datasharp - we are receiving a high volume of calls due to this email - please just treat as spam - delete and virus check
No need to call in - the email was not sent from us.

Anonymous said...

Chelsea girl - I too received this email on 9/1/15 along with another email from PPHE Hotel Group, when I Googled they seem to exist but I suspect it is also malware, I have only just renewed my security for another year but unfortunately for a couple of days I was unprotected.