A "NUCSOFT-Payroll December" document, apparently from Eliza Fernandes, is being spammed out
containing a macro embedded in a Word document.
The Word document has a random attachment; however, these emails aren't from NUCSOFT
at all. The company's name is just being used to make the email look more genuine, i.e. from a real company.
Message Header:
From: "Eliza Fernandes" {eliza_fernandes@nucsoft.co.in}
Date: Wed, 07 Jan 2015 13:56:00 +0530
Subject: NUCSOFT-Payroll December 2014
Message Body:
Please find the data for payroll processing.
Please forward the PDF of summary.
Regards,
Eliza Fernandes
NUCSOFT Ltd.
Finance Dept.
---------------------------------------------------------------------
This message contains privileged and confidential information and is intended only for an individual named. If you are not the intended recipient, you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted,
---------------------------------------------------------------------
NUCSOFT : With You - Until Success and Beyond.... Visit us at http://www.nucsoft.com
---------------------------------------------------------------------
Payroll Dec'14.doc
MD5 Hashes:
a5a79e75d3bb52de745ed45a6be86cbe
Malware Macro document information:
VirusTotal Report [1]
(hits 2/56 Virus Scanners)
Malwr Report [1]
Decoded Macro [1]
Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24646.DocHeur
Cheers,
NOTE
The current round of Word and Excel attachments are targeted at Windows users.
Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.
The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screenshots or copying information from your clipboard (copy/paste)).
Steve
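
An added example (not part of the original post or Sanesecurity's own code) showing how an analyst script or mail gateway hook could check a message's attachments against the MD5 listed above and flag legacy Office files that carry a VBA project. The function names, the sample message and the `_VBA_PROJECT` byte-search heuristic are assumptions of this example; the sample attachment is constructed filler, not the real document.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# MD5 published in the post above for "Payroll Dec'14.doc".
KNOWN_MD5 = {"a5a79e75d3bb52de745ed45a6be86cbe"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc/.xls container header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")   # stream name found in a VBA project

def triage(raw, known_md5=KNOWN_MD5):
    """Return one finding dict per attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.md5(data).hexdigest()
        is_ole2 = data.startswith(OLE2_MAGIC)
        findings.append({
            "filename": part.get_filename(),
            "md5": digest,
            "known_bad": digest in known_md5,
            "ole2": is_ole2,
            # Heuristic only: OLE2 directory entries store names as UTF-16LE,
            # so a macro-bearing file normally contains this byte sequence.
            "has_vba": is_ole2 and VBA_MARKER in data,
        })
    return findings

def build_sample():
    """Constructed test message; the attachment is inert filler bytes."""
    m = EmailMessage()
    m["From"] = '"Eliza Fernandes" <sender@example.invalid>'
    m["To"] = "user@example.invalid"
    m["Subject"] = "NUCSOFT-Payroll December 2014"
    m.set_content("Please find the data for payroll processing.")
    fake_doc = OLE2_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
    m.add_attachment(fake_doc, maintype="application", subtype="msword",
                     filename="Payroll Dec'14.doc")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

A hash match only catches the exact file listed here; since the post notes the attachments vary, the `ole2` and `has_vba` flags are the ones to act on for unsolicited mail.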
8 comments:
Thank you, I have just got one :(
Very helpful. Just got one too
Getting some ourselves. Thanks for this.
Thanks for the info - I just got one as well. It seemed phishy.
We received one this morning at 0832 GMT. Thanks.
Thanks
I just checked my email & have received. Never open up anything from anyone I don't know, then always google it & find the consequences if I had!
Thanks again
Thank you
Just checked my email & had it, now deleted
I have just received one too, are we able to forward it to someone to check it out?