Thursday, 8 January 2015

Ieuan James invoice EME018.docx {emerysieuan@gmail.com macro} malware

Ieuan James invoice {emerysieuan@gmail.com} invoice EME018.docx is being spammed out. The attachment is a Word document with a macro embedded in it...

Message Header:
From: Ieuan James {emerysieuan@gmail.com}
Subject: invoice EME018.docx
X-Mailer: iPhone Mail (12B411)

Example Message Body:
N/A
Attachment name:
invoice EME018.doc

MD5 Hash:
8c355ebd6582ce9bc1e2187eb826f1cb

Malware Macro document information:

VirusTotal Report [1]
(hits 1/56 Virus Scanners)

Malwr Report [1]

Decoded Macro [1]
Sanesecurity signatures are blocking this as:
Sanesecurity.RogueDoc.0hr.20150108-0806
Sanesecurity.Malware.24679.DocHeur
NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside them.

The auto-downloaded file is normally a Windows executable, so it will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking automated screenshots, or copying information from your clipboard (copy/paste)).

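As an added example (mine, not part of Steve's post or of the Sanesecurity signatures), the check below shows how a mail filter can hold a Word attachment that carries a VBA project regardless of the extension it was sent with: a zip-based (.docx/.docm) file is inspected for a word/vbaProject.bin part, a legacy binary (.doc) file is checked for the OLE2 magic plus the "Macros" and "_VBA_PROJECT" names that Word writes into the compound-file directory, and the MD5 is compared with the hash from the post. The sample attachments are constructed in memory, the string search on the OLE file is a heuristic rather than a full compound-file parse, and the function names are my own.

```python
import hashlib
import io
import zipfile

# Hash listed in the post; the constructed samples below will not match it.
KNOWN_BAD_MD5 = {"8c355ebd6582ce9bc1e2187eb826f1cb"}

# Compound-file (OLE2) signature that starts every legacy .doc/.xls and every vbaProject.bin.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store names as UTF-16LE; Word keeps a VBA project under a
# "Macros" storage that contains a "_VBA_PROJECT" stream.  Searching the raw bytes
# for those names is a heuristic, not a full compound-file parse (assumption).
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def ooxml_macro_parts(data):
    """Names of VBA parts in a zip-based Office file; empty if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def ole_has_vba(data):
    """True if data is an OLE2 file whose raw bytes name a VBA project storage/stream."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in OLE_VBA_MARKERS)


def triage_attachment(filename, data):
    """Decide whether an attachment should be held, ignoring the extension it was sent with."""
    verdict = {"name": filename, "md5": md5_hex(data), "macro": False,
               "reason": "no VBA project found"}
    if verdict["md5"] in KNOWN_BAD_MD5:
        verdict.update(macro=True, reason="MD5 matches a known sample")
        return verdict
    parts = ooxml_macro_parts(data)
    if parts:
        verdict.update(macro=True, reason="OOXML part(s) " + ", ".join(parts))
    elif ole_has_vba(data):
        verdict.update(macro=True, reason="OLE2 file with Macros/_VBA_PROJECT entries")
    return verdict


def build_ooxml(parts):
    """Build a minimal zip in memory standing in for a Word OOXML file (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a plain .docx, a .docx that smuggles a VBA project, and a
# fake legacy .doc (OLE header followed by directory-entry names).  None is real malware.
SAMPLE_CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
SAMPLE_MACRO_DOCX = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 24,
})
SAMPLE_MACRO_DOC = (OLE_MAGIC + b"\x00" * 504
                    + "Macros".encode("utf-16-le") + b"\x00" * 52
                    + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 40)


if __name__ == "__main__":
    for name, blob in [("invoice EME018.docx", SAMPLE_CLEAN_DOCX),
                       ("invoice EME018.docx", SAMPLE_MACRO_DOCX),
                       ("invoice EME018.doc", SAMPLE_MACRO_DOC)]:
        v = triage_attachment(name, blob)
        print(f"{v['name']:22} md5={v['md5']} hold={v['macro']} ({v['reason']})")
```

The point of checking the bytes rather than the filename is that the subject line says .docx while the attachment is named .doc, and a gateway that only matches extensions can be bypassed by renaming; a hash match is the cheapest check but only catches this exact sample, so the structural macro check is what holds the next re-spin.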
Cheers,

Steve

1 comment:

Andrew Sayers said...

I've had a few from other addresses too, so there may be a range of compromised addresses sending out this spam.