Monday, 12 January 2015

Invoice from simply carpets of Keynsham Ltd document malware

Emails with the subject "Invoice from simply carpets of Keynsham Ltd", claiming to come from sales@simplycarpets.co.uk and carrying an attached document, are being spammed out. The document contains a macro.

The Word document attachment is random; however, these emails aren't from Keynsham Ltd at all. The company's name is just being used to make the email look more genuine, i.e. from a real company.

It's also worth remembering that the company itself may not have any knowledge of this attachment as it won't have come from their servers and IT systems.

They may not be able to tell you if it's malware or even help clean up your system.

Message Header:
From: "Simply carpets " {sales@simplycarpets.co.uk}
To: hilaryr@newburydata.co.uk
Subject: Invoice from simply carpets of Keynsham Ltd
Date: Mon, 12 Jan 2015 09:40:29 +0200

Message Body:
Your invoice is attached.  Please remit payment at your earliest
convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

simply carpets of Keynsham Ltd

Inv_12983_from_simply_carpets_of_keynsham_ltd_3464.doc

MD5 Hashes:
030bbc1dc435a612d4ed7a049470ddb5
4cbc955ea75fa3edff0f73c2ca859119

Malware Macro document information:

VirusTotal Report [1]
(hits 0/56 Virus Scanners)

VirusTotal Report [2]
(hits 0/56 Virus Scanners)

Malwr Report [1]

Decoded Macro [1]

Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24679.DocHeur.
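
The following Python is an added example, not part of the original post and not Sanesecurity's signature logic: it checks a message's attachments against the two MD5 hashes listed above and, because the attachment varies, also flags any OLE2 document whose bytes contain the `_VBA_PROJECT` stream name. The function names, the byte-search heuristic and the sample message are assumptions constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# MD5 hashes listed in this post for the malicious .doc attachments.
KNOWN_MD5 = {"030bbc1dc435a612d4ed7a049470ddb5",
             "4cbc955ea75fa3edff0f73c2ca859119"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # OLE2 compound file (.doc/.xls)
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream name stored when macros exist


def triage(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment; 'verdict' is block, suspicious or ok."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        md5 = hashlib.md5(data, usedforsecurity=False).hexdigest()
        is_ole = data.startswith(OLE_MAGIC)
        has_vba = is_ole and VBA_MARKER in data  # heuristic, not a full OLE parse
        if md5 in KNOWN_MD5:
            verdict = "block"        # exact match on a hash from the post
        elif has_vba:
            verdict = "suspicious"   # macro-bearing Office file with an unknown hash
        else:
            verdict = "ok"
        findings.append({"name": part.get_filename(), "md5": md5,
                         "ole": is_ole, "macro": has_vba, "verdict": verdict})
    return findings


def build_sample(payload: bytes, filename: str) -> bytes:
    """Constructed test message using the subject and sender shown in the post."""
    m = EmailMessage()
    m["From"] = "sales@simplycarpets.co.uk"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice from simply carpets of Keynsham Ltd"
    m.set_content("Your invoice is attached.")
    m.add_attachment(payload, maintype="application", subtype="msword",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Constructed, harmless bytes: OLE header plus the VBA stream name only.
    fake_doc = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER
    for finding in triage(build_sample(fake_doc, "Inv_0000_test.doc")):
        print(finding)
```
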


NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,

Steve

6 comments:

Anonymous said...

Thanks for the heads-up, I also received this email this morning.
regards,

Mark

Anonymous said...

Received this email this morning - googled the subject line and found this. Thank you.

Ivy said...

Thank you very much for your blog entry, we received this email too in our company. :)

Anonymous said...

Also received this email this morning. Thanks for the warning.

Zoe Wilkins said...

I helped simply carpets try to manage this today. Constant phone calls, over 17000 emails from across the globe. There was little chance of genuine clients being able to contact them. A temporary email and contact number has been set up for genuine clients only. Today has been crippling. I hope something can be done to stop this occurring again.

sammm said...

Just received the email just now. I figured it was a virus.