INVOICE ADVISE and NOVEMBER INVOICE ADVISE another 4 variants of the Senior Accountant documents, are being spammed out containing a macro embedded in a excel and word document
The Excel and Word documents have a random attachment and use a random company name...they just being used to make the email look more genuine, ie. from a real company.
Message Header:
Subject: NOVEMBER INVOICE ADVISE
Subject: NOVEMBER INVOICE
Subject: INVOICE ADVISE
Subject: INVOICE ADVISE 08/01/2015
Example Message Body (Note: Name, Job Title and Company Name are random)
Random Attachment name:
Good morning
Happy New Year
Please could you advise on the November GBP invoice in the attachment for me?
Many thanks
Kind Regards
Caroline Hunter
Senior Accountant
OXFORD TECHNOLOGY VCT PLC
RBAC_3800PI.xls or INV_5742CZ.doc
Md5 Hashes:
a8a9cc665f4cadb8bc32fdd9fe526ac6
61a314f2b18f93d65724abb84f0df3b9
93d2d7ad85e4e1f4f2ecf7c4065c4191
ce576a41bb0ad53c42aa4f2f534fb3bc
Malware Macro document information:
VirusTotal Report [1]
(hits 1/56 Virus Scanners)
VirusTotal Report [2]
(hits 1/56 Virus Scanners)
VirusTotal Report [3]
(hits 1/56 Virus Scanners)
VirusTotal Report [4]
(hits 1/56 Virus Scanners)
Malwr Report [1]
Decoded Macro [1]
Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24671.DocHeur
Cheers,
NOTE
The current round of Word and Excel attachments are targeted at Windows users.
Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.
The auto-download file is normally a windows executable and so will not currently run on any operating system, apart from Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.
Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))
Steve
No comments:
Post a Comment