Tuesday, 6 January 2015

PAYMENT ADVICE Senior Accountant bacs malware document

A bacs PAYMENT ADVICE from Senior Accountants is being spammed out.

The email carries a Word document attachment with a random file name; however these emails aren't from Senior Accountants
at all, the title is just being used to make the email look more genuine, i.e. from a real company.

Message Headers (Note that the Name and email address are random):
From: "Deann, Senior Accountant" {zoaudydiqw@metaphorivr.com}
Subject: PAYMENT ADVICE 06-JAN-2015
Date: Tue, 06 Jan 2015 19:25:25 +0800

Message Body: (Note that the amount and Name are random):
Dear all,
Payment has been made to you in amount GBP 16916,66 by BACS.
See attachment.
Regards,
Deann
Senior Accountant


One example of the random attachment file name:
BACS278606_218.doc

Md5 Hashes:
55d6c57bdad8a1e4210c1ff89cd88f78
661e6777cc51c335835a16bb2b79f42c
67fd8aac791e49bc90e851fa994bd525
ce596594218922c9d7429e7de11de3dd

Malware Macro document information:

VirusTotal Report [1]
(hits 0/56 Virus Scanners)

VirusTotal Report [2]
(hits 0/56 Virus Scanners)

VirusTotal Report [3]
(hits 0/56 Virus Scanners)

VirusTotal Report [4]
(hits 0/56 Virus Scanners)

Malwr Report [1]

Decoded Macro [1]
Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24646.DocHeur
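The headers, body text, attachment naming and MD5 hashes above are the indicators a mail admin can match on before a signature is available. The script below is an added example, not code from the blog or from Sanesecurity: it parses a raw message with the Python standard library, checks each indicator listed in the post (subject format, "Senior Accountant" display name, the "Payment has been made ... by BACS" body line, the BACS<digits>_<digits>.doc attachment name, and the four MD5s), and flags the message when a hash matches or the subject plus two further lures are present. The sample message is constructed from the post's text; its attachment bytes are a placeholder, so the hash check is expected to miss on it.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# The four MD5s given in the post; the only hashes treated as known-bad here.
KNOWN_BAD_MD5 = {
    "55d6c57bdad8a1e4210c1ff89cd88f78",
    "661e6777cc51c335835a16bb2b79f42c",
    "67fd8aac791e49bc90e851fa994bd525",
    "ce596594218922c9d7429e7de11de3dd",
}

# Patterns derived from the lure text in the post (date, amount and name vary per mail).
SUBJECT_RE = re.compile(r"^PAYMENT ADVICE \d{2}-[A-Z]{3}-\d{4}$")
ATTACH_RE = re.compile(r"^BACS\d+_\d+\.doc$", re.IGNORECASE)
BODY_RE = re.compile(r"Payment has been made to you in amount GBP [\d,.]+ by BACS",
                     re.IGNORECASE)


def score_message(raw: bytes) -> dict:
    """Return which of the post's indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": bool(SUBJECT_RE.match(msg.get("Subject", "").strip())),
        "sender_title": "senior accountant" in msg.get("From", "").lower(),
        "body": False,
        "attachment_name": False,
        "attachment_hash": False,
    }
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        hits["body"] = bool(BODY_RE.search(body.get_content()))
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits["attachment_name"] = True
        payload = part.get_payload(decode=True) or b""
        if hashlib.md5(payload).hexdigest() in KNOWN_BAD_MD5:
            hits["attachment_hash"] = True
    return hits


def is_bacs_lure(raw: bytes) -> bool:
    """A hash match is definitive; otherwise require the subject plus two more lures."""
    hits = score_message(raw)
    if hits["attachment_hash"]:
        return True
    others = sum(hits[k] for k in ("sender_title", "body", "attachment_name"))
    return hits["subject"] and others >= 2


def build_sample() -> bytes:
    """Constructed message using the headers/body quoted in the post (placeholder attachment)."""
    m = EmailMessage()
    m["From"] = '"Deann, Senior Accountant" <zoaudydiqw@metaphorivr.com>'
    m["Subject"] = "PAYMENT ADVICE 06-JAN-2015"
    m["Date"] = "Tue, 06 Jan 2015 19:25:25 +0800"
    m.set_content("Dear all,\nPayment has been made to you in amount GBP 16916,66 by BACS.\n"
                  "See attachment.\nRegards,\nDeann\nSenior Accountant\n")
    # Placeholder bytes, not a real document: this will not match KNOWN_BAD_MD5.
    m.add_attachment(b"placeholder, not a real macro document",
                     maintype="application", subtype="msword",
                     filename="BACS278606_218.doc")
    return m.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary message that should not be flagged."""
    m = EmailMessage()
    m["From"] = "Alice <alice@example.invalid>"
    m["Subject"] = "Lunch on Thursday?"
    m.set_content("Hi all,\nAre we still on for lunch on Thursday?\nAlice\n")
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample()), is_bacs_lure(build_sample()))
    print(score_message(build_benign()), is_bacs_lure(build_benign()))
```

To use it on real mail, feed `is_bacs_lure` the raw bytes of each message (for example from an mbox or a milter); the hash set and regexes are the parts to update as the campaign's file names and amounts change.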


NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,

Steve

1 comment:

Anonymous said...

I received the same kind of e-mail entitled "PAYMENT ADVICE 06-JAN-2015".

It was sent with a fake e-mail address.

The sender is still a Senior Accountant.

The attached piece is a Word document BACS444251_493.doc.

It is as follows with the header.


From : Glenn, Senior Accountant [mailto:iuhrkdj@80-78-174-195.sdtelecom.de]
Sent : Tuesday 6 January 2015 12:05
To : olivier.huglo@neuf.fr
Subject : PAYMENT ADVICE 06-JAN-2015

Dear all,

Payment has been made to you in amount GBP 11364,15 by BACS.

See attachment.

Regards,

Glenn
Senior Accountant

The e-mail is a scam.