Tuesday, 6 January 2015

Saint Gobain UK SGBD National Payments Centre This is your Remittance Advice xls macro malware

The name Saint Gobain UK SGBD National Payments Centre is being used as the sender of an Excel macro malware run,
with the subject "This is your Remittance Advice".

The Excel attachment has a random file name. These emails are not from Saint Gobain UK SGBD National Payments Centre at all; the company name is just being used to make the email look more
genuine, i.e. as if it came from a real company.

Message Headers (Note that the email address is random):
From: "Elise"
Subject: This is your Remittance Advice #VCO26607

Message Body:

DO NOT REPLY TO THIS EMAIL ADDRESS
Please find attached your remittance advice from Saint Gobain UK.
For any queries relating to this remittance please notify the Payment Enquiry Team on 01484334407
Regards,
SGBD National Payments Centre


One example of the random attachment file name:
ZYVI47493.xls

Md5 Hashes:
4f8564d80c1ad702ea9ea408c8d222d8
5f1b2eef4b7f1fd919f82f5c756531a0
ab6335a9f9d616f9bc767e553299898d
c12819787eb0d5949a507b50ab1d18cb

Malware Macro document information:

VirusTotal Report [1]
(hits 0/56 Virus Scanners)

VirusTotal Report [2]
(hits 0/56 Virus Scanners)

VirusTotal Report [3]
(hits 0/56 Virus Scanners)

VirusTotal Report [4]
(hits 0/56 Virus Scanners)

Malwr Report [1]

Decoded Macro [1]
Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24675.XlsHeur
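The following is an added example, not code from this post or from Sanesecurity. It shows how a mail gateway or an analyst can triage a saved .eml against the indicators above: the lure subject line, the four MD5 hashes listed for the attachment, and a cheap heuristic for an OLE workbook that carries a VBA project (OLE directory names are stored as UTF-16LE, so the markers are searched in that encoding; a real scanner would parse the OLE directory properly). The sample message and its attachment are constructed for the example; the attachment is a fake OLE blob, not a real workbook, and the addresses are placeholders.

```python
"""Triage an .eml for the remittance-advice .xls macro lure (added example)."""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# MD5 hashes published in the post for the malicious .xls attachments.
KNOWN_BAD_MD5 = {
    "4f8564d80c1ad702ea9ea408c8d222d8",
    "5f1b2eef4b7f1fd919f82f5c756531a0",
    "ab6335a9f9d616f9bc767e553299898d",
    "c12819787eb0d5949a507b50ab1d18cb",
}

LURE_SUBJECT = "This is your Remittance Advice"

# OLE2 compound-document magic, shared by .xls/.doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names that only appear when a VBA project is present.
# OLE stores directory entry names as UTF-16LE, so encode them that way.
VBA_MARKERS = tuple(
    name.encode("utf-16-le") for name in ("_VBA_PROJECT", "VBA", "Macros")
)


def looks_like_macro_workbook(data: bytes) -> bool:
    """Heuristic only: OLE2 container that names a VBA storage or stream."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in VBA_MARKERS)


def scan_message(raw: bytes, known_bad=KNOWN_BAD_MD5) -> dict:
    """Return lure/attachment findings and a block/allow verdict for one .eml."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    findings = {"lure_subject": subject.startswith(LURE_SUBJECT), "attachments": []}

    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        md5 = hashlib.md5(data).hexdigest()
        findings["attachments"].append({
            "filename": name,
            "md5": md5,
            "known_bad": md5 in known_bad,
            "xls_with_macro": name.lower().endswith(".xls")
                              and looks_like_macro_workbook(data),
        })

    atts = findings["attachments"]
    # A hash hit blocks on its own; an unknown macro workbook blocks when it
    # arrives under the lure subject (the zero-detection case in the post).
    block = any(a["known_bad"] for a in atts) or (
        findings["lure_subject"] and any(a["xls_with_macro"] for a in atts)
    )
    findings["verdict"] = "block" if block else "allow"
    return findings


def build_sample_message() -> bytes:
    """Constructed lookalike of the lure; the .xls is a fake OLE blob, not malware."""
    fake_xls = (OLE_MAGIC + b"\x00" * 24
                + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "Elise <sender@example.invalid>"       # placeholder address
    msg["To"] = "accounts@example.invalid"              # placeholder address
    msg["Subject"] = "This is your Remittance Advice #VCO26607"
    msg.set_content("Please find attached your remittance advice from Saint Gobain UK.")
    msg.add_attachment(fake_xls, maintype="application",
                       subtype="vnd.ms-excel", filename="ZYVI47493.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The macro heuristic is deliberately crude; its purpose is to catch the case the VirusTotal results above illustrate, where the hash list is useless because the sample is fresh and no signature fires yet. Pair it with the published hashes and the subject line rather than relying on any one of the three.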


NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,

Steve
