Tuesday, 24 February 2015

Berendsen UK Ltd Invoice 60020918 11 malware

Berendsen UK Ltd Invoice 60020918 11 being spammed containing a word/excel document with embedded macro.

These emails aren't from Berendsen UK Ltd at all, they just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.
Company:

Berendsen is part of Berendsen plc, a leading provider of support services in the UK.
Berendsen UK Limited. Incorporated in England No. 228604.
Registered Office: 4 Grosvenor Place, London
SW1X 7DL
01256 339 200

Message Header:

From: {donotreply@berendsen.co.uk}
Subject: Berendsen UK Ltd Invoice 60020918 117
Message Body:
Dear Sir/Madam,

Please find attached your invoice dated 21st February.
All queries should be directed to your branch that provides the service.
This detail can be found on your invoice.


Thank you.
___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.

Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
 Attachment:

IRN001549_60020918_I_01_01.doc
IRN001549_60020918_I_01_01.xls
Md5 Hashes:
ff3c3fbeed637cccc7549636b7e0f7cdb [1]
f037944013dc6074413dc5551d8fc305 [2]
03b3e2f0e14aa48c124e9814ca3038d7 [3]

Malware Macro document information:

VirusTotal Report [1] (hits 0/57 Virus Scanners)

VirusTotal Report [2] (hits 0/57 Virus Scanners)
VirusTotal Report [3] (hits 0/57 Virus Scanners)


Sanesecurity signatures are blocking this as:

Sanesecurity.Malware.24676.DocHeur

NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

1 comment:

Anonymous said...

Many thanks - I just received the same, apparently from IP 87.104.218.135