Thursday, 8 October 2015

Frederico Kessler Deposit Payment Payments Deposit.xls

Frederico Kessler Deposit Payment Payments Deposit.xls macro malware.

These emails aren't from these companies at all; the company name is just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Header:
From: Frederico Kessler {Frederico.Kessler@Gamesys.co.uk}
Subject: Deposit Payment
Message Body:
Hi,

Attached is receipt of transfer regarding the deposit increase for our new contract to the Cherry Tree Cottage.
Let me know if its all sorted.

Frederico Kessler
Product Owner | Games Platform
gamesysign
4th Floor, 10 Piccadilly
London, W1J 0DD

Attachment:
Payments Deposit.xls
SHA256 hashes:
5f0834b2328845691ee7b14dc1b26ad5e0d02621a7d13501755a8c54bab95de1 [1]
909ace5da2a2549eafde6d39b25dbfef2850993d0aa94e8dde795ceaceb17543 [2]
a13a8719b93ba4593ae85d98c9e5764897698eb2ab28cdb2ae69be134b7ab0a3 [3]
b4d603221a9431e3a42ad7adbfe3657e8652c572b856dee4ae5735413782c8ca [4]
b61ef064039299ac551d02a06e33c08c2665c196af7a827c4d0314d392a05681 [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 1/56)
VirusTotal Report: [2] (detection 1/56)
VirusTotal Report: [3] (detection 1/56)
VirusTotal Report: [4] (detection 1/56)
VirusTotal Report: [5] (detection 1/56)

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.XlsM.003

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Malware.25723.MacroHeurGen.ht

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Don't treat a clean scan from desktop antivirus as proof the attachment is safe: at the time of posting, each of the five samples above was detected by only 1 of 56 engines on VirusTotal.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by keylogging, taking screenshots, or copying information from your clipboard (copy/paste)).
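As an added example (this is not code from the original post), here is a small offline triage script for attachments like Payments Deposit.xls. It checks a file's SHA256 against the five hashes listed above and, separately, looks for an embedded VBA project, which is the mechanism described in the NOTE (the macro runs and auto-downloads a Windows executable). The hash set is the one on this page; the fixture files, the filenames and the raw-byte macro heuristic are my own assumptions for illustration and are not real samples.

```python
import hashlib
import io
import zipfile

# Added example, not from the original post: offline triage of a suspect
# Office attachment. Hash match against the post's IOCs, plus an independent
# macro check, because the campaign rotates hashes faster than lists follow.

# SHA256 hashes of "Payments Deposit.xls" as listed in the post
KNOWN_BAD_SHA256 = {
    "5f0834b2328845691ee7b14dc1b26ad5e0d02621a7d13501755a8c54bab95de1",
    "909ace5da2a2549eafde6d39b25dbfef2850993d0aa94e8dde795ceaceb17543",
    "a13a8719b93ba4593ae85d98c9e5764897698eb2ab28cdb2ae69be134b7ab0a3",
    "b4d603221a9431e3a42ad7adbfe3657e8652c572b856dee4ae5735413782c8ca",
    "b61ef064039299ac551d02a06e33c08c2665c196af7a827c4d0314d392a05681",
}

# Legacy .xls/.doc files are OLE2 compound files with this 8-byte signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 storage/stream names are stored as UTF-16LE. Excel keeps its VBA project
# under a storage named "_VBA_PROJECT_CUR", Word under "Macros".
OLE2_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT_CUR", "Macros")]
# OOXML (.xlsm/.docm) files are ZIP archives; macros live in a part named vbaProject.bin.
ZIP_MAGIC = b"PK\x03\x04"
OOXML_VBA_MARKER = b"vbaProject.bin"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_vba_project(data: bytes) -> bool:
    """Heuristic macro check: raw byte scan for the VBA storage/part names.

    This does not parse the container; it only answers "is there a VBA project
    in here?" well enough for gateway triage. To actually read the macro, dump
    it with oletools' olevba.
    """
    if data.startswith(OLE2_MAGIC):
        return any(marker in data for marker in OLE2_VBA_MARKERS)
    if data.startswith(ZIP_MAGIC):
        # ZIP keeps entry names uncompressed in the local and central headers,
        # so the part name is visible without inflating the archive.
        return OOXML_VBA_MARKER in data
    return False


def triage(data: bytes, filename: str) -> dict:
    """Return a verdict for one attachment.

    Quarantine on either a known-bad hash or a macro-bearing Office file. The
    five samples in the post scored 1/56 on VirusTotal, so AV alone is not a
    reliable gate; the macro check is the control that carries over to the
    next hash the campaign ships.
    """
    digest = sha256_hex(data)
    verdict = {
        "filename": filename,
        "sha256": digest,
        "known_bad": digest in KNOWN_BAD_SHA256,
        "is_ole2": data.startswith(OLE2_MAGIC),
        "is_ooxml": data.startswith(ZIP_MAGIC),
        "has_macro": has_vba_project(data),
    }
    verdict["action"] = "quarantine" if (verdict["known_bad"] or verdict["has_macro"]) else "allow"
    return verdict


# --- constructed fixtures (NOT real samples) -------------------------------

def fake_xls(with_vba: bool) -> bytes:
    """OLE2 magic plus one UTF-16LE directory-entry name: enough to exercise
    has_vba_project(), not a loadable workbook."""
    name = "_VBA_PROJECT_CUR" if with_vba else "Workbook"
    return OLE2_MAGIC + b"\x00" * 504 + name.encode("utf-16-le") + b"\x00" * 32


def fake_xlsm(with_vba: bool) -> bytes:
    """A minimal ZIP with (optionally) an xl/vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Payments Deposit.xls", fake_xls(with_vba=True)),
        ("quarterly.xls", fake_xls(with_vba=False)),
        ("report.xlsm", fake_xlsm(with_vba=True)),
        ("notes.txt", b"plain text, not an Office file"),
    ]
    for fname, blob in samples:
        v = triage(blob, fname)
        print(f"{v['action']:<10} macro={v['has_macro']!s:<5} sha256={v['sha256'][:16]}... {fname}")
```

Run it as a script to see the verdicts for the constructed fixtures, or import triage() and feed it the bytes of a quarantined attachment. The fixture for the macro-bearing .xls is deliberately built from the markers the heuristic looks for, so it exercises the code path but says nothing about the real sample; for a real file, the hash comparison is the only part of this that is authoritative.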

Cheers,
Steve

13 comments:

DAS1951 said...

Received such an email today. It did look like malware but found your confirmation; very useful.

Rowan said...

How does one scan for this malware and get rid of it. I just opened this attachment.

DAS1951 said...

Rowan, next time be more alert/suspicious!

Run your existing anti-malware programme and, if you do not have it, install and run Malwarebytes Anti-Malware software (the free version is OK).

DAS1951 said...

PS. in worst-case scenario scrub your computer with multiple overwrites and then reformat the HDD. Make sure you have a good data *backup*!

Anonymous said...

I got this email today. Thanks for the info on your site.

@Rowan
You really need to download an anti-virus & anti-malware program if you don't already have one and do a full scan on your entire computer.

100booksbychristmas said...

Opened by accident on iPhone - do I need to do anything, or will it only work on Windows PCs?

Steve Basford said...

If you've opened it on an iPhone/Android, you'll be OK.

Matthew Traherne said...

Received this email today. Almost opened it as I have booked into a cherry cottage!! At the last second noticed other people in the group weren't CC'd and googled the message. Thanks for the info on the site, hope this doesn't catch anyone!

DAS1951 said...

Steve, even Android? I thought Android *was* susceptible to malware.

Anonymous said...

My organization received a total of 280 separate messages from this sender, 36 of which evaded our email firewall and had real recipients. Macro-enabled/embedded .xls.

Anonymous said...

Received exactly the email you describe above - caught my attention because of the name of the property (a family member lives in just such!) but the wording made me suspicious - binned it!!
Thank you for your very useful comments!

Anonymous said...

Just seen an article on the BBC news website about malicious Microsoft Office documents being used to steal bank details and realized this email could potentially be linked to it.
Thought someone might be interested.
http://www.bbc.co.uk/news/technology-34527439