Friday, 6 November 2015

Invoice #00004232; From Timber Solutions ESale.xls

Description:

Invoice #00004232; From Timber Solutions ESale.xls macro malware.

Headers:

From: "Kes" {kerryadamson@bigpond.com}
Subject: Invoice #00004232; From Timber Solutions

Message Body:

Hi, please find attached our invoice for goods ordered under Order
No. 11146, which will be delivered tomorrow.  Please pay into the
account, details of which are at the foot of the invoice.  Kes

Attachment filename(s):

ESale.xls

SHA256 Hashes:

33b6af7a8c8b67214321bca81e8952a1f20b5668ccfd9d2366a41c8f879d5dee [1]
4a001abcd9d398526778b39165650e0a4338b464cfaac7cf7336c8ea292a5828 [2]
c1bf646fd00b4e82341c1f3f436d0584bc9ff65167f72e4691e91259de0af132 [3]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)
VirusTotal Report: [2] (detection 5/55)
VirusTotal Report: [3] (detection 5/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003.

Important notes:

The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts, either by keylogging, taking screenshots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this email; any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses. It's not advised to ring the company themselves, as there won't really be anything they can do to help you.
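For anyone handling these on a mail gateway or help desk, the following is an added triage script (not part of the original post, and not the tool used to produce the hashes above). It computes the SHA-256 of an attachment, compares it against the three ESale.xls hashes listed earlier, and separately flags Office files that carry a VBA project, which is the trait the Sanesecurity badmacro signature keys on. The macro checks are deliberately simple heuristics: a legacy .xls/.doc is an OLE2 compound file whose stream names are stored as UTF-16LE, so the presence of a "_VBA_PROJECT" stream name is searched for as a byte pattern rather than by walking the directory; a .xlsm/.docm is a zip, so its entries are listed for a vbaProject.bin. The sample inputs at the bottom are constructed for demonstration and are not real malware.

```python
import hashlib
import io
import sys
import zipfile
from pathlib import Path

# SHA-256 hashes of the three ESale.xls samples listed in the post above.
KNOWN_BAD_SHA256 = {
    "33b6af7a8c8b67214321bca81e8952a1f20b5668ccfd9d2366a41c8f879d5dee",
    "4a001abcd9d398526778b39165650e0a4338b464cfaac7cf7336c8ea292a5828",
    "c1bf646fd00b4e82341c1f3f436d0584bc9ff65167f72e4691e91259de0af132",
}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries hold stream names as UTF-16LE; a legacy .xls/.doc
# that carries macros has a "_VBA_PROJECT" stream.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")
OLE2_EXTENSIONS = (".xls", ".doc")
OOXML_EXTENSIONS = (".xlsm", ".docm", ".xlsx", ".docx")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_ole2_vba(data: bytes) -> bool:
    # Heuristic: byte search for the stream name instead of parsing the
    # directory sectors. Adequate for a first triage pass, not a full parser.
    return data.startswith(OLE2_MAGIC) and VBA_STREAM_MARKER in data


def has_ooxml_vba(data: bytes) -> bool:
    # Office Open XML containers are zips; macros live in a vbaProject.bin entry.
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict; 'quarantine' is True if any reason fired."""
    digest = sha256_hex(data)
    reasons = []
    if digest in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches a known ESale.xls sample")
    ext = Path(filename).suffix.lower()
    if ext in OLE2_EXTENSIONS and has_ole2_vba(data):
        reasons.append("legacy Office file contains a VBA project stream")
    if ext in OOXML_EXTENSIONS and has_ooxml_vba(data):
        reasons.append("OOXML file contains vbaProject.bin")
    return {"filename": filename, "sha256": digest,
            "quarantine": bool(reasons), "reasons": reasons}


# Constructed sample inputs (not real files): a minimal OLE2 header followed by
# padding, with and without the VBA stream name embedded.
SAMPLE_MACRO_XLS = OLE2_MAGIC + b"\x00" * 504 + VBA_STREAM_MARKER + b"\x00" * 40
SAMPLE_CLEAN_XLS = OLE2_MAGIC + b"\x00" * 568


def make_sample_xlsm(with_macro: bool) -> bytes:
    """Build a constructed zip that mimics the entry layout of an .xlsm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python triage.py attachment1.xls attachment2.xlsm ...
    for path in sys.argv[1:]:
        verdict = triage_attachment(path, Path(path).read_bytes())
        flag = "QUARANTINE" if verdict["quarantine"] else "pass"
        print(f"{flag:10} {verdict['sha256']}  {path}  {'; '.join(verdict['reasons'])}")
```

A hash match is only useful for the exact samples seen so far, since each resend of a campaign tends to ship freshly built attachments; the macro-presence check is what catches the next variant. Anything flagged should be held rather than deleted, so the sample can be submitted for signature coverage.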
Cheers,
Steve

11 comments:

Alan Scoones said...

I received 6 of these emails this morning - spread across 3 email addresses on my own domain. The attachment looks like just an ordinary spreadsheet file (rather than the obvious dodgy executable) so the temptation is there to just open it and have a look. Had it just been a single email I might have done so. Glad I decided to "google" it first and your blog was top of the list. The work people like you do to help and warn others online is appreciated. Thank you.

Drew James said...

8 received here today as well. Obviously some serious numbers being sent out overnight

Leather Les said...

I also received one of these this a.m. but I was using my Blackberry Q10 phone when, bleary eyed, I opened it! The spreadsheet is blank so obviously used as a vehicle to get the bug in. Q Will it affect my phone? I have deleted it on my Windows PC. Just shows the value of these blogs for putting the word out. Thanks very much.

Richard Brown said...

I received this this morning, luckily I opened it on my iPad and not my PC. Hopefully this will be OK (now rejected as spam). Thanks for your blog!

Anonymous said...

These have now changed into "Subject: Payment Notification"
They are using the same Excel spreadsheets which have the same URLs for the payload.
Payload URLs are:
hxxp://skredman.webz.cz/334g5j76/897i7uxqe.exe
hxxp://novyzeland2013.webzdarma.cz/334g5j76/897i7uxqe.exe
hxxp://advancedgroup.net.au/~incantin/334g5j76/897i7uxqe.exe

Anonymous said...

I have just got this and opened it as we had ordered wood locally! Opened on an iPad but it has Excel for Apple on it. What do I need to do? Now spammed it. Thanks sam

Anonymous said...

Thank you for posting this blog, didn't open the attachment and reported to spam having read your blog. Grateful.

Anonymous said...

The macro downloads an executable file which can only run on a Windows PC

Anonymous said...

Just received this email today. Thanks to this site I did not open it, even though the temptation was there since it just looked like a spreadsheet. Thanks Again!!

Anonymous said...

Thanks so much for posting this! You saved me a world of trouble.

Anonymous said...

Oh no! Opened this on my iPad, I'm such an idiot.
iPad virus scanners seem to be non-existent too....