Tuesday, 10 November 2015

Mark Singleton PO99631 Gilkes Pumping Systems

Description:

Mark Singleton PO99631 Gilkes Pumping Systems 99631 RBE.xls macro malware.

Headers:

From: Mark Singleton {m.singleton@gilkes.com}
Subject: PO99631

Message Body:

Please find PO99631 attached.

Kind Regards

Mark Singleton
Sourcing Specialist

Gilkes Pumping Systems
Direct: +44 (0) 1539 790051
Tel:    +44 (0) 1539 720028
Fax:    +44 (0) 1539 732110

Gilbert Gilkes & Gordon Ltd Kendal Cumbria LA9 7BZ United Kingdom
______________________________________________________

Registered Office: Gilbert Gilkes & Gordon Ltd. Kendal, Cumbria, LA9 7BZ
Registration No:    173768 England & Wales

Attachment filename(s):

99631 RBE.xls

Sha256 Hashes:

89f5ad1914f34c192f93d72db0e0f98befd5e55ee862e66ccc621dd0d0b61af9 [1]
7ed7feccd807e45bfb151d81f3e0848f8149f45ac8f4344298f07799791d2c28 [2]
dccf90597aac765c63d0de59b421664f303ff6347546343bd6a95425bd159c3f [3]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 6/55)
VirusTotal Report: [2] (detection 6/55)
VirusTotal Report: [3] (detection 6/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003.

Important notes:

The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple, Android and Blackberry mobiles/tablets that open these attachments will be safe.

The auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple, Android or Blackberry user and forward the message to a Windows user, you put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments normally try to download either:

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts, either by
key logging, taking screenshots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.
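The "faked headers" point is something a mail gateway can check mechanically: the visible From: address says gilkes.com, but the envelope sender and the SPF result recorded by the receiving MX usually do not back it up. The script below, added here as an example and not part of the original post, parses a message, compares the From: domain with the Return-Path domain, reads the SPF verdict from Authentication-Results, and lists any macro-capable attachments. The sample message is constructed: only the From: and Subject: lines reproduce what the post shows; the Return-Path, Authentication-Results and attachment body are placeholder values, not headers captured from the real campaign, and the quarantine rule is my own.

```python
"""Flag a message whose visible From: is not backed by the path it travelled.

Added example, not from the original post. Placeholder domains/values are
constructed for the demonstration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Attachment types the post describes as carrying the downloader macro.
MACRO_CAPABLE_EXTENSIONS = (".xls", ".xlsm", ".doc", ".docm", ".xml")

# Constructed sample; Return-Path / Authentication-Results are placeholders.
SAMPLE_EML = b"""Return-Path: <bounce@botnet-relay.invalid>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=botnet-relay.invalid; dkim=none
From: Mark Singleton <m.singleton@gilkes.com>
Subject: PO99631
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find PO99631 attached.
--b1
Content-Type: application/vnd.ms-excel; name="99631 RBE.xls"
Content-Disposition: attachment; filename="99631 RBE.xls"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""


def domain_of(address: str):
    """'user@Example.COM' -> 'example.com'; None when there is no '@'."""
    if not address or "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def assess(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_domain = domain_of(from_addr)
    rp_domain = domain_of(return_path)

    # Authentication-Results is written by the receiving MX; pull the SPF verdict.
    auth = str(msg.get("Authentication-Results", ""))
    match = re.search(r"\bspf=(\w+)", auth)
    spf = match.group(1).lower() if match else "none"

    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    macro_attachments = [
        name for name in attachments if name.lower().endswith(MACRO_CAPABLE_EXTENSIONS)
    ]

    reasons = []
    if rp_domain is None:
        reasons.append("no Return-Path to compare against From")
    elif rp_domain != from_domain:
        reasons.append(f"From domain {from_domain} != Return-Path domain {rp_domain}")
    if spf in ("fail", "softfail"):
        reasons.append(f"spf={spf}")
    if macro_attachments:
        reasons.append("macro-capable attachment: " + ", ".join(macro_attachments))

    # Quarantine rule (assumption): unverified sender AND a macro-capable document.
    unverified = spf != "pass" or rp_domain != from_domain
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "spf": spf,
        "macro_attachments": macro_attachments,
        "reasons": reasons,
        "quarantine": bool(unverified and macro_attachments),
    }


if __name__ == "__main__":
    for reason in assess(SAMPLE_EML)["reasons"]:
        print("-", reason)
```

The alignment check on its own produces false positives (mailing lists and many legitimate bulk senders use a different envelope domain), which is why the rule only quarantines when a macro-capable attachment rides along with the unverified sender.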



Cheers,
Steve

18 comments:

Anonymous said...

Looks like they're using the same URL's for the payloads as the last one.
Maybe trying to get past people filtering on subject or sender.

Ross Putman said...

Just had the same email come in, I'm getting a lot of messages, 2 a day, when I Google them it always brings me to your site where they have the same macros on them. Does this mean I'm being targeted?

Anonymous said...

just got three in as well - scum!

Anonymous said...

No, you are not being targeted. The world is being targeted.
I suspect they buy email lists or trade them on the dark web,
then pump emails out each day with their latest strain of Dridex as the payload.
Someone should kill their command and control centre or find
a way to unzombie the botnet participants.
Microsoft ? Cisco ?

Anonymous said...

These types of emails are looking very genuine these days.

Thanks for putting this info up to confirm my suspicions.

Anonymous said...

Reused the same Excel spreadsheets in the second run! (same hashes)
That's just lazy!

Swift too said...

comes up clean on Avira virus checker...

Swift too said...

came up clean on Avira virus checker....

Anonymous said...

Just had this same email - the scary thing is that it looks so real.

On a positive note, it could be a potential customer lol

Anonymous said...


>came up clean on Avira virus checker....

What are you scanning ? The Excel spreadsheet ?
It's what the Excel spreadsheet downloads that is the problem (Dridex)

TiMS said...

Their website looks an authentic website too - I thought the company may have been real and just hit with malware/virus but looks like the whole Gilkes company is fake and been setup to try and authenticate their email.

Anonymous said...

Ditto to all the above, looks so real. Double checked first and came up with this site. Well done and thank you.

Anonymous said...

> Anonymous Anonymous said...
> just got three in aswell - scum!

Just got 677 in :-) All rejected!

Anonymous said...

> Their website looks an authentic website too

The website is real.
The email is fake.
*sigh*
Please read *ALL* of the description, particularly where it says do not try to phone or email them and the part where it says it is from a botnet.
They are simply spoofing the sender address as being from m.singleton@gilkes.com
The email has nothing to do with the legitimate company.
They may as well have put your email in the sender address, then you would have received an email from yourself by your logic.

Anonymous said...

Thank you for your help! I have been tricked by this email and I have opened this up and enabled macros!!! But I am running a Mac with Microsoft Office 2011. Could I be infected or am I protected because of using a Mac? Your urgent advice is much appreciated! Many thanks!

Anonymous said...

Thanks! Double-checked the mail address with Google and it popped out as scam mail. Quickly dumped it. Can anyone stop the pumping system sending the scam out?!

Anonymous said...

The downloaded executable only runs on Microsoft windows.
You should be OK on a Mac.

Anonymous said...

Getting a lot of these types too... but thanks to your heads up I'm aware of each and every one of them. Thanks again.