Friday, 30 October 2015

Clare Harding Purchase Order 0000035394 customer 09221 Purchase Order 0000035394.DOC

Description:


Clare Harding Purchase Order 0000035394 customer 09221 Purchase Order 0000035394.DOC macro malware.

Headers:

From: "Clare Harding"
Subject: Purchase Order 0000035394 customer 09221

Message Body:

Purchase Order 0000035394 to Alligata
Dear ,
Please find attached a copy of our order (reference 0000035394), your reference .
If you have any questions regarding the purchase order please contact us using the details below.

http://email.carterspackaging.com/signatures/carters_sig_70px.jpg
CLARE HARDING
Purchasing Manager
Carters Packaging Ltd, Packaging House, Wilson Way, Pool, Redruth, Cornwall, TR15 3RT
Fax: +44 (0) 1209 315 600
www.carterspackaging.com

Attachment filenames:

Purchase Order 0000035394.DOC

Sha256 Hashes:

23591022541ce84821f0cafe47ac2b819bf51689fb5eec86f677d1e661ee2659 [1]
155e4783714df49822e8b59978e1391ed25e781641277c71483bea7a8eac2b54 [2]
57e7eb6c8a742767101ed847d9697fc17cdbea9dc129b99aefe67276ad346957 [3]
b5fed55e96cd9bec63c7c68e3fd990eea7d36194d8c8c280a6fe10cf6268f564 [4]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Wsc.New
phish.ndb: Sanesecurity.Malware.24819.MacroHeurGen.Hp

Important notes:

The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts, either by key logging, taking screenshots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this email; any link(s) or attachment in it normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses. It's not advised to ring the company themselves, as there won't really be anything they can do to help you.



Cheers,
Steve

Thursday, 29 October 2015

Your eBay Invoice is Ready

Description:


Your eBay Invoice is Ready ebay_591278156712819_291015.zip malware.

Headers:

From: "eBay" {ebay@ebay.com}
Subject: Your eBay Invoice is Ready

Message Body:

PLEASE DO NOT RESPOND - Emails to this address are not monitored or responded to.

Dear Customer,

Please open the attached file to view invoice.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download this attachment. If you require Adobe Acrobat Reader this is available at no cost from the Adobe Website www.adobe.com

Attachment filenames:

ebay_591278156712819_291015.zip


Inside Zip attachment:

ebay_591278156712819_291015.exe

Sha256 Hashes:

0a0818d1893eb92fb6535408d5a9b482960b62629492962f688917c9206d79f3 [1]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 3/56)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25726.ZipHeur


It's also worth remembering that the company itself may not have any knowledge of this email; any link(s) or attachment in it normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses. It's not advised to ring the company themselves, as there won't really be anything they can do to help you.



Cheers,
Steve

Heather Crawford Your Invoice I0000040777.doc

Description:


Heather Crawford Your Invoice I0000040777.doc macro malware.

Headers:

From: "Heather Crawford" {h.crawford@barclaycomms.com}
Subject: Your Invoice I0000040777

Message Body:

Dear Customer. Please find attached your Invoice.

Invoice Number: 0000040777

Invoice Date: 28/10/2015

Invoice Total: 78.40

Invoice Description: Barclay Fresh Direct Debit 1 V (x1.00000)

This e-mail, and any attachment, is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not the views of Barclay Communications, unless specifically stated.

Attachment filenames:

I0000040777.doc

Sha256 Hashes:

b6a1c2e867e62cbdf614de7fa5f25d75789dd67efaad860bf657ce780818c232 [1]
044ea5d5039e561c57a4b88bff5949d5640a26fcb2f1d6cd1b663c36e3e010bb [2]
8f8bbc433b58ca1440943b640f35cb15d3e3e011e11377fb48c7f414ce5357e6 [3]
9ce753830ba981debb6aad08bf1564acce910607848687b99ac3b3c3657a0b75 [4]
a793aef1bbcdef406c90a4166cc5a42032c703aaf485b00027c24a63dee602af [5]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 3/56)
VirusTotal Report: [2] (detection 3/56)
VirusTotal Report: [3] (detection 3/56)
VirusTotal Report: [4] (detection 3/56)
VirusTotal Report: [5] (detection 3/56)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Xls.Wshell.G

Important notes:

The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts, either by key logging, taking screenshots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this email; any link(s) or attachment in it normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses. It's not advised to ring the company themselves, as there won't really be anything they can do to help you.



Cheers,
Steve

Wednesday, 28 October 2015

eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200

eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200 FAX_20151028_1445421437_89.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and these emails normally have faked headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: "eFax"
Subject: eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200
Message Body:
Fax Message [Caller-ID: 031207944200]
You have received a 1 page fax at 2015-10-28 08:57:17 GMT.
* The reference number for this fax is lon1_did14-1445421403-1407880525-89.
View this fax using your Microsoft Word.
Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Attachment:
FAX_20151028_1445421437_89.doc
Sha256 Hashes:
246ec2f4cdf0e18dc874644a09c369232ec70821a4b11a40dd7c133afb2ad70d [1]
2c2a2e955767384df23fce53a7b5a07b5cf968bbd39d2d8c086d527d448e3bbe [2]
92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/56)
VirusTotal Report: [3] (detection 4/56)

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Thank you for your order! IKEA receipt stats

The earlier reported fake IKEA receipt containing Word macro malware was instantly blocked by the Sanesecurity ClamAV signatures phish.ndb and badmacro.ndb.

What's interesting is the graph of the first wave of this: it started at about 9.20am and finished just after 9.45am, but look at the numbers, peaking at 18.5k...

(Graph of the first wave: detections per interval, about 9.20am to 9.45am, peak 18.5k. Image not reproduced.)
No doubt after a few hash changes to the document it'll be back for another run shortly, and you can see that traditional AVs don't have a lot of time between bot-runs to get detection updated.
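To make the shape of such a bot-run concrete, the added Python below (not code from this blog or from ClamAV) bins ClamAV-style "FOUND" log lines into five-minute buckets, then reports each burst's start, end, peak bucket and total hits. The log line format, the path names and the sample lines are constructed for the example and scaled well below the 18.5k peak described above; the signature-name prefix filter and the threshold are assumptions you would tune to your own mail gateway.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed clamd-style line (constructed format): "<timestamp> -> <path>: <signature> FOUND"
LINE_RE = re.compile(r"^(?P<ts>.+?) -> (?P<path>.+?): (?P<sig>\S+) FOUND$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Return (timestamp, signature) for a FOUND line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FORMAT), m["sig"]


def bin_hits(lines, bin_minutes=5, sig_prefix="Sanesecurity."):
    """Count hits per bucket of bin_minutes, keyed by bucket start; other signatures are ignored."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sig = parsed
        if not sig.startswith(sig_prefix):
            continue
        bucket = ts.replace(second=0, microsecond=0)
        bucket -= timedelta(minutes=bucket.minute % bin_minutes)
        counts[bucket] += 1
    return counts


def find_waves(counts, threshold, bin_minutes=5):
    """Group adjacent buckets at or above threshold into waves.
    Each wave: {'start', 'end' (exclusive), 'peak', 'peak_count', 'total'}."""
    width = timedelta(minutes=bin_minutes)
    waves, current = [], []

    def close():
        if current:
            peak = max(current, key=lambda b: counts[b])
            waves.append({"start": current[0], "end": current[-1] + width, "peak": peak,
                          "peak_count": counts[peak], "total": sum(counts[b] for b in current)})
            current.clear()

    for bucket in sorted(counts):
        # a gap in the bucket sequence or a quiet bucket ends the current wave
        if counts[bucket] < threshold or (current and bucket - current[-1] != width):
            close()
        if counts[bucket] >= threshold:
            current.append(bucket)
    close()
    return waves


def constructed_log():
    """Synthetic lines: a background trickle all morning plus a burst from 09:20 to 09:45.
    Constructed data, not real logs; counts are scaled down from the post's 18.5k peak."""
    base = datetime(2015, 10, 29, 8, 0, 0)
    lines = []

    def hit(ts, sig="Sanesecurity.Malware.24819.MacroHeurGen.Hp"):
        lines.append(f"{ts.strftime(TS_FORMAT)} -> /var/spool/quarantine/{len(lines)}.doc: {sig} FOUND")

    for minute in range(0, 120, 10):            # background: one hit every ten minutes
        hit(base + timedelta(minutes=minute))
    for minute in range(80, 106):               # 09:20 .. 09:45, ramp up then down
        per_minute = 3 if minute < 90 else (8 if minute < 100 else 2)
        for k in range(per_minute):
            hit(base + timedelta(minutes=minute, seconds=k))
    # a non-Sanesecurity hit inside the burst, which bin_hits() must ignore
    lines.append("Thu Oct 29 09:30:00 2015 -> /var/spool/quarantine/x.eml: Eicar-Test-Signature FOUND")
    return lines


if __name__ == "__main__":
    counts = bin_hits(constructed_log())
    for wave in find_waves(counts, threshold=10):
        print(f"wave {wave['start']:%H:%M}-{wave['end']:%H:%M}: peak {wave['peak_count']} "
              f"at {wave['peak']:%H:%M}, {wave['total']} hits")
```

Feed it your gateway's quarantine or clamd log and the same code separates one bot-run from the next; the gap between consecutive waves is the window a signature update has to land in.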

Updated graph: (image not reproduced)

Cheers,

Steve
Sanesecurity.com

DoNotReply@ikea.com Thank you for your order! IKEA receipt 607656390.doc

DoNotReply@ikea.com Thank you for your order! IKEA receipt 607656390.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and these emails normally have faked headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: DoNotReply@ikea.com
Subject: Thank you for your order!
Message Body:

Order acknowledgement:


To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60
Delivery date:
30-10-2015
Delivery method:
Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
607656390
Order time:
8:31am GMT
Order/Invoice date:
30-10-2015
 
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
 

Attachment:
IKEA receipt 607656390.doc
Sha256 Hashes:
03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8 [1]
92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8 [2]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/56)
VirusTotal Report: [2] (detection 4/56)

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Tuesday, 27 October 2015

A quick summary of zipped malware this morning.

A quick summary of zipped malware this morning... the Sanesecurity database foxhole_filename.cdb is detecting them...

Headers:
From: "donotreply_invoices@verifone.com" {donotreply_invoices@verifone.com}
Subject: VeriFone Services UK and Ireland Ltd
=======================================================
From: "credbills@denbighshire.gov.uk" {credbills@denbighshire.gov.uk}
Subject: Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance
=======================================================
From: "World First Payments" {payments@worldfirst.com}
Subject: World First - Supplier Payment Notification
Message body:
Please see attached Invoice(s).


Thanks and Regards,
VeriFone Services UK and Ireland Ltd

=======================================================

Gweler manylion taliad BACS yn atodedig

Please see attached Bacs Remittance

=======================================================

Dear Customer 
We're emailing to let you know that a payment is scheduled to be made to you by World First on behalf of DPI (UK) Ltd. 
This payment is scheduled to be made on 27 Oct 2015. Please see the attached PDF for further details on the payment (ID:3656763). 
Please note this notification is not meant to act as a binding confirmation and the payment may be subject to cancellation or amendment by our customer without further notification to you.
If any of the payment information is incorrect, please contact DPI (UK) Ltd. 
Kind Regards,
World First

Attached to the message is a Zip file (various names):
New_Cardholder_Application_Twila_Mccann.zip
SF-20151027-3656763-20151027102459.zip
World_First_Trade_Confirmation_-_Ref_20151027102632_on_27-Oct-2015.zip
Inside the Zip file is a Windows Executable file (various names)
Various exe and scr names
Sha256 Hashes: (various)
1dda68b78e84caf63bb32cae2dc1bd82111e49db85d127a36cb715e2e4ef3b16
4cb8b4959fbcc883a6e7f7ea9254acda3034b8d5dd93996cb9f709aef1104847
717e2d316ef1e98aa10b4d850c32a5f93281166b2913bcbd5e16b82a77d63034
7c5cf8ecf12a05555f6e9ab4948c3d9aaea7ea780f803a5ea200549d035d73ce
c6a11c16722b6772807559a05c8d12b2b3776482208f8efface34876351a3122
ec7c8a14d7da104f6fd81ee8d99b92f3b117b5593f343fbd0ba8295de7e3995d
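As an added example (not code from this blog, from Sanesecurity's signatures or from ClamAV), the Python below applies the two checks the posts on this page rely on: a zip whose members have executable names, which is what a filename-based signature such as foxhole_filename.cdb catches, and an Office attachment carrying a VBA project, which is what badmacro.ndb flags. It also matches the attachment's SHA256 against the indicators published in these posts. The sample attachments are constructed in memory and contain no real malware; the OLE2 check is a raw byte search for the UTF-16LE storage names a Word VBA project uses, which is a triage heuristic rather than a full compound-file parser.

```python
import hashlib
import io
import re
import zipfile

# SHA256 indicators taken from the attachments listed in the posts on this page.
KNOWN_BAD_SHA256 = {
    "0a0818d1893eb92fb6535408d5a9b482960b62629492962f688917c9206d79f3",  # ebay_591278156712819_291015.exe
    "1dda68b78e84caf63bb32cae2dc1bd82111e49db85d127a36cb715e2e4ef3b16",  # zipped exe, 27 Oct run
    "23591022541ce84821f0cafe47ac2b819bf51689fb5eec86f677d1e661ee2659",  # Purchase Order 0000035394.DOC
}

# Member names that should never arrive inside a mailed zip (the 27 Oct run used exe and scr).
EXEC_MEMBER = re.compile(r"\.(exe|scr)$", re.IGNORECASE)

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory-entry names are stored UTF-16LE; a Word VBA project lives under the
# "Macros" storage and contains a "_VBA_PROJECT" stream. Assumption: a raw byte search
# for those names is good enough for triage (a real scanner walks the directory tree).
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_attachment(name, data):
    """Classify one attachment. Returns {'name', 'sha256', 'verdict', 'reasons'}."""
    reasons = []
    digest = sha256_hex(data)
    if digest in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches a published indicator")

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if EXEC_MEMBER.search(info.filename):
                        reasons.append(f"zip contains executable member {info.filename!r}")
                    if info.filename.lower().endswith("vbaproject.bin"):
                        reasons.append("OOXML package carries a VBA project (docm/xlsm)")
                    if info.flag_bits & 0x1:
                        reasons.append(f"zip member {info.filename!r} is encrypted, cannot be scanned")
        except zipfile.BadZipFile:
            reasons.append("zip signature present but archive is corrupt")
    elif data.startswith(OLE2_MAGIC):
        if any(marker in data for marker in VBA_MARKERS):
            reasons.append("OLE2 document carries a VBA macro project")
    elif name.lower().endswith((".doc", ".xls")):
        reasons.append("Office extension but neither OLE2 nor zip magic, content is mislabelled")

    return {"name": name, "sha256": digest,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


def build_samples():
    """Constructed inputs, not real malware: a zip with an .exe member, a docm-style
    package with vbaProject.bin, a minimal OLE2 blob with a VBA marker, and a plain PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ebay_591278156712819_291015.exe", b"MZ" + b"\x00" * 64)
    zipped_exe = buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    docm = buf.getvalue()

    ole_doc = OLE2_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64
    clean_pdf = b"%PDF-1.4\n%%EOF\n"
    return {
        "ebay_591278156712819_291015.zip": zipped_exe,
        "invoice.docm": docm,
        "Purchase Order 0000035394.DOC": ole_doc,
        "statement.pdf": clean_pdf,
    }


def triage_all(samples=None):
    samples = build_samples() if samples is None else samples
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in triage_all().values():
        print(f"{result['verdict']:5} {result['name']}: {'; '.join(result['reasons']) or 'no findings'}")
```

The hash match is the weakest of the three checks: as the IKEA post above notes, the documents are re-hashed between runs, so the structural checks (executable inside a zip, VBA project inside a document) are what keep catching the next wave.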

Cheers,
Steve
Sanesecurity.com

Monday, 26 October 2015

PHSOnline Your new PHS documents are attached

PHSOnline Your new PHS documents are attached macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and these emails normally have faked headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: "PHSOnline" {documents@phsonline.co.uk}
Subject: Your new PHS documents are attached
Message Body:
Delivery of new PHS document(s)
 
 
Dear Customer
 
Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.
 
We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.
 
Regards
 
PHS Group
 
To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.



Attachment:
G-A0287580036267754265.doc
Sha256 Hashes:
11d137631d43b731e633ebf8dfecbd41bd5ca16f93be48678789a3fd275f3d50 [1]
8448dce775043e0fe09bf0dadaf7c7dabf901c129c503ef7f2668e4e2b6766aa [2]
e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 5/56)
VirusTotal Report: [2] (detection 5/56)
VirusTotal Report: [3] (detection 5/56)


Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Norwich Camping Your Norwich Camping Order has shipped! invoice-2425.doc

Norwich Camping Your Norwich Camping Order has shipped! invoice-2425.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and these emails normally have faked headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: "Norwich Camping" {sales@norwichcamping.co.uk}
Subject: #NC-242455-Zmj Your Norwich Camping Order has shipped!
Message Body:
You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen payment method has now been charged.

Kind regards,
The Norwich Camping & Leisure
Attachment:
invoice-2425.doc
Sha256 Hashes:
11d137631d43b731e633ebf8dfecbd41bd5ca16f93be48678789a3fd275f3d50 [1]
8448dce775043e0fe09bf0dadaf7c7dabf901c129c503ef7f2668e4e2b6766aa [2]
e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 5/56)
VirusTotal Report: [2] (detection 5/56)
VirusTotal Report: [3] (detection 5/56)


Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Friday, 23 October 2015

Scan Data from FX-D6DBE1 DocuCentre-V C6675 T2 22102015160213-0001.doc

Scan Data from FX-D6DBE1 DocuCentre-V C6675 T2 22102015160213-0001.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and these emails normally have faked headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
Subject: Scan Data from FX-D6DBE1
From: "DocuCentre-V C6675 T2"{reception@
Message Body:
Number of Images: 1
Attachment File Type: DOC

Device Name: DocuCentre-V C6675 T2
Device Location:
Attachment:
22102015160213-0001.doc
Sha256 Hashes:
2e2afd4f2eab5514eff15e62ccd1d1610a137419caa15eca8383417843ba716f [1]
4554fd639d5fe714dd65894af6fe5f96805f5da26bd0a8437ddb7d8e5c93df7b [2]
d8259073a5f3f0019bd5047fcb5149c0450ff8a6743f3e415db491389edc5344 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 5/56)
VirusTotal Report: [2] (detection 5/56)
VirusTotal Report: [3] (detection 5/56)


Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Thursday, 22 October 2015

UUSCOTLAND Water Services Invoice 22 October 2015 Invoice Summary.doc

UUSCOTLAND Water Services Invoice 22 October 2015 Invoice Summary.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and these emails normally have faked headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: "UUSCOTLAND" {UUSCOTLAND@uuplc.co.uk}
Subject: Water Services Invoice
Message Body:
Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of 22 September 2015 to 22 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077. Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to help you. Alternatively you can email me at uuscotland@uuplc.co.uk.

Kind regards

Melissa

Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Unitedutilitiesscotland.com



Attachment:
22 October 2015 Invoice Summary.doc
Sha256 Hashes:
1b6986910dfefedc753fcec76d00c8e5e13464c6e00af4b73286437a04f11222 [1]
7349036e7e92f4468aa35d1207d5e1c646818bbec60a933b5798b295515a4787 [2]
ab229e22f51cac1cc62c676f44839f12e75f7ca70b86c92f036c979172730a21 [3]

Later Run:

3f3baaefba7dfdb7b54727e03d60c2de365c1b426885f1e9f79ad7f895d67793 [4]
df4155671632cb0c265c5c558df05490e5e54eeeb8fad1a11260b42a51b6c56e [5]
f8013369d58fbaaf15ebd320ce18510705b9462bfa0d0cf71892311d376b9cf5 [6]
Malware Virus Scanner Reports:
VirusTotal Report: [4] (detection 4/56)
VirusTotal Report: [5] (detection 4/56)
VirusTotal Report: [6] (detection 4/56)

Malwr Report: [3]
Payload: h t t p: / / namastetravel.co.uk/t67t868/nibrd65 DOT exe


Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

ben.capass Your MF Communications bill for WIN001 [79549775 995412 82267] WIN001_02972.doc

Your MF Communications bill for WIN001 [79549775 995412 82267] ben.capass@mfcomm.co.uk WIN001_02972.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and these emails normally have faked headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: ben.capass@mfcomm.co.uk
Subject: Your MF Communications bill for WIN001 [79549775 995412 82267]
 Body:

Please find attached your latest bill dated 21/10/2015

This email is generated automatically. Please do not reply to this email.



Attachment:
WIN001_02972.doc
Sha256 Hashes:
1b6986910dfefedc753fcec76d00c8e5e13464c6e00af4b73286437a04f11222 [1]
7349036e7e92f4468aa35d1207d5e1c646818bbec60a933b5798b295515a4787 [2]
ab229e22f51cac1cc62c676f44839f12e75f7ca70b86c92f036c979172730a21 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 0/56)
VirusTotal Report: [2] (detection 0/56)
VirusTotal Report: [3] (detection 0/56)

Malwr Report: [3]
Payload: h t t p: / / namastetravel.co.uk/t67t868/nibrd65 DOT exe

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Wednesday, 21 October 2015

Shifu Banking Trojan

Most of the macro nasties of late have been trying to download the Dridex banking trojan; however, over the last couple of days it appears these payloads have switched over to the Shifu banking trojan.

"The Trojan is designed to steal a wide range of banking related information such as usernames and passwords to financial accounts, credentials that users key into HTTP forms, private certificates, and even external authentication tokens used by some banks, researchers say...

...Shifu also is capable of stealing data from smartcards if it discovers a smartcard reader attached to the compromised endpoint. The malware can search for and steal from cryptocurrency wallets on infected systems and can detect if it has landed on a point-of-sale system, in which case it proceeds to steal payment card data as well."

Source: http://www.darkreading.com/vulnerabilities---threats/new-shifu-banking-trojan-an-uber-patchwork-of-malware-tools/d/d-id/1322039
An additional key point is that Shifu also wipes the local System Restore point on infected machines :(

Whitehead, Lyn INVOICE FOR PAYMENT - 7500005791 Invoice 7500005791.doc

Whitehead, Lyn INVOICE FOR PAYMENT - 7500005791 Invoice 7500005791.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note

It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and these emails normally have faked headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: "Whitehead, Lyn" {Lyn.Whitehead@lancashire.pnn.police.uk}
Subject: INVOICE FOR PAYMENT - 7500005791
 Body:
Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)
Business Support Department - Headquarters




Attachment:
Invoice 7500005791.doc
Sha256 Hashes:
194100b10159ad608ae111c69de9add3ff698bfaac3eb098bb5e88d103287440 [1]
8bb24ef0d0ae84455a8ac9f67c430168b9e8aa8ae0722e4a223cc6c8b8a840ad [2]
e96e3d8fe9a8509d638077ad06a147703352a3309be1e0a94438b6ca84328337 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 0/56)
VirusTotal Report: [2] (detection 0/56)
VirusTotal Report: [3] (detection 0/56)

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell

Hybrid Analysis Report: [1]
NOTE

The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Tuesday, 20 October 2015

invoice 11368 corrected distribution@unenormandealondres.co.uk inv 11368 corrected.doc

invoice 11368 corrected distribution@unenormandealondres.co.uk inv 11368 corrected.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: {distribution@unenormandealondres.co.uk}
Subject: invoice 11368 corrected
Body:
Please Find attached your invoice 11368 corrected.
Regards
Accounts Service
Une Normande A Londres Ltd

Attachment:
inv 11368 corrected.doc
Sha256 Hashes:
9f598aa8751d9a7b5a6afe1d6e1e930d92c2131bd2f7c1839ba94307934b1e91 [1]
a8e2788f371decce59d5cf7f02b7cf187406ae277e370fea112b58a437a55577 [2]
be8966a576167b2b151e0515fc46f7952d9a616754214550961bbf95fde420f7 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/56)
VirusTotal Report: [2] (detection 4/56)
VirusTotal Report: [3] (detection 4/56)

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24667.XlsHeur

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.Xls.Wshell.G

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Shaun Buzzard Order lp22_20151013_164535.doc

Shaun Buzzard Order lp22_20151013_164535.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Header:
From: Shaun Buzzard {shaunb@hubbardproducts.com}
Subject: Order
Body:
Hi ,
Please find attached order.

Kind regards.
Shaun Buzzard
Hubbard Products Limited
Hillview, Church Road, Otley, Suffolk. IP69NP
Registered in England No. 6217134
Email: shaunb@hubbardproducts.com
DDI: 01473892216

Fax: 01473890687



Attachment:
lp22_20151013_164535.doc
Sha256 Hashes:
9f598aa8751d9a7b5a6afe1d6e1e930d92c2131bd2f7c1839ba94307934b1e91 [1]
a8e2788f371decce59d5cf7f02b7cf187406ae277e370fea112b58a437a55577 [2]
be8966a576167b2b151e0515fc46f7952d9a616754214550961bbf95fde420f7 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/56)
VirusTotal Report: [2] (detection 4/56)
VirusTotal Report: [3] (detection 4/56)

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24667.XlsHeur

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.Xls.Wshell.G

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

GOMEZ SANCHEZ FINAL NOTIFICATION FINAL NOTIFICATION.xls

GOMEZ SANCHEZ FINAL NOTIFICATION FINAL NOTIFICATION.xls macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Header:
From: "GOMEZ SANCHEZ" {postmail@bellair.net}
Subject: FINAL NOTIFICATION
Body:
Congratulations

Print out the attachment file fill it and return it back by fax or email


Yours Sincerely

GOMEZ SANCHEZ
Attachment:
FINAL NOTIFICATION.xls
Sha256 Hashes:
7f5fa44008064ca6cf59cf165770e4db8a7764bd14cf92586b8ecb65de756756 [1]
80ded7a1e98b524e7b4a123a741892a40b862d3f05d949ae88f401e94c4b1a6a [3]
c9602e7c64ea66b4a90f9ad6ccabcbba4243dd04cbb87554a056e97239900258 [4]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/56)
VirusTotal Report: [2] (detection 4/56)
VirusTotal Report: [3] (detection 4/56)

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24667.XlsHeur

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.Xls.Wshell.G

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve
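The posts above each give the SHA256 hashes of the attachment and note that the .doc/.xls files carry a macro that fetches a Windows executable. The script below is an added example, not part of the blog or of Sanesecurity's signatures: it pulls the attachments out of a message, hashes them, matches the hash against the hashes listed in these posts (hash [1] of each attachment is embedded as the block-list), identifies the container by magic bytes rather than by the attacker-chosen extension, and applies a cheap macro heuristic (a vbaProject.bin entry in OOXML zips, or a _VBA_PROJECT stream name in the legacy OLE2 format). The sample message, the example.invalid sender and the attachment blobs are constructed for the demonstration; the OLE2 "attachment" is only a magic header plus a stream name, not a real Word file, and a proper parser such as oletools should be used for anything beyond triage.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 hash [1] of each attachment listed in the posts above, used as a
# block-list for the triage below.
IOC_SHA256 = {
    "194100b10159ad608ae111c69de9add3ff698bfaac3eb098bb5e88d103287440",  # Invoice 7500005791.doc
    "9f598aa8751d9a7b5a6afe1d6e1e930d92c2131bd2f7c1839ba94307934b1e91",  # inv 11368 corrected.doc
    "7f5fa44008064ca6cf59cf165770e4db8a7764bd14cf92586b8ecb65de756756",  # FINAL NOTIFICATION.xls
}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc / .xls container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx / .docm / .xlsm (a zip)
# OLE2 directory entry names are stored UTF-16LE; a VBA project stream is named _VBA_PROJECT.
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify(data: bytes) -> str:
    """Identify the container by magic bytes, not by the (attacker-chosen) extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "other"


def has_vba(kind: str, data: bytes) -> bool:
    """Cheap macro heuristic: vbaProject.bin inside an OOXML zip, or a
    _VBA_PROJECT stream name inside an OLE2 file. Good enough to decide what
    to sandbox; a real parser (e.g. oletools) is needed for anything more."""
    if kind == "ooxml":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if kind == "ole2":
        return OLE2_VBA_MARKER in data
    return False


def triage_message(raw: bytes) -> list:
    """Return one record per attachment: filename, sha256, container type,
    macro heuristic, and whether the hash matches a listed IOC."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        kind = classify(data)
        records.append({
            "filename": part.get_filename(),
            "sha256": digest,
            "kind": kind,
            "has_vba": has_vba(kind, data),
            "ioc_match": digest in IOC_SHA256,
        })
    return records


def build_sample_message() -> bytes:
    """Constructed test message (not a real sample): a fake OLE2 blob carrying a
    VBA stream name, a minimal .docm containing vbaProject.bin, and a text file."""
    msg = EmailMessage()
    msg["From"] = "Accounts Service <distribution@example.invalid>"  # assumed sender
    msg["Subject"] = "invoice 11368 corrected"
    msg.set_content("Please find attached your invoice 11368 corrected.")

    fake_ole2 = OLE2_MAGIC + b"\x00" * 24 + OLE2_VBA_MARKER
    msg.add_attachment(fake_ole2, maintype="application", subtype="msword",
                       filename="inv 11368 corrected.doc")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="order.docm")

    msg.add_attachment("nothing to see here", filename="readme.txt")
    return bytes(msg)


if __name__ == "__main__":
    for rec in triage_message(build_sample_message()):
        flag = "QUARANTINE" if rec["ioc_match"] or rec["has_vba"] else "ok"
        print(f"{flag:10} {rec['kind']:5} {rec['sha256'][:16]}...  {rec['filename']}")
```

Run it against a saved .eml by replacing `build_sample_message()` with the file's bytes. Hash matching only catches the exact samples already seen (the VirusTotal scores above show how little that covers on day one), so the macro heuristic is what actually flags a fresh variant; anything flagged should go to a sandbox or a ClamAV scan with the Sanesecurity badmacro.ndb signatures rather than to a user's desktop.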