
Monday 8 February 2016

crosswater Accounts Documentation - Invoices

Description:

crosswater Accounts Documentation - Invoices javascript malware.

Headers:

From: {CreditControl@crosswater.co.uk}
Subject: Accounts Documentation - Invoices

Message Body:

Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.

If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:

Accounts@crosswater-holdings.co.uk

or call us on 0845 873 8840

Please do not reply to this E-mail as this is a forwarding address only.

Attachment filename(s):

~13190.js

Sha256 Hashes:

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 1/55)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25968.JsHeur

Important notes:

Am I Safe?

The current round of Word/Excel/XML/Docm attachments are targeted at Windows and Microsoft Office users.

Apple (Mac/iPhone/iPad), Android and Blackberry mobiles/tablets that open these attachments will be safe. LibreOffice and OpenOffice users should also be safe, but do not enable macros if asked to by the attached file.

If you have macros disabled in Microsoft Word or Microsoft Excel, you should be safe but again,
do not enable macros if asked to by the attached file.

However, if you are an Apple (Mac/iPhone/iPad), Android or Blackberry mobile/tablet user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts, either by
key logging, taking screenshots, or copying information directly from your clipboard (copy/paste).

It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Cheers,
Steve