Frederico Kessler Deposit Payment Payments Deposit.xls macro malware.
These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.
It's not advised to ring them as there won't really be anything they can do to help you.
Header:
From: Frederico Kessler {Frederico.Kessler@Gamesys.co.uk}
Subject: Deposit Payment
Message Body:
Attached is receipt of transfer regarding the deposit increase for our new
contract to the Cherry Tree Cottage.
Let me know if its all sorted.
Frederico Kessler
Product Owner | Games Platform
4th Floor, 10 Piccadilly
London, W1J 0DD
Attachment:
Payments Deposit.xls
Sha256 Hashes:
[1] 5f0834b2328845691ee7b14dc1b26ad5e0d02621a7d13501755a8c54bab95de1
[2] 909ace5da2a2549eafde6d39b25dbfef2850993d0aa94e8dde795ceaceb17543
[3] a13a8719b93ba4593ae85d98c9e5764897698eb2ab28cdb2ae69be134b7ab0a3
[4] b4d603221a9431e3a42ad7adbfe3657e8652c572b856dee4ae5735413782c8ca
[5] b61ef064039299ac551d02a06e33c08c2665c196af7a827c4d0314d392a05681
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 1/56)
VirusTotal Report: [2] (detection 1/56)
VirusTotal Report: [3] (detection 1/56)
VirusTotal Report: [4] (detection 1/56)
VirusTotal Report: [5] (detection 1/56)
Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.XlsM.003
Sanesecurity.Malware.25723.MacroHeurGen.ht
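If you handle a copy of this attachment (for example from a mail quarantine), the quickest check is to hash it and compare against the five SHA-256 values listed above, and to look for the tell-tale macro container regardless of the `.xls` name, since the Badmacro.XlsM signature name suggests the file may really be an Office Open XML (zip) workbook with a vbaProject.bin inside. The script below is an added example, not part of the original post or of the Sanesecurity signatures; the only page data it uses are the five hashes, everything else (the `quarantine` directory, the sample byte strings in `main`, and the UTF-16LE stream-name and zip-entry-name heuristics) is an assumption for illustration.

```python
"""Triage suspected macro attachments against the SHA-256 IoCs in the post.

Added example (not the blog's or Sanesecurity's own code). The five hashes
below are the ones published in the post; file contents in main() are
constructed test data, not real samples.
"""
import hashlib
from pathlib import Path

# SHA-256 hashes published in the post for "Payments Deposit.xls".
KNOWN_BAD_SHA256 = {
    "5f0834b2328845691ee7b14dc1b26ad5e0d02621a7d13501755a8c54bab95de1",
    "909ace5da2a2549eafde6d39b25dbfef2850993d0aa94e8dde795ceaceb17543",
    "a13a8719b93ba4593ae85d98c9e5764897698eb2ab28cdb2ae69be134b7ab0a3",
    "b4d603221a9431e3a42ad7adbfe3657e8652c572b856dee4ae5735413782c8ca",
    "b61ef064039299ac551d02a06e33c08c2665c196af7a827c4d0314d392a05681",
}

# Magic bytes of an OLE2 compound file (legacy .xls/.doc) and of a zip (xlsm/docm).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"

# Heuristic (assumption): OLE directory entries store stream/storage names as
# UTF-16LE, and these names only exist when a VBA project is embedded.
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "VBA", "Macros")]
# Heuristic (assumption): zip local headers store entry names in the clear, so a
# macro-enabled OOXML workbook exposes this name without unpacking the archive.
ZIP_VBA_MARKER = b"xl/vbaProject.bin"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the raw attachment bytes, for IoC comparison."""
    return hashlib.sha256(data).hexdigest()


def has_macro_container(data: bytes) -> bool:
    """True if the bytes look like an Office file carrying a VBA project,
    whatever the file extension claims (an .xls may really be an .xlsm)."""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(ZIP_MAGIC):
        return ZIP_VBA_MARKER in data
    return False


def triage(name: str, data: bytes) -> dict:
    """Classify one attachment: exact IoC hit beats the structural heuristic."""
    digest = sha256_of(data)
    known_bad = digest in KNOWN_BAD_SHA256
    macro = has_macro_container(data)
    if known_bad:
        verdict = "known-bad"
    elif macro:
        verdict = "suspicious-macro"
    else:
        verdict = "no-match"
    return {"name": name, "sha256": digest, "known_bad": known_bad,
            "macro_container": macro, "verdict": verdict}


def scan_dir(directory: Path) -> list:
    """Triage every regular file in a quarantine folder (path is an assumption)."""
    return [triage(p.name, p.read_bytes()) for p in sorted(directory.iterdir())
            if p.is_file()]


def main() -> None:
    # Constructed samples: an OLE shell with a VBA storage name, and a zip shell
    # with a vbaProject.bin entry name. Neither is real malware.
    fake_ole = OLE_MAGIC + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le")
    fake_zip = ZIP_MAGIC + b"\x00" * 26 + ZIP_VBA_MARKER
    for name, blob in (("Payments Deposit.xls", fake_ole),
                       ("Payments Deposit.xls", fake_zip),
                       ("notes.txt", b"plain text, nothing to see")):
        r = triage(name, blob)
        print(f"{r['name']}: {r['verdict']} (sha256={r['sha256'][:16]}...)")


if __name__ == "__main__":
    main()
```

Run it against a quarantine folder with `scan_dir(Path("quarantine"))`; a `known-bad` verdict means the hash matches one of the five published above, while `suspicious-macro` only says the file carries a VBA project and still needs a look (the badmacro.ndb signatures above are the better source of truth for that case).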
NOTE
The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.
Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.
The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
Cheers,
Steve
13 comments:
Received such an email today. It did look like malware but found your confirmation; very useful.
How does one scan for this malware and get rid of it. I just opened this attachment.
Rowan, next time be more alert/suspicious!
Run your existing anti-malware programme and, if you do not have it, install and run Malwarebytes' Anti-Malware software (free version is OK).
PS. in worst-case scenario scrub your computer with multiple overwrites and then reformat the HDD. Make sure you have a good data *backup*!
I got this email today. Thanks for the info on your site.
@Rowan
You really need to download an anti-virus & anti-malware program if you don't already have one and do a full scan on your entire computer.
Opened by accident on iPhone - do I need to do anything or will it only work on Windows PCs?
If you've opened on an iPhone/Android, you'll be OK
Received this email today. Almost opened it as have booked into a cherry cottage!! Last second noticed other people in group not CC'd and googled message. Thanks for the info on the site, hope this doesn't catch anyone!
Steve, even Android? I thought Android *was* susceptible to malware.
My organization received a total of 280 separate messages from this sender, 36 of which evaded our email firewall and had real recipients. Macro-enabled/embedded .xls.
Received exactly the email you describe above - caught my attention because of the name of the property (a family member lives in just such!) but the wording made me suspicious - binned it!!
Thank you for your very useful comments!
Just seen an article on the BBC news website about malicious Microsoft Office documents being used to steal bank details and realized this email could potentially be linked to it.
Thought someone might be interested.
http://www.bbc.co.uk/news/technology-34527439