Invoice #00004232; From Timber Solutions ESale.xls macro malware.
Headers:
From: "Kes" {kerryadamson@bigpond.com}
Subject: Invoice #00004232; From Timber Solutions
Message Body:
Hi, please find attached our invoice for goods ordered under Order
No. 11146, which will be delivered tomorrow. Please pay into the
account, details of which are at the foot of the invoice. Kes
Attachment filename(s):
ESale.xls
Sha256 Hashes:
33b6af7a8c8b67214321bca81e8952a1f20b5668ccfd9d2366a41c8f879d5dee [1]
4a001abcd9d398526778b39165650e0a4338b464cfaac7cf7336c8ea292a5828 [2]
c1bf646fd00b4e82341c1f3f436d0584bc9ff65167f72e4691e91259de0af132 [3]
Malware Virus Scanner Report(s):
VirusTotal Report: [1] (detection 5/55)
VirusTotal Report: [2] (detection 5/55)
VirusTotal Report: [3] (detection 5/55)
Sanesecurity Signature detection:
badmacro.ndb: Sanesecurity.Badmacro.XlsM.003.
Important notes:
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.
Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe from this particular payload:
the auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows. The attachment itself should still be treated as malicious and deleted.
However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
These Word/Excel attachments normally try to download either...
Dridex banking trojan,
Shifu banking trojan
... both of which are designed to steal login information for your bank accounts, either by key logging, taking screenshots or copying information directly from your clipboard (copy/paste).
It's also worth remembering that the company itself may not have any knowledge of this email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.
These botnet emails normally have faked email headers/addresses. It's not advised to ring the company themselves, as there won't really be anything they can do to help you.
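As an added example (not code from this blog post), here is the kind of small offline triage script a mail-gateway or helpdesk engineer would run on an attachment like ESale.xls before anyone opens it: it hashes the file and compares the SHA256 with the three hashes listed above, and it checks whether the container carries a VBA project, both for the legacy OLE .xls format and for OOXML .xlsm/.docm zips. The sample files it builds are constructed stand-ins, not the real ESale.xls, and the OLE check is a raw scan for the UTF-16LE stream names a VBA project is stored under, a heuristic rather than a full compound-file parser.

```python
"""Offline triage of a mail attachment: SHA256 against the alert's hash list and
a check for an embedded VBA project.  Added example, not code from the blog post;
standard library only."""
import hashlib
import io
import zipfile

# The three SHA256 hashes the alert lists for ESale.xls.
KNOWN_BAD_SHA256 = {
    "33b6af7a8c8b67214321bca81e8952a1f20b5668ccfd9d2366a41c8f879d5dee",
    "4a001abcd9d398526778b39165650e0a4338b464cfaac7cf7336c8ea292a5828",
    "c1bf646fd00b4e82341c1f3f436d0584bc9ff65167f72e4691e91259de0af132",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .xlsm/.docm is a zip

# Directory entries in an OLE file store stream names as UTF-16LE; a VBA project
# always carries a "_VBA_PROJECT" stream (Excel names it "_VBA_PROJECT_CUR") and
# Word keeps it under a "Macros" storage.  Scanning the raw bytes for these names
# is a heuristic, not a directory parse.
VBA_STREAM_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_vba_macro(data: bytes) -> bool:
    """True if the container looks like it carries a VBA project."""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in VBA_STREAM_MARKERS)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # OOXML keeps the project in xl/vbaProject.bin or word/vbaProject.bin
                return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage(filename: str, data: bytes) -> dict:
    """Hash-match first (exact known-bad), then fall back to the macro heuristic."""
    digest = sha256_of(data)
    known_bad = digest in KNOWN_BAD_SHA256
    macro = has_vba_macro(data)
    if known_bad:
        verdict = "block"        # matches a hash from the alert
    elif macro:
        verdict = "quarantine"   # can run code; hold for analyst review
    else:
        verdict = "pass"
    return {"file": filename, "sha256": digest, "known_bad": known_bad,
            "has_macro": macro, "verdict": verdict}


# --- constructed sample inputs (stand-ins, not the real ESale.xls) ------------

def constructed_ole_with_macro() -> bytes:
    """OLE magic, a zero-filled header/FAT area, then a fake directory entry name."""
    return OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 64


def constructed_xlsm_with_macro() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def constructed_plain_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("ESale.xls (stand-in)", constructed_ole_with_macro()),
        ("invoice.xlsm (stand-in)", constructed_xlsm_with_macro()),
        ("clean.xlsx (stand-in)", constructed_plain_xlsx()),
    ]
    for name, blob in samples:
        print(triage(name, blob))
```

A hash match is only as good as the hash list, and this campaign has already been seen re-spun under a new subject line with the same spreadsheets, so the macro check is the part that keeps working when the file is re-built; it tells you the file can run code, not that it is malicious, which is why it quarantines rather than blocks. For real analysis of the macro body use a proper parser such as olevba from oletools rather than the byte scan above.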
Cheers,
Steve
11 comments:
I received 6 of these emails this morning - spread across 3 email addresses on my own domain. The attachment looks like just an ordinary spreadsheet file (rather than the obvious dodgy executable) so the temptation is there to just open it and have a look. Had it just been a single email I might have done so. Glad I decided to "google" it first and your blog was top of the list. The work people like you do to help and warn others online is appreciated. Thank you.
8 received here today as well. Obviously some serious numbers being sent out overnight
I also received one of these this am but I was using my Blackberry Q10 phone when, bleary eyed, I opened it! The spreadsheet is blank so obviously used as a vehicle to get the bug in. Q Will it affect my phone? I have deleted it on my Windows PC. Just shows the value of these blogs for putting the word out. Thanks very much.
I received this this morning, luckily I opened it on my iPad and not my PC. Hopefully this will be OK (now rejected as spam). thanks for your blog!
These have now changed into "Subject: Payment Notification "
They are using the same Excel spreadsheets which have the same URLs for the payload.
Payload URLs are:
hxxp://skredman.webz.cz/334g5j76/897i7uxqe.exe
hxxp://novyzeland2013.webzdarma.cz/334g5j76/897i7uxqe.exe
hxxp://advancedgroup.net.au/~incantin/334g5j76/897i7uxqe.exe
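The three payload URLs in the comment above share one download path across three hosts, which is the more durable thing to hunt for in proxy logs than any single host. As an added example (not code from the blog or the commenter), the script below refangs the hxxp URLs, derives the host set and the common trailing path, and runs both over a few constructed proxy log lines; the log format and the client addresses are made up for the demo.

```python
"""Turn the defanged payload URLs quoted in the comment into hunt indicators and
run them over proxy log lines.  Added example, not code from the blog or the
commenter; the log lines are constructed for the demo."""
import re
from urllib.parse import urlparse

# The three payload URLs as posted (defanged with hxxp).
DEFANGED_URLS = [
    "hxxp://skredman.webz.cz/334g5j76/897i7uxqe.exe",
    "hxxp://novyzeland2013.webzdarma.cz/334g5j76/897i7uxqe.exe",
    "hxxp://advancedgroup.net.au/~incantin/334g5j76/897i7uxqe.exe",
]


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp/hxxps, [.], (.)) so urlparse can read the URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def common_path_tail(paths):
    """Longest run of trailing path segments shared by every URL: the same
    download path reused across hosts is a stronger indicator than any one host."""
    reversed_segs = [[s for s in p.split("/") if s][::-1] for p in paths]
    tail = []
    for segs in zip(*reversed_segs):
        if len(set(segs)) != 1:
            break
        tail.append(segs[0])
    return "/".join(reversed(tail))


def indicators(defanged):
    """Host set plus the shared path tail, both taken from the posted URLs."""
    parsed = [urlparse(refang(u)) for u in defanged]
    hosts = {p.hostname for p in parsed}
    return hosts, common_path_tail([p.path for p in parsed])


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2015-01-01T08:12:01Z 10.1.2.33 GET http://www.example.com/index.html 200
2015-01-01T08:12:44Z 10.1.2.57 GET http://skredman.webz.cz/334g5j76/897i7uxqe.exe 200
2015-01-01T08:13:09Z 10.1.2.57 GET http://cdn.example.net/static/app.js 304
2015-01-01T08:15:30Z 10.1.2.91 GET http://other-host.example/x/334g5j76/897i7uxqe.exe 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def hunt(log_text: str, defanged=DEFANGED_URLS):
    """Return one hit per log line that touches a known host or the shared path."""
    hosts, tail = indicators(defanged)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that do not fit the format
        p = urlparse(m["url"])
        reasons = []
        if p.hostname in hosts:
            reasons.append("known host")
        if tail and p.path.endswith("/" + tail):
            reasons.append("payload path")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(hit)
```

The fourth log line is the interesting case: a host not in the posted list serving the same 334g5j76/897i7uxqe.exe path, which is exactly what you would expect when the botnet rotates hosting, and a host-only blocklist would miss it. Any client that appears in the hits has already run the macro and should be treated as compromised, not just cleaned of the spreadsheet.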
I have just got this and opened it as we had ordered wood locally! Opened on an iPad but it has Excel for Apple on it. What do I need to do? Now spammed it. Thanks sam
Thank you for posting this blog, didn't open the attachment and reported to spam having read your blog. Grateful.
The macro downloads an executable file which can only run on a Windows PC
Just received this email today. Thanks to this site I did not open it, even though the temptation was there since it just looked like a spreadsheet. Thanks Again!!
Thanks so much for posting this! You saved me a world of trouble.
Oh no! Opened this on my iPad, I'm such an idiot.
iPad virus scanners seem to be non existent too....