Mark Singleton PO99631 Gilkes Pumping Systems 99631 RBE.xls macro malware.
Headers:
From: Mark Singleton {m.singleton@gilkes.com}
Subject: PO99631
Message Body:
Please find PO99631 attached.
Kind Regards
Tel: +44 (0) 1539 720028
Fax: +44 (0) 1539 732110
Gilbert Gilkes & Gordon Ltd · Kendal · Cumbria · LA9 7BZ · United Kingdom
Registered Office: Gilbert Gilkes & Gordon Ltd. Kendal, Cumbria, LA9 7BZ
Registration No: 173768 England & Wales
Attachment filename(s):
99631 RBE.xls
Sha256 Hashes:
89f5ad1914f34c192f93d72db0e0f98befd5e55ee862e66ccc621dd0d0b61af9 [1]
7ed7feccd807e45bfb151d81f3e0848f8149f45ac8f4344298f07799791d2c28 [2]
dccf90597aac765c63d0de59b421664f303ff6347546343bd6a95425bd159c3f [3]
Malware Virus Scanner Report(s):
VirusTotal Report: [1] (detection 6/55)
VirusTotal Report: [2] (detection 6/55)
VirusTotal Report: [3] (detection 6/55)
Sanesecurity Signature detection:
badmacro.ndb: Sanesecurity.Badmacro.XlsM.003.
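For mail administrators who want to act on the indicators above, here is an added example (not code from this post or from Sanesecurity) that checks an incoming attachment against the three SHA256 hashes listed and, independently of the hash, flags legacy OLE files whose directory carries a VBA project storage. The OLE heuristic and the sample blobs are my own construction; the hashes are the ones given on this page.

```python
import hashlib

# SHA256 IoCs listed on this page for the "99631 RBE.xls" attachments.
KNOWN_BAD_SHA256 = {
    "89f5ad1914f34c192f93d72db0e0f98befd5e55ee862e66ccc621dd0d0b61af9",
    "7ed7feccd807e45bfb151d81f3e0848f8149f45ac8f4344298f07799791d2c28",
    "dccf90597aac765c63d0de59b421664f303ff6347546343bd6a95425bd159c3f",
}

# Magic bytes of an OLE2 compound file (the container behind legacy .xls/.doc).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Directory-entry names inside an OLE file are stored as UTF-16LE. Excel keeps
# its VBA project under "_VBA_PROJECT_CUR", Word under "Macros"; matching the
# encoded names is a cheap heuristic (assumption: good enough for triage,
# not a replacement for a real OLE parser such as oletools).
VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]

# Extensions that can carry VBA at all (assumption: the list a filter would use).
MACRO_CAPABLE_EXT = (".xls", ".xlsm", ".xlsb", ".doc", ".docm", ".dotm")


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the attachment bytes, comparable to the IoC list."""
    return hashlib.sha256(data).hexdigest()


def has_vba_markers(data: bytes) -> bool:
    """True if the bytes look like an OLE file whose directory names a VBA storage."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in VBA_MARKERS)


def assess_attachment(filename: str, data: bytes) -> dict:
    """Combine hash IoC match and structural macro check into one verdict."""
    digest = sha256_hex(data)
    verdict = {
        "filename": filename,
        "sha256": digest,
        "known_ioc": digest in KNOWN_BAD_SHA256,
        "macro_capable_ext": filename.lower().endswith(MACRO_CAPABLE_EXT),
        "vba_markers": has_vba_markers(data),
    }
    # Quarantine on a hash hit, or on any macro-bearing OLE file regardless of hash:
    # the post notes the same spreadsheets were reused, but new hashes appear daily.
    verdict["quarantine"] = verdict["known_ioc"] or verdict["vba_markers"]
    return verdict


# Constructed sample inputs (not real malware): an OLE header padded to one
# 512-byte sector followed by a UTF-16LE "_VBA_PROJECT_CUR" directory name,
# and a harmless PDF-looking blob.
SAMPLE_MACRO_XLS = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le")
SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("99631 RBE.xls", SAMPLE_MACRO_XLS), ("invoice.pdf", SAMPLE_CLEAN_PDF)):
        print(assess_attachment(name, blob))
```

Run against a real mailbox the same function would be fed the decoded attachment bytes from the MIME part; a file whose digest is in `KNOWN_BAD_SHA256` is a confirmed sample from this campaign, while a `vba_markers` hit on an unlisted file is the signal to hold the message for review even though no scanner has a signature yet.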
Important notes:
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.
Apple, Android and Blackberry mobiles/tablets that open these attachments will be safe.
The auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows.
However, if you are an Apple, Android or Blackberry user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
These Word/Excel attachments normally try to download either the Dridex banking trojan or the Shifu banking trojan, both of which are designed to steal login information for your bank accounts, either by key logging, taking screenshots or copying information directly from your clipboard (copy/paste).
It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.
These botnet emails normally have faked email headers/addresses.
It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.
Cheers,
Steve
18 comments:
Looks like they're using the same URLs for the payloads as the last one.
Maybe trying to get past people filtering on subject or sender.
Just had the same email come in, I'm getting a lot of messages, 2 a day, when I Google them it always brings me to your site where they have the same macros on them. Does this mean I'm being targeted?
Just got three in as well - scum!
No, you are not being targeted. The world is being targeted.
I suspect they buy email lists or trade them on the dark web,
then pump emails out each day with their latest strain of Dridex as the payload.
Someone should kill their command and control centre or find
a way to unzombie the botnet participants.
Microsoft ? Cisco ?
These types of emails are looking very genuine these days.
Thanks for putting this info up to confirm my suspicions.
Reused the same Excel spreadsheets in the second run! (same hashes)
That's just lazy!
comes up clean on Avira virus checker...
came up clean on Avira virus checker....
Just had this same email - the scary thing is that it looks so real.
On a positive note, it could be a potential customer lol
>came up clean on Avira virus checker....
What are you scanning ? The Excel spreadsheet ?
It's what the Excel spreadsheet downloads that is the problem (Dridex)
Their website looks an authentic website too - I thought the company may have been real and just hit with malware/virus, but it looks like the whole Gilkes company is fake and has been set up to try and authenticate their email.
Ditto to all the above, looks so real. Double checked first and came up with this site. Well done and thank you.
> Anonymous Anonymous said...
> just got three in as well - scum!
Just got 677 in :-) All rejected!
> Their website looks an authentic website too
The website is real.
The email is fake.
*sigh*
Please read *ALL* of the description, particularly where it says do not try to phone or email them and the part where it says it is from a botnet.
They are simply spoofing the sender address as being from m.singleton@gilkes.com
The email has nothing to do with the legitimate company.
They may as well have put your email in the sender address, then you would have received an email from yourself by your logic.
Thank you for your help! I have been tricked by this email and I have opened this up and enabled macros!!! But I am running a Mac with Microsoft Office 2011. Could I be infected or am I protected because of using a Mac? Your urgent advice is much appreciated! Many thanks!
Thanks! Double checked the mail address with Google and it popped out as scam mail. Quickly dump it. Can anyone stop the pumping system from sending the scam out?!
The downloaded executable only runs on Microsoft Windows.
You should be OK on a Mac.
Getting a lot of these types too .. but thanks to your heads-up I'm aware of each and every one of them. Thanks again.