OUTSTANDING INVOICES Steve McDonnell Invoices001396,1406-11.2015.xls macro malware.
Headers:
From: "Steve McDonnell" {stevem@resimac.co.uk}
Subject: OUTSTANDING INVOICES
Message Body:
Dear,
Please find attached invoices 1396 & 1406 which are now outstanding.
I should be grateful if you would let me know when they are going to be paid.
Kind Regards
Steve McDonnell
Company Secretary
Resimac Ltd
Unit 11, Poplars Industrial Estate
Wetherby Road, Boroughbridge
North Yorkshire, YO51 9HS
UNITED KINGDOM
Tel: +44 (0) 1423 325073
Attachment filename(s):
Invoices001396,1406-11.2015.xls
Sha256 Hashes:
bdf5f53ade62928e5647a58cd1b0e54307c72f998a8e6ea32cf9b2c6a5374943 [1]
Malware Virus Scanner Report(s):
VirusTotal Report: [1] (detection 3/55)
Sanesecurity Signature detection:
badmacro.ndb: Sanesecurity.Badmacro.XlsM.003.
Important notes:
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.
Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe:
the auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
These Word/Excel attachments normally try to download either...
Dridex banking trojan,
Shifu banking trojan
... both of which are designed to steal login information for your bank accounts, either by keylogging, taking screenshots or copying information directly from your clipboard (copy/paste).
It's also worth remembering that the company itself may not have any knowledge of this email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.
These botnet emails normally have faked email headers/addresses. It's not advised to ring the company themselves, as there won't really be anything they can do to help you.
Cheers,
Steve
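As an added example (this is not part of the original post and not the blog's own tooling), the following Python script turns the indicators listed above into a mail-triage check: the attachment's SHA256 as published above, the lure subject, the generic "Dear," salutation that several commenters single out, and a cheap check for an embedded VBA project in the attachment bytes. The VBA check relies on two format facts: OLE2 (legacy .xls/.doc) directory entries store stream names as uncompressed UTF-16LE, so the `_VBA_PROJECT` name is searchable in the raw file, and macro-enabled OOXML (.xlsm/.docm) keeps its macros in a ZIP part literally named `vbaProject.bin`, whose name sits uncompressed in the ZIP directory. The attachment bytes below are constructed stand-ins, not the real sample, so the hash-match path is exercised with the hash of constructed bytes rather than the published one.

```python
import hashlib
import os
import re

# Indicators taken from the post: the attachment's SHA256 and the lure subject.
KNOWN_BAD_SHA256 = {
    "bdf5f53ade62928e5647a58cd1b0e54307c72f998a8e6ea32cf9b2c6a5374943",
}
LURE_SUBJECTS = {"outstanding invoices"}

# Office formats that can carry a VBA macro (legacy OLE2 and macro-enabled OOXML).
MACRO_CAPABLE_EXT = {".xls", ".xlt", ".xlsm", ".xltm", ".doc", ".dot", ".docm", ".dotm", ".xml"}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store names as UTF-16LE; every VBA project has a
# "_VBA_PROJECT" stream, so its wide-string name is a cheap presence check.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# ZIP-based OOXML keeps macros in a part named vbaProject.bin; the name is
# stored uncompressed in the ZIP directory, so a byte search finds it.
OOXML_VBA_MARKER = b"vbaProject.bin"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_vba(data: bytes) -> bool:
    """Heuristic (string search, not a parse): does the file embed a VBA project?"""
    if data.startswith(OLE2_MAGIC):
        return VBA_MARKER in data
    if data.startswith(b"PK\x03\x04"):
        return OOXML_VBA_MARKER in data
    return False


def triage(msg: dict, known_hashes=KNOWN_BAD_SHA256) -> dict:
    """msg = {"subject": str, "body": str, "attachments": [(filename, bytes), ...]}
    Returns {"verdict": "block" | "suspicious" | "clean", "reasons": [...]}.
    Hard indicators (known hash, embedded VBA) block on their own; two or more
    soft indicators (lure subject, generic salutation, macro-capable extension)
    are enough to flag the message for a human."""
    hard, soft = [], []
    if msg["subject"].strip().lower() in LURE_SUBJECTS:
        soft.append("subject matches campaign lure")
    # "Dear," with no recipient name: a mass-mailed template, as the commenters note.
    if re.match(r"\s*dear\s*,", msg["body"], re.IGNORECASE):
        soft.append("generic salutation with no recipient name")
    for name, data in msg["attachments"]:
        ext = os.path.splitext(name)[1].lower()
        digest = sha256_hex(data)
        if digest in known_hashes:
            hard.append(f"{name}: sha256 matches known sample {digest[:12]}...")
        if ext in MACRO_CAPABLE_EXT:
            soft.append(f"{name}: macro-capable Office format")
            if has_vba(data):
                hard.append(f"{name}: embedded VBA project")
    if hard:
        verdict = "block"
    elif len(soft) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": hard + soft}


# Constructed stand-ins for attachment bytes (NOT the real sample): an OLE2
# header followed by a directory-style UTF-16LE stream name.
FAKE_XLS_WITH_MACRO = OLE2_MAGIC + b"\x00" * 64 + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 16
FAKE_XLS_NO_MACRO = OLE2_MAGIC + b"\x00" * 64 + "Workbook".encode("utf-16-le") + b"\x00" * 16

# Constructed messages: the lure from the post, and a plausible legitimate invoice.
SAMPLE_LURE = {
    "subject": "OUTSTANDING INVOICES",
    "body": "Dear,\nPlease find attached invoices 1396 & 1406 which are now outstanding.",
    "attachments": [("Invoices001396,1406-11.2015.xls", FAKE_XLS_WITH_MACRO)],
}
SAMPLE_LEGIT = {
    "subject": "Invoice 1396",
    "body": "Hi Alice,\nAttached is this month's invoice as agreed.",
    "attachments": [("invoice-1396.xls", FAKE_XLS_NO_MACRO)],
}

if __name__ == "__main__":
    for m in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(m["subject"], "->", triage(m))
```

The VBA check is deliberately a byte search rather than an OLE2/ZIP parse, which keeps it dependency-free but means it can be fooled by a file that is not a valid container; for a verdict you would act on, run the attachment through olevba from the oletools project, which actually parses the VBA project and decompresses the macro source.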
22 comments:
received these. legit company by the looks of it but did not open attachments
I have just received an identical email to this one. Clearly malware.
Today's trash email just arrived and deleted.
Had the same email 5 times today! Fortunately don't like paying bills so didn't open!
Had the same email 5 times today.....didn't recognise the company so deleted with the attachments - it did look very professional though...
4 so far today to my .gov.uk email
I've opened mine! I know stupid!
Does anyone know what I do now?
Same here. Received two of these emails apparently from Resimac Ltd with attached excel files. Didn't open them. Tried calling them to tip them off that this was happening but their line is permanently engaged - presumably lots of other people calling them to complain etc...
I have received 10 from this person (well, not him obviously) today alone, along with countless others the past week. If I don't recognise the person, the email gets deleted. It is difficult as a business to know every client or supplier who may email you, but at the end of the day, if I really did owe them money they would soon telephone.
Just received this email which seems to be targeting small business owners - forwarded to my anti virus people and deleted.
Snap and when you try to call the firm the phone is constantly engaged as above.
I received one today.
NOTE: it says "Dear," which is not personal in any way. If it were from a genuine company it would have been personal.
Received one myself today.
You will note that the email is addressed to "Dear" - no name - that is a giveaway.
Yep, same here and as said above the 'phone is constantly engaged.
Here is the payload address hxxp://bbofilinc.com/~builder2012/87yte55/6t45eyv.exe
Check in process viewer if you have 6t45eyv.exe running, if so, end process.
Update antivirus signatures and scan.
DO NOT CALL THEM ON THE PHONE, THEY DID NOT SEND THIS.
These (and the ones before) are all being sent by organised criminals using a botnet.
They are not targeting 'small business users'. I received one in to my personal email and government organisations are getting these. They have a list with millions of email addresses and just keep pumping them out. There will no doubt be a new one tomorrow.
from DavidH Leeds:
Received the email today November 9, and forwarded to ActionFraud.
I responded and let them know the invoices will be paid when the following occurs. Then I attached a link to Youtube video of a monkey coming out of a guys butt from Bruce Almighty.
It's not just businesses being targeted, my student daughter just got one... It's actually hilarious, they're not trying very hard, are they, what with the 'Dear' and the clumsy text. Still, it's easy to click on it if you're tired or just not paying enough attention. As for the company itself, they've now posted a warning.
Yes It even got through to my NHS e-mail address!! I have had lots from various recently - some must have been opened (we hot desk in a GP surgery) I had over 3600 malware issues. Installed 'Malware' to action all - seems to have worked. Free s/ware demo for 28 days.
Hi, Unfortunately I have opened the excel file and enabled the macros. How can I check if I am infected? Thanks.
THIS IS NOT A COMPANY SENDING THE EMAILS
Look up spoof email on the internet.
This is an organised cybercrime ring sending emails to millions of email addresses using a botnet
YOU ARE JUST CONFOUNDING THE PROBLEM
DO NOT REPLY TO EMAILS OR PHONE THEM
READ THE ORIGINAL ARTICLE PEOPLE
Anonymous said:
> Hi, Unfortunately I have opened the excel file and enabled the macros. How can I
> check if I am infected? Thanks.
Read the comment from 9 November 2015 at 14:35
Yeesh!