New Excel malware: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016”.

This email is sent from the spoofed address “Fuel Card Services <adminbur@fuelcardgroup.com>” and has the following body:

Please note that this message was sent from an unmonitored mailbox which
is unable to accept replies. If you reply to this e-mail your request
will not be actioned. If you require copy invoices, copy statements,
card ordering or card stopping please e-mail
support@fuelcardservices.com quoting your account number which can be
found in the e-mail below. If your query is sales related please e-mail
info@fuelcardservices.com.

E-billing

From: adminbur@fuelcardservices.com

Sent: Thu, 04 Feb 2016 04:29:24 -0700
To: [redacted]
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

Account: B216552

Please find your e-bill 0200442 for 31/01/2016 attached.

To manage you account online please click
http://eservices.fuelcardservices.com

If you would like to order more fuel cards please click
http://www.fuelcard-group.com/cardorder/bp-burnley.pdf

If you have any queries, please do not hesitate to contact us.

Regards

Cards Admin.
Fuel Card Services Ltd

T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com

Supplied according to our terms and conditions. (see
http://www.fuelcardservices.com/ebill.pdf).

The attached file ebill0200442.xls is an Excel file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d, X2KM_DRIDEX.AW or W97M/Downloader.awq by 4 of the 50 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 9f00071ae7f799e1c4dd6f4b7b0f3a5ec65697c8ec72eda50d114cb056b40445

Malware will be downloaded by the malicious macro from the following locations:

hxxp://www.trulygreen.net/43543r34r/843tf.exe
hxxp://www.mraguas.com/43543r34r/843tf.exe

The malware is detected as Uds.Dangerousobject.Multi!c, Artemis!BBA6C087E282, BehavesLike.Win32.Sality.dc, PE:Malware.Generic(Thunder)!1.A1C4 [F] or TSPY_DRIDEX.BYX by 7 of the 52 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 859614dd3d47190860bbcaca7f1998808f0c541dc5d17cc1a770a1ab4578bc6d

New Word malware: Invoice 9210


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice 9210”.

This email is sent from the spoofed address “Dawn Salter <dawn@mrswebsolutions.com>” and has the following body:

Good afternoon

I hope all is good with you.

Please see attached invoice 9210.

Kind regards
Dawn
Dawn Salter
Office Manager
Tel: +44 (0)1252 616000 / +44 (0)1252 622722
DDI: +44 (0)1252 916494
Web:  www.mrswebsolutions.com

1 Blue Prior Business Park, Church Crookham, Fleet, Hants, GU52 0RJ

The attached file 9210.DOC is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d or WM/TrojanDownloader.4D52!tr by 2 of the 53 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: d7cefbfcfc5af2529683b156f7afe5c88cac653009f9b30fd7663f9a27dabcc3

Malware will be downloaded by the malicious macro from the following locations:

hxxp://www.cityofdavidchurch.org/54t4f4f/7u65j5hg.exe
hxxp://www.hartrijders.com/54t4f4f/7u65j5hg.exe
hxxp://grudeal.com/54t4f4f/7u65j5hg.exe

The malware is detected as BehavesLike.Win32.PWSZbot.dc by 1 of the 53 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: aaf789d10a3e643d1f808e2a5de084461b1f0625e88d4e800e75043b1b8d9f0d

Outlook Web App phishing email with subject Email Migration


MX Lab, http://www.mxlab.eu, started to intercept a new phishing campaign by email with the subject “Email Migration” targeting users of Outlook Web App.

This email is sent from the spoofed address “Microsoft Online Exchange <exchange@outlook.com>” and has the following body:

We are upgrading our email system to Microsoft Outlook Webaccess 2015. This service creates more space and easy access to email. Please update your account by clicking on the link below and fill information for activation.

CLICK HERE
Inability to complete the information will render your account inactive.
Thank you.
IT Admin Desk.

Screenshot of the body:

The embedded URL leads in this case to hxxp://sayılıinşaat.com/.https/controlpanel.msoutlookonline.net/asp/MManager/Login.asp/CookieAuthdllGetLogoncurlZ2Fowareason0formdir1/index.php?umail=Y29udGFjdEBldXJvbmljcy5iZQ== and shows the following screen:

After completing the form, users are redirected to the official login web site of Office 365.

MX Lab recommends not using the URL when receiving this or a similar email. Upgrades to a system are always done on the server side and never require interaction from a user.

New Word malware: Gompels Healthcare Ltd Invoice


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Gompels Healthcare Ltd Invoice”.

This email is sent from the spoofed address “Gompels Healthcare ltd <salesledger@gompels.co.uk>” and has the following body:

Hello
Please see attached pdf file for your invoice
Thank you for your business

The attached file fax00375039.DOC is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d or virus.macos.gen.33 by 2 of the 53 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: adce8fddf3163cc79d7811ddb93408f60a95595f79d5ddadf7ca0da3e43244e7

Malware will be downloaded by the malicious macro from the following locations:

return-gaming.de/8h75f56f/34qwj9kk.exe
phaleshop.com/8h75f56f/34qwj9kk.exe
bolmgren.com/8h75f56f/34qwj9kk.exe

The malware is detected as UDS:DangerousObject.Multi.Generic by 1 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: ac424d8ef67dbb1ee98568f9a96376370ce0cf1f9d03403d928498a57c54abd9

New Word malware: Invoice / Credit Note Express Newspapers (S174900)


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice / Credit Note Express Newspapers (S174900)”.

This email is sent from the spoofed address “georgina.kyriacoumilner@express.co.uk” and has the following body:

Please find attached Invoice(s) / Credit Note(s) from Express Newspapers.

If you have any queries with it, or to request that future documents get sent to a different email address for processing, please contact:

hannah.johns@express.co.uk or telephone 020 8612 7149.

N.B. Please do not reply to this email address as it is not checked.

Kind Regards,

Express Newspapers
Finance Dept – 4th Floor,The Northern & Shell Building
Number 10 Lower Thames Street, London EC3R 6EN

****************************************************************************
Any views or opinions are solely those of the author and do not necessarily represent those of Express Newspapers

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this message please do not read, copy, use or disclose this communication and notify the sender immediately. It should be noted that any review, retransmission, dissemination or other use of, or taking action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. E-mail communications may be monitored.
****************************************************************************
EXN2006

The attached file S174900.DOC is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d by 1 of the 54 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: cd2d4f9df7bb98d6d30c9b302b5e2e0089d838c45f68dfa0bed0e4b7c98245b3

The Word macro will download the payload from the following locations:

www.helios.vn/98jh6d5/89hg56fd.exe
202.191.112.60/~n02022-1/98jh6d5/89hg56fd.exe
www.lassethoresen.com/98jh6d5/89hg56fd.exe

The malware is detected as UDS:DangerousObject.Multi.Generic by 1 of the 54 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 89c73c42e8cd8d20aac5878c4585b9be2ce12447d6b201d3bd1407142dd60bbf

New Word malware: Message from local network scanner


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Message from local network scanner”.

This email is sent from spoofed addresses and has no body text.

The attached file Scann16011310150.doc (filename may vary) is a Word file with a malicious macro.

The malware is detected as HEUR(high).VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN or heur.macro.download.cc by 4 of the 54 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: e87c827ea1bda3b3954ae9725b1f8343c18d563914311c477bfc2c279851d3b6

The Word macro will download the payload from the following locations:

www.willsweb.talktalk.net/786h5g4/9787g4fr4.exe

The malware is detected as Win32:Evo-gen [Susp], QVM20.1.Malware.Gen or PE:Malware.XPACK/RDM!5.1 [F] by 3 of the 55 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 944fe9e3e332c9399ce3954e4f00864552bf8b43f83f06dfa8b670529eaa0bc6

New Word malware: Order 0046/033777 [Ref. MARKETHILL CHURCH]


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Order 0046/033777 [Ref. MARKETHILL CHURCH]”.

This email is sent from the spoofed address “JOHN RUSSELL <John.Russell@yesss.co.uk>” and has the following body:

John Russell
Branch Manager

Yesss Electrical
44 Hilsborough Old Road
Lisburn
BT27 5EW

T: 02892 606 758
M: 07854362314
F: 02892 606 759
E: John.Russell@yesss.co.uk

EW Award winner 2015
Electrical Times Award winner 2014
EW Award winner 2014
YESSS gains all three BSI industry standards
Order a YESSS Book NOW!
Our YESSS motto
Visit the YESSS website
Visit the YESSS Facebook page
Visit the YESSS Twitter page
Visit the YESSS Youtube page
Visit the YESSS Linkedin page
Visit the YESSS Pinterest page

The attached file 033777 [Ref. MARKETHILL CHURCH].doc is a Word file with a malicious macro.

The malware is detected as LooksLike.Macro.Malware.gen!d1 (v), HEUR(high).VBA.Trojan or W97M/Downloader.auj by 6 of the 55 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: a6d258bec6ed045e79b9592aa2638452870e7f73ebacaf8adfca739aa413bac6

The Word macro will download the payload from the following locations:

amyzingbooks.com/l9k7hg4/b4387kfd.exe
webdesignoshawa.ca/l9k7hg4/b4387kfd.exe
powerstarthosting.com/l9k7hg4/b4387kfd.exe

The malware is detected as PE:Malware.Generic(Thunder)!1.A1C4 [F] or TSPY_DRIDEX.YYSQJ by 4 of the 55 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 37ccb1fc8c465f9ff028c172c2a424af61fd72322c91f9fe4c410225dec2c10d
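The macro-downloader campaigns above all fetch their payload from a URL with the same layout: one short directory of mixed letters and digits, then a mixed letter/digit .exe name (sometimes under a ~user directory). The following is an added example, not MX Lab's code, that turns the published indicators into an exact-match list plus a lower-confidence shape match and runs both over proxy log lines; the Squid-style log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

def refang(url):  # defanged ("hxxp") or scheme-less indicator -> (host, path)
    url = url.strip().replace("hxxp://", "http://").replace("hxxps://", "https://")
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path

# Payload URLs quoted in the MX Lab posts above, in their published form.
CAMPAIGN_URLS = [
    "hxxp://www.trulygreen.net/43543r34r/843tf.exe",
    "return-gaming.de/8h75f56f/34qwj9kk.exe",
    "202.191.112.60/~n02022-1/98jh6d5/89hg56fd.exe",
    "amyzingbooks.com/l9k7hg4/b4387kfd.exe",
]
KNOWN = {refang(u) for u in CAMPAIGN_URLS}

# Shape shared by every payload path above: optional ~user dir, a short mixed
# letter/digit directory, then a mixed letter/digit .exe name (low confidence).
MIXED = r"(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])"
PAYLOAD_PATH = re.compile(r"^(?:/~[\w-]+)?/" + MIXED + r"[a-z0-9]{6,10}/"
                          + MIXED + r"[a-z0-9]{4,10}\.exe$", re.IGNORECASE)

def classify(url):
    """'ioc-match' on an exact hit, 'pattern-match' on the shared shape, else 'clean'."""
    host, path = refang(url)
    if (host, path) in KNOWN:
        return "ioc-match"
    if PAYLOAD_PATH.match(path):
        return "pattern-match"
    return "clean"

def scan_proxy_log(lines):
    """Squid-style 'time client method url status' lines -> [(client, url, verdict)]."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "GET":
            continue
        verdict = classify(fields[3])
        if verdict != "clean":
            hits.append((fields[1], fields[3], verdict))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real proxy data
    "1454590164 10.0.0.12 GET http://www.trulygreen.net/43543r34r/843tf.exe 200",
    "1454590170 10.0.0.12 GET http://www.example.org/index.html 200",
    "1454590201 10.0.0.31 GET http://cdn.example.net/q8k2m7d/h77fd3k.exe 200",
]
```

A pattern-match on an unknown host is a lead to triage, not a verdict; the exact-match list is the only part that should drive automatic blocking.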
