Email “BP Fuel Card E-bill” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “BP Fuel Card E-bill 5307630 for Account B842155” (note that the ebill and account number will change).

The email is sent from the spoofed address “Fuel Card Services <adminbur-noreply@fuelcard-group.com>” and has the following body:

Please note that this message was sent from an unmonitored mailbox which is unable to accept replies. If you reply to this e-mail your request will not be actioned.

Please find your e-bill attached.

To manage you account online please click http://eservices.fuelcardservices.com

If you would like to order more fuel cards please click http://www.fuelcard-group.com/cardorder/bp-burnley.pdf

If you have any queries, please do not hesitate to contact us.

Regards

Cards Admin.
Fuel Card Services Ltd

T 01282 310701
F 0844 840 9839
Supplied according to our terms and conditions. (see http://www.fuelcardservices.com/ebill.pdf).

Please also note that if you cannot open this attachment and are using Outlook Express
to view your mail you should select Tools / Options / Security Tab and deselect the
option marked “Do not allow attachments to be opened that potentially may be a virus”.
All of our outgoing mail is fully virus scanned but we recommend this facility is

The attached ZIP file is named FuelCard-ebill2920753.PDF.zip and contains the 32 kB file FuelCard-ebill7640027.PDF.exe.
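The attachment relies on a double extension (a document-looking ".PDF" followed by ".exe") to pass as a bill. The following is an added example, not code from MX Lab, of how a mail filter could flag such archive members; the extension lists and function names are assumptions, and the sample archive is constructed with placeholder content.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for this example; tune them to local mail policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def deceptive_members(zip_bytes):
    """Return archive member names whose final extension is executable while
    the extension before it imitates a document type (e.g. name.PDF.exe)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the final path component matters; compare case-insensitively
            # and strip padding spaces placed between the two extensions.
            suffixes = [s.lower().strip()
                        for s in PurePosixPath(info.filename).suffixes]
            if (len(suffixes) >= 2
                    and suffixes[-1] in EXECUTABLE_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                hits.append(info.filename)
    return hits


def build_sample(member_names):
    """Build a constructed in-memory ZIP holding harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the member name reported above.
    sample = build_sample(["FuelCard-ebill7640027.PDF.exe",
                           "readme.txt", "docs/invoice.pdf"])
    print(deceptive_members(sample))
```

A hit is a reason to quarantine the message for review; legitimate senders rarely ship executables named like documents.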

The trojan is known as TR/Gamarue.EL.1, Trojan.Generic.KD.886611, Win32/TrojanDownloader.Wauchos.I, Trojan:W32/Agent.DUJL, Trojan-Ransom.Win32.Blocker.auzk, Trojan.Ransom.ED, Troj/Agent-AAHY.

At the time of writing, 19 of the 46 AV engines detected the trojan on VirusTotal.

Virus Total permalink and SHA256: 4670284ea406a60b2d53ac4dba2343cb5d6cb7986abe6ea9056ae3a5484a7793

2 thoughts on “Email “BP Fuel Card E-bill” contains trojan

    • The hyperlinks are safe in the email so I haven’t disabled the http request. The threat is attached as a zip file.
