Email “Remittance Advice for 245.58 GBP” contains malicious XLS file


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Remittance Advice for 245.58 GBP” (amount and filename of attachment may vary).

This email is sent from spoofed addresses and has the following body:

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Molly Weber
Senior Accounts Payable Specialist
K J Watking & Co

The attached file is named BAC_6978393S.xls. When opened, this XLS triggers the warning that it contains macros, and the workbook itself shows three empty tabs with Russian or Cyrillic characters.

At the time of writing, none of the 51 AV engines at VirusTotal detected the trojan.

Use the VirusTotal permalink or the Malwr permalink for more detailed information.
SHA256: 367b3c188d2dc322c03de0204c66d4c7217a998c879c9ad471ba8e1f8db6a2c4.
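A mail-gateway style check built from the indicators in this post (the subject pattern, the BAC_*.xls attachment name, the lure text, and an OLE2 workbook that carries a VBA project), added here as an example and not MX Lab's own code. The sample message is constructed inline and the sender address is a placeholder; the VBA check is a heuristic that looks for OLE2 directory names rather than a full compound-file parser.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the post: subject pattern, BAC_*.xls attachment,
# and an OLE2 (.xls) attachment whose directory names a VBA project.
SUBJECT_RE = re.compile(r"^Remittance Advice for \d+\.\d{2} GBP$")
ATTACH_RE = re.compile(r"^BAC_\d+[A-Z]\.xls$", re.IGNORECASE)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names inside an OLE2 container are stored as UTF-16LE.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def xls_has_vba(data: bytes) -> bool:
    """Heuristic: OLE2 magic plus a VBA storage/stream name somewhere in the file."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)


def score_message(raw: bytes) -> list:
    """Return the campaign indicators that fire on one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject matches campaign pattern")
    body = msg.get_body(preferencelist=("plain",))
    if body and "remittance advice for recent BACS payment" in body.get_content():
        hits.append("body uses campaign lure text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits.append("attachment name %s matches BAC_*.xls" % name)
        if name.lower().endswith(".xls") and xls_has_vba(part.get_payload(decode=True)):
            hits.append("attachment %s is an OLE2 workbook with a VBA project" % name)
    return hits


def build_sample() -> bytes:
    """Constructed sample (not a real capture): the post's lure with a fake OLE2 blob."""
    fake_xls = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le")
    m = EmailMessage()
    m["From"] = "Molly Weber <spoofed@example.invalid>"  # placeholder sender
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Remittance Advice for 245.58 GBP"
    m.set_content("Please find attached a remittance advice for recent BACS payment.\n"
                  "Any queries please contact us.\n\nMolly Weber\n"
                  "Senior Accounts Payable Specialist\nK J Watking & Co\n")
    m.add_attachment(fake_xls, maintype="application", subtype="vnd.ms-excel",
                     filename="BAC_6978393S.xls")
    return m.as_bytes()


if __name__ == "__main__":
    for hit in score_message(build_sample()):
        print("INDICATOR:", hit)
```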

43 thoughts on “Email “Remittance Advice for 245.58 GBP” contains malicious XLS file”

  1. Just had a similar e-mail alladly from KJ Watking & Co ( no address ) and presumably no connection with KJ Watkin & Co ( no “g” at end ).
    This is headed “Remittance Advive for 871.39 GBP” and message reads :

    “Please find attached a remittance advice for recent BACS payment
    Any queries please contact us

    Hilda Mayo
    Senior Accounts Specialist
    K J Watking & co”

    There was no attachment, nor was there any link to click on.
    Without these, how could it infect any computer?
    Very strange.
    Have just run a Kaspersky “Quick check” which reported no problems.
    Now running a full check, but this will take an hour or so.

    • The amount in the title seems to be differing, the names also. My amount was 130.77 GBP, the name was Rickey Bass, Senior Accounts Payable Specialist. When I looked at the properties it suggests the e-mail is from (well, the return address is) erin0f23@ad.liu.se but that could have been spoofed, I don’t know. Needless to say I am not expecting a refund and there is not enough detail in the e-mail to make me think it’s legit, so I didn’t open the attachment. Received 8.59am (UK time) 5th December 2014

  2. Just received the exact same email from lina gibbs be wary. Where do they get our details from? This is beyond a joke. Had one similar purporting to be from tax office. Looks totally legitimate. Problem is it wasn’t. Tax office aware and say it is our responsibility to know these are scams/malicious emails etc. These are not always easy to spot. Great someone actually tells us when this happens. Pity sites like hotmail, gmail etc all the way to government sites do nothing other than make you aware these things happen. Why can’t they with their millions in revenue stop or filter these out then prosecute. We have enough on our plates, we shouldn’t have to become a computer genius just to go about your business safely online. And since everyone is doing their damnedest to make everything we do computerised, then they should sort out our safety first instead of expecting us to know about online threats that change daily and having to buy a new pc, and or change passwords. Just look at the notification we were given about ensuring we only went on sites with the lock in the address because that was shown to be a secure site… Not really secure are they? This didn’t happen with pen and paper. Worst you got was chainletters or written death threats from disturbed people. Guess what happened? These people were either ignored or arrested and we went about our daily lives with no real interruption or added costs. And we didn’t get blamed for being ignorant.

  3. Follow-up to previous e-mail
    Please excuse typos.
    Meant to say:
    in first line … e-mail ALLEGEDLY from ….
    in the third line …Remittance ADVICE for …

    Full Kaspersky virus scan now completed, and reported no problems.

  4. me too 05.12.2014

    From: Carlton Richards
    Reply-To: Carlton Richards
    Date: Friday, December 5, 2014 10:20 AM
    To: Janet Gruber
    Subject: Remittance Advice for 888.77 GBP

    Please find attached a remittance advice for recent BACS payment.

    Any queries please contact us.

    Carlton Richards
    Senior Accounts Payable Specialist
    K J Watking & Co
    This e-mail is solely for use by the intended recipient(s). Information contained in this e-mail and its attachments may be confidential, privileged or copyrighted. If you are not the intended recipient you are hereby formally notified that any use, copying, disclosure or distribution of the contents of this e-mail, in whole or in part, is prohibited. Also please notify immediately the sender by return e-mail and delete this e-mail from your system. Thank you for your co-operation.

  5. Several users have reported receiving same this morning. If there’s a harmful payload it’s not clear yet what it does. Any information on this would be handy as it bypassed Kaspersky and a few of our users have owned up to opening it.

    • The XLS contains one or more hidden macros. So, make sure that when Excel opens such files, it doesn’t run macros directly. Disabling macros in Excel is recommended, or only run macros from trusted authors (can be defined in MS Excel and OpenOffice environments).

  6. Received this email this morning to my work account, no idea where they got my email address, but I suppose it is an easy one to guess

    Please find attached a remittance advice for recent BACS payment.
    Any queries please contact us.

    Erin Crane
    Senior Accounts Payable Specialist
    K J Watking & Co

    email address is:

    Erin Crane

    File name: 692200Y.xls (253KB)

  7. We’ve had a bunch of these this morning. They got through our Barracuda email filter, however they are now being blocked so the definitions must have been updated. I’ve had several users open the Excel sheet and it just has 3 tabs with “funny” text on which must be in Russian as described. Our security on Excel is to disable all macros and notify the user which is the default when installing Office. The strange thing is there was no notification of a macro on the Excel sheet and nothing happened when opening the sheet. I’ve scanned this with MSE, Malwarebytes and via various online file scanners and it doesn’t find anything malicious. I’m hoping this was the dummy run with a standard Excel sheet before they tried again later on with the macro enabled sheet to infect us, but if anyone else has any other ideas then that would be very helpful!

  8. Anyone got any update on the possible payload in the Excel? has anyone actually confirmed what this does if no scanners are detecting malicious content???

  9. Possibly useful information:

    http://blog.dynamoo.com/2014/12/k-j-watking-co-fake-remittance-advice.html

    Quote:
    The Excel attachments have random names such as BAC_0577719P.xls or BAC_581969Q.xls. So far I have seen two versions of these, neither of which are detected as malicious by any vendors [1] [2].

    Each spreadsheet contains a different but similar malicious macro [1] [2] [pastebin] which then downloads a binary from the following locations:

    hxxp://79.137.227.123:8080/stat/lld.php
    hxxp://124.217.199.218:8080/stat/lld.php

    This file is downloaded as test.exe and is then moved to %TEMP%\EWSUVRXTBUU.exe. It has a VirusTotal detection rate of just 2/52. According to the Malwr report this then drops a DLL with another low detection rate which is identified as Dridex. The ThreatExpert report [pdf] indicates that the malware attempts to communicate with the following IPs:

    194.146.136.1 (PE “Filipets Igor Victorovych”, Ukraine)
    84.92.26.50 (PlusNet, UK)

    Recommended blocklist:
    194.146.136.1
    84.92.26.50
    79.137.227.123
    124.217.199.218

  10. Got this same email with virus. Here are the details of mine:

    From: Marc Long [mailto:Bonnie.f71f@data.advpolytech.com]
    Sent: Friday, December 5, 2014 3:14 AM
    To: me
    Subject: Remittance Advice for 265.29 GBP

    Please find attached a remittance advice for recent BACS payment.

    Any queries please contact us.

    Marc Long
    Senior Accounts Payable Specialist
    K J Watking & Co

  11. It appears one of the macros actually writes the others.

    It has a self-referential character set and writes this to the other macros in a certain order to produce the malicious code. This is why no virus guards are detecting it. Because it basically comes in as friendly code. Not even code, just a character set that opens in other macro sheets.

    It then protects the macros it creates and hey presto, the perfect trojan.

    That’s all I have at the moment.

    🙂

  12. Has anyone had experience of opening one of the .XLS files and it actually containing a macro? I was under the impression that all macro enabled Excel sheets need to be saved with the .xlsm file format? Some of my users have opened the .xls files and there was no warning of any macros which would normally happen if there were any form of macros in the sheet.

  13. I was meaning some of my users had opened the file before I sent out a warning NOT to open the file. I know myself not to open it but unfortunately not all my users are particularly I.T savvy.

  14. I work at K J Watkin & Co. We are aware of the Trojan emails today. They are nothing to do with our company. We would advise that you do not call the 0845 number quoted on the internet as this is not our number.

    We are investigating and will post if we have any further information.

  15. We’ve had some people open it here. I’ve tested it on a sheepdip machine; Excel 2010 first prompts you to enable editing then to enable macros before it actually does anything, so depending on your local settings/policies for Office just opening the file alone will not do any harm.

    You have to be a special kind of moron to accept the 2 security prompts to enable the macro.

    • “You have to be a special kind of moron to accept the 2 security prompts to enable the macro” – this made me chuckle. Unfortunately every user base has a few….

  16. My best guess is they are getting emails from our LinkedIn accounts. My email came from Elnora Cortez, Senior Accounts Payable Specialist, K J Watking & Co. Email address listed is: Deirdre.8c@doeba.com. Size of attachment is 253 KB. Message reads: Please find attached remittance advice for recent BACS payment. Any queries please contact us.

    These persons/entities spending time and effort to create harmful files need to be strung up in front of thousands.

  17. I had this email come through about 20 minutes ago I opened it in my iPhone. What shall I do please?
    Thanks

  18. If you want to play with the Excel spreadsheet, I’d suggest doing it on a sandboxed computer or a VM (Windows XP mode ?). First disable your network adapter(s), then open the Excel spreadsheet. It will try to connect and fail and you will get an error message. From there you can go into Macros, VBA editor, and play in obfuscation land. The things to look for or set breakpoints on are .createobject and .send
    The rest is just there to put you off.
    The latest ones are being password protected but you can get past that with AOPR (Advanced Office Password Recovery) and disabling VBA passwords.
    Usually these decode a URL, do an HTTP GET, save the received file in a user/temp folder and run the executable. A sensible thing for these files would be to contact a bot farm command & control centre, from where they can upload whatever they want to your computer.
    Never assume these things do nothing.

  19. I have received this on my Galaxy S5 today.
    Does anyone know if it affects android os?
    Thanks.

    Please find attached a remittance advice for recent BACS payment. Any queries please contact us.

    Sydney Abbott
    Senior Accounts Payable Specialist
    K J Watking & Co
    Tel: 01469 478342

  20. I had one this morning very similar to these, same supposed sender. It looks just like the many many remittance advices I receive from all over the place every day for work so I stupidly opened it. It had none of the usual spam indications.
    I’m hoping this above is right for me too
    “The strange thing is there was no notification of a macro on the excel sheet and nothing happened when opening the sheet. I’ve scanned this with MSE, Malwarebytes and via various online file scanners and it doesn’t find anything malicious. I’m hoping this was the dummy run with a standard excel sheet before they tried again later on with the macro enabled sheet to infect us, but if anyone else has any other ideas then that would be very helpful!”

    Similarly nothing seemed to happen when I opened it. I have deleted it but am now worried it did something and will take all my information and passwords. I am not knowledgeable enough to know how to go back to the last system restore and I would lose a lot of data if I did so, so am hoping it will be okay. I am doing a virus scan now but it seems most programmes don’t pick it up so that is no guarantee.

    • Hi Lydia,

      I’ve left it a few days and got a copy of the email we got from our SPAM filter. I opened the email but NOT the Excel sheet and MSE detected a virus in the Excel sheet through my Outlook.Content folder and deleted it for me. If I had opened that Excel sheet it must have run the macro. We got a lot of these emails so it might be the one I picked had the virus Excel sheet attached or probably more likely is that MS updated their definitions once they heard about the virus and now it detects it, whereas before it didn’t know what it was so presumed it was safe.

  21. Hi

    Are there anymore updates on this virus?

    I was working at the time and thought it was business related so opened it without paying attention grrrrr!!

    Did a full AVG Free scan and it picked nothing up (which is common from what I’ve been reading) so I’m running the Malwarebytes Anti-Malware scan and it’s picked up 24 objects so far!

    Gutted really, whilst I’m not an expert in IT, I like to think I’m fairly savvy……..or not so it seems!!

    Is there anything else I should do please?

    Thanks

  22. Hi

    I also have been affected and just about managed to stop them getting to bank accounts in the nick of time.
    How can I get rid of the Virus from my computer, as I am getting repeated pop ups informing me that malware is blocking?

  23. I received an email today from Bowen ( Alta.e71@ coast-connections.net).
    It shows 1 attachment. Download all as zip (24.7kb)
    3858223IY.xls (24.7kb) view online.
    Parts of this message have been blocked for your safety.
    Show content| I trust Alta.e71@ coast-connections.net. Always show content.
    Remittance details the payment of £411.72 made by BACSE.
    Like a fool I opened attachment which shows a blank xls spreadsheet with what looked like Russian figures at bottom of page.
    I use Word 2010 so should be in protected mode by default.
