Remittance Advice from Anglia Engineering Solutions Ltd [ID 4264G]


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Remittance Advice from Anglia Engineering Solutions Ltd [ID 4264G]”. This campaign has all the characteristics of the previous campaign, described in the post “Remittance Advice for 245.58 GBP” contains malicious XLS file.

This email is sent from spoofed addresses and has the following body:

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.

Kind regards
Krista Velazquez
Anglia Engineering Solutions Ltd
Tel: 01469 135823

This XLS, when opened, gives us the warning that it will use macros, and the XLS has three empty tabs with Russian or Cyrillic characters (see screenshot).

The attached file is named ID_4264G.xls (the number used in the subject and file name may vary) and uses macros to download a malicious binary that could infect your computer with a trojan.

The macro will download a binary from the following two places:

hxxp://217.174.240.46:8080/stat/lld.php
hxxp://187.33.2.211:8080/stat/lld.php

The trojan is known as Trojan.FakeMS.

This file is downloaded as test.exe and is installed to %TEMP%\LNUDTUFLKOJ.exe. Several Windows registry modifications are made, and connections are established with the following IPs:

194.146.136.1
84.92.26.50
87.106.246.201

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: c92200fd311abe6f1e8422781f3eefec7ef2791ab0f43e4552bd27488091da94
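The download URLs, the follow-up IPs, the dropped file name and the SHA256 above are the indicators a defender can actually sweep for. The script below is an added example (it is not MX Lab's tooling) that matches those indicators against proxy log lines and attachment names. The log lines are constructed, the Squid-style field layout (timestamp, elapsed, client, status, size, method, URL, …) is an assumption, and the third download URL comes from a reader comment on this post rather than from MX Lab's analysis.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicators from the MX Lab post (defanged "hxxp" restored to "http" so they
# compare equal to what a proxy logs). The 41.0.5.138 URL was reported by a
# commenter on the same post.
PAYLOAD_URLS = {
    "http://217.174.240.46:8080/stat/lld.php",
    "http://187.33.2.211:8080/stat/lld.php",
    "http://41.0.5.138:8080/stat/lld.php",
}
PAYLOAD_HOSTS = {urlsplit(u).hostname for u in PAYLOAD_URLS}
FOLLOWUP_IPS = {"194.146.136.1", "84.92.26.50", "87.106.246.201"}
PAYLOAD_SHA256 = "c92200fd311abe6f1e8422781f3eefec7ef2791ab0f43e4552bd27488091da94"
DROPPED_NAME = "LNUDTUFLKOJ.exe"
# The post notes the number in ID_4264G.xls varies, so match the shape, not the value.
ATTACHMENT_RE = re.compile(r"^ID_[0-9A-Z]+\.xls$", re.IGNORECASE)

# Constructed Squid-style access log (not real traffic): the first and third
# lines come from one internal host that fetched the dropper and then reached a
# follow-up IP; the fourth touches a payload server on a different path.
SAMPLE_PROXY_LOG = """\
1418000001.123 210 10.0.0.15 TCP_MISS/200 61234 GET http://217.174.240.46:8080/stat/lld.php - DIRECT/217.174.240.46 application/octet-stream
1418000002.456 35 10.0.0.22 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1418000003.789 12 10.0.0.15 TCP_TUNNEL/200 302 CONNECT 84.92.26.50:443 - DIRECT/84.92.26.50 -
1418000004.012 40 10.0.0.31 TCP_MISS/404 512 GET http://187.33.2.211:8080/stat/other.php - DIRECT/187.33.2.211 text/html
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # "payload_download", "payload_host_contact" or "followup_ip_contact"
    client: str     # internal host that made the request
    indicator: str  # the URL or IP that matched


def destination_host(method: str, url: str) -> str:
    """Host part of a proxied request; CONNECT targets are logged as bare host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def classify(method: str, url: str) -> Optional[Tuple[str, str]]:
    """Map one request to an indicator category, most specific first."""
    host = destination_host(method, url)
    if url in PAYLOAD_URLS:
        return "payload_download", url
    if host in PAYLOAD_HOSTS:
        return "payload_host_contact", host
    if host in FOLLOWUP_IPS:
        return "followup_ip_contact", host
    return None


def scan_proxy_log(log_text: str) -> List[Finding]:
    """Return one Finding per log line whose destination matches an indicator."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client, method, url = fields[2], fields[5], fields[6]
        hit = classify(method, url)
        if hit is not None:
            findings.append(Finding(hit[0], client, hit[1]))
    return findings


def affected_clients(findings: List[Finding]) -> Set[str]:
    """Internal hosts that need a closer look (%TEMP% for the dropped .exe, registry)."""
    return {f.client for f in findings}


def is_campaign_attachment(filename: str) -> bool:
    return ATTACHMENT_RE.match(filename) is not None


def matches_payload_hash(data: bytes) -> bool:
    """True if the bytes are the binary MX Lab analysed (compare by SHA256, not name)."""
    return hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for f in hits:
        print(f"{f.kind:22} client={f.client:12} indicator={f.indicator}")
    print("hosts to triage:", sorted(affected_clients(hits)))
```

A successful fetch of lld.php is the strongest signal; a later CONNECT or GET to one of the follow-up IPs from the same client is what distinguishes an executed macro from a blocked download, so the two categories are reported separately rather than merged.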

MX Lab recommends not opening the attached XLS and removing it from your mailbox. If you open XLS files from external sources, make sure that macros are disabled and only run macros from trusted authors.


16 thoughts on “Remittance Advice from Anglia Engineering Solutions Ltd [ID 4264G]”

  1. Hi,
    Yep, got one of these this morning, tried to contact Anglia Engineering Solutions to let them know but their web site and sales email are not functioning at present, can do nothing but harm to this British engineering firm.

    Here is the body of the message I received:
    Dear ,

    We are making a payment to you.

    Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

    If you have any questions regarding the remittance please contact us using the details below.

    Kind regards
    Juliana Olson
    Anglia Engineering Solutions Ltd
    Tel: 01469 735816

  2. Same here:

    Dear ,

    We are making a payment to you.

    Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

    If you have any questions regarding the remittance please contact us using the details below.

    Kind regards
    Rosalie Galloway
    Anglia Engineering Solutions Ltd
    Tel: 01469 862378

  3. Hi

    Just got the same, I am based in Mallorca so it is a worldwide virus. Thank goodness I checked on here first!

    Kind regards
    Francine Atkinson
    Anglia Engineering Solutions Ltd
    Tel: 01469 154358

  4. We’ve got hundreds of these in.
    Doesn’t matter who it says it came from or the email address, they’re randomly generated.
    My payload lives at hxxp://41.0.5.138:8080/stat/lld.php

  5. Oh and the Watkins campaign has just started up again. Hundreds more of those being rejected by our email firewall 🙂 That and we’re being bombarded by emails from fake .de addresses saying Your order/Payment Confirmation/Payment info/Order info/Order/Payment Status/Shipping Confirmation. All being quarantined because of the attachment (zip in a zip containing a .scr file)

  6. I opened the file. I am not a smart man.

    I downloaded it to my PC first as a zip. Scanned it, nothing. Extracted the .xls and then scanned this, nothing found. (Using avast)

    I then opened the .xls using OpenOffice calc. 3 blank pages, but no prompts about macros (at least not that I can remember :/). I then closed it and went about my day.

    How can I tell if I am infected? If I am, how can I fix the problem? I’ve unhooked my PC from the internet and I’m running a full scan now, but I don’t have faith in avast since it didn’t pick it up originally… I looked in l/local/temp directory and didn’t see the .exe mentioned in the post.

    Thanks for the help!

  7. Yesterday I received this:

    “Dear ,
    We are making a payment to you.
    Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
    If you have any questions regarding the remittance please contact us using the details below.
    Kind regards
    Reid Hurley
    Anglia Engineering Solutions Ltd
    Tel: 01469 872941”

    Of course I have not opened …
