MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “British Gas – A/c No. 602131633 – New Account”.
This email is sent from the spoofed address “trinity <firstname.lastname@example.org>” and has the following body:
Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.
Thanks & Regards,
Trinity Restaurants Accounts Team | TopSource Global Solutions | 020 3002 6203
4th Floor | Marlborough House | 10 Earlham Street | London WC2H 9LN | www.topsource.co.uk
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system.
Internet communications cannot be guaranteed to be timely, secure, error or virus-free. TopSource does not accept liability for any errors or omissions.
“SAVE PAPER – THINK BEFORE YOU PRINT!”
The attached file British Gas.doc is a Word file with a malicious macro.
The malware is detected as Macro.Trojan-Downloader.Agent.KF or heur.macro.download.cc by 2 of the 55 AV engines at Virus Total.
Use VirusTotal or Malwr for more detailed information.
The macro will download the payload from the following host:
This seems to be an English variant of the previously reported malware campaign New Word malware in fake email “Lieferschein” from Textilreinigung Klaiber.
The executable 87t5fv.exe is detected as HW32.Packed.9634, QVM07.1.Malware.Gen or PE:Malware.RDM.13!5.13 [F] by 3 of the 54 AV engines at Virus Total.
Use VirusTotal for more detailed information.
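The campaign above relies on a macro inside an Office attachment to fetch the executable, so a mail gateway check for macro-bearing Office attachments catches this whole family regardless of subject line or sender. The following is an added example written for this post, not MX Lab's own tooling: it parses a raw message with Python's standard email module and flags attachments that carry a VBA project, either a legacy OLE .doc containing the "Macros" or "_VBA_PROJECT" storage (searched as UTF-16LE, the encoding OLE directory entries use, which is a heuristic rather than a full OLE parse) or an OOXML file containing a vbaProject.bin part. The sample message, sender, addresses and attachments are constructed for the demonstration; the .doc stand-in is just the OLE magic plus a storage name, not a real document.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OLE2 compound-file magic that every legacy .doc/.xls/.ppt begins with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage names Word uses for VBA projects. OLE directory entries store names
# as UTF-16LE, so search for the encoded form (heuristic, not a full OLE parse).
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]
OFFICE_EXTENSIONS = (".doc", ".dot", ".docm", ".docx", ".xls", ".xlsm", ".pptm")


def has_macro(data: bytes) -> bool:
    """Return True if the Office file bytes appear to carry a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: look for the macro storage names.
        return any(marker in data for marker in OLE_MACRO_MARKERS)
    if data.startswith(b"PK"):
        # OOXML (.docx/.docm/.xlsm/...): macros live in a vbaProject.bin part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def scan_message(raw: bytes) -> list:
    """Return the filenames of Office attachments that contain macros."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(OFFICE_EXTENSIONS):
            continue
        payload = part.get_payload(decode=True) or b""
        if has_macro(payload):
            findings.append(name)
    return findings


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container, optionally with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder content
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed message mimicking the campaign's shape (not the real sample)."""
    msg = EmailMessage()
    msg["From"] = "trinity <firstname.lastname@example.org>"  # spoofed display name
    msg["To"] = "accounts@example.net"  # constructed recipient
    msg["Subject"] = "British Gas - A/c No. 602131633 - New Account"
    msg.set_content("Please refer to the attached invoice from British Gas.")
    # Stand-in for a macro-bearing legacy .doc: OLE magic followed by the
    # UTF-16LE storage name "Macros". Not a valid document, enough for the check.
    fake_doc = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="British Gas.doc")
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="octet-stream", filename="clean.docx")
    return bytes(msg)


if __name__ == "__main__":
    print("macro attachments:", scan_message(build_sample_message()))
```

The extension filter is deliberately broad: the format check on the bytes is what matters, since the attacker controls the filename. A production gateway should replace the string heuristic for legacy OLE files with a real parser such as oletools' olevba, which also extracts the macro source for analysis.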