New Word malware: British Gas – A/c No. 602131633 – New Account


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “British Gas – A/c No. 602131633 – New Account”.

This email is sent from the spoofed address “trinity <trinity@topsource.co.uk>” and has the following body:

Hi ,

Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.

Thanks & Regards,
Pallavi Parvatkar

Trinity Restaurants Accounts Team | TopSource Global Solutions | 020 3002 6203
4th Floor | Marlborough House | 10 Earlham Street | London WC2H 9LN | www.topsource.co.uk
Disclaimer:
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. TopSource does not accept liability for any errors or omissions.

“SAVE PAPER – THINK BEFORE YOU PRINT!”

The attached file British Gas.doc is a Word file with a malicious macro.

The malware is detected as Macro.Trojan-Downloader.Agent.KF or heur.macro.download.cc by 2 of the 55 AV engines at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: d9aa3c139abf6da8365fc4328ae80f9c03bab41807ff352d271b0bc6c1f6abca

The macro will download the payload from the following host:

weddingme.net/786h8yh/87t5fv.exe

This seems to be an English variant of the previously reported malware campaign New Word malware in fake email “Lieferschein” from Textilreinigung Klaiber.

The executable 87t5fv.exe is detected as HW32.Packed.9634, QVM07.1.Malware.Gen or PE:Malware.RDM.13!5.13 [F] by 3 of the 54 AV engines at Virus Total.

Use Virus Total for more detailed information.
SHA256: fea8e081c2a162f1b8084691ae086ec1a9d78848bc805c574bb9a38dbf159641
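
The email indicators from this post (subject, sender, attachment name, document SHA256) applied to a raw message, as an added example that is not part of the original MX Lab post. The OLE/VBA byte heuristic, the function names and the sample message are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from this post.
SUBJECT_RE = re.compile(r"British Gas\s*[–-]\s*A/c No\.\s*\d+\s*[–-]\s*New Account", re.I)
SENDER = "trinity@topsource.co.uk"
ATTACHMENT = "british gas.doc"
DOC_SHA256 = "d9aa3c139abf6da8365fc4328ae80f9c03bab41807ff352d271b0bc6c1f6abca"

# Generic heuristics (assumptions, not from the post): OLE2 container magic and the
# UTF-16LE name of the stream that holds a VBA project in legacy .doc files.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage(raw: bytes) -> list[str]:
    """Return the names of the indicators that a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        hits.append("subject")
    if SENDER in str(msg["From"] or "").lower():
        hits.append("sender")  # weak on its own: the address is spoofed
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if (part.get_filename() or "").lower() == ATTACHMENT:
            hits.append("attachment_name")
        if hashlib.sha256(data).hexdigest() == DOC_SHA256:
            hits.append("sha256")
        if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
            hits.append("ole_with_vba")
    return hits


def build_sample() -> bytes:
    """Constructed, harmless message: magic bytes and a stream name, no macro code."""
    m = EmailMessage()
    m["From"] = "trinity <trinity@topsource.co.uk>"
    m["Subject"] = "British Gas – A/c No. 602131633 – New Account"
    m.set_content("Please refer to the attached invoice from British Gas.")
    m.add_attachment(OLE_MAGIC + b"\x00" * 16 + VBA_MARKER,
                     maintype="application", subtype="msword", filename="British Gas.doc")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The constructed attachment does not carry the campaign hash, so the `sha256` indicator stays silent while the header, filename and structural checks still fire.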
