New Excel malware: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016


MX Lab, http://www.mxlab.eu, has started intercepting a new malware distribution campaign by email with the subject “BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016”.

This email is sent from the spoofed address “Fuel Card Services” <adminbur@fuelcardgroup.com> and has the following body:

Please note that this message was sent from an unmonitored mailbox which
is unable to accept replies. If you reply to this e-mail your request
will not be actioned. If you require copy invoices, copy statements,
card ordering or card stopping please e-mail
support@fuelcardservices.com quoting your account number which can be
found in the e-mail below. If your query is sales related please e-mail
info@fuelcardservices.com.

E-billing

From: adminbur@fuelcardservices.com

Sent: Thu, 04 Feb 2016 04:29:24 -0700
To: [redacted]
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

Account: B216552

Please find your e-bill 0200442 for 31/01/2016 attached.

To manage you account online please click
http://eservices.fuelcardservices.com

If you would like to order more fuel cards please click
http://www.fuelcard-group.com/cardorder/bp-burnley.pdf

If you have any queries, please do not hesitate to contact us.

Regards

Cards Admin.
Fuel Card Services Ltd

T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com

Supplied according to our terms and conditions. (see
http://www.fuelcardservices.com/ebill.pdf).

The attached file ebill0200442.xls is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d, X2KM_DRIDEX.AW or W97M/Downloader.awq by 4 of the 50 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 9f00071ae7f799e1c4dd6f4b7b0f3a5ec65697c8ec72eda50d114cb056b40445

Malware will be downloaded by the malicious macro from the following locations:

hxxp://www.trulygreen.net/43543r34r/843tf.exe
hxxp://www.mraguas.com/43543r34r/843tf.exe

The malware is detected as Uds.Dangerousobject.Multi!c, Artemis!BBA6C087E282, BehavesLike.Win32.Sality.dc, PE:Malware.Generic(Thunder)!1.A1C4 [F] or TSPY_DRIDEX.BYX by 7 of the 52 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 859614dd3d47190860bbcaca7f1998808f0c541dc5d17cc1a770a1ab4578bc6d
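
The indicators in this report can be turned into a simple mail and proxy-log screen. The following is an added example, not MX Lab's own tooling: the function names, the generalised subject and attachment patterns (the report shows only one sample of each) and the proxy log format are assumptions, and the sample message and log lines are constructed.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the report above.
ATTACHMENT_SHA256 = "9f00071ae7f799e1c4dd6f4b7b0f3a5ec65697c8ec72eda50d114cb056b40445"
PAYLOAD_HOSTS = {"www.trulygreen.net", "www.mraguas.com"}
PAYLOAD_PATH = "/43543r34r/843tf.exe"
# Assumption: bill number, account and date vary per message; the report shows one sample.
SUBJECT_RE = re.compile(r"^BP Fuel Card E-bill \d+ for Account [A-Z]\d+ \d{2}/\d{2}/\d{4}$")
ATTACH_RE = re.compile(r"^ebill\d+\.xls$", re.IGNORECASE)

def score_message(raw):
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if ATTACH_RE.match(name):
            hits.append("attachment-name")
        if hashlib.sha256(data).hexdigest() == ATTACHMENT_SHA256:
            hits.append("attachment-sha256")
    return hits

def proxy_hits(log_lines):
    """Return lines (assumed format: client method host path status) fetching the payload."""
    hits = []
    for line in log_lines:
        f = line.split()
        if len(f) >= 4 and f[2].lower() in PAYLOAD_HOSTS and f[3] == PAYLOAD_PATH:
            hits.append(line)
    return hits

def build_sample():
    """Constructed message; the attachment bytes are harmless filler, not the real file."""
    m = EmailMessage()
    m["Subject"] = "BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016"
    m.set_content("Please find your e-bill 0200442 for 31/01/2016 attached.")
    m.add_attachment(b"constructed filler", maintype="application",
                     subtype="vnd.ms-excel", filename="ebill0200442.xls")
    return m.as_bytes()

# Constructed proxy log lines in the assumed format.
SAMPLE_LOG = ["10.0.0.5 GET www.mraguas.com /43543r34r/843tf.exe 200",
              "10.0.0.7 GET www.example.org /index.html 200"]
```

A hit on `attachment-sha256` is the only exact match; subject and file-name hits are pattern matches and should be treated as leads for review.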

2 thoughts on “New Excel malware: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016”

  1. I used my BP fuel card for the first time in over one two years and about one week later I get this spam email…more than a coincidence? My virus checker spotted it and quarantined it! (Feb 16)
