New Word malware: Remittance advice from Sky Group: Account No. 914611


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Remittance advice from Sky Group: Account No. 914611” (number will vary with each email).

This email is sent from spoofed addresses and has the following body:

From: AccountsPayable-Ariba@sky.uk [mailto:AccountsPayable-Ariba@sky.uk]
Sent: 02 February 2016 23:14
To: Accounts Department
Subject: Remittance advice from Sky Group: Account No. 841479

PLEASE DO NOT RESPOND TO THIS EMAIL, THIS MAILBOX IS NOT MONITORED

Please find attached the payment advice from the Sky Group.

Please note that payments can take up to three days to clear into your bank account, dependent on payment method.

Should you need to contact Accounts Payable at SKY, contact details are below. Please note that we operate via a helpdesk system, once you have emailed the team, you will be advised of a unique Service Request (SR) number which will allow you to track updates on your request. Please respond directly to these emails to ensure all the information is attached to your query and we can assist you.

Office Hours are: Mon – Fri 8:30am – 5pm

Accounts Payable:
Email APhelpdesk@sky.uk or alternatively please telephone 0333 100 1212 and select option 4.

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky plc and Sky International AG and are used under licence. Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of Sky plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.

____________________ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, please notify the sender and delete all copies from your system. In addition, if you are not the intended recipient, you must not copy this email or attachment or disclose the contents to any other person. This footer also confirms that this e-mail message has been scanned for the presence of computer viruses. Any views expressed in this message are those of the individual sender, except where the sender specifies and with authority, states them to be the views of European Tour. Scanning of this message and addition of this footer is performed by Barracuda Spam Firewall in conjunction with virus detection software. European Tour Registered office: European Tour Building, Wentworth Drive, Virginia Water, Surrey, GU25 4LX Registered in England No. 1867610.

The attached file iRemittance_CoNo21311_AccNo830597_PaymentNo7929540.doc (the numbers in the filename will vary) is a Word document carrying a malicious macro.

The malware is detected as W97M/Dloader.A, Trojan-Downloader:W97M/Dridex.S, Macro.Trojan-Downloader.Donoff.AF, W2KM_DLOADR.BYX or Troj/DocDl-BC by 8 of the 55 AV engines at Virus Total.

See VirusTotal or Malwr for more detailed information.
SHA256: f96b9c3edb0b6378cdb64872893992def2966b6729b32c8377066f1f019d307f
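A defender-side triage check built from the indicators in this post, added here as an example and not part of the original MX Lab alert. The filename pattern, the OLE magic check and the UTF-16LE stream-name heuristic for macros are assumptions of the example, not analysis from the page; only the SHA256 and the sample filename come from the post.

```python
import hashlib
import re

# Indicators taken from the post: the published SHA256 of the attachment
# and the shape of its filename (the numbers vary per email).
KNOWN_SHA256 = {
    "f96b9c3edb0b6378cdb64872893992def2966b6729b32c8377066f1f019d307f",
}
FILENAME_PATTERN = re.compile(
    r"^iRemittance_CoNo\d+_AccNo\d+_PaymentNo\d+\.doc$", re.IGNORECASE
)

# OLE2 / Compound File Binary magic that every legacy .doc starts with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store stream names as UTF-16LE; legacy Office files
# with VBA carry streams such as "VBA" and "_VBA_PROJECT". This is a
# name-level heuristic (assumption), not a full OLE parser.
VBA_MARKERS = ("_VBA_PROJECT".encode("utf-16-le"), "VBA".encode("utf-16-le"))


def has_vba_markers(data: bytes) -> bool:
    """Heuristic: an OLE container whose directory mentions a VBA stream."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in VBA_MARKERS)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Run the checks a mail gateway or analyst would apply to one attachment."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "known_sample": digest in KNOWN_SHA256,
        "campaign_filename": bool(FILENAME_PATTERN.match(filename)),
        "ole_with_vba": has_vba_markers(data),
    }


def should_quarantine(result: dict) -> bool:
    """Quarantine on an exact IoC hit, or on the campaign filename plus a macro."""
    return result["known_sample"] or (
        result["campaign_filename"] and result["ole_with_vba"]
    )


# Constructed sample: not a real document, just an OLE header followed by a
# fake directory entry naming the _VBA_PROJECT stream.
SAMPLE_NAME = "iRemittance_CoNo21311_AccNo830597_PaymentNo7929540.doc"
SAMPLE_DATA = OLE_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le")

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_NAME, SAMPLE_DATA))
```

The constructed sample does not hash to the published SHA256, so it is flagged by the filename-plus-macro rule rather than by the exact indicator; a real gateway would feed the rules with the actual attachment bytes.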


2 thoughts on “New Word malware: Remittance advice from Sky Group: Account No. 914611”

  1. It is most likely associated with the Locky virus. It has been popping up via Word Doc macros recently, and this is most likely another change in the e-mail to throw users off.
