Wednesday, 25 March 2015

Hitec Ltd Payment 1142 James Dudley

Hitec Ltd Payment 1142 James Dudley emails arrive with an attached Word document containing a macro.

These emails aren't from these companies at all; the company name is just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Message Header:
From: James Dudley {James.Dudley@hitec.co.uk}
Subject: Payment 1142
Message Body:
Payment sheet attached.

James

T    01353 624023
F    01353 624043

Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE


This message has been scanned for viruses and malicious content by Green Duck SpamLab

Attachment:
Payment 1142.doc
SHA256 Hashes:
e1494833e7b06f6d6a145103c741b786c3dce787a6ef423516471482d7001e63 [1]
b4470a74c07438336eee8450a839410971570aeb57334d19e7053a31c459d3a2 [2]
4ad0b509b232dc0fc1704552de614849f1ddc63dbd5c9f3cf9fc2490c6abcba8 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection Ratio: 2/57)
VirusTotal Report: [2] (Detection Ratio: 2/57)
VirusTotal Report: [3] (Detection Ratio: 2/57)

Malwr Report [1]
Malwr Report [2]
Malwr Report [3]

Hybrid Analysis Report [1]
Hybrid Analysis Report [2]
Hybrid Analysis Report [3]
Sanesecurity detects these as: Sanesecurity.Malware.24787.MacroHeurGen.Bp

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

23 comments:

Anonymous said...

Thanks for sharing! Just got one of this!

TMS said...

Ditto. Exact same email and content. Seem to be going through a spate of very similar emails with payments, invoices, receipts, whatever. All with .doc or .xls attachments

Anonymous said...

Here's the details:
Received: from [122.176.228.56] (helo=abts-north-dynamic-091.223.176.122.airtelbroadband.in)
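The Received line quoted in the comment above is the kind of evidence that gives these messages away: the mail claims to be from hitec.co.uk, but the first hop is a consumer broadband address. As an added example (not part of the original post or its comments), here is a small Python check that flags that mismatch; the sample headers are constructed from the values quoted on this page (angle brackets replace the blog's braces), and the legitimate-looking control case uses a documentation IP and an assumed hostname.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: From/Subject come from the post, the first Received
# line from the comment above; angle brackets replace the blog's braces.
SUSPECT_MAIL = """\
Received: from [122.176.228.56] (helo=abts-north-dynamic-091.223.176.122.airtelbroadband.in)
From: James Dudley <James.Dudley@hitec.co.uk>
Subject: Payment 1142
"""
# Control case (constructed, documentation IP): HELO sits under the sender's domain.
CONTROL_MAIL = """\
Received: from [203.0.113.10] (helo=mail.hitec.co.uk)
From: James Dudley <James.Dudley@hitec.co.uk>
Subject: Payment 1142
"""

RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\s*\(helo=(?P<helo>[^)\s]+)\)", re.I)
# Tokens typical of consumer/dynamic address pools, which a company MTA should not use.
DYNAMIC_HINTS = ("dynamic", "dyn", "dsl", "broadband", "cable", "pool", "ppp")

def sender_domain(msg):
    """Domain of the (easily forged) From: header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def first_hop(msg):
    """(ip, helo) of the earliest hop, i.e. the last Received header in list order."""
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[-1]) if received else None
    return (m.group("ip"), m.group("helo").lower()) if m else (None, None)

def check_origin(raw):
    """Return a list of reasons the first hop does not fit the claimed sender."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    ip, helo = first_hop(msg)
    if helo is None:
        return ["no parsable Received header"]
    findings = []
    if not (helo == domain or helo.endswith("." + domain)):
        findings.append(f"HELO {helo} ({ip}) is not under sender domain {domain}")
    if any(hint in helo for hint in DYNAMIC_HINTS):
        findings.append(f"HELO {helo} looks like a consumer/dynamic address pool")
    if re.search(r"\d{1,3}(?:[.-]\d{1,3}){3}", helo):
        findings.append("HELO name embeds an IP address (generic reverse DNS)")
    return findings
```

Run `check_origin(SUSPECT_MAIL)` to see all three anomalies reported, and `check_origin(CONTROL_MAIL)` returns an empty list.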

Anonymous said...

got one at 8.41, but always check here. big thanks

Anonymous said...

We've had the same email this morning.
Thanks for the heads up!

Anonymous said...

I've also received one, even though I didn't recognise the name I thought it could be genuine.

Anonymous said...

Me too! - exactly the same, thanks for the heads up!

Anonymous said...

Yep just got this, using anti-virus to scan for it and hopefully delete!

John Spray said...

Thanks. Have just received one, also another similar from
harrisongeorge@wdh.co.uk

All spammed and deleted unopened

Anonymous said...

Yes -many thanks - it's reached top of UK too - funny thing with these things, one deals with people called James and with companies trading as something else / or " MAKE PAYMENTS TO....another Name Co. "

So easy to get sucked in by these scammers

Andy Watts said...

Thanks for this just got it !!!! . Idiots

Anonymous said...

Thanks, your blog is v useful! Just got that message and thought I'd check online before opening the attachment, phew!

Anonymous said...

Likewise thanks for sharing....just got THREE!!!!

Sean Durrant said...

Yep - Still around at March 2015

peasantswife said...

Thank you - just got it.

Anonymous said...

Very useful, thanks Steve.

Anonymous said...

So as this is attempted theft (I was going to say fraud but it is theft) why aren't the police more interested?

Anonymous said...

Received today in our business account. I've grown suspicious of everything lately, so googled Payment 1142 and you popped up. Thanks for letting people know about this.

Anonymous said...

I got this today, was expecting a payment from an unknown company so didn't think anything of it. Saved attachment, ran antivirus which came up clean so I tried to open and couldn't. Am I in any danger? Running antivirus as we speak

Anonymous said...

Received today, thanks for this valuable information, saved a lot of hassle. I think the police should be doing something about this as they are using genuine addresses and phone numbers. This surely is fraud, using someone else's identity.

Anonymous said...

I got 3 on the 25th all in quick succession. Mind you, at least this spam/malware made an attempt to create a good looking e-mail; normally I get several a day through which contain a subject line and the attachment.

abigel ch said...

I am happy that I found your post while searching for informative posts. It is really informative and quality of the content is extraordinary.
Stock Trading Tips

Anonymous said...

Thanks for this - I got one too earlier this week