Wednesday, 18 March 2015

NWN Media Ltd Confirmation of Booking della.richards

An email with the subject "NWN Media Ltd Confirmation of Booking", apparently from della.richards, is being spammed out with a Word document attached.

These emails aren't from these companies at all; the company name is just being used to make the email look more genuine, i.e. as if it came from a real company.

Note

It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header:

From: "della.richards835@nwn.co.uk" {della.richards@nwn.co.uk}
Subject: Confirmation of Booking
Message Body:
This booking confirmation forms a binding contract between yourselves and NWN Media Ltd.
If you do not agree with any of the details above then please contact the named sales representative on the above number immediately.


Yours sincerely,

Della
NWN Media Ltd

Attachment:
NWN Confirmation Letter.doc

Sha256 Hashes:
9287de2ab48184af406cbf51d9e95a137a8071a5149f1640091b8557fe167702 [1]
75fd55da996bf800d3e6f517e1045bdf3f434768328bad344910a79fa81abead [2]
4e07444af5611b7f895fa1511e7ab4109d5f0041fda494a431d8f3950b4c0c59 [3]

Malware Macro document information:
VirusTotal Report [1] (Detection ratio 3 /57)
VirusTotal Report [2] (Detection ratio 3 /57)
VirusTotal Report [3] (Detection ratio 3 /57)

Malwr Report [1]
Malwr Report [2]
Malwr Report [3]

Hybrid Analysis Report [1]
Hybrid Analysis Report [2]
Hybrid Analysis Report [3]

Payload: [1] : http://deosiibude.de/js/bin.exe

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

25 comments:

Anonymous said...

Thanks for posting this. When I got the email I did a quick Google and the fact it was a real company really threw me off. Glad to know I should delete!

Anonymous said...

I have received one this morning.

Anonymous said...

Hi,
Just received the same email, so thanks for posting.
Jen

365Drills said...

I just got it to 365Drills so thanks for the warning. I will delete message. GOOD WORK

Anonymous said...

Looks like a lot of these are going out today.
Thanks for the warning.

Anonymous said...

Thanks for the quick work - not picked up by our spam filters, unusually, so I checked and found this page.

Anonymous said...

Yup, got one just a few minutes ago too so the perps are obviously doing a big mailshot today. SCUM...

Anonymous said...

One just arrived here, thank you for posting!

Anonymous said...

Got one of these today. We seem to be inundated by this type of email at the moment, none of which are being picked up by our virus/spam filters, so your warnings are much appreciated.

Anonymous said...

Me too.

Anonymous said...

Caught me off guard in the morning and I opened it (there were a few options from my email on how to open: view online, download etc., and I clicked view online). It came up with a blank page. Help please?!?

Currently running virus scans...

Steve Basford said...

If you have macros enabled on a Windows machine and opened the attachment, then it's worth running one of the AntiVirus scanners from the online scanner tab at the top of the blog.

If these find nothing, it's worth doing the same scan a few hours later again, as they will have updated their signatures.

Anonymous said...

Unthinkingly opened attachment on Android smartphone. Have free antivirus app which doesn't seem to have picked it up. Have Facebook and email open on phone, but I don't use phone for online banking. Risks? Suggestions?

Steve Basford said...

Hi.. no risks on Android or iPhone, only Windows.

Anonymous said...

Just received this email, didn't download the file but am on iPad anyway. Thanks!

Anonymous said...

Just got this one too! Appreciate the warning, great job.

Anonymous said...

Got it too. Spoke to NWN Media. They know they have been hacked and are acting.

Anonymous said...

Yup - got it today (18/3/15) as well. Googled and came to this site. Thanks for the warning - will delete.
Al

Anonymous said...

Yes, got it too, and thanks for spotting and posting.
Liz

Anonymous said...

I received this email this morning and opened it. I am using a MacBook and now I'm having problems getting into my emails. Any advice please? Have I been hacked?

Anonymous said...

Any idea of anyone that has a fix for infected machines yet please, Steve?

Eric Wafula said...

Thanks for posting this. I stupidly opened the attachment. How do I know whether my computer got infected? In case it is infected, what should I do to disinfect?

Anonymous said...

Try using an online virus scanner like http://www.bitdefender.co.uk/scanner/online/free.html

It will not infect a MacBook, so for the person with email issues, it has nothing to do with this.

Anonymous said...

Hi, just received the same email yesterday but only checked it now. Was feeling a bit suspicious and Googled it and found this web page. Thanks for the warning. Going to delete it now.

Anonymous said...

Many thanks.