Thursday, 2 April 2015

Kayel Brewery Supplies Invoice Attached I32230.doc sales@kayel.co.uk

Emails purporting to come from Kayel Brewery Supplies (sales@kayel.co.uk), subject "Invoice Attached", are circulating with an attached Word document, I32230.doc, that contains a macro.

These emails aren't from these companies at all; the company name and address are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.


Message Header:
From: "Kayel Brewery Supplies" <sales@kayel.co.uk>
Subject: Invoice Attached
Message Body:
Dear Sirs ,

Many Thanks for order for Hydraulic Springs [ Invoice Attached ]

Payment has already been made by card .

Springs will be sent this week .

Many Thanks

Gary Laker

Attachment:
I32230.doc
Sha256 Hashes:
352a6804f3bdade9f620e33ed79c7340530ee3254a223d2061a8240c4443c624 [1]
7fef88dfa4fbdd7c5373aa88a4289790527c7098db94ea6f9de2b2cbc20ecb9d [2]
9e4f52260353f3bdaa1e44bf166ecb0bbd57b907f05df8fe2077204e2ca33a24 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection 2/57)
VirusTotal Report: [2] (Detection 2/57)
VirusTotal Report: [3] (Detection 2/57)

Malwr Report: [1]
Malwr Report: [2]
Malwr Report: [3]

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]


NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The file the macro auto-downloads is normally a Windows executable, so it will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking screenshots, or copying information from your clipboard (copy/paste)).
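As an added example (not code from the original post), the kind of offline triage a practitioner would run on a suspected attachment like I32230.doc before anyone opens it: hash the file and compare against the three SHA-256 indicators listed above, then check whether the file is a legacy OLE2 (.doc/.xls) container or an OOXML (.docm/.xlsm) zip that carries a VBA project. The OLE2 check is a cheap heuristic (VBA storage/stream names are stored as UTF-16LE in the compound-file directory, so a raw byte scan finds them without parsing the container); the sample byte strings below are constructed for the example and are not real documents. The function names and the marker list are my own assumptions, not anything from the post.

```python
"""
Offline triage for a suspected macro-laden Office attachment.
Added example; the KNOWN_BAD_SHA256 set is taken from the post, everything
else (function names, marker list, sample bytes) is this example's own.
"""
import hashlib

# SHA-256 hashes published in the post for I32230.doc.
KNOWN_BAD_SHA256 = {
    "352a6804f3bdade9f620e33ed79c7340530ee3254a223d2061a8240c4443c624",
    "7fef88dfa4fbdd7c5373aa88a4289790527c7098db94ea6f9de2b2cbc20ecb9d",
    "9e4f52260353f3bdaa1e44bf166ecb0bbd57b907f05df8fe2077204e2ca33a24",
}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file (legacy .doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docm/.xlsm) is a zip

# Directory entry names Word/Excel use for a VBA project inside an OLE2 file
# (assumed marker list; names are stored as UTF-16LE in the directory).
OLE2_VBA_NAMES = ("_VBA_PROJECT", "Macros")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_bad_hash(hexdigest: str) -> bool:
    return hexdigest.lower() in KNOWN_BAD_SHA256


def is_ole2(data: bytes) -> bool:
    return data.startswith(OLE2_MAGIC)


def is_ooxml(data: bytes) -> bool:
    return data.startswith(ZIP_MAGIC)


def find_vba_markers(data: bytes) -> list:
    """Return the VBA-related names found in the raw bytes (heuristic, not a parser)."""
    found = [name for name in OLE2_VBA_NAMES if name.encode("utf-16-le") in data]
    # OOXML stores the macro project as an ASCII-named zip member.
    if b"vbaProject.bin" in data:
        found.append("vbaProject.bin")
    return found


def triage(data: bytes) -> dict:
    """Collect evidence about one attachment and attach a verdict string."""
    digest = sha256_hex(data)
    result = {
        "sha256": digest,
        "known_bad": is_known_bad_hash(digest),
        "ole2": is_ole2(data),
        "ooxml": is_ooxml(data),
        "vba_markers": find_vba_markers(data),
    }
    if result["known_bad"]:
        result["verdict"] = "malicious: SHA-256 matches a published indicator"
    elif result["vba_markers"]:
        kind = "OLE2 .doc/.xls" if result["ole2"] else ("OOXML" if result["ooxml"] else "unknown container")
        result["verdict"] = "suspicious: %s carries a VBA project (%s)" % (kind, ", ".join(result["vba_markers"]))
    else:
        result["verdict"] = "no macro indicators found (not proof of safety)"
    return result


# Constructed sample inputs for the example; not real documents.
SAMPLE_DOC_WITH_MACRO = (
    OLE2_MAGIC + b"\x00" * 24
    + "Macros".encode("utf-16-le") + b"\x00" * 8
    + "_VBA_PROJECT".encode("utf-16-le")
)
SAMPLE_DOCM_WITH_MACRO = ZIP_MAGIC + b"\x00" * 16 + b"word/vbaProject.bin"
SAMPLE_CLEAN = b"Just a harmless text file, no OLE2 header, no VBA."


if __name__ == "__main__":
    for label, blob in (("doc", SAMPLE_DOC_WITH_MACRO),
                        ("docm", SAMPLE_DOCM_WITH_MACRO),
                        ("clean", SAMPLE_CLEAN)):
        r = triage(blob)
        print("%-5s %s  %s" % (label, r["sha256"][:16], r["verdict"]))
```

Run it against a real file with `triage(open(path, "rb").read())`. A hash match is conclusive only for the exact samples listed (the same campaign ships many re-packed variants with different hashes, which is why three are listed for one attachment), and the marker scan tells you a macro project is present, not what it does; a file that passes both checks still deserves a sandbox run before it is opened.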

Cheers,
Steve

3 comments:

Anonymous said...

Steve
I work for Kayel Brewery Supplies and can confirm we did not send this email. We have had over 36,000 undelivered mail bounce-backs today together with numerous calls.
Our emails are no longer coming through, as I think the quantity we have received has caused our mailbox to crash.
Who are the emails sent to? We have had calls from schools, hospitals and accountants, to name but a few. We even had a message from one of the breweries we supply to say that the message has been sent to all their pubs and their directors!! We don't have all these email addresses, so how are the email addresses generated?
This has caused a real problem. Any advice would be appreciated.
Many thanks
Mike Laker

Steve Basford said...

Hi Mike, your own email address was used to send out an email containing a virus. The email wasn't sent from you or your company servers, but from a huge botnet (hijacked PCs), and was sent out to totally random email addresses, most of which you won't ever have dealt with. You've done all you can really: put a notice on your website/social media explaining the situation and that your company was just an innocent bystander.

Anonymous said...

Hi Steve
Many thanks for your reply. We will continue to display a message on our website until the calls from concerned recipients end. We may even direct them to this page for more information.
Am I right in thinking that now this botnet has our email address, it is possible it might be used again in the future, or do they only use it once and then move on to the next innocent victim?
The reason for asking is, if it may be used again, should we change our email address?
Thanks again
Mike