Friday, 30 October 2015

Clare Harding Purchase Order 0000035394 customer 09221 Purchase Order 0000035394.DOC

Description:


Clare Harding Purchase Order 0000035394 customer 09221 Purchase Order 0000035394.DOC macro malware.

Headers:

From: "Clare Harding"
Subject: Purchase Order 0000035394 customer 09221

Message Body:

Purchase Order 0000035394 to Alligata
Dear ,
Please find attached a copy of our order (reference 0000035394), your reference .
If you have any questions regarding the purchase order please contact us using the details below.

http://email.carterspackaging.com/signatures/carters_sig_70px.jpg
CLARE HARDING
Purchasing Manager
Carters Packaging Ltd, Packaging House, Wilson Way, Pool, Redruth, Cornwall, TR15 3RT
Fax: +44 (0) 1209 315 600
www.carterspackaging.com

Attachment filenames:

Purchase Order 0000035394.DOC

Sha256 Hashes:

23591022541ce84821f0cafe47ac2b819bf51689fb5eec86f677d1e661ee2659 [1]
155e4783714df49822e8b59978e1391ed25e781641277c71483bea7a8eac2b54 [2]
57e7eb6c8a742767101ed847d9697fc17cdbea9dc129b99aefe67276ad346957 [3]
b5fed55e96cd9bec63c7c68e3fd990eea7d36194d8c8c280a6fe10cf6268f564 [4]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)

Sanesecurity Signature detection:

badmacro.ndb: anesecurity.Badmacro.Wsc.New
phish.ndb: Sanesecurity.Malware.24819.MacroHeurGen.Hp

Important notes:

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe

The auto-downloaded/payloadis normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information regarding your bank accounts either by key logging, taking screen shots or copying information directly from your clipboard (copy/paste)


It's also worth remembering that the company itself  may not have any knowledge of this email and any link(s) or attachment in the email. normally won't have come from their servers or IT systems but from an external bot net.

These bot-net emails normally have faked email headers/addresses. It's not advised to ring the the company themselves, as there won't really be anything they can do to help you.



Cheers,
Steve

9 comments:

ATate said...

Thanks, looked dubious.

Anonymous said...

Good I doubted about this mail and decided to search on google.

thanks for conferming my suspicious

Anonymous said...

good I did not open it... thanks for help

GrumpyGit said...

I just got the self same one. Smelt phishy.

Anonymous said...

Hi guys, Carters Packaging here. Unfortunately we have had our email address used as part of a huge scam today. We are not responsible for the email message, and our servers are not sending out the email. We thank everyone for their patience and understanding in this headache of a day. We hate SPAM and feel for anyone else who has felt the brunt of this malicious type of attack.

Anonymous said...

Yet again I receive these. I am obviously on a list somewhere. How I wish these people could be caught.

Anonymous said...

I have just had the same e mail . Thanks for the warning .
CB

Anonymous said...

Just for IT to be aware of.

Originating IP is 103.39.242.106, which is an Indian located address.

You (Carters Packaging) should really set up SPF records. And maybe DKIM too.

Anonymous said...

Got two of these today. Zapped them!