Monday, 19 October 2015

Stephanie Greaves COS007202.doc Bombardier Transportation

Stephanie Greaves COS007202.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: "Stephanie Greaves" {sgreaves@btros.co.uk}
Subject: COS007202
Message Body:
Good morning,
Please see attached purchase order.


Kind regards,

Stephanie Greaves


Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD



Attachment:
COS007202.doc
Sha256 Hashes:
357807e192b591045f47e75eb8bf90ffd836334896975cead383459fabf05cf7 [1]
44805663bb4a9593cef0aa693f363dbd60ccf4ce50fe04ed9ce6e96f1ff57212 [2]
843fa344144221549eb5f11619601a5af465debf701d5ca8c65c0de997f1d3e5 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 3/56)
VirusTotal Report: [2] (detection 3/56)
VirusTotal Report: [3] (detection 3/56)

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.Doc.CreObj

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by keylogging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
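As an added example (not code from the original post or from Sanesecurity), a small Python check a mail gateway or analyst could run on a .doc attachment before anyone opens it: it parses the OLE2 directory of the legacy Word container and flags the storage names that only exist when a VBA project is embedded. The sample document is constructed inline; .docm/.xlsm files are zip containers and are not covered here.

```python
import struct

# Magic bytes of an OLE2 compound file, the container behind legacy .doc/.xls.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
END_OF_CHAIN = 0xFFFFFFFE
# Storage names present only with a VBA project (Word "Macros", Excel "_VBA_PROJECT_CUR").
MACRO_MARKERS = {"macros", "vba", "_vba_project_cur"}


def ole_entry_names(data):
    """Return the directory entry names of an OLE2 file, or None if not OLE2."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    # The header DIFAT lists the first 109 FAT sectors, enough for small documents.
    fat = b"".join(data[(s + 1) * sector_size:(s + 2) * sector_size]
                   for s in struct.unpack_from("<109I", data, 76) if s < 0xFFFFFFFA)
    names, sector, seen = [], first_dir, set()
    while sector < 0xFFFFFFFA and sector not in seen:  # walk the directory chain
        seen.add(sector)
        base = (sector + 1) * sector_size
        for i in range(sector_size // 128):  # 128-byte directory entries
            e = base + i * 128
            name_len = struct.unpack_from("<H", data, e + 64)[0]  # bytes incl. NUL
            if 2 <= name_len <= 64:
                names.append(data[e:e + name_len - 2].decode("utf-16-le"))
        pos = sector * 4
        sector = struct.unpack_from("<I", fat, pos)[0] if pos + 4 <= len(fat) else END_OF_CHAIN
    return names


def has_vba_macros(data):
    """True when the OLE2 directory contains a VBA project storage."""
    names = ole_entry_names(data)
    return names is not None and any(n.lower() in MACRO_MARKERS for n in names)


def build_sample_doc(with_macros):
    """Constructed minimal .doc-like container: FAT in sector 0, directory in sector 1."""
    def entry(name, kind):  # kind: 1 = storage, 2 = stream, 5 = root entry
        raw = name.encode("utf-16-le") + b"\x00\x00"
        return raw.ljust(64, b"\x00") + struct.pack("<HBB", len(raw), kind, 0) + b"\xFF" * 12 + b"\x00" * 48
    header = OLE_MAGIC + b"\x00" * 16 + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
    header += struct.pack("<9I", 0, 1, 1, 0, 4096, END_OF_CHAIN, 0, END_OF_CHAIN, 0)
    header += struct.pack("<109I", 0, *([0xFFFFFFFF] * 108))
    fat = struct.pack("<II", 0xFFFFFFFD, END_OF_CHAIN).ljust(512, b"\xFF")
    entries = [entry("Root Entry", 5), entry("WordDocument", 2)]
    if with_macros:
        entries += [entry("Macros", 1), entry("VBA", 1)]
    return header + fat + b"".join(entries).ljust(512, b"\x00")
```

A blank-looking document (as one commenter below describes) still shows "Macros"/"VBA" in its directory if a project is embedded, which is why this check looks at structure rather than visible content.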

Cheers,
Steve

5 comments:

Anonymous said...

So what happens if you open the file? And what can you do to clean the computer?

Anonymous said...

Would also like to know the best course of action, got duped by this today...

Anonymous said...

Don't open the attachment and delete the mail;
if you opened the attachment,
run virus scans:
A the one you have installed
B Panda house call or similar from McAfee or Symantec or any other well-known AV company

Anonymous said...

I was silly enough to open this on my iPhone! What do I do now? :(

Anonymous said...

I do some work for Bombardier and also got this mail, which I opened; it was a blank Word document, is this right? I've scanned and rescanned and can find nothing. Are these documents usually blank?