Monday, 9 November 2015

OUTSTANDING INVOICES Steve McDonnell

Description:


OUTSTANDING INVOICES Steve McDonnell Invoices001396,1406-11.2015.xls macro malware.

Headers:

From: "Steve McDonnell" {stevem@resimac.co.uk}
Subject: OUTSTANDING INVOICES

Message Body:

Dear,

Please find attached invoices 1396 & 1406 which are now outstanding.

I should be grateful if you would let me know when they are going to be paid.

Kind Regards
Steve McDonnell
Company Secretary

Resimac Ltd
Unit 11, Poplars Industrial Estate
Wetherby Road, Boroughbridge
North Yorkshire, YO51 9HS
UNITED KINGDOM
Tel: +44 (0) 1423 325073

Attachment filename(s):

Invoices001396,1406-11.2015.xls

Sha256 Hashes:


bdf5f53ade62928e5647a58cd1b0e54307c72f998a8e6ea32cf9b2c6a5374943 [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 3/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003.

Important notes:

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information regarding your bank accounts, either by key logging, taking screen shots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external bot net.

These bot-net emails normally have faked email headers/addresses. It's not advised to ring the company themselves, as there won't really be anything they can do to help you.
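As an added example (not Sanesecurity's code), the script below triages an inbound message the way the notes above suggest: it hashes each attachment against the SHA256 listed in this report and flags macro-capable Office attachments regardless of hash, so a quarantine rule does not depend on the sample already being known. The MIME message it builds is constructed for demonstration; its attachment is placeholder bytes, not the real sample.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# SHA256 of the attachment from this report (the only real indicator used here).
KNOWN_BAD_SHA256 = {
    "bdf5f53ade62928e5647a58cd1b0e54307c72f998a8e6ea32cf9b2c6a5374943",
}
# Attachment types the notes name as carrying macros (Word/Excel/XML/Docm).
MACRO_CAPABLE_EXT = (".xls", ".xlsm", ".doc", ".docm", ".xml")


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of attachment bytes, matching the format VirusTotal reports."""
    return hashlib.sha256(data).hexdigest()


def triage_message(raw: bytes, bad_hashes=KNOWN_BAD_SHA256) -> list:
    """Return one finding per attachment: filename, sha256 and the reasons to hold it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        digest = sha256_hex(data)
        reasons = []
        if digest in bad_hashes:
            reasons.append("sha256 matches reported sample")
        if name.lower().endswith(MACRO_CAPABLE_EXT):
            reasons.append("macro-capable Office attachment")
        findings.append({"filename": name, "sha256": digest, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed look-alike of the reported email; attachment bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"] = '"Steve McDonnell" <stevem@resimac.co.uk>'
    msg["Subject"] = "OUTSTANDING INVOICES"
    msg.set_content("Dear,\n\nPlease find attached invoices 1396 & 1406 which are now outstanding.\n")
    msg.add_attachment(b"PLACEHOLDER-NOT-THE-REAL-SAMPLE",
                       maintype="application", subtype="vnd.ms-excel",
                       filename="Invoices001396,1406-11.2015.xls")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Because the placeholder does not hash to the reported value, the sample is held on the extension rule alone; a real capture of the attachment would also trigger the hash match.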



Cheers,
Steve

22 comments:

Keith Barker-Main, London said...

Received these. Legit company by the looks of it, but did not open attachments.

Fred said...

I have just received an identical email to this one. Clearly malware.

Anonymous said...

Today's trash email just arrived and deleted.

karen ivey said...

Had the same email 5 times today! Fortunately don't like paying bills so didn't open!

karen ivey said...

Had the same email 5 times today.....didn't recognise the company so deleted with the attachments - it did look very professional though...

Anonymous said...

4 so far today to my .gov.uk email

LynX_01 said...

I've opened mine! I know stupid!
Does anyone know what I do now?

Anonymous said...

Same here. Received two of these emails apparently from Resimac Ltd with attached excel files. Didn't open them. Tried calling them to tip them off that this was happening but their line is permanently engaged - presumably lots of other people calling them to complain etc...

Anonymous said...

I have received 10 from this person (well, not him obviously) today alone, along with countless others the past week. If I don't recognise the person the email gets deleted. It is difficult as a business to know every client or supplier who may email you, but at the end of the day if I really did owe them money they would soon telephone.

Anonymous said...

Just received this email which seems to be targeting small business owners - forwarded to my anti virus people and deleted.

Anonymous said...

Snap and when you try to call the firm the phone is constantly engaged as above.

Robert Pearce said...

I received one today.

NOTE: it says "Dear". It's not personal in any way. If from a genuine company, it would have been personal.

Robert Pearce said...

Received one myself today.

You will note that the email is addressed to "Dear" - no name - that is a giveaway.

Anonymous said...

Yep, same here and as said above the 'phone is constantly engaged.

Anonymous said...

Here is the payload address hxxp://bbofilinc.com/~builder2012/87yte55/6t45eyv.exe
Check in process viewer if you have 6t45eyv.exe running, if so, end process.
Update antivirus signatures and scan.
DO NOT CALL THEM ON THE PHONE, THEY DID NOT SEND THIS.
These (and the ones before) are all being sent by organised criminals using a botnet.
They are not targeting 'small business users'. I received one in to my personal email and government organisations are getting these. They have a list with millions of email addresses and just keep pumping them out. There will no doubt be a new one tomorrow.


DavidH Leeds said...

from DavidH Leeds:
Received the email today November 9, and forwarded to ActionFraud.

Anonymous said...

I responded and let them know the invoices will be paid when the following occurs. Then I attached a link to a YouTube video of a monkey coming out of a guy's butt from Bruce Almighty.

Anonymous said...

It's not just businesses being targeted, my student daughter just got one... It's actually hilarious, they're not trying very hard, are they, what with the 'Dear' and the clumsy text. Still, it's easy to click on it if you're tired or just not paying enough attention. As for the company itself, they've now posted a warning.

Anonymous said...

Yes, it even got through to my NHS e-mail address!! I have had lots from various recently - some must have been opened (we hot desk in a GP surgery); I had over 3600 malware issues. Installed 'Malware' to action all - seems to have worked. Free s/ware demo for 28 days.

Anonymous said...

Hi, Unfortunately I have opened the excel file and enabled the macros. How can I check if I am infected? Thanks.

Anonymous said...

THIS IS NOT A COMPANY SENDING THE EMAILS
Look up spoof email on the internet.
This is an organised cybercrime ring sending emails to millions of email addresses using a botnet

YOU ARE JUST CONFOUNDING THE PROBLEM
DO NOT REPLY TO EMAILS OR PHONE THEM

READ THE ORIGINAL ARTICLE PEOPLE

Anonymous said...

Anonymous said:
> Hi, Unfortunately I have opened the excel file and enabled the macros. How can I
> check if I am infected? Thanks.

Read the comment from 9 November 2015 at 14:35
Yeesh!