Wednesday, 13 January 2016

JOHN RUSSELL Order 0046/033777 [Ref. MARKETHILL CHURCH]

Description:


JOHN RUSSELL Order 0046/033777 [Ref. MARKETHILL CHURCH] macro malware.

Headers:


From: JOHN RUSSELL {John.Russell@yesss.co.uk}
Subject: Order 0046/033777 [Ref. MARKETHILL CHURCH]

Message Body:

John Russell
Branch Manager

Yesss Electrical
44 Hilsborough Old Road

Lisburn
BT27 5EW

T: 02892 606 758
M:
07854362314
F:
02892 606 759
E: John.Russell@yesss.co.uk

Attachment filename(s):

Order 0046/033777 [Ref. MARKETHILL CHURCH].doc


Sha256 Hashes:


31417465fe166a9dcfcac7ff0d63c40dda49892792fd4d573be3b3aad945af3b [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 6/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Doc.httpobj
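The hash and the Sanesecurity signature above are what a mail gateway or an analyst would match on. The following Python script is an added example, not the blog's or Sanesecurity's own tooling: it parses a raw e-mail, hashes every attachment, compares each digest against the SHA256 listed in this alert, and flags legacy Office attachments whose bytes contain VBA storage names. The sample message, the shortened attachment filename and the synthetic attachment bytes are all constructed here; the macro-marker check is a crude heuristic (a real triage step would run olevba from oletools or ClamAV with the badmacro.ndb signature) and is labelled as such in the code.

```python
"""Added example (not the blog's own tooling): triage a raw e-mail by hashing
each attachment, matching it against the alert's SHA256 IoC, and flagging
Office attachments that carry crude VBA-macro indicators."""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# SHA256 of the malicious .doc, taken from the alert above.
KNOWN_BAD_SHA256 = {
    "31417465fe166a9dcfcac7ff0d63c40dda49892792fd4d573be3b3aad945af3b",
}

# Legacy OLE2 compound-document signature used by .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage/stream names that only appear when a VBA project is embedded.
# OLE directory names are stored as UTF-16LE, so both encodings are checked.
MACRO_MARKER_NAMES = ("_VBA_PROJECT", "Macros")
MACRO_MARKERS = tuple(n.encode("ascii") for n in MACRO_MARKER_NAMES) + tuple(
    n.encode("utf-16-le") for n in MACRO_MARKER_NAMES
)
# Attachment types named in the alert's "Am I Safe?" section.
OFFICE_EXTS = (".doc", ".docm", ".xls", ".xlsm", ".xml")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_macro_doc(data: bytes) -> bool:
    """Heuristic only: OLE container whose bytes mention a VBA storage name.
    A proper check parses the OLE directory (e.g. oletools' olevba)."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in MACRO_MARKERS)


def triage_message(raw: bytes) -> List[Dict]:
    """Return one finding per attachment: filename, sha256 and a list of flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        digest = sha256_hex(payload)
        flags = []
        if digest in KNOWN_BAD_SHA256:
            flags.append("known-bad-hash")
        if name.lower().endswith(OFFICE_EXTS) and looks_like_macro_doc(payload):
            flags.append("office-macro-indicator")
        findings.append({"filename": name, "sha256": digest, "flags": flags})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample shaped like the alert's e-mail. The attachment is
    synthetic (OLE header plus a VBA storage name), not the real malware, and
    the filename is shortened; its hash will therefore NOT match the IoC."""
    msg = EmailMessage()
    msg["From"] = "JOHN RUSSELL <John.Russell@yesss.co.uk>"
    msg["Subject"] = "Order 0046/033777 [Ref. MARKETHILL CHURCH]"
    msg.set_content("John Russell\nBranch Manager\nYesss Electrical\n")
    fake_doc = (
        OLE_MAGIC + b"\x00" * 504
        + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64
    )
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="Order_0046_033777.doc")
    # A harmless text attachment, to show that only Office files get flagged.
    msg.add_attachment("nothing to see here\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Run it against a saved `.eml` by replacing `build_sample_message()` with the file's bytes. A hit on `known-bad-hash` is a definite match on this campaign; `office-macro-indicator` alone only says the attachment carries a VBA project and should be sandboxed or scanned, not that it is this specific sample.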

Important notes:

Am I Safe?

The current round of Word/Excel/XML/Docm attachments are targeted at Windows and Microsoft Office users.

Apple (Mac/iPhone/iPad), Android and Blackberry mobiles/tablets that open these attachments will be safe. LibreOffice and OpenOffice users should also be safe, but do not enable macros if asked to by the attached file.

If you have macros disabled in Microsoft Word or Microsoft Excel, you should be safe but, again,
do not enable macros if asked to by the attached file.

However, if you are an Apple (Mac/iPhone/iPad), Android or Blackberry mobile/tablet user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal the login information for your bank accounts, either by
key logging, taking screenshots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Cheers,
Steve

2 comments:

Andrew Harris said...

Thank you for this. I received the e-mail but, according to Kaspersky and Malwarebytes, no damage has been done.

dave russell said...

The document contains a macro that will run in Word when you open the doc, so don't open the attachment. If you have, then it could be zero day and not be picked up by AV.