Channel: virus
Viewing all 351 articles

New Word malware: 12/16 A Invoice from Araceli Garcia

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “12/16 A Invoice”.

This email is sent from the spoofed address “Araceli Garcia <GarciaAraceli911@latinbienes.com>” and has the following body:

Hi,
Please find attached a recharge invoice for your broadband.

Many thanks,
Araceli Garcia

The attached file invoice84576872.doc is a Word file with a malicious macro.

The malware is detected as CXmail/OleDl-A by 1 of the 56 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: b5aad3a01e99bcf07c671c7551c2bc2e3445964206cf8ca66ca2e3125128176f

The macro will download a malicious executable from hxxp://178.33.200.139/chicken/bacon.php.

The malware is detected as HW32.Packed.BC8B, UDS:DangerousObject.Multi.Generic or BehavesLike.Win32.Downloader.cc by 3 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: a92650e85ad41e246a59a1eeae52a8bd311e7a5a1b7bb7bcb84c4a0d9169b57d



New Word malware: Email from Transport for London

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Email from Transport for London”.

This email is sent from the spoofed address “noresponse@cclondon.com” and has the following body:

Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to
read or download this attachment.

If you require Adobe Acrobat Reader this is available at no cost from
the Adobe Website http://www.adobe.com

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

In our mail client, the email wasn’t parsed correctly and the MIME encoding was visible, making the attached file less accessible. The attachment is displayed as:

--=_5670F60323811420E10080000A82A3EC
Content-Disposition: attachment;
 filename="FR7000609906.DOC"
Content-Type: application/msword;
 name="FR7000609906.DOC"
Content-Transfer-Encoding: base64
Content-Description: FR7000609906.doc

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAB+AAAA////////////////////////////////
////////////////////////////////////////////////////////////////////////

Again, this is a malware campaign and the Word file contains a macro, so if your email reader does let you open the attached Word file, do not click on it and delete the email.
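As an added illustration (not code from the MX Lab post), the following Python script parses a MIME attachment part like the one displayed above, decodes the visible base64 prefix and checks whether the bytes are an OLE2 compound document, the container used by legacy .doc files that can carry VBA macros. The first sample is the part from the post with its header folding restored; the second sample, its boundary and its filename are constructed to show the mismatch check.

```python
import base64
import email
from email import policy

# Magic bytes of an OLE2 compound document: the binary container behind
# legacy .doc/.xls files, which is the format that can carry VBA macros.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Extensions and declared types whose normal container is OLE2.
LEGACY_OFFICE_EXT = (".doc", ".dot", ".xls", ".xlt", ".ppt")
OLE_CONTENT_TYPES = {
    "application/msword",
    "application/vnd.ms-excel",
    "application/vnd.ms-powerpoint",
}

# Sample 1: the MIME part as shown in the post, with the header continuation
# lines re-indented as RFC 5322 folding requires. Only the first base64 line
# of the body was visible, so only a prefix of the file can be decoded.
SAMPLE_PART = """--=_5670F60323811420E10080000A82A3EC
Content-Disposition: attachment;
\tfilename="FR7000609906.DOC"
Content-Type: application/msword;
\tname="FR7000609906.DOC"
Content-Transfer-Encoding: base64
Content-Description: FR7000609906.doc

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAIgAAAAAA
"""

# Sample 2 (constructed, not from the post): the same OLE2 bytes labelled as
# the PDF the lure text tells the reader to expect. The check must flag it.
MISLABELLED_PART = """--=_constructed_boundary
Content-Disposition: attachment;
\tfilename="correspondence.pdf"
Content-Type: application/pdf;
\tname="correspondence.pdf"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAIgAAAAAA
"""


def decode_base64_prefix(text):
    """Decode as much of a possibly truncated base64 body as is complete.

    Whitespace is dropped and the string is cut back to a multiple of four
    characters, so a cut-off final line cannot raise a padding error.
    """
    data = "".join(text.split())
    data = data[: len(data) - len(data) % 4]
    return base64.b64decode(data)


def analyse_part(raw_part):
    """Parse one MIME attachment part and compare what it claims to be
    (filename, Content-Type) with what the decoded bytes actually are."""
    lines = raw_part.strip().splitlines()
    # The boundary delimiter is not a header line; drop it before parsing.
    if lines and lines[0].startswith("--"):
        lines = lines[1:]
    msg = email.message_from_string("\n".join(lines) + "\n", policy=policy.default)

    filename = (msg.get_filename() or "").strip()
    content_type = msg.get_content_type()
    head = decode_base64_prefix(msg.get_payload())

    is_ole = head.startswith(OLE_MAGIC)
    legacy_ext = filename.lower().endswith(LEGACY_OFFICE_EXT)

    findings = []
    if is_ole:
        findings.append("ole2_container")          # macro-capable Office binary
    if legacy_ext:
        findings.append("legacy_office_extension")
    if is_ole and not legacy_ext:
        findings.append("extension_mismatch")      # bytes disagree with the name
    if is_ole and content_type not in OLE_CONTENT_TYPES:
        findings.append("content_type_mismatch")   # bytes disagree with the header

    return {
        "filename": filename,
        "content_type": content_type,
        "magic": head[:8].hex(),
        "findings": findings,
        "macro_capable": is_ole,
    }


if __name__ == "__main__":
    for part in (SAMPLE_PART, MISLABELLED_PART):
        print(analyse_part(part))
```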


Fake email from Intrum Justitia Nederland BV “Mededeling: Openstaande facturen”

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Mededeling: Openstaande facturen”.

This email is sent from the spoofed address “Intrum Justitia Incasso. <incasso@justitia.nl>” and has the following body (company names and amount may vary with each email):

Handled by : GymStudio NL
Direct tel. no. : 088 – 45271125

Dear info@*********.be,

In the attached invoice we refer you to the reminder(s) you received earlier. We hereby give you
the opportunity to pay the amount due of €105,75 plus interest within 12 days to
our IBAN account number in the name of St. Derdengelden Intrum Justitia Nederland B.V.,
quoting the reference number.

If payment is not made, we will be forced to advise our client to start
legal proceedings. The resulting costs will be entirely at your expense.
For direct payment and more information about this claim, go to our website http://www.intrum.nl
You can use the details stated on the invoice for this. You can also
contact us there with any other questions.

Yours faithfully,

Intrum Justitia

The extrajudicial collection costs may have been increased by VAT in the event that the creditor is a business
not liable for VAT within the meaning of art. 4 and 12 of the Wet op de omzetbelasting 1971

Intrum Justitia Nederland BV, trading under the name Intrum Justitia
P.O. Box 84096 25125 AB Den Haag H.R. Den Haag 271345125
VAT no. NL008487125B01 Member of NVI

WORK2093-

The attached file Factuur9008442.zip contains the 705 kB file Factuur9008442.pdf.exe.

The malware is detected as Gen:Variant.Zusy.173330, TR/Injector.701182, a variant of Win32/Injector.COOQ.

A full Virus Total report wasn’t available due to an error but we have more information on Malwr.
SHA256: 24ee08ed5ec955267077321deec7163906cfcc752eb6ebb36d6d396c51af10c9

Analysis shows that this trojan installs CTB-Locker ransomware, which will encrypt some files.


New Word malware: “Bestellung”

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Bestellung”.

This email is sent from the spoofed address “Krell, Jürgen <jkrell@berges.de>” and has the following body:

Kind regards
BERGES Antriebstechnik/Purchasing
p.p. Jürgen Krell
Head of Purchasing

Tel: +49 2264 17-145
Fax: +49 2264 17-144
E-Mail: jkrell@berges.de
——————————————–
BERGES Antriebstechnik GmbH & Co. KG
Industriestr. 13, 51709 Marienheide
Tel.: +49 2264 17 0, Fax: +49 2264 17 125
E-Mail: info_ban@berges.de
Internet: http://www.berges.de
——————————————————————————————————
VAT ID no.: DE122 546 223
Commercial register: Cologne registry court HRA 16990
General partner: BERGES Antriebstechnik GmbH
Commercial register: Cologne registry court HRB 38484
Managing directors: Dipl.-Kfm. Dietmar Sarstedt, Karl-Heinz Georg
—————————————————————————————————–

BERGES_Email_Abbinder_ISO

The attached file 13042092.doc is a Word file with a malicious macro.

The malware is detected as LooksLike.Macro.Malware.gen!d3 (v), Trojan:W97M/MaliciousMacro.GEN or Macro.Trojan-Downloader.Agent.KF by 5 of the 52 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: b1a2901812c8680dce41c13e6c6b98997af0e4f9140064792cdefdee1b41e080

The macro will download more files from hxxp://simplyslim.com.sg/87tf6d45/90u7f65d.exe

The malware is detected as W32/Agent.XL.gen!Eldorado, HEUR/QVM10.1.Malware.Gen or UDS:DangerousObject.Multi.Generic by 4 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: 932f595f1ccce5b48218613348357f190a6efc0e4931d9b40bb4f4473ff9367c


New Word malware in fake email “Lieferschein” from Textilreinigung Klaiber

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Lieferschein”.

This email is sent from the spoofed address “Textilreinigung Klaiber <lieferschein@textilreinigung-klaiber.de>” and has the following body:

Dear Sir or Madam,

please find attached, as requested, the current delivery note.

If you have any questions, we will be happy to help.

Kind regards

Textilreinigung Klaiber
Gewerbestrasse 39
78054 VS – Schwenningen
Phone 07720 / 33238
Fax 07720 / 33641
service@textilreinigung-klaiber.de

The attached file 11815–113686.doc is a Word file with a malicious macro.

The malware is detected as Macro.Trojan-Downloader.Agent.KF by 1 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: a6ba0b22cdd4b44501bd74fcc15aad4683d0fe7ce3175bb37ce5260a2a665179

The macro will download the payload from the following location:

198.12.153.134/~webfrecuencia/786h8yh/87t5fv.exe

The executable 87t5fv.exe is detected as HW32.Packed.9634, QVM07.1.Malware.Gen or PE:Malware.RDM.13!5.13 [F] by 3 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: ea38ea05084135bf6852bd2473c045a5944e4758e023d1d7d47a380ab8d7d9ed


New Word malware: British Gas – A/c No. 602131633 – New Account

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “British Gas – A/c No. 602131633 – New Account”.

This email is sent from the spoofed address “trinity <trinity@topsource.co.uk>” and has the following body:

Hi ,

Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.

Thanks & Regards,
Pallavi Parvatkar

Trinity Restaurants Accounts Team | TopSource Global Solutions | 020 3002 6203
4th Floor | Marlborough House | 10 Earlham Street | London WC2H 9LN | www.topsource.co.uk
Disclaimer:
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. TopSource does not accept liability for any errors or omissions.

“SAVE PAPER – THINK BEFORE YOU PRINT!”

The attached file British Gas.doc is a Word file with a malicious macro.

The malware is detected as Macro.Trojan-Downloader.Agent.KF or heur.macro.download.cc by 2 of the 55 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: d9aa3c139abf6da8365fc4328ae80f9c03bab41807ff352d271b0bc6c1f6abca

The macro will download the payload from the following host:

weddingme.net/786h8yh/87t5fv.exe

This seems to be an English variant of the previously reported malware campaign New Word malware in fake email “Lieferschein” from Textilreinigung Klaiber.

The executable 87t5fv.exe is detected as HW32.Packed.9634, QVM07.1.Malware.Gen or PE:Malware.RDM.13!5.13 [F] by 3 of the 54 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: fea8e081c2a162f1b8084691ae086ec1a9d78848bc805c574bb9a38dbf159641


New Word malware: CWIH8974 PAYMENT RECEIVED

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “CWIH8974 PAYMENT RECEIVED”.

This email is sent from the spoofed address “Avril Sparrowhawk <Avril.Sparrowhawk@lescaves.co.uk>” and has the following body:

Good afternoon

Thanks very much for your payment we recently from you, however there was a missed invoice. Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?

I have attached the invoice for your reference.

Kind regards
Avril

Avril Sparrowhawk
Credit Controller
Les Caves De Pyrene
Pew Corner
Old Portsmouth Road
Artington
Guildford
GU3 1LP

+44 (0)1483 554784
+44 (0)1483 455068

The attached file CWIH8974.doc is a Word file with a malicious macro.

The email is a variant of the previously reported campaign:

New Word malware: British Gas – A/c No. 602131633 – New Account


New Word malware: Rechnung 2015-18637 from mpsmobile GmbH

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Rechnung 2015-18637”.

This fake email is sent from the spoofed address “mpsmobile GmbH <info@mpsmobile.de>” and has the following body:

Dear Sir or Madam,

please find attached the document ‘Rechnung 2015-18637’ in DOC format. To view and print it, the DOC Reader is required. You can install the current version free of charge from the Internet.

Kind regards
mpsmobile Team

___________________________________

Dear Ladies and Gentlemen,

please find attached document ‘Rechnung 2015-18637’ in DOC format. To view and print these forms, you need the DOC Reader, which can be downloaded on the Internet free of charge.

Best regards
mpsmobile GmbH
mpsmobile GmbH
Brühlstrasse 42
88416 Ochsenhausen
Tel: +49 7352 923 23 0
Fax: +49 7352 923 23-29
Email: info@mpsmobile.de

Commercial register: Ulm local court HRB 727290
Registered office: Ochsenhausen
VAT ID no.: DE 281079008

This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorized copying and unauthorized forwarding of this e-mail are not permitted.

The attached file 19875_Rechnung_2015-18637_20151222.doc is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan, Macro.Trojan-Downloader.Agent.KF or heur.macro.download.cc by 3 of the 55 AV engines at Virus Total.

See Virus Total or HybridAnalysis for more detailed information.
SHA256: 6bb25dfb7dddda3652e0b42f6f4a4793fb74bdd752c85f19329c207d70a8adca

The payload is downloaded by the macro from one of the following hosts:

realcorretora.net/87tf65/987tr4d.exe
ezcontribution.net/87tf65/987tr4d.exe

The malware is detected by 0 of the 53 AV engines at Virus Total.

See Virus Total or HybridAnalysis for more detailed information.
SHA256: fdb1520c53f9a20e9c0fd7d139395f5247d728c1603b7f25db18e86fb8042f06



New Word malware: FW: Meridian (Acc. No. 10072180) – Professional Fee Invoice

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “FW: Meridian (Acc. No. 10072180) – Professional Fee Invoice”.

This email is sent from the spoofed address “Tamika Leblanc <LeblancTamika48874@rambock.org>” and has the following body:

Dear Sir/Madam,

Re: Meridian Professional Fees

Please find attached our fee note for services provided, which we trust meets with your approval.

Payment should be made to Meridian International VAT Consulting Ltd. within the agreed payment terms.

We look forward to your remittance in due course.

Yours sincerely
Tamika Leblanc
Financial CEO

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com ______________________________________________________________________
The information in this email and any attachments are the property of ALTAVIA or its affiliates and may contain proprietary and confidential information that is intended for the addressee(s) only. If you are not the intended recipient, please refrain from any disclosure, copying, distribution, retention or use of this information. You are hereby notified that such actions are prohibited and could be illegal. If you have received this e-mail in error, please immediately contact the sender and delete the e-mail. We appreciate your cooperation. Email transmissions being not guaranteed, ALTAVIA and its affiliates decline their liability due to this email transmission, specifically when altered, modified or falsified.
The information contained in this e-mail and any attached files is the property of ALTAVIA and/or its subsidiaries and may be confidential and private information addressed to its recipient only. If you are not the recipient of the message, please do not disclose, copy, distribute, retain or use this information. You are hereby notified that such actions are prohibited and may be illegal. If you have received this e-mail in error, please contact the sender immediately and destroy this e-mail. Thank you for your cooperation. As online correspondence is not an entirely secure medium, ALTAVIA and its subsidiaries decline all liability for this transmission, in particular if its content has been altered, distorted or falsified.

The attached file invoice10072180.doc is a Word file with a malicious macro.

The malware is detected as HEUR(high).VBA.Trojan or CXmail/OleDl-A by 2 of the 54 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 9168bea52ed22fbf46bb690c793fccdfec7c78998c983e10cbb4072e24138ff5

This email is a variant of the previous malware campaign New Word malware: UKSM Invoice 12959596.


Fake WhatsApp message with attached ZIP contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subjects like:

Du hast einen Videobeleg! obpmv
Il y a un message vidéo. vxam
Usted tuvo un documento auditivo cnhm

This email is sent from the spoofed address “WhatsApp <****@*****.***>” and has the following body:

WhatsApp

Pinned:
Annelore Kromer (07:05 AM)

WhatsApp

Attached:
Genest Rateau (05:59 AM)

WhatsApp

Attachment:
Francesca Mulet (10:52 PM)

Screenshot of one of the messages:

In one of our analyzed samples, the attached file jaylin58.zip contains the 360 kB file albinson.exe.

The from address, subject, email body and the filenames of the ZIP and the extracted file vary with each email. According to the subject, the email claims that a video is present.

The malware is detected as Trojan.Kazy.DBF9D5, W32/Nivdort.F.gen!Eldorado, Gen:Variant.Kazy.784853 (B), Trojan.Tinba.cbd, Hacktool ( 655367771 ) or Troj/Nivdort-CZ by 24 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: 91150983cf71175fba9169b4489a7f9bd2a0bd212b223119f62a74a6634d60ff


New Word malware: Order 0046/033777 [Ref. MARKETHILL CHURCH]

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Order 0046/033777 [Ref. MARKETHILL CHURCH]”.

This email is sent from the spoofed address “JOHN RUSSELL <John.Russell@yesss.co.uk>” and has the following body:

John Russell
Branch Manager

Yesss Electrical
44 Hilsborough Old Road
Lisburn
BT27 5EW

T: 02892 606 758
M: 07854362314
F: 02892 606 759
E: John.Russell@yesss.co.uk

EW Award winner 2015
Electrical Times Award winner 2014
EW Award winner 2014
YESSS gains all three BSI industry standards
Order a YESSS Book NOW!
Our YESSS motto
Visit the YESSS website
Visit the YESSS Facebook page
Visit the YESSS Twitter page
Visit the YESSS Youtube page
Visit the YESSS Linkedin page
Visit the YESSS Pinterest page

The attached file 033777 [Ref. MARKETHILL CHURCH].doc is a Word file with a malicious macro.

The malware is detected as LooksLike.Macro.Malware.gen!d1 (v), HEUR(high).VBA.Trojan or W97M/Downloader.auj by 6 of the 55 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: a6d258bec6ed045e79b9592aa2638452870e7f73ebacaf8adfca739aa413bac6

The Word macro will download the payload from the following locations:

amyzingbooks.com/l9k7hg4/b4387kfd.exe
webdesignoshawa.ca/l9k7hg4/b4387kfd.exe
powerstarthosting.com/l9k7hg4/b4387kfd.exe

The malware is detected as PE:Malware.Generic(Thunder)!1.A1C4 [F] or TSPY_DRIDEX.YYSQJ by 4 of the 55 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 37ccb1fc8c465f9ff028c172c2a424af61fd72322c91f9fe4c410225dec2c10d


New Word malware: Message from local network scanner

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Message from local network scanner”.

This email is sent from spoofed addresses and has no body text.

The attached file Scann16011310150.doc (filename may vary) is a Word file with a malicious macro.

The malware is detected as HEUR(high).VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN or heur.macro.download.cc by 4 of the 54 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: e87c827ea1bda3b3954ae9725b1f8343c18d563914311c477bfc2c279851d3b6

The Word macro will download the payload from the following location:

www.willsweb.talktalk.net/786h5g4/9787g4fr4.exe

The malware is detected as Win32:Evo-gen [Susp], QVM20.1.Malware.Gen or PE:Malware.XPACK/RDM!5.1 [F] by 3 of the 55 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 944fe9e3e332c9399ce3954e4f00864552bf8b43f83f06dfa8b670529eaa0bc6


New Word malware: Invoice / Credit Note Express Newspapers (S174900)

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice / Credit Note Express Newspapers (S174900)”.

This email is sent from the spoofed address “georgina.kyriacoumilner@express.co.uk” and has the following body:

Please find attached Invoice(s) / Credit Note(s) from Express Newspapers.

If you have any queries with it, or to request that future documents get sent to a different email address for processing, please contact:

hannah.johns@express.co.uk or telephone 020 8612 7149.

N.B. Please do not reply to this email address as it is not checked.

Kind Regards,

Express Newspapers
Finance Dept – 4th Floor,The Northern & Shell Building
Number 10 Lower Thames Street, London EC3R 6EN

****************************************************************************
Any views or opinions are solely those of the author and do not necessarily represent those of Express Newspapers

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this message please do not read, copy, use or disclose this communication and notify the sender immediately. It should be noted that any review, retransmission, dissemination or other use of, or taking action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. E-mail communications may be monitored.
****************************************************************************
EXN2006

The attached file S174900.DOC is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d by 1 of the 54 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: cd2d4f9df7bb98d6d30c9b302b5e2e0089d838c45f68dfa0bed0e4b7c98245b3

The Word macro will download the payload from the following locations:

www.helios.vn/98jh6d5/89hg56fd.exe
202.191.112.60/~n02022-1/98jh6d5/89hg56fd.exe
www.lassethoresen.com/98jh6d5/89hg56fd.exe

The malware is detected as UDS:DangerousObject.Multi.Generic by 1 of the 54 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 89c73c42e8cd8d20aac5878c4585b9be2ce12447d6b201d3bd1407142dd60bbf


New Word malware: Gompels Healthcare Ltd Invoice

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Gompels Healthcare Ltd Invoice”.

This email is sent from the spoofed address “Gompels Healthcare ltd <salesledger@gompels.co.uk>” and has the following body:

Hello
Please see attached pdf file for your invoice
Thank you for your business

The attached file fax00375039.DOC is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d or virus.macos.gen.33 by 2 of the 53 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: adce8fddf3163cc79d7811ddb93408f60a95595f79d5ddadf7ca0da3e43244e7

Malware will be downloaded by the malicious macro from the following locations:

return-gaming.de/8h75f56f/34qwj9kk.exe
phaleshop.com/8h75f56f/34qwj9kk.exe
bolmgren.com/8h75f56f/34qwj9kk.exe

The malware is detected as UDS:DangerousObject.Multi.Generic by 1 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: ac424d8ef67dbb1ee98568f9a96376370ce0cf1f9d03403d928498a57c54abd9


New Word malware: Invoice 9210

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice 9210”.

This email is sent from the spoofed address “Dawn Salter <dawn@mrswebsolutions.com>” and has the following body:

Good afternoon

I hope all is good with you.

Please see attached invoice 9210.

Kind regards
Dawn
Dawn Salter
Office Manager
Tel: +44 (0)1252 616000 / +44 (0)1252 622722
DDI: +44 (0)1252 916494
Web: www.mrswebsolutions.com

1 Blue Prior Business Park, Church Crookham, Fleet, Hants, GU52 0RJ

The attached file 9210.DOC is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d or WM/TrojanDownloader.4D52!tr by 2 of the 53 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: d7cefbfcfc5af2529683b156f7afe5c88cac653009f9b30fd7663f9a27dabcc3

Malware will be downloaded by the malicious macro from the following locations:

hxxp://www.cityofdavidchurch.org/54t4f4f/7u65j5hg.exe
hxxp://www.hartrijders.com/54t4f4f/7u65j5hg.exe
hxxp://grudeal.com/54t4f4f/7u65j5hg.exe

The malware is detected as BehavesLike.Win32.PWSZbot.dc by 1 of the 53 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: aaf789d10a3e643d1f808e2a5de084461b1f0625e88d4e800e75043b1b8d9f0d



New Excel malware: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016”.

This email is sent from the spoofed address “Fuel Card Services <adminbur@fuelcardgroup.com>” and has the following body:

Please note that this message was sent from an unmonitored mailbox which
is unable to accept replies. If you reply to this e-mail your request
will not be actioned. If you require copy invoices, copy statements,
card ordering or card stopping please e-mail
support@fuelcardservices.com quoting your account number which can be
found in the e-mail below. If your query is sales related please e-mail
info@fuelcardservices.com.

E-billing

From: adminbur@fuelcardservices.com

Sent: Thu, 04 Feb 2016 04:29:24 -0700
To: [redacted]
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

Account: B216552

Please find your e-bill 0200442 for 31/01/2016 attached.

To manage you account online please click
http://eservices.fuelcardservices.com

If you would like to order more fuel cards please click
http://www.fuelcard-group.com/cardorder/bp-burnley.pdf

If you have any queries, please do not hesitate to contact us.

Regards

Cards Admin.
Fuel Card Services Ltd

T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com

Supplied according to our terms and conditions. (see
http://www.fuelcardservices.com/ebill.pdf).

The attached file ebill0200442.xls is an Excel file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d, X2KM_DRIDEX.AW or W97M/Downloader.awq by 4 of the 50 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 9f00071ae7f799e1c4dd6f4b7b0f3a5ec65697c8ec72eda50d114cb056b40445

Malware will be downloaded by the malicious macro from the following locations:

hxxp://www.trulygreen.net/43543r34r/843tf.exe
hxxp://www.mraguas.com/43543r34r/843tf.exe

The malware is detected as Uds.Dangerousobject.Multi!c, Artemis!BBA6C087E282, BehavesLike.Win32.Sality.dc, PE:Malware.Generic(Thunder)!1.A1C4 [F] or TSPY_DRIDEX.BYX by 7 of the 52 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 859614dd3d47190860bbcaca7f1998808f0c541dc5d17cc1a770a1ab4578bc6d


Malicious script: Scanned file from Optivet Referrals

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Scanned file from Optivet Referrals”.

This email is sent from the spoofed address “Optivet Referrals <reception@optivet.com>” and has the following body:

Dear Sir/Madam

Please find attached a document from Optivet Referrals.

Yours faithfully

The Reception Team at Optivet.

Optivet Referrals Ltd. Company Reg. No. 06906314. Registered office: Calyx House, South Road, Taunton, Somerset. TA1 3DU
Optivet Referrals Ltd. may monitor email traffic data and also the content of email for the purposes of security and staff training.
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.

The attached file 25082070268891.tiff.js is a malicious script.

The malware is detected as HEUR.JS.Trojan.b, Troj/JSDldr-DN or JS_NEMUCOD.XYZZ by 4 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: d1ee98273bc70d5b06196bce99dff7cb30283daf38a271eed860da2418d7abba

The malicious script will download other malware from the following location:

hxxp://zuhr-kreativ.com/98876hg5/45gt454h

The malware is detected as UDS:DangerousObject.Multi.Generic, Win32/Trojan.Multi.daf or TSPY_DRIDEX.JDB by 3 of the 53 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: dd6c0c628e124462a843cd1308e25937636df4e4dc48e0d0a19e3b1455f57033


New Word malware: Invoice #47865

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice #47865” (numbers will change with each email).

This email is sent from spoofed addresses and has one of the following bodies (only a few samples are published below):

Hello,

Please find attached invoice #85666705 for your attention.

Regards,
Amelia Becker
Product Administrator
NOVA RESOURCES LTD

Hello,

Please find attached invoice #47865 for your attention.

Regards,
Bettye Swanson
Product Administrator
JARDINE LLOYD THOMPSON GROUP

Hello,

Please find attached invoice #16282 for your attention.

Regards,
Alexis Dorsey
Product Administrator
Firstsource

Hello,

Please find attached invoice #07485590 for your attention.

Regards,
Olive Vega
Product Administrator
ASOS

Hello,

Please find attached invoice #182 for your attention.

Regards,
Nannie Mullins
Product Administrator
ACTUAL EXPERIENCE PLC

Hello,

Please find attached invoice #790009 for your attention.

Regards,
Darius Stephenson
Product Administrator
SVG CAPITA

The attached file INVOICE-UK-UK0704-7382-JARDINE LLOYD THOMPSON GROUP.doc is a Word file with a malicious macro. Please note that the filename will change in accordance with the company name used in the email body.

The malware is detected as W97M/DLoader.A, Trojan-Downloader:W97M/Dridex.S, Trojan.Script.Agent.dowdin or CXmail/OleDl-A by 5 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: 78d1d34b14667a4aba12dccbd572f4b78cc1e59ad71517a683a4c5102496ebfa

The malicious file sanders.exe will be downloaded from the following host:

hxxp://apex.godreal.org/motoko/kusanagi.php

The malware is detected as UDS:DangerousObject.Multi.Generic or HEUR/QVM07.1.Malware.Gen by 2 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: f011157459b16a7847680243100dcb7e1749da72350629904826a10079c5ae11


New Word malware: Remittance advice from Sky Group: Account No. 914611

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Remittance advice from Sky Group: Account No. 914611” (number will vary with each email).

This email is sent from spoofed addresses and has the following body:

From: AccountsPayable-Ariba@sky.uk [mailto:AccountsPayable-Ariba@sky.uk]
Sent: 02 February 2016 23:14
To: Accounts Department
Subject: Remittance advice from Sky Group: Account No. 841479

PLEASE DO NOT RESPOND TO THIS EMAIL, THIS MAILBOX IS NOT MONITORED

Please find attached the payment advice from the Sky Group.

Please note that payments can take up to three days to clear into your bank account, dependent on payment method.

Should you need to contact Accounts Payable at SKY, contact details are below. Please note that we operate via a helpdesk system, once you have emailed the team, you will be advised of a unique Service Request (SR) number which will allow you to track updates on your request. Please respond directly to these emails to ensure all the information is attached to your query and we can assist you.

Office Hours are: Mon – Fri 8:30am – 5pm

Accounts Payable:
Email APhelpdesk@sky.uk or alternatively please telephone 0333 100 1212 and select option 4.

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky plc and Sky International AG and are used under licence. Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of Sky plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, please notify the sender and delete all copies from your system. In addition, if you are not the intended recipient, you must not copy this email or attachment or disclose the contents to any other person. This footer also confirms that this e-mail message has been scanned for the presence of computer viruses. Any views expressed in this message are those of the individual sender, except where the sender specifies and with authority, states them to be the views of European Tour. Scanning of this message and addition of this footer is performed by Barracuda Spam Firewall in conjunction with virus detection software. European Tour Registered office: European Tour Building, Wentworth Drive, Virginia Water, Surrey, GU25 4LX Registered in England No. 1867610.

The attached file iRemittance_CoNo21311_AccNo830597_PaymentNo7929540.doc (numbers in the filename will vary) is a Word file with a malicious macro.

The malware is detected as W97M/Dloader.A, Trojan-Downloader:W97M/Dridex.S, Macro.Trojan-Downloader.Donoff.AF, W2KM_DLOADR.BYX or Troj/DocDl-BC by 8 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: f96b9c3edb0b6378cdb64872893992def2966b6729b32c8377066f1f019d307f



New Excel malware: Your Sage Pay Invoice INV00318132


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Your Sage Pay Invoice INV00318132”. The message doesn’t originate from Sage Pay, the online payment system provider, but is a forgery with a malicious attachment.

This email is sent from the spoofed address “Sagepay EU <accounts@sagepay.com>” and has the following body:

Please find attached your invoice.

We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones. You should have already received an email that outlined the changes, however if you have any questions please contact accounts@sagepay.com or call 0845 111 44 55.

Kind regards

Sage Pay

The attached file INV00318132_V0072048_12312014.xls is an Excel file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d, VBA/TrojanDownloader.Agent.ASD, heur.macro.download.cc, X2KM_DRIDEX.AW or Troj/DocDl-AZU by 8 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 5ed7b6f362abbf470381d47282d58f58035cb60ae6a667c2709bd02ec68f6c36

The macro will download the payload from hxxp://www.phraseculte.fr/09u8h76f/65fg67n.

The malware is detected as UDS:DangerousObject.Multi.Generic, BehavesLike.Win32.PackedAP.ch or PE:Malware.Generic(Thunder)!1.A1C4 [F] by x of the 54 AV engines at Virus Total.

Use the Virus Total for more detailed information.
SHA256: f0f317116470f500a30e47fc3b4300e05609afa96d03f9ac311abf6dc29be9b2

