
Monday, 12 October 2015

Malware spam: "Water Services Invoice" / "UUSCOTLAND@uuplc.co.uk"

(Note: an updated version of this spam run happened on 22nd October.)

This fake financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:

From     "UUSCOTLAND" <UUSCOTLAND@uuplc.co.uk>
Date     Mon, 12 Oct 2015 17:12:12 +0530
Subject     Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of
12 September 2015 to 12 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk<mailto:uuscotland@uuplc.co.uk>.

Kind regards


Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)

EMGateway3.uuplc.co.uk made the following annotations
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.

United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020


Attached to the email is a file named 12 October 2015 Invoice Summary.doc, which comes in at least four different versions (VirusTotal results: [1] [2] [3] [4]), each containing a macro that looks like this example. Download locations spotted so far are:


All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:

The downloaded executable is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56. That VirusTotal report and this Malwr report indicate traffic to:
(TransIP BV, Netherlands)
(Data Net SRL, Romania)

I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.
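As an added example (not code from the original post), here is a small triage script that parses a raw RFC 822 message with the Python standard library and returns tags for the indicators quoted above: the subject line, the sender address and the attachment name. It also applies two heuristics of my own that the post does not state: an OLE2 (legacy .doc) attachment whose bytes contain the UTF-16LE storage names Word uses for VBA, and a Date header whose UTC offset does not fit a UK business sender (the quoted header carries +0530). The sample message is constructed here from the quoted headers; the attachment is a stub carrying only the OLE magic and a "Macros" name, not the real malicious document.

```python
"""Triage heuristics for the "Water Services Invoice" Dridex lure.

Added example; not code from the original post. The campaign indicators
(subject, sender, attachment name) come from the quoted spam. The OLE2
byte search and the timezone check are my own heuristics. The sample
message below is constructed; its attachment is a stub, not the malware.
"""
import email
from datetime import timedelta
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

# Indicators taken from the post.
CAMPAIGN_SUBJECT = "Water Services Invoice"
CAMPAIGN_SENDER = "uuscotland@uuplc.co.uk"
CAMPAIGN_ATTACHMENT = "12 October 2015 Invoice Summary.doc"

# Legacy Office documents are OLE2 compound files with this 8-byte magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries hold stream names in UTF-16LE. Word keeps VBA in a
# "Macros" storage with a "VBA" sub-storage, so a raw byte search for those
# names is a cheap macro-presence check (heuristic; use olevba for real work).
MACRO_MARKERS = [n.encode("utf-16-le") for n in ("Macros", "VBA", "_VBA_PROJECT")]
# Offsets a UK business sender would normally show (GMT or BST).
UK_OFFSETS = {timedelta(0), timedelta(hours=1)}


def triage(raw: bytes) -> list[str]:
    """Return the indicator tags that match the message in `raw`."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tags = []

    if str(msg.get("Subject", "")).strip() == CAMPAIGN_SUBJECT:
        tags.append("subject-match")

    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() == CAMPAIGN_SENDER:
        tags.append("sender-match")

    date_hdr = msg.get("Date")
    if date_hdr is not None:
        sent = parsedate_to_datetime(str(date_hdr))
        offset = sent.utcoffset()  # None for a "-0000" (unknown zone) header
        if offset is not None and offset not in UK_OFFSETS:
            tags.append("timezone-mismatch")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name == CAMPAIGN_ATTACHMENT:
            tags.append("attachment-name-match")
        if data.startswith(OLE_MAGIC):
            tags.append("ole2-attachment")
            if any(marker in data for marker in MACRO_MARKERS):
                tags.append("vba-storage-names")
    return tags


def build_sample() -> bytes:
    """Constructed reproduction of the quoted spam: headers from the post,
    abbreviated body, stub attachment (OLE magic plus a UTF-16LE "Macros"
    name) that the email library base64-encodes."""
    msg = EmailMessage()
    msg["From"] = '"UUSCOTLAND" <UUSCOTLAND@uuplc.co.uk>'
    msg["To"] = "recipient@example.invalid"
    msg["Date"] = "Mon, 12 Oct 2015 17:12:12 +0530"
    msg["Subject"] = CAMPAIGN_SUBJECT
    msg.set_content(
        "Good Morning,\n\nPlease find attached the water services invoice "
        "summary for the billing period of 12 September 2015 to 12 October 2015.\n"
    )
    stub_doc = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 52
    msg.add_attachment(stub_doc, maintype="application", subtype="msword",
                       filename=CAMPAIGN_ATTACHMENT)
    return msg.as_bytes()


def build_control() -> bytes:
    """Constructed benign message that should produce no tags."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Date"] = "Mon, 12 Oct 2015 09:00:00 +0100"
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Usual place at one?\n")
    return msg.as_bytes()


if __name__ == "__main__":
    print("spam sample:", triage(build_sample()))
    print("control:", triage(build_control()))
```

The tag list is meant to feed a mail-gateway quarantine rule or a hunt over a mail store; any message that scores "vba-storage-names" together with "subject-match" or "attachment-name-match" is a near-certain hit for this run, while "timezone-mismatch" on its own is only a weak signal and should not quarantine by itself.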

Recommended blocklist:



Riba Noor said...
This comment has been removed by a blog administrator.
Aaron Nobel said...
This comment has been removed by the author.
Ebel said...
This comment has been removed by a blog administrator.
Dominic said...

Goodness! Three deleted comments, makes me wonder what these people were saying.

Dominic said...

Oh, and thanks for the site.