From "Fuel Card Services" [firstname.lastname@example.org]I have only seen one sample with an attachment named ebill0200442.xls which contains this malicious macro [pastebin] which is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:
Date Thu, 04 Feb 2016 04:29:24 -0700
Subject BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016
Please note that this message was sent from an unmonitored mailbox which
is unable to accept replies. If you reply to this e-mail your request
will not be actioned. If you require copy invoices, copy statements,
card ordering or card stopping please e-mail
email@example.com quoting your account number which can be
found in the e-mail below. If your query is sales related please e-mail
Sent: Thu, 04 Feb 2016 04:29:24 -0700
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016
Please find your e-bill 0200442 for 31/01/2016 attached.
To manage you account online please click
If you would like to order more fuel cards please click
If you have any queries, please do not hesitate to contact us.
Fuel Card Services Ltd
T 01282 410704
F 0844 870 9837
Supplied according to our terms and conditions. (see
Please also note that if you cannot open this attachment and are using
to view your mail you should select Tools / Options / Security Tab and
option marked "Do not allow attachments to be opened that potentially
may be a virus".
All of our outgoing mail is fully virus scanned but we recommend this
re-enabled if you do not use virus scanning software.
also reported is as a download location is:
If you look at the details of the Malwr report, it seems that the the script does creates a LOT of files all over the place. The dropped executable has a detection rate of 4/52 and according to this Hybrid Analysis shows that it phones home to:
220.127.116.11 (Clodo-Cloud / IT-House, Russia)
This is the same IP address as seen earlier, put the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking 18.104.22.168/21 is probably worth considering too.