Sponsored by..

Thursday, 4 February 2016

Malware spam: "BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016" / "Fuel Card Services" [adminbur@fuelcardgroup.com]

This fake financial spam does not come from Fuel Card Services Ltd but is instead a simple forgery with a malicious attachment:

From     "Fuel Card Services" [adminbur@fuelcardgroup.com]
Date     Thu, 04 Feb 2016 04:29:24 -0700
Subject     BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

Please note that this message was sent from an unmonitored mailbox which
is unable to accept replies. If you reply to this e-mail your request
will not be actioned. If you require copy invoices, copy statements,
card ordering or card stopping please e-mail
support@fuelcardservices.com quoting your account number which can be
found in the e-mail below. If your query is sales related please e-mail


From: adminbur@fuelcardservices.com

Sent: Thu, 04 Feb 2016 04:29:24 -0700
To: [redacted]
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

Account: B216552

Please find your e-bill 0200442 for 31/01/2016 attached.

To manage you account online please click

If you would like to order more fuel cards please click

If you have any queries, please do not hesitate to contact us.


Cards Admin.
Fuel Card Services Ltd

T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com

Supplied according to our terms and conditions. (see

Please also note that if you cannot open this attachment and are using
Outlook Express
 to view your mail you should select Tools / Options / Security Tab and
deselect the
option marked "Do not allow attachments to be opened that potentially
may be a virus".
 All of our outgoing mail is fully virus scanned but we recommend this
facility is
re-enabled if you do not use virus scanning software.
I have only seen one sample with an attachment named ebill0200442.xls which contains this malicious macro [pastebin] which is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:


also reported is as a download location is:


If you look at the details of the Malwr report, it seems that the the script does creates a LOT of files all over the place. The dropped executable has a detection rate of 4/52 and according to this Hybrid Analysis shows that it phones home to: (Clodo-Cloud / IT-House, Russia)

This is the same IP address as seen earlier, put the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking is probably worth considering too.

No comments: