Friday, 5 December 2014

"K J Watking & Co" fake Remittance Advice spam

This fake remittance advice spam has been hammering my inbox this morning. It uses randomly generated sender names but a consistent fake company name of K J Watking & Co, which is very close to the legitimate firm K J Watkin & Co, who have nothing to do with this.

The spam comes with an Excel spreadsheet which contains a malicious macro.

Some sample spams are as follows:

From:     Brenton Glover
Date:     5 December 2014 at 07:20
Subject:     Remittance Advice for 430.57 GBP


Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Brenton Glover
Senior Accounts Payable Specialist
K J Watking & Co


================

From:     Reba Fletcher
Date:     5 December 2014 at 08:23
Subject:     Remittance Advice for 520.60 GBP


Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Reba Fletcher
Senior Accounts Payable Specialist
K J Watking & Co

================

From:     Jennifer Copeland
Date:     5 December 2014 at 07:36
Subject:     Remittance Advice for 866.73 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Jennifer Copeland
Senior Accounts Payable Specialist
K J Watking & Co

================

From:     Tia Maddox
Date:     5 December 2014 at 07:33
Subject:     Remittance Advice for 539.99 GBP


Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Tia Maddox
Senior Accounts Payable Specialist
K J Watking & Co

================

From:     Weston Martinez
Date:     5 December 2014 at 08:33
Subject:     Remittance Advice for 248.65 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Weston Martinez
Senior Accounts Payable Specialist
K J Watking & Co

================

From:     Reva Morgan
Date:     5 December 2014 at 08:17
Subject:     Remittance Advice for 649.39 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Reva Morgan
Senior Accounts Payable Specialist
K J Watking & Co

The Excel attachments have random names such as BAC_0577719P.xls or BAC_581969Q.xls. So far I have seen two versions of these, neither of which is detected as malicious by any vendors [1] [2].

Each spreadsheet contains a different but similar malicious macro [1] [2] [pastebin], each of which downloads a binary from one of the following locations:

http://79.137.227.123:8080/stat/lld.php
http://124.217.199.218:8080/stat/lld.php


This file is downloaded as test.exe and is then moved to %TEMP%\EWSUVRXTBUU.exe. It has a VirusTotal detection rate of just 2/52. According to the Malwr report this then drops a DLL, also with a low detection rate, which is identified as Dridex. The ThreatExpert report [pdf] indicates that the malware attempts to communicate with the following IPs:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)

Recommended blocklist:
194.146.136.1
84.92.26.50

79.137.227.123
124.217.199.218

UPDATE 2014-12-10:

Another spam run is in progress, with a slightly different payload. Again, there are two different XLS files, both of which are undetected [1] [2] by AV vendors and contain one of two macros [1] [2] [pastebin] which download from the following locations:

http://41.0.5.138:8080/stat/lld.php
http://217.174.240.46:8080/stat/lld.php

The file is downloaded as test.exe and is saved as %TEMP%\LNUDTUFLKOJ.exe and is the same payload as found in this attack.
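The indicators above (the download hosts on port 8080 serving /stat/lld.php, the Dridex callback IPs, the spam subject template and the BAC_nnnnnnX.xls attachment names) are easy to turn into a simple detection. The script below is an added example written for this post, not code from the original article or from any vendor: it scans constructed proxy log lines in a hypothetical "timestamp source destination URL" format and flags the message template. The blocklist here combines the post's recommended four IPs with the two 10 December download hosts.

```python
import re

# Indicators taken from the post: the 5 Dec and 10 Dec download hosts
# plus the two Dridex callback IPs from the ThreatExpert report.
BLOCKLIST_IPS = {
    "79.137.227.123", "124.217.199.218",   # 5 Dec download hosts
    "41.0.5.138", "217.174.240.46",        # 10 Dec download hosts
    "194.146.136.1", "84.92.26.50",        # Dridex callback IPs
}

# Download URL shape seen in both runs: http://<ip>:8080/stat/lld.php
DOWNLOAD_URL_RE = re.compile(r"^https?://(?P<host>[^/:]+):8080/stat/lld\.php$")

# Subject line template from the spam samples, e.g. "Remittance Advice for 430.57 GBP"
SUBJECT_RE = re.compile(r"^Remittance Advice for \d+\.\d{2} GBP$")

# Attachment names seen: BAC_0577719P.xls, BAC_581969Q.xls
ATTACH_RE = re.compile(r"^BAC_\d{6,7}[A-Z]\.xls$", re.IGNORECASE)

# Constructed sample proxy log (hypothetical format): timestamp src dst url
SAMPLE_PROXY_LOG = """\
2014-12-05T07:41:02Z 10.0.0.15 79.137.227.123 http://79.137.227.123:8080/stat/lld.php
2014-12-05T07:41:09Z 10.0.0.15 93.184.216.34 http://example.com/
2014-12-10T09:12:44Z 10.0.0.22 41.0.5.138 http://41.0.5.138:8080/stat/lld.php
2014-12-10T09:13:01Z 10.0.0.22 84.92.26.50 -
"""


def check_proxy_line(line):
    """Return the reasons (possibly none) a proxy log line matches the post's IOCs."""
    parts = line.split()
    if len(parts) != 4:
        return []  # malformed line in the hypothetical format; ignore it
    _ts, _src, dst, url = parts
    reasons = []
    if dst in BLOCKLIST_IPS:
        reasons.append(f"destination {dst} is on the blocklist")
    if DOWNLOAD_URL_RE.match(url):
        reasons.append("URL matches the macro download pattern :8080/stat/lld.php")
    return reasons


def scan_proxy_log(text):
    """Return a list of (source_ip, reasons) for every matching line."""
    hits = []
    for line in text.splitlines():
        reasons = check_proxy_line(line)
        if reasons:
            hits.append((line.split()[1], reasons))
    return hits


def is_suspicious_mail(subject, sender_company, attachment):
    """True when a message matches the spam template described in the post."""
    return bool(
        SUBJECT_RE.match(subject)
        and sender_company.strip().lower() == "k j watking & co"
        and ATTACH_RE.match(attachment)
    )


if __name__ == "__main__":
    for src, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{src}: {'; '.join(reasons)}")
    print(is_suspicious_mail("Remittance Advice for 430.57 GBP",
                             "K J Watking & Co", "BAC_0577719P.xls"))
```

A proxy hit on the download URL pattern identifies a host whose macro ran and fetched test.exe; a hit on one of the two callback IPs with no preceding download suggests the Dridex DLL is already installed on that host. Exact-IP matching is deliberate, since the post gives no ranges beyond these addresses.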



8 comments:

AndresDoe said...

How can I know if I have this trojan in my system, and do you know any way to remove it?

Cheers

AndresDoe said...
This comment has been removed by the author.
Unknown said...

It injects itself into explorer.exe and starts itself as a service all the time.

OlieMitchell said...

Hi guys,

I opened the attachment (I know I shouldn't have but I double-clicked out of habit).

What does this mean? I'm guessing they now have access to my PC.

Any remediation advice?

Cheers,
Olie

Unknown said...

Surely this can only load if you have Macros enabled in Excel? If you don't then I can't see how it can run.

Unknown said...

I also had this email

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Kim Marquez
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 604703

unknown said...

......

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Murray Farrell
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 455159

Unknown said...

I have just received this same email from a Max Chandler, KJ Watking & Co. and I, too, stupidly tried to open the .xls attachment, which didn't open. I looked up the address, which led me here! WHAT DO I DO NOW??!! Thanks.