Tuesday, 22 December 2015

Malware spam: "British Gas - A/c No. 602131633 - New Account" / trinity [trinity@topsource.co.uk]

This fake financial email is not from TopSource, Trinity Restaurants or British Gas (the email seems a bit confused), but is instead a simple forgery with a malicious attachment.

From:    trinity [trinity@topsource.co.uk]
Date:    22 December 2015 at 10:36
Subject:    British Gas - A/c No. 602131633 - New Account

Hi ,

Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.

Thanks & Regards,
Pallavi Parvatkar

Trinity Restaurants Accounts Team | TopSource Global Solutions | 020 3002 6203
4th Floor | Marlborough House | 10 Earlham Street | London WC2H 9LN | www.topsource.co.uk


Disclaimer:
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. TopSource does not accept liability for any errors or omissions.

"SAVE PAPER - THINK BEFORE YOU PRINT!"


Attachment: British Gas.doc (92K)

Attached is a file British Gas.doc with a VirusTotal detection rate of 2/54 (MD5s are listed in the update below). Analysis of the document is pending; however, it will most likely drop the Dridex banking trojan.

UPDATE

These automated analyses [1] [2] show that the malicious document downloads from:

weddingme.net/786h8yh/87t5fv.exe

This has a VirusTotal detection rate of 3/54. All those reports indicate malicious traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)


The payload looks like Dridex.

MD5s:
cacb79e05cf54490a7067aa1544083fa
c8694f1573a01b8b2cb7b1b502eb9372

Recommended blocklist:
199.7.136.88
151.80.142.33
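To turn the indicators above (the download URL, the two C2 addresses and the MD5s) into something that can be checked against your own proxy logs and quarantined files, here is an added example script. It is not part of the original post or of any tool the post refers to; the log lines it scans are constructed for illustration and the simplified "timestamp client dest method url" log format, the function names and the iptables rule shape are assumptions of the example.

```python
"""Sweep proxy log lines and file hashes for the IOCs listed in the post.

Added example, not code from the original write-up. The log format and
sample lines below are constructed for illustration.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the post.
PAYLOAD_URL = "http://weddingme.net/786h8yh/87t5fv.exe"
C2_IPS = {"199.7.136.88", "151.80.142.33"}
KNOWN_MD5S = {
    "cacb79e05cf54490a7067aa1544083fa",
    "c8694f1573a01b8b2cb7b1b502eb9372",
}
PAYLOAD_HOST = urlsplit(PAYLOAD_URL).hostname  # "weddingme.net"

# Constructed sample log lines (not real traffic) in an assumed
# "timestamp client dest method url" proxy format.
SAMPLE_LOG = """\
1450780000.123 10.1.2.3 93.184.216.34 GET http://example.com/index.html
1450780005.456 10.1.2.3 203.0.113.5 GET http://weddingme.net/786h8yh/87t5fv.exe
1450780010.789 10.1.2.3 199.7.136.88 POST http://199.7.136.88/
1450780015.000 10.1.2.4 151.80.142.33 POST http://151.80.142.33:443/
1450780020.000 10.1.2.5 198.51.100.9 GET http://weddingme.net.evil.test/x
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def host_matches(host, domain):
    """True for the domain itself or any subdomain; a look-alike suffix
    such as weddingme.net.evil.test must not match."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_log(text):
    """Return one hit per log line that touches a listed indicator,
    with the client that made the request and why it matched."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        reasons = set()
        if m["dest"] in C2_IPS:
            reasons.add("c2_ip:" + m["dest"])
        url_host = urlsplit(m["url"]).hostname
        if url_host in C2_IPS:
            reasons.add("c2_ip:" + url_host)
        if host_matches(url_host, PAYLOAD_HOST):
            reasons.add("payload_host:" + PAYLOAD_HOST)
        if reasons:
            hits.append({"client": m["client"], "url": m["url"],
                         "reasons": sorted(reasons)})
    return hits


def md5_hex(data):
    """MD5 of a byte string, for comparing a quarantined file with the posted hashes."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(data):
    return md5_hex(data) in KNOWN_MD5S


def iptables_rules(ips):
    """Outbound DROP rules for the recommended blocklist.
    Every entry is validated first so a typo cannot silently produce a bad rule."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]  # ValueError on a bad entry
    return [f"iptables -A OUTPUT -d {a} -j DROP" for a in sorted(addrs)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], ", ".join(hit["reasons"]))
    print("\n".join(iptables_rules(C2_IPS)))
```

The sweep matches on both the destination address and the host inside the requested URL, because a proxy log records the proxy's upstream connection separately from what the client asked for; the subdomain check is deliberately suffix-anchored so that a domain merely containing "weddingme.net" does not produce a false positive.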


1 comment:

g-train said...

I received this email from trinity78@topsource.co.uk.