
Wednesday 16 December 2015

Malware spam: "Your e-Invoice(s) from Barrett Steel Services Ltd" / "samantha.morgan@barrettsteel.com"

This fake financial spam does not come from Barrett Steel Services Ltd but is instead a simple forgery with a malicious attachment:

From:    samantha.morgan@barrettsteel.com
Date:    16 December 2015 at 09:44
Subject:    Your e-Invoice(s) from Barrett Steel Services Ltd

Dear Customer,

Please find attached your latest Invoice(s).

Kind Regards,
Samantha Morgan,
Barrett Steel Services Ltd,

Phone: 01274654248
Email: samantha.morgan@barrettsteel.com

Have you considered paying by BACS ?  Our details can be found on the attached invoice.

Please reply to this email if you have any queries.

You can use the link below to perform an Experian credit check.


Samantha Morgan
Credit Controller

Tel: 01274 654248 |  | Fax: 01274 654253
Email: Samantha.Morgan@Barrettsteel.com | Web: www.barrettsteel.com


The information contained in or attached to this e-mail is intended for the use of the individual or entity to which it is addressed. It may contain information which is confidential and/or covered by legal, professional or other privilege (or other similar rules or laws). If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it.  Nor should you take any action with reference to it. If you have received this communication in error, please return it with the title "received in error" to Barrett.Admin@Barrettsteel.com then delete the email and destroy any copies of it.

This email has been scanned for viruses, but no responsibility is accepted once this communication has been transmitted. You should scan attachments (if any) for viruses.

Registered Office:
Barrett House, Cutler Heights Lane, Dudley Hill, Bradford, BD4 9HU

This message has been scanned by iCritical.

Attached is a file e-Invoice Barrett Steel Services Ltd.doc, of which I have seen just a single variant, with a VirusTotal detection rate of 4/54. According to this Malwr analysis, it downloads a malicious binary from the following location:


This downloaded binary has a detection rate of 4/53 and according to this Malwr report it attempts to contact: (Megawire, Canada)

I strongly recommend that you block traffic to that IP. Other analysis is pending. The payload is almost definitely the Dridex banking trojan.

1 comment:

John said...

I got one the same, and the strange thing is that it uses the sender's message-id domain like this: if it is sent to your organization xyz.com, then the message id of the sender will be @xyz.com, which is really highly skilled target to spoof messaging id.
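
The header mismatch described in the comment above (an outside From address paired with a Message-ID in the recipient's own domain) can be checked at the mail gateway. The Python below is an added example, not part of the original post or the comment; the domain xyz.example, the sample messages and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(value):
    """Lower-cased domain part of an address or Message-ID, '' if absent."""
    value = value.strip().strip("<>")
    return value.rpartition("@")[2].lower() if "@" in value else ""


def is_local(domain, local_domains):
    """True if domain equals, or is a subdomain of, one of our own domains."""
    return any(domain == d or domain.endswith("." + d) for d in local_domains)


def check_message_id(raw, local_domains):
    """Flag mail whose From claims an outside sender while the Message-ID
    claims to have been generated inside one of our own domains."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    mid_dom = domain_of(msg.get("Message-ID", ""))
    suspicious = bool(mid_dom) and is_local(mid_dom, local_domains) \
        and not is_local(from_dom, local_domains)
    return {"from": from_dom, "message_id": mid_dom, "suspicious": suspicious}


# Constructed samples; xyz.example stands in for the recipient's organization.
FORGED = (
    "From: samantha.morgan@barrettsteel.com\n"
    "To: accounts@xyz.example\n"
    "Subject: Your e-Invoice(s) from Barrett Steel Services Ltd\n"
    "Message-ID: <20151216094400.0001@xyz.example>\n"
    "\n"
    "Please find attached your latest Invoice(s).\n"
)
ORDINARY = (
    "From: billing@supplier.example\n"
    "To: accounts@xyz.example\n"
    "Subject: Statement\n"
    "Message-ID: <abc123@mail.supplier.example>\n"
    "\n"
    "Statement attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("ordinary", ORDINARY)):
        print(name, check_message_id(raw, ["xyz.example"]))
```

A hosted service that sends on your behalf through your own relay can produce the same pattern, so this works better as one scoring signal than as a hard reject rule.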