From: invoices@ebillinvoice.com
Date: 18 July 2017 at 09:37
Subject: UK Fuels Collection
Velocity
ACCOUNT NO
******969
Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.
How to view your invoices
Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy
We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.
Your safety is our priority
Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.
If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com
Thank you for using this service.
Yours sincerely,
UK Fuels Limited Customer Services
Spam Policy | Customer Services: 0344 880 2468
This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.
In the sample I saw there were two attachments, one was a simple text file that looked like this:
The second is a malicious Word document, in this case named 11969_201727.doc. Opening it brings up a prompt asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.
Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]
Automated analysis [1] [2] shows that the malicious document downloads a binary, proshuto8.exe, from dielandy-garage.de/56evcxv (although there are probably other download locations); the binary itself has a detection rate of 11/63. Additional automated analysis [3] [4], taken together with the others, shows potentially malicious traffic to:
37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica , Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)
Malware delivered in this way is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.
Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95
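As an added example (not part of the original post), the following script matches proxy-log lines against the indicators above: the download host used by the document's macro and the four C2 addresses. The log format, client addresses, timestamps and the 203.0.113.7 destination for the download host are constructed placeholders; it also reports which clients both fetched the stage-1 payload and then contacted a C2 address.

```python
"""Match constructed proxy-log lines against the IOCs quoted in the post."""
import re
from ipaddress import ip_address

# Indicators taken from the post: C2 addresses and the stage-1 download host.
C2_IPS = {"37.120.182.208", "186.103.161.204", "194.87.235.155", "195.2.253.95"}
DOWNLOAD_HOSTS = {"dielandy-garage.de"}

# Constructed log layout: "<timestamp> <client> <dest_ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)$")


def classify(line):
    """Return (kind, client, indicator) for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Strip scheme, path and port to get the bare host (works for CONNECT host:port too).
    host = re.sub(r"^https?://", "", m["url"]).split("/")[0].split(":")[0].lower()
    if host in DOWNLOAD_HOSTS:
        return ("stage1-download", m["client"], host)
    try:
        dst = str(ip_address(m["dst"]))
    except ValueError:
        return None
    if dst in C2_IPS:
        return ("c2-traffic", m["client"], dst)
    return None


def scan(lines):
    return [hit for hit in (classify(l) for l in lines) if hit]


def likely_infected(hits):
    """Clients that fetched the stage-1 payload AND talked to a C2 address."""
    by_client = {}
    for kind, client, _ in hits:
        by_client.setdefault(client, set()).add(kind)
    return sorted(c for c, k in by_client.items() if {"stage1-download", "c2-traffic"} <= k)


# Constructed sample log: 203.0.113.7 is a placeholder, not the real host address.
SAMPLE_LOG = [
    "2017-07-18T10:02:11 10.0.0.12 93.184.216.34 GET http://example.com/index.html",
    "2017-07-18T10:02:40 10.0.0.12 203.0.113.7 GET http://dielandy-garage.de/56evcxv",
    "2017-07-18T10:03:05 10.0.0.12 37.120.182.208 CONNECT 37.120.182.208:443",
    "2017-07-18T10:04:00 10.0.0.20 195.2.253.95 POST http://195.2.253.95/gate",
    "not a log line",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("likely infected:", likely_infected(hits))
```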