So far I have seen three different versions of the attachment, all named 22 October 2015 Invoice Summary.doc, with detection rates of between 4/55 and 7/55 at VirusTotal [1] [2] [3], containing one of these malicious macros [1] [2] [3].

From "UUSCOTLAND" [UUSCOTLAND@uuplc.co.uk]
Date Thu, 22 Oct 2015 19:30:13 +0700
Subject Water Services Invoice
Good Morning,
I hope you are well.
Please find attached the water services invoice summary for the billing period of
22 September 2015 to 22 October 2015.
If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk.
Kind regards
Melissa
Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Melissa.lears@uuplc.co.uk
Unitedutilitiesscotland.com
EMGateway3.uuplc.co.uk made the following annotations
---------------------------------------------------------------------
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.
United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020
www.unitedutilities.com
www.unitedutilities.com/subsidiaries
Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates.
UPDATE 1:
This VirusTotal report also identifies the following download locations:
beauty.maplewindows.co.uk/t67t868/nibrd65.exe
dtmscomputers.co.uk/t67t868/nibrd65.exe
namastetravel.co.uk/t67t868/nibrd65.exe
This file has a VirusTotal detection rate of 2/54 and that report indicates network traffic to:
198.74.58.153 (Linode, US)
Further analysis is pending. In the meantime, I suggest that you block traffic to the above IP.
MD5s:
782a72da42da3fe9bd9e652dd08b968a
5dad04118f9f26e1d5fcc457c52aeebb
6c7e84f91bd27b7252e0eccfb00b896d
7be71a7317add5bff876a9e5a04fcba1
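The download locations and the IP listed above can be used to triage web proxy logs for clients that opened the attachment. This is an added example, not part of the original post: the log layout, the sample lines and the function name `triage` are constructed for illustration, and flagging the shared payload path on hosts the post does not list is an assumption based on all three URLs using the same path.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
DOWNLOAD_HOSTS = {
    "beauty.maplewindows.co.uk",
    "dtmscomputers.co.uk",
    "namastetravel.co.uk",
}
PAYLOAD_PATH = "/t67t868/nibrd65.exe"
C2_IP = "198.74.58.153"

# Assumed log layout (constructed): <timestamp> <client_ip> <dest_ip> <method> <url>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def triage(lines):
    """Return (client, reason, url) for each log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or truncated lines instead of failing
        _ts, client, dest_ip, _method, url = m.groups()
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower().rstrip(".")
        path = parts.path.lower()  # lenient on case, for detection only
        if dest_ip == C2_IP or host == C2_IP:
            hits.append((client, "c2-ip", url))
        elif host in DOWNLOAD_HOSTS and path == PAYLOAD_PATH:
            hits.append((client, "known-download-url", url))
        elif path == PAYLOAD_PATH:
            # Assumption: the same path on an unlisted host is worth reviewing.
            hits.append((client, "payload-path-on-other-host", url))
        # Other pages on the listed hosts are not flagged, to limit noise.
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2015-10-22T12:31:02Z 10.0.0.21 192.0.2.10 GET http://dtmscomputers.co.uk/t67t868/nibrd65.exe",
    "2015-10-22T12:31:09Z 10.0.0.21 198.74.58.153 GET http://198.74.58.153/",
    "2015-10-22T12:40:00Z 10.0.0.35 192.0.2.77 GET http://files.example.org/T67T868/nibrd65.exe",
    "2015-10-22T12:41:00Z 10.0.0.40 192.0.2.10 GET http://dtmscomputers.co.uk/index.html",
    "truncated line",
]

if __name__ == "__main__":
    for client, reason, url in triage(SAMPLE_LOG):
        print(client, reason, url)
```

Clients that show both a download hit and a later `c2-ip` hit, like 10.0.0.21 in the sample, are the ones to check first for `%TEMP%\bluezone3.exe`.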