‘Attached Tracker For Your Records’ Macro Malware Emails

‘Urgent’ emails purporting to be from various companies claim that you can open an attached file to find a ‘tracker for your records’.

Brief Analysis:
The emails were not sent by the companies they name and the attachment does not contain a ‘tracker’.  Instead, the attached Microsoft Word document contains a malicious macro that, if enabled, can download and install malware that can steal personal information such as Internet banking passwords.

Subject: Urgent: F590483 LITEBULB GROUP LTD/ HPE

Please find the attached tracker for your records.
Gaylord Sargent
2819 I Street, NW, Suite 300 Washington D.C. 51845
O: (556) 165 2527 | F: (228) 379 0259
ISO9001:2008 | li4160 Rev C | 2CF-E11-240 | Core QPL | QAM-001, Sec. 5.3
This email may contain Technical Data the export of which is subject to the International Traffic in Arms Regulations (22 C.F.R. Parts 120 – 130) or the Export Administration Regulations (15 C.F.R. Parts 730 – 774).
Export controlled information, in any form, shall not be disclosed to a foreign person whether in the United States or abroad (including foreign persons employed in the U.S.) without authorization under the applicable U.S. Government export control regulations and the express written authorization of STRAN Technologies. This document may contain STRAN Technologies’ Proprietary Information and is to be used only for the purposes for which it has been supplied and is not to be duplicated or disclosed in whole or in part without written permission from a duly authorized representative of STRAN Technologies. If you feel you have received this email in error, please contact the sender at (556) 165 2527.

Attached Tracker Malware Email
Attached Tracker Malware Email

Detailed Analysis:
These emails, which are marked as ‘Urgent’, suggest rather obscurely that you can find a ‘tracker for your records’ in an attached file. The emails include the name and address of the company that supposedly sent them along with an apparent legal clause suggesting that the messages ‘may contain Technical Data the export of which is subject to the International Traffic in Arms Regulations or the Export Administration Regulations’.  Several companies are named in different versions of the emails.  Other details, including the reference number in the subject line and the name of the attachment may also vary. The attachments are  .doc or .rtf files that can be opened in Microsoft Word.

However, while the named companies are real, they did not send the emails. And the attachments do not contain a tracker for your records.

If you attempt to open one of the attachments using Microsoft Word, you will be prompted to enable macros, ostensibly so that the contents of the document can be correctly displayed. If you enable macros as requested, a malicious macro will then run. The macro can download and install a version of the Dridex trojan. Once installed, this trojan can harvest banking credentials by harvesting information entered during online banking sessions.

A macro is a set of commands and instructions that can be grouped as a single command in order to quickly and automatically accomplish a task.

Macros can help create more efficient workflows by automating some tasks. But, macros can also be used with malicious intent.  In the past, macro viruses were common computer security threats. Later versions of Microsoft Office disabled macros by default, thereby significantly decreasing the threat posed by macro viruses. But, criminals are again using macros, this time by using simple social engineering to trick users into enabling them.

It is wise to leave macros disabled if you do not use them and and are unfamiliar with their potential security risks. And, do not believe any message that claims that you must enable macros in order to view a document.

Last updated: March 23, 2016
First published: March 23, 2016
By Brett M. Christensen
About Hoax-Slayer

New malware: Urgent: F590483 LITEBULB GROUP LTD/ HPE
Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Loads Of Macro Malware ‘Invoice’ Emails Hitting Inboxes