2016-11-09 Locky "Fuel Card E-bill"

1. 2016-11-09 #locky email phishing campaign "Fuel Card E-bill"
2.  
3. Email sample:
4. ---------------------------------------------------------------------------------------------------------------
5. From: "ADELINE WILLETT" <adeline.willett@kapraeyc.com>
6. To: [REDACTED]
7. Subject: Shell Fuel Card E-bill 910934 for Account (rnd(B, S, F, H, A, D, C, N, M, L)}}920433 08/11/2016
8. Date: Wed, 09 Nov 2016 18:11:30 +0530
9.  
10. ADELINE WILLETT
11.  
12. Last & Tricker Partnership
13.  
14. 3 Lower Brook Mews
15. Lower Brook Street
16. Ipswich Suffolk IP4 1RA
17. T: 01473 252961 F: 01473 233709 M: 07778464004
18. email: adeline.willett@kapraeyc.com
19. This e-mail and any attachments may contain confidential and privileged
20. information and is intended only for the use of the individual or entity to
21. which it is addressed. If you are not the intended recipient, please notify
22. the sender immediately by return e-mail, delete this e-mail and destroy any
23. copies from your system; you should not copy the message or disclose its
24. contents to anyone. Any dissemination, distribution or use of this
25. information by a person other than the intended recipient is unauthorized
26. and may be illegal. We cannot accept liability for any damage sustained as a
27. result of software viruses and advise you to carry out your own virus checks
28. before opening any attachment.
29.  
30. Attachment: ebill910934.zip
31. ---------------------------------------------------------------------------------------------------------------
32. - sender varies between emails
33. - subject is "<BP|Shell> Fuel Card E-bill <number> for Account (rnd(B, S, F, H, A, D, C, N, M, L)}}920433 08/11/2016"
34. - attached file "ebill<number>.zip" contains file "<2 digits><2-7 letters><8 digits>.wsf", a JScript downloader
35.  
36. The URLs, malware etc ... are same as for campaign "Message from KMBT_C220" http://pastebin.com/aYyBzU0U