This example is an email alleging to be a customer complaint with the subject of “FW: Case 27627831 ” pretending to come from Dun & Bradstreet but actually coming from “[email protected]” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan targeting the USA
You can now submit suspicious sites, emails and files via our Submissions system
Email Details
From: Dun & Bradstreet <[email protected]>
Date: Thu 26/07/2021 17:57
Subject: FW: Case 27627831
Attachment: case_27627831.doc
Body Content:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by July 27, 2018 Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Dun and BradStreet. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Dun & Bradstreet
103 JFK Parkway
Short Hills
NJ 07078
————————–
Recipient:[email protected]
Case: 27627831
To ensure delivery of Dun & Bradstreet Credibility Corp. emails to your inbox and to enable images to load in future mailings, please add [email protected] to your email address book or safe senders list.
Privacy and Unsubscribe Notice:To unsubscribe or modify your email alert settings, please login to your account, click “alerts”, select “alert settings”, and choose the email settings you wish to disable then click “save” to make the desired changes. Your privacy is important to us, please see our privacy policy. To view our terms of service, please click here If you have any questions, email us at [email protected]. Please do not reply to this email.
© 2018 Dun & Bradstreet Credibility Corp.Dun & Bradstreet Credibility Corp. 103 JFK Parkway, Short Hills, NJ 07078
Screenshot:
Dun & Bradstreet has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there is only newly registered domain that imitate Companies House, HMRC, another Government department, a Bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way, that are hosted on & sending emails from 4 different servers.. Some days however we do see dozens or even hundreds of fake domains.
Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar. Because of new GDPR rules we cannot easily find the registrants name or any further details.
dnbcomplaint.com hosted on & sending emails via 191.101.26.35| 95.211.148.251 |91.218.124.27| 94.100.18.35|
Malware Details
Continuing with the behaviour we have been seeing recently with the macros on these word docs. They are using an Active X control to start & run the macro, so it needs an extra couple of clicks from the victim to get infected. The control is different today. I can’t work out exactly what control is being used. You actually have to enable ActiveX content then close the word doc & re-open it for the macro to fire off while using anyrun. I am not sure if this is the same behaviour in a real computer or only in the VM.
case_27627831.doc Current Virus total detections | Hybrid Analysis | Anyrun |
This malware doc file downloads from which is a renamed .exe file VirusTotal | Anyrun | Gtag Ser 0726us
The alternate Download location is
The folder for the files & configs is: C:\Users\[User]\AppData\Roaming\msdesk
In the same way as today’s earlier Trickbot campaign targeting the UK spoofing HSBC we see both of the compromised websites being used to distribute the Trickbot binary are on the same server 162.255.117.220 Namecheap, so that possibly indicates a compromise on the server rather than individual sites being compromised. So that is 4 different sites on the same server compromised today.
All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware, macros and DDE “exploit /Feature” and embedded ole objects from being displayed and running.
Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.
Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.
The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.
What Can Be Infected By This
At this time, these malicious macros only infect windows computers. They do not affect a Mac, IPhone, IPad, Blackberry, Windows phone or Android phone.
The malicious word or excel file can open on any device with an office program installed, and potentially the macro will run on Windows or Mac or any other device with Microsoft Office installed. BUT the downloaded malware that the macro tries to download is windows specific, so will not harm, install or infect any other computer except a windows computer. You will not be infected if you do not have macros enabled in Excel or Word. These Macros, embedded Oles or DDE do not run in “Office Online” Open Office, Libre Office, Word Perfect or any other office program that can read Word or Excel files.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them
I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.
IOC:
case_27627831.doc
MD5: d77a30343e57e344943dada272c20739
SHA-1: 8ca992a279faf88c53c49c9d5d4f22e917a98192
Download URLs
http://practicepillars.com/mov.ie 162.255.117.220
http://watchlifematters.com/mov.ie 162.255.117.220
MD5: c5ea63b4a3c39068c074cff74050f33b
SHA1: 00759706dc107793bd926448bcbd488e63cb895c
Email from: [email protected]
dnbcomplaint.com
191.101.26.35
95.211.148.251
91.218.124.27
94.100.18.35