Dec 24 2013
 

20 Jan 2014: a new variation of this one, with the subject Notice of Underreported Income, is spreading today. They pretend to come from noreply@hmrc.gov.uk or gateway.confirmation@gateway.gov.uk, which of course they don’t.
Updated 11 August 2014: back to the standard zip attachment, an Upatre-style downloader that downloads the usual Zbot and Cryptowall. VirusTotal detections: 4/54
Subjects include:

  • Your Online Submission for Reference 435/GB5771857 Could not process
  • Successful Receipt of Online Submission for Reference 6432627
  • Could not process Submission for Reference 495/RA2374742
  • Notice of Underreported Income
  • Gateway Registration Notification
  • Receipt of Online Submission for Reference

Email bodies are variations of these:

A new one on 3 March 2014, which is very similar to older ones but has links to Angler/Blackhole style exploit sites rather than an attachment:

 

Thank you for sending your VAT Return online. The submission for reference derek was successfully received on Mon, 3 Mar 2014 13:31:18 +0100 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please click here or follow the link bellow: – https://online.hmrc.gov.uk/registration/options?GAURI=derek.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

Older ones said something like this:

The submission for reference 435/GB5771857 was successfully received and was not processed.
Check attached copy for more information.
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.

======================================================================

Thank you for sending your VAT Return online. The submission for reference 6432627 was successfully received on Tue, 24 Dec 2013 16:39:55 +0700  and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
===================================================================================

Taxpayer ID: ufwsd-000003744506UK

Tax Type: Income Tax

Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax income statement on HM Revenue and Customs ( HMRC )

Please complete the attached form

HM Revenue and Customs
======================================================================================

There are a few different attachment names, but all contain the same sort of malware.

Names seen so far:

  • GB12242013.zip
  • Ref_6432627.zip
  • RA2374742.zip (varying numbers)
  • ufwsd-000003744506UK.zip
  • VAT1391591.zip
  • GVNMT_Form.zip
  • Reference.zip

They are yet another set from the current Zbot runs, which try to drop Cryptolocker, ransomware and loads of other malware on your computer. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.

Almost all of these have a password-stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed specifically to steal your Facebook and other social network login details.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

Attachment zip name: GB12242013.zip  Extracted file name: GB12242013.exe   Current Virus total detections: 1/46  |  MALWR Auto Analysis:

Updated Version 8 January 2014

Attachment zip name: RA2374742.zip  Extracted file name: RA08012014.exe   Current Virus total detections: 0/48  |  MALWR Auto Analysis:

20 Jan 2014: ufwsd-000003744506UK.zip extracts to ufwsd-0000020012014UK.exe. Current Virus total detections: 0/49. It is the same Upatre-Zbot malware as THIS

21 Jan 2014: VAT1391591.zip extracts to VAT21012014.exe Current Virus total detections: 3/48   MALWR analysis

23 Jan 2014: GB1575705.zip extracts to GB001231401.exe Current Virus total detections: 24/50

6 Feb 2014: reference.zip (9kb) extracts to reference.scr. Current Virus total detections: 2/50

This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or it might be more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
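The check described above (unzip, then look at what the file really is rather than what its icon suggests) can be automated at a mail gateway or on an analyst's workstation. This is an added example, not code from the original post; the function names, the extension list and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs on double-click. The page reports .exe and .scr;
# the rest of this list is an assumption added for the example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def flag_zip_members(zip_bytes):
    """Return [(member_name, reason)] for archive members that would execute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                # A PE header wins over whatever the name or icon claims.
                findings.append((name, "PE header (MZ)"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((name, "executable extension " + ext))
    return findings

def build_sample_zip(members):
    """Build a constructed in-memory zip from {name: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples with harmless stub bytes. reference.scr is a name from
# the page; VAT_report.pdf and return.pdf are hypothetical.
SUSPECT = build_sample_zip({"reference.scr": b"MZ\x90\x00 constructed stub"})
RENAMED = build_sample_zip({"VAT_report.pdf": b"MZ\x90\x00 constructed stub"})
BENIGN = build_sample_zip({"return.pdf": b"%PDF-1.4\n% constructed stub\n"})

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("renamed", RENAMED), ("benign", BENIGN)):
        print(label, flag_zip_members(blob))
```

Checking the first two bytes as well as the extension catches an executable that has simply been renamed to look like a document.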

 

  5 Responses to “HMRC Successful Receipt of Online Submission for Reference 6432627 – fake PDF malware”
