I am quite impressed with the level of Social Engineering with this malware delivery Malspam campaign. With Brexit fast approaching and the likelihood of no deal between UK and Europe, many companies are increasingly trying to build a relationship with companies in China. This scam email pretending to be a Circular on New China Import/ Export Regulation Effective February 28th, 2019 spoofing firstname.lastname@example.org with lots of detail in the email is likely to be a surprisingly effective avenue of infection in both small and larger Business. This malware word doc is actually a RTF file that contains 70 odd pages that are either blank or look like absolute garbage. It uses one of the Microsoft Equation Editor exploits, most likely CVE-2017-11882
There are various spelling mistakes and grammatical errors in the email, but everybody expects that when dealing with China or any other non English speaking country.
They are using email addresses and subjects that will scare, shock, persuade or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
You can now submit suspicious sites, emails and files via our Submissions system
The Chinese Government has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
The email looks like:
Date: Fri 22/02/2019 22:58
Subject: Circular on New China Import/ Export Regulation Effective February 28th, 2019
Attachment: Circular on New China Import Export Regulation Effective Februay 28th.doc
RE: Circular on New China Import/ Export Regulation Effective Februay 28th 2019.
In consideration of continued import/export security and manifest screening,
new regulations have been introduced by the Chinese government and will
commence effective from February 28th, 2019.
With the new regulations additional shipper/consignee/notify party information is required
and must be submitted prior to cut off.
This additional information is required for both the Air and Sea modes as displayed on Master (MAWB / MBL)
and House (HAWB / HBL) bills of lading.
Please be advised failure to comply with these new regulations will result in delays with import clearance/ export booking in China.
The new requirements as explained in the cicular cover three areas:
Additional information for the Shipper, Consignee and Notify Party
Unified Social Credit Identifier (USCI) information
Detailed description of goods
1. Shipper, Consignee & Notify details
Please note all AWB/BL documents must now contain the following additional information in order to comply with new regulations:
Country ISO code (US for United States)
Contact details using following codes: TE – phone; FX – fax, EM – email
Consignee’s whole name Consignees
Country ISO code (CN for China)
Contact details using following codes: TE – phone; FX – fax, EM – email
Notify Party (if applicable) Consignee’s whole name and address
2. Unified Social Credit Identifier (USCI)
The AWB/BL documents must also state USCI identifiers for countries of export: example,
United States of America – US – EIN or CIK
Australia – ABN or ACN
United Kingdom – GB – COMPANY NUMBER or VAT NUMBER
New Zealand – NZ – COMPANY NUMBER
South Africa – ZA – VAT NUMBER or ENTERPRISE NUMBER
3. Description of goods Information included in the description of the goods must be specific, generic will not be acceptable.
Some examples of this include: “Car parts” will not be acceptable and must state for example “windshield, brake pads, etc.” “Clothing” will not be acceptable and must state for example “100% cotton t shirts, etc.”
Copy of the Circular is attached for vast explanation and your steady reference.
Where this information is missing from the SLI, our Export team will be in contact with you to obtain the required information.
Thank you for your attention and cooperation. If you have any questions, please contact your nearest JJB representative.
General Administration of
Customs of the People’s Republic of China
Address: No.6. Jianguomennei Avenue,
Beijing, China Postcode: 100730
Website: http:// customs.gov.cn/
This malware doc downloads from http://garagehaltinner.ch/old/File_60137.jpg ( VirusTotal) which of course is not any sort of image file but a renamed .exe
Update 25 February 2019: another run of this
|18.104.22.168||saudiqtech.com||Provo||Utah||US||AS46606 Unified Layer|
|22.214.171.124||Hockessin||Delaware||US||AS40676 Psychz Networks|
Received: from saudiqtech.com ([126.96.36.199]:47624 helo=sau.saudiqtech.com) by my email server with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <email@example.com>) id 1gx4Ia-0003Xu-0Y for firstname.lastname@example.org; Fri, 22 Feb 2019 06:27:05 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=saudiqtech.com; s=default; h=Content-Type:MIME-Version:Message-ID:Date: Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=PccfsafjRYba9Q3FKSf3TrEnrePW/0Mxqxq6aCYFzWg=; b=1zLL04mqMBk1BXg+9hL7JEgZ80 ljJhtWsdWjUxJzPPJLihzxluT9ZgB7YxoE+tNgC1kGB8IwdVb1HAMoZqLTaa9OadtnMRwwkH3oacO bMQ6FQH9nYPLKk4SmFgJtnsXS9As0t0VKdKuN7WvXU2F4OwLtwCy2UZl4a35YiuWdO4jonUOOh/jE IncRUYLBXn6DKpgBoz5K+DGdSh2eLBeCdHVXv9qVGAT/ap0TqUUYL8RooXW3sPdk3jA56U8UnrOKv XNa5OZEHzyrTVRliZgdHPL/c5RWDybUV89Bk7IZ+SaDzeVGlm2aBNR79AT4jtGtHzDyHY1E9OMzj0 jhSQC2bw==; Received: from [188.8.131.52] (port=57998 helo=yandex.com) by sau.saudiqtech.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <email@example.com>) id 1gx4IX-0005F0-9v for firstname.lastname@example.org; Thu, 21 Feb 2019 23:27:01 -0700 From: email@example.com To: firstname.lastname@example.org Subject: Circular on New China Import/ Export Regulation Effective February 28th, 2019 Date: 22 Feb 2019 14:57:39 -0800 Message-ID: <20190222120718.1043EBD686ECB5D1@customs.gov.cn> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_FC212FCA.2D57B5DD" X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - sau.saudiqtech.com X-AntiAbuse: Original Domain - myonlinesecurity.co.uk X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - yandex.com X-Get-Message-Sender-Via: sau.saudiqtech.com: authenticated_id: email@example.com X-Authenticated-Sender: sau.saudiqtech.com: firstname.lastname@example.org X-Source: X-Source-Args: X-Source-Dir:
All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found . The bad guys choose companies, Government departments and other organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you.
Modern versions of Microsoft office, that is Office 2010, 2013, 2016 and Office 365 should be automatically set to higher security to protect you.
By default protected view is enabled and macros are disabled, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you. Definitely DO NOT follow the advice they give to enable macros or enable editing to see the content.
Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365. Some versions pretend to have a digital RSA key and say you need to enable editing and Macros to see the content. Do NOT enable Macros or editing under any circumstances.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. It might be a simple message saying “look at this picture of me I took last night” that appears to come from a friend. It might be a scare ware message that will make you open the attachment to see what you are accused of doing. Frequently it is more targeted at somebody ( small companies etc.) who regularly receive PDF attachments or Word .doc attachments or any other common file that you use every day, for example an invoice addressed to email@example.com.
The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets. Many of us routinely get Word, Excel or PowerPoint attachments in the course of work or from companies that we already have a relationship with.
Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. A lot of malicious files that are attached to emails will have a faked extension. That is the 3 letters at the end of the file name. Unfortunately windows by default hides the file extensions so you need to Set your folder options to “show known file types. Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball”, an invoice or receipt from some company for a product or service or receive a Word doc or Excel file report that work has supposedly sent you to finish working on at the weekend, you can easily see if it is a picture or document & not a malicious program. If you see JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.
With these malformed infected word, excel and other office documents that normally contain a vba macro virus, the vital thing is do not open any office document direct from your email client or the web. Always save the document to a safe location on your computer, normally your downloads folder or your documents folder and scan it with your antivirus. Many Antiviruses do not natively detect vba macro-viruses in real time protection and you need to enable document or office protection in the settings. Do not rely on your Anti-Virus to immediately detect the malware or malicious content. DO NOT enable editing mode or enable macros
All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is word docs, excel files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document until you are 100% sure that it is a safe document. If the protected mode bar appears when opening the document DO NOT enable editing mode or enable macros the document will look blank or have a warning message, but will be safe.
Be aware that there are a lot of dodgy word docs spreading that WILL infect you with no action from you if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version. The risks in using older version are now seriously starting to outweigh the convenience, benefits and cost of keeping an old version going.
I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.
Main object- “Circular on New China Import Export Regulation Effective Februay 28th.doc”
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\File_60137.jpg fdb8a16106e8bebf7015aebcbd52f323d0b5821a9d78881fc152fc3f617a46a5
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll 44f6df4280c8ecc9c6e609b1a4bfee041332d337d84679cfe0d6678ce8f2998a
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll 96898930ffb338da45497be019ae1adcd63c5851141169d3023e53ce4c7a483e
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll c310cc91464c9431ab0902a561af947fa5c973925ff70482d3de017ed3f73b7d
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll 94a5df1227818edbfd0d5091c6a48f86b4117c38550343f780c604eee1cd6231
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll c4f60f911068ab6d7f578d449ba7b5b9969f08fc683fd0ce8e2705bbf061f507
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll a97dcca76cdb12e985dff71040815f28508c655ab2b073512e386dd63f4da325
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll bb33a9e906a5863043753c44f6f8165afe4d5edb7e55efa4c7e6e1ed90778eca
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll 90fae0e7c3644a6754833c42b0ac39b6f23859f9a7cf4b6c8624820f59b9dad3
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll 945cc64ee04b1964c1f9fcdc3124dd83973d332f5cfb696cdf128ca5c4cbd0e5
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll bb25ccf8694d1fcfce85a7159dcf6985fdb54728d29b021cb3d14242f65909ce
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll 7ea06b7050f9ea2bcc12af34374bdf1173646d4e5ebf66ad690b37f4df5f3d4e
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll f7d450a0f59151bcefb98d20fcae35f76029df57138002db5651d1b6a33adc86
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll 7670fdede524a485c13b11a7c878015e9b0d441b7d8eb15ca675ad6b9c9a7311
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll 5dd4ccd63e6ed07ca3987ab5634ca4207d69c47c2544dfefc41935617652820f
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll 4b704b36e1672ae02e697efd1bf46f11b42d776550ba34a90cd189f6c5c61f92
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll 8eb5270fa99069709c846db38be743a1a80a42aa1a88776131f79e1d07cc411c
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll 2257fea1e71f7058439b3727ed68ef048bd91dcacd64762eb5c64a9d49df0b57
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll 9dab884071b1f7d7a167f9bec94ba2bee875e3365603fa29b31de286c6a97a1d
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll deccd75fc3fc2bb31338b6fe26deffbd7914c6cd6a907e76fd4931b7d141718c
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll 66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll 65ded8d2ce159b2f5569f55b2caf0e2c90f3694bd88c89de790a15a49d8386b9
sha256 C:\Users\admin\AppData\Local\Temp\2fda\freebl3.dll 393ae7f06fe6cd19ea6d57a93dd0acd839ee39ba386cf1ca774c4c59a3bfebd8
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
sha256 C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
sha256 C:\Users\admin\AppData\Local\Temp\2fda\mozglue.dll 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
sha256 C:\Users\admin\AppData\Local\Temp\2fda\nss3.dll f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
sha256 C:\Users\admin\AppData\Local\Temp\2fda\msvcp140.dll 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
sha256 C:\Users\admin\AppData\Local\Temp\2fda\nssdbm3.dll 541a293c450e609810279f121a5e9dfa4e924d52e8b0c6c543512b5026efe7ec
sha256 C:\Users\admin\AppData\Local\Temp\2fda\ucrtbase.dll 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
sha256 C:\Users\admin\AppData\Local\Temp\2fda\softokn3.dll 9a7f11c212d61856dfc494de111911b7a6d9d5e9795b0b70bbbc998896f068ae
sha256 C:\Users\admin\AppData\Local\Temp\2fda\vcruntime140.dll c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d