We have had a break from Trickbot hitting the UK in last week or so, that generally means that the criminals are experimenting with new delivery systems. The reappearance on Monday 25 June 2018 confirms this. I am not sure how successful this new system will be because it uses an exploit CVE-2018-8174 ( which only affected Internet Explorer) which was fixed in May 2018 windows updates, so I doubt there are enough vulnerable systems around that makes this worthwhile continuing with the campaign. Instead of the usual word docs with either macros, embedded ole objects or using the Microsoft equation editor exploits, they have switched to a multi-faceted download system, with several redirects & roadblocks that involves directly delivering a VBS delivered via a look-a-like or typo-squatted site that imitates a genuine HMRC site.
I am quite surprised that they are still sticking to this method of infection, but there must be enough low hanging fruit to make it cost effective.
This example is an email containing the subject of “Important : Outstanding Amount ” pretending to come from HMRC but actually coming from a look-a-like or typo-squatted domain “email@example.com” with link in the email body is today’s latest spoof of a well-known company, bank or public authority eventually delivering Trickbot banking Trojan
Today we start with a fake HMRC Email, that has a link to “https://firstname.lastname@example.org&?n2389890KJBDS*(@WWWW” that will eventually download or automatically run a VBS file. which downloads the Trickbot binary ( see malware section below)
This is only designed to work in Internet Explorer and the criminals have set up the delivery chain to specifically exclude any recipient using Google Chrome or Firefox browsers, where you get this message when following the link in the email.
Unfortunately you are using an old browser or version that is unsupported by our platform, HM Revenue & Customs recommends use the latest version of Internet Explorer.
When I tried to use Internet Explorer I got a simple page saying “is IE ” and nothing else. But after seeing the naming convention yesterday, I now know how to get the malware & payload chain.
You can now submit suspicious sites, emails and files via our Submissions system
From: HM Revenue & Customs <email@example.com>
Date: Tue 26/06/2018 11:47
Subject: Important : Outstanding Amount
Outstanding Amount £31,369.64
Date 26 June 2018
Our ref 2389890:00041273:002
You do not appear to have paid the full amount due as shown on the attached Statement of Liabilities.
Please follow this link for more details.
About this notice
If you agree the amount is due , then you need to pay in full now. Go to www.hmrc.gov.uk/payert/index.htm
It is possible that this E-mail has been received by you in error. If so, please note that it may contain confidential information, and we ask that you notify the author by replying to it, then delete it immediately, and take no further action as a result of receiving it. Although we take care by ensuring that any files attached to E-mails sent from our office have been checked with up-to-date virus detection software, you should carry out your own virus check before opening any attachment. We accept no liability for any loss or damage which may be caused by software viruses.
All content is available under the Open Government Licence v3.0.
HMRC has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there is one newly registered domain using 4 separate IP addresses and servers to send the emails that imitate Companies House, HMRC, another Government department, a Bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way. Some days however we do see dozens or even hundreds of fake domains.
Today’s examples of the spoofed domains are, as usual, registered via Godaddy as registrar .
- hmrcmailgov.uk hosted on & sending emails via 126.96.36.199 hosted-by.spectraip.net Sneek Friesland NL AS62068 SpectraIP B.V. | 188.8.131.52 nld-net-ip.as51430.net Amsterdam North Holland NL AS51430 AltusHost B.V|184.108.40.206 NL AS60781 LeaseWeb Netherlands B.V. | 220.127.116.11 Edmond Oklahoma US AS20454 SECURED SERVERS LLC
Update for a change Godaddy are on the ball and the domains are all coming up as suspended ( or at least the DNS are being directed to ns1.suspended-for.spam-and-abuse.com and ns2.suspended-for.spam-and-abuse.com which should help to prevent any more users being infected. However there will still be several hours where the DNS has been cached and the sites are still available.
Today we start with a fake Barclays Bank Email, that has a link to https://firstname.lastname@example.org&?n2389890KJBDS*(@WWWW which redirects to https://payert-gov.uk/second.html which then redirects to https://payert-gov.uk/script.vbs VirusTotal | Anyrun |
This encoded vbs downloads the Trickbot binary from one of these 2 sites http://zicombd.com/mar.bin | http://woodbeei.com/mar.bin via an encoded powershell script embedded in the VBS. VirusTotal
Note the exploit is actually contained within the VBS. I am pretty sure that the vbs autoruns when visiting the site in a vulnerable version of Internet Explorer with no user interaction whatsoever, except following g the original link in the email.
They have also changed to C:\Users\User Name\AppData\Roaming\mspainter as the folder location to run the malware and store the config files. Today we have Gtag ser 0626