This example is an email with the subject “Bill payment alert”, pretending to come from NatWest but actually sent from a look-alike or typo-squatted domain (“firstname.lastname@example.org”), with a malicious Word doc attachment. It is today’s latest spoof of a well-known company, bank or public authority delivering the Trickbot banking Trojan.
This version is probably using ThreadKit, an Office document exploit builder that uses the Microsoft Equation Editor exploits CVE-2017-11882 and CVE-2017-8570 and other Office exploits instead of macros. I understand that one of the exploits being used possibly uses an exploit in Adobe Flash that, when run, crashes Word and allows the shellcode to run. I am informed that even if you are fully updated in Microsoft Office but Flash Player is outdated, this exploit still runs and will infect you. I am not 100% certain whether Protected View in Microsoft Office stops this, but I believe it does. This is one reason to add additional security and make sure you set RTF files to display only and do not allow editing of RTF files at all. That will stop this and any other currently known exploit from running.
You can now submit suspicious sites, emails and files via our Submissions system
From: Natwest <email@example.com>
Date: Thu 03/05/2018 11:24
Subject: Bill payment alert
Bill payment alert
We’ve discovered an issue with your last payment. Please check the attached document and verify the transaction details. If you have already updated your transaction details, please be aware that it may take up to 24 hours for your transaction status to be updated and this error message to be removed.
The new payee is PAYE2891.
Don’t hesitate to call us, go online or visit a branch if you have any queries about the new payee, but please do not reply to this email. You’ll find details for all of our services in the ‘Contact us’ section of our website.
Frequently Asked Questions about the alerts service can also be found online at the following location www.natwest.com/alertsfaqs.
Natwest Online and mobile banking team
About this email
This email is confidential and intended for the addressee only. Please delete if that is not you.
This is a service message designed to keep you informed of important information associated with your account.
Please do not reply to this email as the address is not monitored. Visit our Support Centre if you have any queries and we’ll be happy to help.
Important Security Information
NatWest will NEVER ask for your full PIN or Password when identifying you on the phone or online, and will NEVER ask for Card Reader codes on the phone or when logging in.
Fraudsters may claim to be the bank to try and access security information. If you receive a call or email from NatWest that you are suspicious about, cease the call immediately, or forward the email to firstname.lastname@example.org. Visit natwest.com/security for more information and advice.
National Westminster Bank Plc, Registered in England and Wales No. 929027. Registered Office: 135 Bishopsgate, London, EC2M 3UR.
Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our Financial Services Register number is 121878.
NatWest has not been hacked or had its email or other servers compromised. It is not sending these emails to you. It is just an innocent victim in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine company, bank, government or message-sending services. Normally there are between 2 and 4 newly registered domains that imitate Companies House, HMRC, another government department, a bank, a file hosting service or a message-sending service, and that can easily be confused with the genuine organisation in some way. Some days, however, we do see dozens or even hundreds of fake domains. Today once again they have registered only 1 domain, but are hosting the domain and sending emails via 4 different IP addresses and servers.
Today’s example of the spoofed domain is registered via GoDaddy as registrar, using fake details:
- natwestmail.uk sending emails via:
  - 126.96.36.199 nld-net-ip.as51430.net NL AS51430 AltusHost B.V.
  - 188.8.131.52 184.108.40.206.deltahost-ptr Dronten Flevoland NL AS50673 Serverius Holding B.V.
  - 220.127.116.11 AS60781 LeaseWeb Netherlands B.V.
  - 18.104.22.168 AS50673 Serverius Holding B.V.
This malware doc file downloads from http://silverlinktechnologies.com/privacy.bin, which is a renamed .exe file (VirusTotal). Gtag: ser 0503.
The alternate download location is http://narwhaldatapartners.com/privacy.bin
There are some changes today in the file locations and naming conventions. They are now using the C:\Users\username\AppData\Roaming\mstools\ folder for the malware location (I saw this briefly mentioned overnight on Twitter, but can’t find the tweet now).
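As an added detection example (not from the original post), the two indicators above can be checked from a defender's side: a downloaded “.bin” that is really a renamed executable (PE header check), and endpoint telemetry showing an Office application spawning the Equation Editor (the CVE-2017-11882 pattern) or a file being written under AppData\Roaming\mstools. The key=value event format and the sample events are constructed for this example; EQNEDT32.EXE is the Equation Editor binary the exploit abuses.

```python
import re
import struct

# Constructed sample telemetry (not from the original post): process-creation
# and file-write events in a simple key=value form, as an EDR export might give.
SAMPLE_EVENTS = [
    'type=process parent=WINWORD.EXE image=EQNEDT32.EXE cmd="EQNEDT32.EXE -Embedding"',
    'type=file image=EQNEDT32.EXE path=C:\\Users\\alice\\AppData\\Roaming\\mstools\\privacy.exe',
    'type=process parent=explorer.exe image=WINWORD.EXE cmd="WINWORD.EXE invoice.docx"',
    'type=file image=WINWORD.EXE path=C:\\Users\\alice\\Documents\\report.docx',
]

# Malware drop folder named in the post; matched case-insensitively.
MSTOOLS_RE = re.compile(r'\\AppData\\Roaming\\mstools\\', re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def parse_event(line):
    """Parse key=value pairs; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def suspicious_events(lines):
    """Return (reason, event) pairs for events matching this delivery chain."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        if ev.get("type") == "process" and parent in OFFICE_APPS and image == "eqnedt32.exe":
            hits.append(("Office spawned Equation Editor (CVE-2017-11882 pattern)", ev))
        elif ev.get("type") == "file" and MSTOOLS_RE.search(ev.get("path", "")):
            hits.append(("file written under AppData\\Roaming\\mstools", ev))
    return hits


def is_disguised_pe(data):
    """True if a payload such as privacy.bin is really a PE executable:
    'MZ' DOS header and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed minimal PE-like header: MZ stub whose e_lfanew points at "PE\0\0".
FAKE_BIN = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
```

To check a real download, pass the file's bytes to is_disguised_pe; a .bin that passes the check should be treated as an executable regardless of its extension.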
All modern versions of Word and the other Office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft Office documents (Word docs, Excel spreadsheet files, PowerPoint, etc.) that are downloaded from the web or received in an email automatically in “Protected View”, which stops any embedded malware, macros, the DDE “exploit/feature” and embedded OLE objects from being displayed and run. Make sure Protected View is set in all Office programs to protect you and your company from these sorts of attacks, and do not override it to edit the document. If the Protected View bar appears when opening the document, DO NOT follow the advice given in the document to enable macros or enable editing to see the content. The document will show a warning message, but you will be safe.
Be aware that there are a lot of other dodgy Word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. Many of us have continued to use older versions of Word and other Office programs because they are convenient, have the functions and settings we are used to, and we have never seen a need to update to the latest super-duper version.
The risks of using an older version now seriously outweigh the convenience, benefits and cost savings of keeping an old version going.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about Word macro malware and how to avoid being infected by it.
I strongly urge you to update your Office software to the latest version and stop putting yourself at risk by using old, out-of-date software.