This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Payment Receipt Advise/Avis de Reception de paiement” pretends to come from RBC Royal Bank of Canada but actually comes from “firstname.lastname@example.org” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. Today they are using XLSM Excel spreadsheet files.
RBC Banque Royale, Banque Royale du Canada, Royal Bank of Canada has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like the genuine Company, Bank, Government Department or message sending service. Normally there is only one newly registered domain that imitates a well known Company, Government Department, Bank or other organisation that can easily be confused with the genuine body or website in some way. These are hosted on & send the emails from 3 or 4 different servers. Some days however we do see dozens or even hundreds of fake domains.
Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar. Because of new GDPR rules we cannot easily find the registrants name or any further details.
- achaft-rbc.com A DNS lookup only gives 22.214.171.124 as the IP address but the copy I saw came from 126.96.36.199 | with these other IP addresses listed as approved to send via SPF records lookups 188.8.131.52 | 184.108.40.206 |220.127.116.11
You can now submit suspicious sites, emails and files via our Submissions system
From: RBC Royal Bank-Banque Royal-Customer support/Soutien a la clientele <email@example.com>
Date: Wed 27/02/2019 17:09
Subject: Payment Receipt Advise/Avis de Reception de paiement
Payment Date/Date du paiement: 2019-02-27 A Direct Deposit has been made to your account in the amount of/Un Dépôt Directa été fait à votre compte au montant de CAD $8,485.31 Reference/Référence: 14308278291 Direct Queries to/Queries direct à:———————————–Payor/Créateur: Canada Revenue Agency/Agence du revenu du CanadaContact/Personne-ressource: Fiona McDonaldEmail address/Addresse courriel: firstname.lastname@example.orgPhone Number/numéro de téléphone: (800) 959-8281 Ext: For more information, please find enclosed document / Pour plus d’informations, veuillez trouver le document ci-joint. This message has been automatically produced by a computerized system and willnot be monitored for your reply.Ce message a été produit automatiquement par un système informatisé et aucunerésponse n’est attendue de votre part. This e-mail may be privileged and/or confidential, and the sender does not waiveany related rights and obligations. Any distribution, use or copying of thise-mail or the information it contains by other than an intended recipient isunauthorized. If you received this e-mail in error, please advise the Payor (byreturn e-mail or otherwise) immediately. Ce courrier électronique est confidentiel et protégé. L’expéditeur ne renoncepas aux droits et obligations qui s’y rapportent. Toute diffusion, utilisationou copie de ce message ou des renseignements qu’il contient par une personneautre que le (les) destinataire(s) désigné(s) est interdite. Si vousrecevez ce courrier électronique par erreur, veuillez à Créateur aviserimmédiatement. Registered trademarks of Royal Bank of Canada. RBC and Royal Bank areregistered trademarks of Royal Bank of Canada.
This may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this or the information it contains by other than an intended recipient is unauthorized. If you received this in error, please advise the sender (by return or otherwise) immediately. You have consented to receive the attached electronically at the above-noted address; please retain a copy of this confirmation for future reference.
This malware xls file downloads from http://tyleruk.com/document.rbc which is a renamed .exe file VirusTotal | Gtag ser 0227us
The alternate Download location is http://hemig.lk/document.rbc
The folder for the files & configs is: C:\Users\[User]\AppData\Roaming\appnet
All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware, macros and DDE “exploit /Feature” and embedded ole objects from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.
Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.
The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them
I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.
Main object- “14308278291.xlsm”
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\file01.exe 252d3838936de2f3a455306dbee46cfaa11f37d1aab1dfcb64780ed66913eb44
RBC Royal Bank-Banque Royal-Customer support/Soutien a la clientele <email@example.com>