This is the second version of Trickbot today. This one is obviously targeted at Canadian users rather than the UK ones I normally see. This example is an email containing the subject of “Secure mail waiting: (SECURE) – COMPLETED BANK CONFIRMATION ” pretending to come from Scotia Bank but actually coming from a look-a-like or typo-squatted domain “email@example.com” or “firstname.lastname@example.org” with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan
They have also continued with changed behaviour we first saw on Tuesday by downloading .bin files instead of fake .png files. This delivery is slightly different to the previous Equation Editor versions we have been used to seeing. It looks slightly more complicated. It is using an exploit, probably CVE-2017-0199 to download and run a rtf file silently in the background that uses the equation editor exploits. There are a completely different set of URLs involved in this one to today’s earlier one hitting UK.
This does ask you to update links on the word doc. The anyrun app shows the whole malware chain working and being downloaded without actually clicking yes to the prompt. In previous versions clicking no stopped the exploit working. I don’t know what happens on a real computer and whether it will still run without clicking yes on the prompt, but from feedback I got from at least 1 earlier victim today it looks like it runs totally without user interaction. All you need to do is open the word doc attached to the email to get infected ( if you do not have protected view enabled or you click prompts to allow editing and content).
This version is probably using Threadkit which is an office doc exploit builder using the Microsoft Equation Editor Exploits CVE-2017-11882 and CVE-2017-8570 and other office exploits instead of Macros. I understand that one of the exploits being used possibly uses an exploit in Adobe flash that when run crashes word and allows the shell code. I am informed that even if you are fully updated in Microsoft Office but flash player is outdated, this exploit still runs and will infect you. I am not 100% certain if protected view in Microsoft Office stops this but I believe it does. This is one reason to add additional security and make sure you set RTF files to display only and not allow editing of RTF files at all. That will stop this and any other currently known exploit from running.
You can now submit suspicious sites, emails and files via our Submissions system
From: Scotia Bank <email@example.com>
Date: Thu 12/04/2018 18:08
Subject: Secure mail waiting: (SECURE) – COMPLETED BANK CONFIRMATION
This automated message has been sent because
has attempted to send you a secure, encrypted e-mail message.
To view this e-mail, please download attached file and log in with your existing account.
Please note that a self-password-reset feature has been added to the Scotiabank Secure Email Service.
Once you login to the Scotiabank secure email service you will be prompted to select a challenge question and enter your answer to the question.
You will use the selected challenge question and answer during a password reset.
For further information on how to use this service please refer to the Secure Email User Guide.
Vous avez reçu ce message automatisé parce que
vous a envoyé un courriel sécurisé.
Pour lire ce courriel, veuillez télécharger le fichier joint ou vous connecter à votre compte existant.
Veuillez noter qu’une fonction de réinitialisation de mot de passe en libre-service a été ajoutée au service de courriel sécurisé de la Banque Scotia.
Lorsque vous ouvrirez une session dans le système de courriel sécurisé de la Banque Scotia, un message guide vous demandera de sélectionner une question secrète et d’entrer la réponse à cette question.
Vous aurez besoin de la question secrète choisie et de la réponse pour réinitialiser le mot de passe.
Pour de plus amples renseignements sur la façon d’utiliser le Service de courriel sécurisé – Guide de l’utilisateur.
Se le ha enviado este mensaje automático porque
ha intentado enviarle un correo electrónico seguro y cifrado.
Para ver este correo electrónico, por favor descargue adjunto o puede ingresar utilizando su cuenta existente.
Tome en cuenta que se ha agregado una función de restablecimiento de contraseña al servicio de Correo Electrónico Seguro Scotiabank.
Una vez que inicie sesión en el servicio de correo electrónico seguro Scotiabank, recibirá una solicitud para que elija una pregunta e ingrese la respuesta correspondiente.
La pregunta y la respuesta serán requeridas durante el restablecimiento de contraseña.
Si desea más información sobre cómo usar este servicio, sírvase consultar la Guía de Correo Electrónico Seguro para el Usuario.
Scotia Bank has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there are between 2 and 4 newly registered domains that imitate Companies House, HMRC, another Government department, a Bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way. Some days however we do see dozens or even hundreds of fake domains.
Today’s examples of the spoofed domains have switched from being registered via Godaddy as registrar using privacy protection services to using Tucows.com as registrar but still using privacy protection.
- scotiabank-mail.com 126.96.36.199 server134.hostner.com Schiedam Zuid-Holland NL AS62370 Snel.com B.V.
- scotiabankmail.com 188.8.131.52 Leaseweb AS60781
Downloads a RTF from http://pulp99.com/1.rtf ( VirusTotal)
A second Anyrun shows that even when pressing no to the update links prompt, the malware chain completes it full download and actions and Trickbot is installed and run on the computer
This malware doc file downloads from http://ccmlongueuil.ca/C3VHMY.bin which is renamed .exe file ( VirusTotal) Gtag ser0412ca
The alternate Download location is http://ushnass.com/C3VHMY.bin
This also downloads 3 alternative versions of Trickbot
- http://184.108.40.206/table.png VirusTotal | Anyrun | Gtag lob203
- http://220.127.116.11/worming.png VirusTotal | Anyrun | Gtag jim203
- http://18.104.22.168/toler.png VirusTotal | Anyrun | Gtag tot203
All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware, macros and DDE “exploit /Feature” and embedded ole objects from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.
Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.
The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them
I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.