Fake “Your Latest BT Onebill Is Available Now” Malspam Leads To Dridex Banking Trojan


An email with the subject “Your latest BT OneBill is available now”, pretending to come from BT but actually sent from a look-alike domain (ebilling4business@btdnet.com) that can just about be mistaken for a genuine BT address, is today’s latest spoof of a well-known company, bank or public authority delivering the Dridex banking Trojan.

They are using email addresses and subjects that will scare, persuade or entice you to read the email and open the attachment.

Remember that many email clients, especially on a mobile phone or tablet, only show the Name part of the From: header and not the actual address in the <domain.com> part. That is why these scams and phishes work so well: here the “name” has been set to an address at bt.com, while the real sender is at btdnet.com.
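The display-name trick described above can be checked mechanically. The following is an added example, not code from the original post: it splits a From: header the way a mail client does (last angle-bracket group is the address, everything before it is the name) and flags the case where the “name” is itself an e-mail address at a different organisation from the real sender. The header tested is the one shown in this post; the other samples in the test are constructed. The standard library’s email.utils.parseaddr is deliberately not used, because an unquoted “@” inside the display name is malformed and is not handled consistently across Python versions.

```python
import re

# name <addr> form; the display name is everything before the last '<'
ANGLE_ADDR_RE = re.compile(r"^(?P<name>.*)<(?P<addr>[^<>]+)>\s*$", re.S)
# a bare address: local-part@domain
BARE_ADDR_RE = re.compile(r"^[^@\s\"<>]+@([A-Za-z0-9.-]+)$")


def split_from_header(value):
    """Return (display_name, address) the way a mail client does: the address
    is the last <...> group, the display name is whatever precedes it with
    surrounding quotes and whitespace removed. A header with no <...> is
    treated as a bare address with an empty display name."""
    m = ANGLE_ADDR_RE.match(value)
    if m is None:
        return "", value.strip()
    name = m.group("name").strip().strip('"').strip()
    return name, m.group("addr").strip()


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def same_organisation(d1, d2):
    """Crude check: equal, or one is a subdomain of the other
    (noreply@bt.com shown for noreply@mail.bt.com is not a spoof)."""
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)


def from_header_mismatch(value):
    """Return (display_domain, real_domain) when the display name looks like
    an e-mail address at a different organisation than the real sender,
    otherwise None."""
    name, addr = split_from_header(value)
    m = BARE_ADDR_RE.match(name)
    if m is None:
        return None  # display name is not an address; nothing to compare
    display_domain, real_domain = m.group(1).lower(), domain_of(addr)
    if not real_domain or same_organisation(display_domain, real_domain):
        return None
    return display_domain, real_domain


if __name__ == "__main__":
    # the From: header shown in this post
    header = "ebilling4business@bt.com <ebilling4business@btdnet.com>"
    print(from_header_mismatch(header))  # ('bt.com', 'btdnet.com')
```

A mail gateway rule built on this would quarantine or tag the message rather than reject it outright; a legitimate sender whose name field happens to contain an address at its own domain returns None and is left alone.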

BT has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there are between 2 and 4 newly registered domains that imitate Companies House, HMRC, another Government department, a Bank or a message sending service that can easily be confused with the genuine organisation in some way. Some days however we do see dozens or even hundreds of fake domains.

Today’s spoofed domain was, as usual, registered via eranet.com as registrar. It was registered by the criminals on 29 August 2017, the day before the emails went out:

btdnet.com, hosted on 54.36.30.168 (OVH)

This particular email was sent from IP 54.36.30.230, but a quick look at the domain’s DNS records shows that the criminals have also authorised a whole range of IP addresses to send these emails so that they pass sender authentication (SPF) checks:

91.121.174.196
54.36.30.0/24 (listed repeatedly in the record; this range contains both the web host 54.36.30.168 and the sending IP 54.36.30.230)
94.23.212.72
188.165.227.13
94.23.208.20
176.31.240.50
37.59.50.201
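To see why “passes authentication checks” is no comfort, the following added example (not from the original post) evaluates a sending IP against an SPF record. The record text is constructed from the addresses listed above; the real btdnet.com TXT record is not reproduced in the post. Only ip4/ip6 mechanisms and the final “all” are evaluated, which is enough for an IP-only record like this one; mechanisms that need DNS lookups (a, mx, include) are skipped.

```python
import ipaddress

# Constructed from the IPs and ranges listed in the post; the real TXT
# record for btdnet.com is not shown there.
BTDNET_SPF = ("v=spf1 ip4:91.121.174.196 ip4:54.36.30.0/24 ip4:94.23.212.72 "
              "ip4:188.165.227.13 ip4:94.23.208.20 ip4:176.31.240.50 "
              "ip4:37.59.50.201 -all")

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_ip4_result(record, sender_ip):
    """Evaluate an SPF record against sender_ip, honouring only ip4/ip6
    mechanisms and 'all'. Mechanisms that need DNS (a, mx, include, exists)
    are skipped; a record with nothing matching ends 'neutral'."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP becomes /32
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def authenticated_domain_is_brand(auth_domain, brand_domain):
    """An SPF pass only proves the owner of auth_domain authorised the IP.
    The question that matters is whether auth_domain is the brand's domain
    (or a subdomain of it); btdnet.com is not bt.com."""
    auth_domain, brand_domain = auth_domain.lower(), brand_domain.lower()
    return auth_domain == brand_domain or auth_domain.endswith("." + brand_domain)


if __name__ == "__main__":
    print(spf_ip4_result(BTDNET_SPF, "54.36.30.230"))  # pass
    print(authenticated_domain_is_brand("btdnet.com", "bt.com"))  # False
```

The sending IP passes because it sits inside 54.36.30.0/24, a range the criminals themselves put in the record they control. SPF (and DMARC alignment, since the header From is also btdnet.com) answers “did btdnet.com authorise this sender?”, which nobody disputes; it says nothing about whether btdnet.com has anything to do with BT.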

The email looks like:

From: ebilling4business@bt.com <ebilling4business@btdnet.com>

Date: Wed 30/08/2017 14:56

Subject: Your latest BT OneBill is available now

Body content:

BT.com username: jenny@[redacted].co.uk

Your latest BT OneBill is ready to download from here

The benefits of which are:
• Access to your OneBill data online 24/7
• Data available online for 15 months
• More than one person can have access
• Online Help & Support
• You can import and analyse using BT Billing Analyst
Your PDF / Media file should be available to view or download in 24 hours.
If you try to do this sooner, you may encounter an error message.
There is no need to contact us unless the 24 hours from the time
of this notification has elapsed.
Regards,

Dylan Holtberg, CEO, BT Business

Help & support Forgotten Log in details Contact us Forums

Screenshot: [image not reproduced]

The link in the mail goes to a compromised, or fraudulently set up, third-party SharePoint (OneDrive for Business) guest-access address: https://mccabelawyers-my.sharepoint.com/personal/g_macneill_swslawyers_com_au/_layouts/15/guestaccess.aspx?docid=0cc833a8ff3b4411a986bfb04282f2ffb&authkey=AVpD74OXseK7zr4gaxr_UBE which downloads a zip file containing the .js file that eventually delivers Dridex. Because the download is served from a genuine Microsoft domain over HTTPS, reputation-based URL filters are unlikely to block it.

BT OneBill.zip extracts to BT OneBill.js. Current VirusTotal detections and a Payload Security sandbox report were linked for this sample. The script downloads the Dridex banking Trojan, but I am unable to determine the actual download site (VirusTotal).
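The attachment pattern here, a zip whose only content is a JScript file, is one a mail gateway can catch before any user double-clicks it. The following is an added example, not code from the original post: it builds a sample archive in memory with the same layout (the script body is an inert placeholder, not the real downloader) and lists the members a gateway should block or sandbox, namely script/executable extensions and encrypted members that cannot be scanned. The extension list is my own and not taken from the post.

```python
import io
import os
import zipfile

# extensions Windows will execute directly when double-clicked (my list,
# not the post's); the last extension wins, so "invoice.pdf.js" is caught
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".cmd", ".bat", ".ps1", ".scr", ".exe", ".jar"}


def build_sample_zip(member_name="BT OneBill.js"):
    """Constructed sample archive mirroring BT OneBill.zip -> BT OneBill.js.
    The member body is a harmless placeholder, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(member_name, "// constructed placeholder, not the real downloader\n")
    return buf.getvalue()


def risky_archive_members(data):
    """Return [(member_name, reason)] for members a gateway should block or
    sandbox: script/executable extensions, and encrypted members (bit 0 of
    the general-purpose flag) that a scanner cannot look inside."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append((info.filename, "script or executable " + ext))
            elif info.flag_bits & 0x1:
                findings.append((info.filename, "encrypted member"))
    return findings


if __name__ == "__main__":
    for name, reason in risky_archive_members(build_sample_zip()):
        print(f"{name}: {reason}")  # BT OneBill.js: script or executable .js
```

Listing members is cheap because it only reads the central directory; nothing is extracted or executed. The same check should be applied to nested archives, since a zip inside a zip is a common way of getting past a one-level inspection.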

Please read our “How to protect yourselves” page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about Word macro malware and how to avoid being infected by it.