A bit of a change with the Trickbot delivery system with this example. Instead of directly attaching a malicious macro enabled word doc or other Microsoft Office file to the email, it instead has a html attachment and a link in the email body that when opened shows a web page that looks like a secure message with another link to download the malicious word doc. By the time I received the email and investigated, the website was down & not responding. I did manage to find a copy that somebody else had uploaded to VirusTotal and Anyrun and went from there.
The html file and the word doc were hosted on the same look-a-like or Typosquatted domain that the emails were sent from secmail-bankofamerica.com. The Trickbot criminal gang tried this sort of delivery system several months ago and it didn’t work very well then because the sites get taken down too quickly to be effective. As far as I can tell this time, this fake Bank of America site was down within about 1 hour or so of the campaign starting.
I haven’t seen a lot of noise on Twitter or other social media about this one, so hopefully it didn’t manage to infect many recipients.
This email containing the subject of “Secure Message” pretending to come from Bank of America but actually coming from “Rene.Ruiz@secmail-bankofamerica.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan
You can now submit suspicious sites, emails and files via our Submissions system
From: Rene Ruiz <Rene.Ruiz@secmail-bankofamerica.com>
Date: Tue 02/10/2018 19:11
Subject: Secure Message
This is a secure message from Bank of America.
Click here by 2018-10-03 22:45 GMT to read your message.
After that, either open the attachment or request the sender to re-send the message.
If you have concerns about the validity of this message, please contact the sender directly. This message will expire after 90 days.
Bank of America has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there is only one newly registered domain that imitate Companies House, HMRC, another Government department, a Bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way, that are hosted on & sending emails from 3 or 4 different servers. Some days however we do see dozens or even hundreds of fake domains. I only received 1 copy of this email to my server and when I started to investigate the domain was already down. I have managed to find some cached DNS entries that show the IP addresses that were being used.
Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar. Because of new GDPR rules we cannot easily find the registrants name or any further details.
- secmail-bankofamerica.com hosted on & sending emails via 220.127.116.11| 18.104.22.168 |22.214.171.124|
We start with the html attachment which looks like this. The webpage this was also hosted on was https://secmail-bankofamerica.com/formpostdir/SecureMessageAtt.html
When you press the “Click to read Message” button the word doc would be downloaded from https://secmail-bankofamerica.com/formpostdir/SecureMessage.doc
SecureMessage.doc Current Virus total detections | Hybrid Analysis | Anyrun |
Note: I am seeing some very strange behaviour from Hybrid Analysis with this sample. I have linked to the main page above rather than the sample directly. It is showing as an Adobe PDF rather than a Microsoft word doc, with screenshots of a PDF . A second upload of the word doc by me shows the correct word doc & malware payload sites  I don’t understand how the same MD5 or SHA-1 hash can display such different results, unless there was a problem on HA when the original was uploaded and somehow the wrong details have been displayed.
The alternate Download location is http://southjerseylawfirm.com/cantbe.played
The folder for the files & configs is: C:\Users\[User]\AppData\Roaming\AMNI
All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware, macros and DDE “exploit /Feature” and embedded ole objects from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.
Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.
The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them
I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.
Email from: Rene.Ruiz@secmail-bankofamerica.com