Trickbot Via Fake Bank Of America Secure Message

A bit of a change with the Trickbot delivery system with this example. Instead of directly attaching a malicious macro enabled word doc or other Microsoft Office file to the email, it instead has a html attachment and a link in the email body  that when opened shows  a web page that looks like a secure message with another link to download the malicious word doc. By the time I received the email and investigated, the website was down & not responding. I did manage to find a copy that somebody else had uploaded  to VirusTotal and Anyrun and went from there.

The html file and the word doc were hosted on the same look-a-like or Typosquatted domain that the emails were sent from  secmail-bankofamerica.com. The Trickbot criminal gang tried this sort of delivery system several months ago and it didn’t work very well then because the sites get taken down too quickly to be effective.  As far as I can tell this time, this fake Bank of America site was down within about 1 hour or so  of the campaign starting.

I haven’t seen a lot of noise on Twitter or other social media about this one, so hopefully it didn’t manage to infect many recipients.

This email containing the subject of “Secure Message” pretending to come from Bank of America but actually coming from “[email protected]” which is a look-a-like,  typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site  is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan

You can now submit suspicious sites, emails and files via our Submissions system

Email Details

From: Rene Ruiz <[email protected]>

Date: Tue 02/10/2018 19:11

Subject: Secure Message

Attachment: SecureMessage.doc

Body content:

This is a secure message from Bank of America.

Click here by 2018-10-03 22:45 GMT to read your message.

After that, either open the attachment or request the sender to re-send the message.

If you have concerns about the validity of this message, please contact the sender directly. This message will expire after 90 days.

More Info

Screenshot:

Fake Bank Of America Secure Message email

Bank of America has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there is only one newly registered domain  that imitate Companies House, HMRC, another Government department, a Bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way, that are hosted on & sending emails from 3 or 4 different servers.

Some days however we do see dozens or even hundreds of fake domains. I only received 1 copy of this email to my server and when I started to investigate the domain was already down. I have managed to find some cached DNS entries that show the IP addresses that were being used.

Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar. Because of new GDPR rules we cannot easily find the registrants name or any further details.

  • secmail-bankofamerica.com  hosted on & sending emails via  50.63.202.36| 184.168.221.53 |5.79.76.195|

Malware Details

We start with the html attachment  which looks like this. The webpage this was also hosted on was

Fake Bank of America Secure Message HTML attachment

When you press the “Click to read Message” button the word doc would be downloaded from

Fake Bank of America word doc

SecureMessage.doc   Current Virus total detections | Hybrid Analysis | Anyrun |

Note: I am seeing some very strange behaviour from Hybrid Analysis with this sample. I have linked to the main page above rather than the sample directly. It is showing as an Adobe PDF rather than a Microsoft word doc, with screenshots of a PDF  [1]. A second upload of the word doc by me shows the correct word doc & malware payload sites  [2]  I don’t understand how the same MD5 or SHA-1 hash can display such different results, unless there was a problem on HA when the original was uploaded and somehow the wrong details have been displayed.

This malware doc file downloads  from which is a renamed .exe file  VirusTotal | Anyrun | Gtag Ser 1002US

The alternate Download location is  southjerseylawfirm

The folder for the files & configs is: C:\Users\[User]\AppData\Roaming\AMNI

All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc  that are downloaded from the web or received in an email  automatically in “protected view” that stops any embedded malware, macros and  DDE “exploit /Feature” and embedded ole objects  from being displayed and running.

Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.

Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still  using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007.  Many of us have continued to use older versions of word and other office programs, because  they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.

The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.

What can be infected by this

At this time, these malicious macros only infect windows computers. They do not affect a Mac, IPhone, IPad, Blackberry, Windows phone or Android phone. The malicious word or excel file can open on any device with an office program installed, and potentially the macro will run on Windows or Mac or any other device with Microsoft Office installed.

BUT the downloaded malware that the macro tries to download is windows specific, so will not harm, install or infect any other computer except a windows computer. You will not be infected if you do not have macros enabled in Excel or Word. These Macros, embedded Oles or DDE  do not run in “Office Online”  Open Office, Libre Office, Word Perfect or any other office program that can read Word or Excel files.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them

I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.

IOC:

SecureMessage.doc

MD5: 40e8601c417bd0bbaf97390fb1142ae2

SHA-1: adcf0e3f9fbaad95351da7805df6c5c14cfcf1a7

Download URLs

http://wormaldfj.com/cantbe.played   138.128.75.133

http://southjerseylawfirm.com/cantbe.played    208.76.80.45

MD5: 6dee5ed6df88b54e928154c282f8f29d

SHA1: e220a630b878cf5ed7a034cbf90e1a4428a20c78

https://secmail-bankofamerica.com/formpostdir/SecureMessageAtt.html

https://secmail-bankofamerica.com/formpostdir/SecureMessage.doc

Email from: [email protected]

50.63.202.36

184.168.221.53

5.79.76.195