Successful Receipt of Online Submission for Reference - Virus


Email:

A fake HMRC UK Tax email claims you sent your VAT Return online, and the report is attached.

The attachment is either a malicious .DOC file or an EXE inside a ZIP.

Spoofs HMRC.GOV.UK in From headers.


Subject: Successful Receipt of Online Submission for Reference 512115733

Thank you for sending your VAT Return online. The submission for reference 512115733 was
successfully received on 2013-05-16 T10:49:28 and is being processed. Make VAT Returns is just
one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus
scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.

VAT Returns Repot 512115733.doc (628)
or
Ref_1050355.zip (10)

Header samples:

Spoofs hmrc.gov.uk in the From header; the envelope sender is either random or the usual Cutwail nacha/aexp/fiserv mix.

Received: from c-66-229-224-76.hsd1.fl.comcast.net [66.229.224.76]
X-Envelope-From: funereallyf5015 @daxis.nl
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>

Received: from augustin1-1-138.cnt.nerim.net [213.215.1.138]
X-Envelope-From: barbaraun9 @gil.com.au
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>

Received: from 94-76-251-244.static.as29550.net [94.76.251.244]
X-Envelope-From: fowls549 @bobandisabelle.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>

Received: from 12.ds.rdns.acropolistelecom.net [217.64.50.12]
X-Barracuda-Envelope-From: fraud @aexp.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 1050355

Received: from static-71-167-42-18.nycmny.fios.verizon.net [71.167.42.18]
X-Envelope-From: shrewdlyettq8 @npgcable.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>

Received: from 26.252.156.175.unknown.m1.com.sg [175.156.252.26]
X-Envelope-From: stigmay915 @btc-bci.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 1404476

Received: from [91.232.40.179]
X-Envelope-From: fuddlexe3 @purifiercn.ru
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 7945478

Received: from c-98-246-48-85.hsd1.or.comcast.net [98.246.48.85]
X-Envelope-From: antigenc5823 @unb.ca
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 4406331

Received: from static-96-254-126-208.tampfl.fios.verizon.net [96.254.126.208]
X-Envelope-From: message @inbound.efax.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 9053507
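Every sample above has the same shape: From says hmrc.gov.uk, the envelope sender is some unrelated domain, and the Received host is a residential or hosting box, not an HMRC mail server. That mismatch is the detection. The script below is an added example (not from the original post or any THL tooling) that runs exactly that check over three of the header samples quoted above; the "clean" control block and the protected-domain name are constructed assumptions for contrast.

```python
import re
from email.utils import parseaddr

# Three of the header samples quoted in the post. The author defanged the
# addresses by writing " @" instead of "@"; parse_headers() undoes that.
HEADER_SAMPLES = """\
Received: from c-66-229-224-76.hsd1.fl.comcast.net [66.229.224.76]
X-Envelope-From: funereallyf5015 @daxis.nl
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>

Received: from 12.ds.rdns.acropolistelecom.net [217.64.50.12]
X-Barracuda-Envelope-From: fraud @aexp.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 1050355

Received: from [91.232.40.179]
X-Envelope-From: fuddlexe3 @purifiercn.ru
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
"""

# Constructed control block (assumption, not from the post): a message whose
# From, envelope sender and sending host all agree with the claimed domain.
CONTROL_SAMPLE = """\
Received: from outbound.hmrc.gov.uk [192.0.2.10]
X-Envelope-From: noreply@hmrc.gov.uk
From: "HMRC" <noreply@hmrc.gov.uk>
"""

# Envelope-sender headers seen in the post's samples, plus the standard one.
ENVELOPE_HEADERS = ("x-envelope-from", "x-barracuda-envelope-from", "return-path")

def parse_headers(block):
    """Parse one 'Name: value' header block into a dict keyed by lower-cased name."""
    headers = {}
    for line in block.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().replace(" @", "@")
    return headers

def domain_of(addr):
    """Domain part of a 'Display <user@host>' or bare 'user@host' address."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()

def analyse(headers, claimed_domain="hmrc.gov.uk"):
    """Return the list of spoofing indicators found (empty list = nothing found)."""
    findings = []
    from_domain = domain_of(headers.get("from", ""))
    if from_domain != claimed_domain:
        return findings  # not claiming to be the protected brand; out of scope here

    env = next((headers[h] for h in ENVELOPE_HEADERS if h in headers), "")
    env_domain = domain_of(env)
    if env_domain and env_domain != claimed_domain:
        findings.append(f"envelope sender {env_domain} != From {from_domain}")

    # "from host [ip]" or just "from [ip]" when the relay had no reverse DNS
    m = re.match(r"from\s+(?:(\S+)\s+)?\[([\d.]+)\]", headers.get("received", ""))
    if m:
        host, ip = m.group(1), m.group(2)
        if host is None:
            findings.append(f"bare IP {ip} in Received, no hostname")
        else:
            if not host.lower().endswith("." + claimed_domain):
                findings.append(f"received from {host}, outside {claimed_domain}")
            # rDNS names assembled from the IP itself are typical of dynamic pools
            if all(o in re.split(r"[.-]", host) for o in ip.split(".")):
                findings.append(f"hostname {host} is a generic rDNS name for {ip}")
    return findings

def analyse_samples(text, claimed_domain="hmrc.gov.uk"):
    """Split blank-line-separated header blocks and analyse each one."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [analyse(parse_headers(b), claimed_domain) for b in blocks]

if __name__ == "__main__":
    for findings in analyse_samples(HEADER_SAMPLES):
        print("SPOOF" if findings else "ok", "; ".join(findings))
    print(analyse_samples(CONTROL_SAMPLE))
```

The envelope/From comparison is the same thing SPF and DMARC alignment checks do at the gateway; the Received-host checks are the manual version of what you do when eyeballing these samples.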

Attachment Examples:

May 2013

VAT Returns Repot 512115733.doc was a malicious .doc file, Ikarus Exploit.MSWord.CVE-2012

Check out the Joe Sandbox report on this. It is pretty gnarly.

30 July 2013

VAT_9053507.zip containing VAT_07302013.exe | VirusTotal report | Malwr report

24 December 2013

Ref_1050355.zip containing Ref_12242013.exe | VirusTotal report | Malwr report | File-Analyzer report

6 February 2014

Reference.zip containing Reference.scr

VirusTotal report

Emsisoft    Android.Riskware.SMSReg.W (B)
Qihoo-360   HEUR/Malware.QVM20.Gen
Sophos      Mal/Generic-S

Malwr.com report

Starts servers listening on 0.0.0.0:0, 0.0.0.0:8839, 0.0.0.0:4102
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup
Generates some ICMP traffic

HTTP downloads: bsitacademy.com /img /events /ie.enc

From the PCAP file, UDP traffic:

These addresses had back-and-forth UDP communications:
107.221.229.216 UNITED STATES
184.3.61.57 UNITED STATES
198.96.0.241 UNITED STATES
222.148.158.72 JAPAN
24.46.85.208 UNITED STATES
81.149.16.130 UNITED KINGDOM
85.100.41.9 TURKEY

These addresses were sent UDP traffic but never answered:
107.207.148.251 UNITED STATES
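The three later waves all deliver the same thing: a ZIP with a single executable inside (.exe, then .scr). The script below is an added example (not from the original post) of the attachment triage a mail gateway or analyst would apply: it flags executable extensions inside the archive and also checks the DOS/PE "MZ" magic so a renamed executable does not slip through. The archives are constructed in memory with the post's file names and a dummy two-byte header; they are stand-ins, not the real samples.

```python
import io
import os
import zipfile

# Extensions the post's samples used (.exe, .scr) plus other Windows executable
# types a gateway policy normally blocks outright.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}

def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def triage_zip(zip_bytes):
    """Return (member name, reason) findings for executable content in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                magic = fh.read(2)
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, f"executable extension {ext}"))
            elif magic == b"MZ":
                # Extension lies; content is a DOS/PE executable anyway.
                findings.append((info.filename, "MZ header behind a non-executable extension"))
    return findings

def triage_all(samples):
    """Triage a {zip name: zip bytes} mapping; zips with no findings map to []."""
    return {name: triage_zip(data) for name, data in samples.items()}

# Constructed stand-ins: member names follow the post's samples, the payload is
# a dummy DOS header, not the real malware.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "VAT_9053507.zip": build_zip({"VAT_07302013.exe": FAKE_PE}),
    "Ref_1050355.zip": build_zip({"Ref_12242013.exe": FAKE_PE}),
    "Reference.zip": build_zip({"Reference.scr": FAKE_PE}),
    "renamed.zip": build_zip({"report.pdf": FAKE_PE}),      # constructed: exe renamed to .pdf
    "clean.zip": build_zip({"report.pdf": b"%PDF-1.4\n"}),  # constructed: genuinely benign
}

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name, "->", findings or "no executable content")
```

Blocking on extension alone is what most gateways did in 2013, which is why the campaign switched from .exe to .scr; the magic-byte check catches both and the renamed case as well.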
