You have received new messages from HMRC - Virus


Email:

Fake HMRC (UK) malware phishing email claims you have received a new message about Tax Notices.

The attached zip file contains an .exe trojan (identified as Zbot by several AV engines, see below).

The From header spoofs hmrc.gov.uk.


Subject: You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM
Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure
or copying is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender at the above address and then delete the
e-mail from your system. 2. If you suspect that this e-mail may have been
intercepted or amended, please notify the sender. 3. Any opinions expressed in
this e-mail are those of the individual sender and not necessarily those of
QualitySolicitors Punch Robson. 4. Please note that this e-mail and any attachments
have been created in the knowledge that internet e-mail is not a 100% secure
communications medium. It is your responsibility to ensure that they are actually
virus free. No responsibility is accepted by QualitySolicitors Punch Robson for
any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson:
Main office 35 Albert Road Middlesbrough TS1 1NU Telephone 01642 230700. Offices
also at 34 Myton Road, Ingleby Barwick, Stockton On Tees, TS17 0WG Telephone
01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough TS8 0TJ
Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is
available from any of our offices. For further details, please visit our
website http://www.qualitysolicitors.com/punchrobson

Subject: Tax Notice

Subject: HMRC Tax Notice

Dear [your email address]

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 4839160.

The security and confidentiality of your personal information is important for us.
If you have any questions, please either call the toll-free customer service phone number.
2014 © All rights reserved

PDF_Scanned_HMRCD805361A80.zip (107)

Picture of the 12 March 2014 version of the fake HMRC tax notice email with malware.

Oh geeze... a second notice?

Subject: Second alert:HMRC Tax Departament

Second NOTICE to [your email address]

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 502087762.


The security and confidentiality of your personal information is important for us. If you have
any questions, please either call the toll-free customer service phone number.
2014 © All rights reserved

PDF_Scan_HMRCAF4C2ABCA5.zip (74)

Picture of the second-notice version of the fake HMRC email with malware.


Header samples:

Spoofs hmrc.gov.uk in From headers. Envelope left over from previous spam campaign.

Received: from 7.Red-79-152-134.dynamicIP.rima-tde.net [79.152.134.7]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from [220.241.244.130]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from [58.210.199.243]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from 7.Red-79-152-134.dynamicIP.rima-tde.net [79.152.134.7]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from host-92-29-33-67.as13285.net [92.29.33.67]
X-Envelope-From: no_reply @hmrc.gov.uk
From: "HMRC" <no_reply @hmrc.gov.uk>
Subject: Tax Notice

Received: from User-EP43DS3L (36-227-51-110.dynamic-ip.hinet.net [36.227.51.110]
X-Envelope-From: no_reply @hmrc.gov.uk
From: "HM Revenue" <no_reply @hmrc.gov.uk>
Subject: HMRC: Tax Notice

Received: from dynamic.vdc.vn [113.163.197.213])
X-Envelope-From: no_reply @hmrc.gov.uk
From: "HMRC" <no_reply @hmrc.gov.uk>
Subject:Second alert:HMRC Tax Departament
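The header samples above show the two tells of this campaign: the From header claims hmrc.gov.uk while the X-Envelope-From is either left over from an earlier campaign (citibank.com) or simply unverified, and the delivering host is a residential/dynamic address rather than a gov.uk mail server. The following script is an added example (not part of the original page) that encodes those checks against header samples modelled on the ones quoted above; the " @" spacing the page uses to defeat address harvesting is removed, and the benign contrast message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples modelled on the header samples quoted on this page.
MALICIOUS_SAMPLES = [
    'Received: from 7.Red-79-152-134.dynamicIP.rima-tde.net [79.152.134.7]\n'
    'X-Envelope-From: service@citibank.com\n'
    'From: "noreply@hmrc.gov.uk" <noreply@hmrc.gov.uk>\n'
    'Subject: You have received new messages from HMRC\n',
    'Received: from host-92-29-33-67.as13285.net [92.29.33.67]\n'
    'X-Envelope-From: no_reply@hmrc.gov.uk\n'
    'From: "HMRC" <no_reply@hmrc.gov.uk>\n'
    'Subject: Tax Notice\n',
]

# Constructed benign message for contrast (example.com is a reserved test domain).
BENIGN_SAMPLE = (
    'Received: from mail.example.com [192.0.2.10]\n'
    'X-Envelope-From: bob@example.com\n'
    'From: "Bob" <bob@example.com>\n'
    'Subject: Lunch\n'
)


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value)
    return addr.rpartition('@')[2].lower()


def hostname_embeds_ip(received):
    """True when the rDNS name of the delivering host contains at least three
    octets of its own IP, the pattern typical of generic consumer/dynamic rDNS."""
    m = re.search(r'from\s+(\S+)\s+\[?(\d{1,3}(?:\.\d{1,3}){3})', received)
    if not m:
        return False
    host, ip = m.group(1).lower(), m.group(2)
    numbers_in_host = set(re.findall(r'\d+', host))
    return sum(1 for octet in ip.split('.') if octet in numbers_in_host) >= 3


def assess(raw_headers):
    """Return a list of findings for one message's headers (empty = nothing odd)."""
    msg = message_from_string(raw_headers)
    findings = []
    from_dom = domain_of(msg.get('From', ''))
    env_dom = domain_of(msg.get('X-Envelope-From', ''))
    display, _ = parseaddr(msg.get('From', ''))
    received = msg.get('Received', '')  # first header = the hop that handed it to us

    # Envelope sender and header From come from different domains.
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f'envelope sender domain {env_dom} != From domain {from_dom}')
    # Display name is itself an address, a common trick to make the fake look "official".
    if '@' in display:
        findings.append('display name is itself an e-mail address')
    # Claims a gov.uk sender, but the last hop before our MX is not a gov.uk host.
    if from_dom.endswith('gov.uk') and '.gov.uk' not in received.lower():
        findings.append('claims a gov.uk sender but was not handed over by a gov.uk host')
    # Delivered straight from a consumer/dynamic IP.
    if hostname_embeds_ip(received):
        findings.append('delivering host has generic consumer-style rDNS')
    return findings


if __name__ == '__main__':
    for sample in MALICIOUS_SAMPLES + [BENIGN_SAMPLE]:
        print(sample.splitlines()[-1], '->', assess(sample) or 'clean')
```

Only the first Received header is inspected on purpose: every hop below it was written by the sender's side and can say anything, while the top one was added by your own mail server and records who actually connected.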

Attachment Examples:

August 2013

Tax Notices Report.zip containing Tax Notices Report.exe | virustotal report | Malwr report

14 February 2014

HMRC_Message.zip containing HMRC_Message.exe | VirusTotal report | Malwr.com report | File-Analyzer.net report 

12 March 2014

PDF_Scanned_HMRCD805361A80.zip containing scaned_7246582_pdf_4364534533.exe

VirusTotal report 

AhnLab-V3      Spyware/Win32.Zbot
Avast          Win32:Rootkit-gen [Rtk]
Bkav           W32.FadoxbesLTG.Trojan
Commtouch      W32/Trojan.FDSV-9320
F-Prot         W32/Trojan3.HSU
Malwarebytes   Spyware.Zbot.ED
Panda          Trj/Genetic.gen
Sophos         Mal/Generic-S
Symantec       Trojan.Zbot
ViRobot        Trojan.Win32.Zbot.110592.F
nProtect       Trojan-PWS/W32.Tepfer.110592.AJ

Malwr.com report 

Starts servers listening on 0.0.0.0:4990, 0.0.0.0:5862
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Harvests credentials from local FTP client softwares
Installs itself for autorun at Windows startup
HTTP POSTs to: 62.76.179.74 /ppp/ta.php
HTTP GETs:
62.76.190.140 /p2p/1.exe
62.76.190.140 /p2p/2.exe
62.76.190.140 /p2p/3.exe
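The HTTP indicators in the Malwr report (the POST to /ppp/ta.php and the three GETs for /p2p/N.exe) are the kind of thing worth sweeping proxy logs for. The script below is an added example, not part of the original page or report: it takes the IPs and paths quoted above as indicators and runs them over constructed proxy log lines. The path-pattern rule (any /p2p/<number>.exe) is an assumption of mine that a follow-up host would reuse the same layout; it is there to catch a moved download server, and the 198.51.100.23 line is constructed to exercise it.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the Malwr.com report quoted above.
IOC_HOSTS = {'62.76.179.74', '62.76.190.140'}
IOC_PATHS = {'/ppp/ta.php', '/p2p/1.exe', '/p2p/2.exe', '/p2p/3.exe'}

# Assumed generalisation: the same path layout served from a new IP.
IOC_PATH_PATTERNS = [re.compile(r'^/p2p/\d+\.exe$'), re.compile(r'^/ppp/ta\.php$')]

# Constructed proxy log in a simple "timestamp client method url status" form.
SAMPLE_LOG = """\
2014-03-12T10:01:02Z 10.0.0.5 POST http://62.76.179.74/ppp/ta.php 200
2014-03-12T10:01:05Z 10.0.0.5 GET http://62.76.190.140/p2p/1.exe 200
2014-03-12T10:01:09Z 10.0.0.7 GET http://www.example.com/index.html 200
2014-03-12T10:02:11Z 10.0.0.9 GET http://198.51.100.23/p2p/7.exe 200
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$')


def classify(url):
    """Return a reason string if the URL matches an indicator, else None."""
    u = urlsplit(url)
    if u.hostname in IOC_HOSTS:
        return 'known C2 host'
    if u.path in IOC_PATHS:
        return 'known C2 path'
    if any(p.match(u.path) for p in IOC_PATH_PATTERNS):
        return 'C2-like path on new host'
    return None


def scan(log_text):
    """Return (client, method, url, reason) for every log line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-sweep
        _ts, client, method, url, _status = m.groups()
        reason = classify(url)
        if reason:
            hits.append((client, method, url, reason))
    return hits


def infected_clients(log_text):
    """Internal hosts that talked to any indicator, for follow-up."""
    return sorted({client for client, _m, _u, _r in scan(log_text)})


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print('clients to check:', infected_clients(SAMPLE_LOG))
```

Matching on path as well as IP matters here because the download servers in such campaigns are rotated far more often than the URL layout the dropper is built with.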

From the PCAP file, UDP traffic:

These addresses had back and forth udp communications.
115.126.143.176 JAPAN
119.172.162.34 JAPAN
124.102.71.137 JAPAN
125.192.77.86 JAPAN
125.4.34.229 JAPAN
213.123.192.140 UNITED KINGDOM
27.54.110.77 JAPAN
82.213.60.98 PALESTINIAN, STATE OF
99.122.66.193 UNITED STATES
99.37.80.46 UNITED STATES

These addresses were sent udp but never answered back
109.152.14.70 UNITED KINGDOM
121.6.40.64 SINGAPORE
157.14.189.108 JAPAN
174.95.148.169 CANADA
180.32.45.40 JAPAN
181.28.56.2 ARGENTINA
218.40.104.20 JAPAN
50.100.208.136 CANADA
81.134.111.58 UNITED KINGDOM

File-Analyzer.net report 

Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Downloads files from webservers via HTTP
Posts data to webserver
Opens a port and listens for incoming connection (possibly a backdoor)
port: 5421
port: 5831
Binary may include packed or encrypted data
Drops:
C:\Documents and Settings\Administrator\Local Settings\Temp\Zyaf\uxxega.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\221421.exe
C:\WINDOWS\system32\drivers\3282a.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\196484.exe
Contains functionality to execute programs as a different user
Contains functionality to inject threads in other processes
May tried to detect the virtual machine to hinder analysis
Binary or memory string: \\vmware-host:Y
