
Email:

A fake HMRC (UK tax authority) email claims you sent your VAT Return online and that the report is attached.

The attachment is a malicious .DOC file, or an EXE inside a ZIP.

Spoofs HMRC.GOV.UK in the From header.


Subject: Successful Receipt of Online Submission for Reference 8360236 

 Thank you for sending your VAT Return online. The submission for reference 8360236 was successfully 
received on Wed, 15 Apr 2015 11:35:31 +0100 and is being processed. Make VAT Returns is just one
of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning
service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate
Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Ref_8360236.zip (20)

Subject: Successful Receipt of Online Submission for Reference 512115733

Thank you for sending your VAT Return online. The submission for reference 512115733 was
successfully received on 2013-05-16 T10:49:28 and is being processed. Make VAT Returns is just
one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus
scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.

VAT Returns Repot 512115733.doc (628)
or
Ref_1050355.zip (10)

Header samples:

Spoofs hmrc.gov.uk in the From header, while the envelope sender is either a random address or the usual Cutwail nacha/aexp/fiserv mix.

Received: from c-66-229-224-76.hsd1.fl.comcast.net [66.229.224.76]
X-Envelope-From: funereallyf5015 @daxis.nl
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>

Received: from augustin1-1-138.cnt.nerim.net [213.215.1.138]
X-Envelope-From: barbaraun9 @gil.com.au
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>

Received: from 94-76-251-244.static.as29550.net [94.76.251.244]
X-Envelope-From: fowls549 @bobandisabelle.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>

Received: from 12.ds.rdns.acropolistelecom.net [217.64.50.12]
X-Barracuda-Envelope-From: fraud @aexp.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 1050355

Received: from static-71-167-42-18.nycmny.fios.verizon.net [71.167.42.18]
X-Envelope-From: shrewdlyettq8 @npgcable.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>

Received: from 26.252.156.175.unknown.m1.com.sg [175.156.252.26]
X-Envelope-From: stigmay915 @btc-bci.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 1404476

Received: from [91.232.40.179]
X-Envelope-From: fuddlexe3 @purifiercn.ru
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 7945478

Received: from c-98-246-48-85.hsd1.or.comcast.net [98.246.48.85]
X-Envelope-From: antigenc5823 @unb.ca
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 4406331

Received: from static-96-254-126-208.tampfl.fios.verizon.net [96.254.126.208]
X-Envelope-From: message @inbound.efax.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 9053507
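The header pattern above (From claims hmrc.gov.uk, envelope sender and first Received hop do not) is easy to turn into a mail-gateway check. The following is an added example, not code from the original post; the sample headers are constructed from the page's examples, with the defanging space before "@" removed so the parser sees real addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domain this campaign impersonates in the From header (from the page's header samples).
SPOOFED_DOMAIN = "hmrc.gov.uk"
# Attachment extensions seen in this campaign: ZIP-wrapped .scr/.exe, or a .doc.
RISKY_EXTENSIONS = (".zip", ".scr", ".exe", ".doc")

# Constructed sample assembled from the page's first header example.
SAMPLE_HEADERS = """\
Received: from c-66-229-224-76.hsd1.fl.comcast.net [66.229.224.76]
X-Envelope-From: funereallyf5015@daxis.nl
From: "noreply@hmrc.gov.uk" <noreply@hmrc.gov.uk>
Subject: Successful Receipt of Online Submission for Reference 8360236

"""

def sender_domain(addr_header):
    """Return the lowercase domain of an address header value ('' if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def flag_headers(raw_headers):
    """Return the reasons a message matches the spoofed HMRC VAT pattern (empty if none)."""
    msg = message_from_string(raw_headers)
    reasons = []
    from_dom = sender_domain(msg.get("From"))
    # Gateways label the envelope sender differently; the page shows both of these names.
    env_from = msg.get("X-Envelope-From") or msg.get("X-Barracuda-Envelope-From")
    env_dom = sender_domain(env_from)
    if from_dom == SPOOFED_DOMAIN and env_dom != SPOOFED_DOMAIN:
        reasons.append(f"From claims {SPOOFED_DOMAIN} but envelope sender is {env_dom or 'missing'}")
    # The first hop in the samples is a residential or hosting box, never an hmrc.gov.uk host.
    hop = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    if hop and from_dom == SPOOFED_DOMAIN and not hop.group(1).endswith(SPOOFED_DOMAIN):
        reasons.append(f"first hop {hop.group(1)} is not an {SPOOFED_DOMAIN} host")
    if re.search(r"Successful Receipt of Online Submission for Reference \d+", msg.get("Subject", "")):
        reasons.append("subject matches the campaign template")
    return reasons

def risky_attachment(filename):
    """True when the attachment name ends in an extension this campaign used."""
    return filename.lower().endswith(RISKY_EXTENSIONS)

if __name__ == "__main__":
    for r in flag_headers(SAMPLE_HEADERS):
        print("FLAG:", r)
```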

Malware

14 April 2015

Attachment : Ref_8360236.zip containing Ref_041515.scr (Upatre, now with SSL!)

VirusTotal report 

McAfee 		Downloader-FSH!5FBBAA669405 
McAfee-GW BehavesLike.Win32.Downloader.mh
Tencent Trojan.Win32.YY.Gen.24

Malwr.com report

Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup

Displays a PDF about drones called "War By Remote Control".

hybrid-analysis.com report

Also :

Downloads encrypted binaries (not really .png files) from SSL sites with self-signed certificates:
https://176.106.142.52/wedk3.png <-- connection refused
https://83.219.139.124/wedk3.png
https://78.157.227.34/wedk3.png <-- SSL connected, download timed out
https://83.239.125.206/wedk3.png <-- SSL connected, download timed out
Checks in with campaign ID : 5.141.22.43:13450/WEDUK13/
Drops an executable after downloading and decrypting the fake .png files.

These SSL sites are really slow, and may be low-powered devices or sit behind a slow connection.
If you browse to the SSL sites over plain HTTP, you will find a DVR and two Mikrotik boxes.

Downloaded, decrypted, and dropped executable : pqjamcyt.exe

VirusTotal report 

Tencent 	Trojan.Win32.YY.Gen.24 

Malwr.com report

Installs itself for autorun at Windows startup

hybrid-analysis.com report

 

6 February 2014

Attachment : Reference.zip containing Reference.scr

VirusTotal report 

Emsisoft 	Android.Riskware.SMSReg.W (B) 	
Qihoo-360 HEUR/Malware.QVM20.Gen
Sophos Mal/Generic-S

Malwr.com report 

Starts servers listening on 0.0.0.0:0, 0.0.0.0:8839, 0.0.0.0:4102
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup
Generates some ICMP traffic

HTTP downloads: bsitacademy.com /img /events /ie.enc

 

May 2013

VAT Returns Repot 512115733.doc was a malicious .doc file, detected by Ikarus as Exploit.MSWord.CVE-2012.

Check out the Joe Sandbox report on this. It is pretty gnarly.

 

30 July 2013

Attachment : VAT_9053507.zip containing VAT_07302013.exe

VirusTotal report | Malwr report

 

24 December 2013

Ref_1050355.zip containing Ref_12242013.exe

VirusTotal report  | Malwr report | File-Analyzer report

 
