
Email:

Fake HMRC UK malware phishing scam email claims you have received a new message about Tax Notices.

There are versions with malware attachments and versions with links to malware.

Spoofs hmrc.gov.uk in From headers.


Subject: You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM
Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure
or copying is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender at the above address and then delete the
e-mail from your system. 2. If you suspect that this e-mail may have been
intercepted or amended, please notify the sender. 3. Any opinions expressed in
this e-mail are those of the individual sender and not necessarily those of
QualitySolicitors Punch Robson. 4. Please note that this e-mail and any attachments
have been created in the knowledge that internet e-mail is not a 100% secure
communications medium. It is your responsibility to ensure that they are actually
virus free. No responsibility is accepted by QualitySolicitors Punch Robson for
any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson:
Main office 35 Albert Road Middlesbrough TS1 1NU Telephone 01642 230700. Offices
also at 34 Myton Road, Ingleby Barwick, Stockton On Tees, TS17 0WG Telephone
01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough TS8 0TJ
Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is
available from any of our offices. For further details, please visit our
website http://www.qualitysolicitors.com/punchrobson

Subject: Tax Notice

Subject: HMRC Tax Notice

 Dear [your email address]

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 4839160.

The security and confidentiality of your personal information is important for us.
If you have any questions, please either call the toll-free customer service phone number.
2014 © All rights reserved

PDF_Scanned_HMRCD805361A80.zip (107)

Picture of the 12 March 2014 version of the fake HMRC tax notice email with malware.

Oh geeze... a second notice?

Subject: Second alert:HMRC Tax Departament

 Second NOTICE to [your email address]

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 502087762.


The security and confidentiality of your personal information is important for us. If you have
any questions, please either call the toll-free customer service phone number.
2014 © All rights reserved

PDF_Scan_HMRCAF4C2ABCA5.zip (74)

Picture of the second-notice version of the fake HMRC email with malware.

Subject: You have received new messages from HMRC

 Please be advised that one or more Personal Notification Notices have been
issued.

- Go on line at http://www.fwplimited.com/pi/8846094
- Download and view PDF document to read your message

Please do not reply to this e-mail.

The information in this e-mail and any attachments is confidential and may be
subject to legal professional privilege. Unless you are the intended recipient
or his/her representative you are not authorised to, and must not, read, copy,
distribute, use or retain this message or any part of it. If you are not the
intended recipient, please notify the sender immediately.

HM Revenue & Customs computer systems will be monitored and communications
carried on them recorded, to secure the effective operation of the system and
for lawful purposes.

The Commissioners for HM Revenue and Customs are not liable for any personal
views of the sender.

This e-mail may have been intercepted and its information altered.

The original of this email was scanned for viruses by the Government Secure
Intranet virus scanning service supplied by Vodafone in partnership with
Symantec. (CCTM Certificate Number 2009/09/0052.) This email has been certified
virus free.
Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

Header samples:

Spoofs hmrc.gov.uk in the From headers; the envelope sender (X-Envelope-From) is left over from a previous spam campaign.

Received: from 7.Red-79-152-134.dynamicIP.rima-tde.net [79.152.134.7]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from [220.241.244.130]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from [58.210.199.243]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from 7.Red-79-152-134.dynamicIP.rima-tde.net [79.152.134.7]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from host-92-29-33-67.as13285.net [92.29.33.67]
X-Envelope-From: no_reply @hmrc.gov.uk
From: "HMRC" <no_reply @hmrc.gov.uk>
Subject: Tax Notice

Received: from User-EP43DS3L (36-227-51-110.dynamic-ip.hinet.net [36.227.51.110]
X-Envelope-From: no_reply @hmrc.gov.uk
From: "HM Revenue" <no_reply @hmrc.gov.uk>
Subject: HMRC: Tax Notice

Received: from dynamic.vdc.vn [113.163.197.213])
X-Envelope-From: no_reply @hmrc.gov.uk
From: "HMRC" <no_reply @hmrc.gov.uk>
Subject:Second alert:HMRC Tax Departament
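As an added example (not part of the original page), a small Python triage script that applies the observations above to the header groups: it flags the From/envelope-sender mismatch and dynamic or unresolved sending hosts. The sample headers are constructed from the ones shown on this page.

```python
import re
# Constructed sample input: three header groups copied from those shown on this
# page (the site prints addresses with a space before "@"; the regex allows it).
HEADER_SAMPLES = """\
Received: from 7.Red-79-152-134.dynamicIP.rima-tde.net [79.152.134.7]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from [220.241.244.130]
X-Envelope-From: service @citibank.com
From: "noreply @hmrc.gov.uk" <noreply @hmrc.gov.uk>
Subject: You have received new messages from HMRC

Received: from host-92-29-33-67.as13285.net [92.29.33.67]
X-Envelope-From: no_reply @hmrc.gov.uk
From: "HMRC" <no_reply @hmrc.gov.uk>
Subject: Tax Notice
"""
ADDR_RE = re.compile(r"([\w.+-]+)\s*@\s*([\w.-]+)")

def parse_groups(text):
    """Split blank-line-separated header groups into {lowercased field: value}."""
    groups = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            fields[name.strip().lower()] = value.strip()
        groups.append(fields)
    return groups

def domain_of(value):
    m = ADDR_RE.search(value or "")
    return m.group(2).lower() if m else None

def spoof_findings(fields, claimed="hmrc.gov.uk"):
    """Heuristic reasons a message claiming `claimed` in From looks forged."""
    findings = []
    if domain_of(fields.get("from")) != claimed:
        return findings  # only judge messages that claim the impersonated domain
    env, received = domain_of(fields.get("x-envelope-from")), fields.get("received", "")
    if env != claimed:
        findings.append(f"envelope sender {env} does not match From domain {claimed}")
    if re.search(r"dynamic", received, re.I):
        findings.append("sending host has a dynamic/consumer rDNS name")
    if re.fullmatch(r"from \[[\d.]+\]", received):
        findings.append("sending host has no reverse DNS name at all")
    return findings
```

The third sample group passes all three checks (matching envelope sender, plain ISP host name); catching that one needs SPF/DKIM evaluation against the real hmrc.gov.uk policy, which these header heuristics cannot replace.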

Malware

29 January 2015 

Attachment: report120102.zip containing report.exe (Upatre)

VirusTotal report

ByteHero       Virus.Win32.Heur.c
CAT-QuickHeal  (Suspicious) - DNAScan
McAfee-GW      BehavesLike.Win32.Autorun.pz
Qihoo-360      HEUR/QVM19.1.Malware.Gen

Malwr.com report 

Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Creates an Alternate Data Stream (ADS)

Drops urDVwG8.exe <- after downloading and decrypting files

TotalHash report 

195.154.242.226:18201/2901us22
arcieridelfinale.com/misc/manualad.pdf
canebyte.com/manualad.pdf

Downloaded and decrypted executable: urDVwG8.exe (Dyreza)

VirusTotal report 

DrWeb       Trojan.Dyre.43
ESET-NOD32  a variant of Win32/Battdil.I
Emsisoft    Gen:Variant.Kazy.540191 (B)
McAfee      PWS-FBZI!1C8111043F6A
Norman      Dyzap.B
TrendMicro  TSPY_DYRE.SMAB

Malwr.com report 

Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)

stun1.voiceeclipse.net 64.24.35.201 (gets the public-facing IP via the STUN NAT traversal protocol)

30 September 2014

Links to interesting malware website URLs.

The links include URLs like:

www.embodiedimagination.com/pi/3265418
www.embodiedimagination.com/pi/6591327
www.fwplimited.com/pi/8846094
ephemerapress.com/pi/2986355

Visiting the link with a Linux or Mac OS, I was lied to about the site being under construction.

Picture of the HMRC malware link lying to my Linux machine about being under construction.

Visiting the link with a Windows machine, I received an interesting response. I was redirected to obama.php and my browser just sat there with some JavaScript on it, not doing anything. But the HTTP response size was over 12k.

Picture of http response and redirection.

The large response was because of a link whose href was set to data:application/zip;base64 with an entire malware zip encoded in base64. The 12k size originally made me think it might be Upatre, but I don't think so.

Picture of the http response with iframe containing base64 encoded zip with malware.

Manually copy-pasting and decoding the base64 yielded a zip containing l3-view-28297.scr.
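The decode step described above, as an added example that is not part of the original post: a Python helper that pulls data:application/zip;base64 hrefs out of a saved HTML response, decodes them and lists the archive members without extracting anything. The HTML response and the zip are constructed here, with a harmless placeholder in place of the real .scr.

```python
import base64
import hashlib
import io
import re
import zipfile

DATA_URI_RE = re.compile(r'href="data:application/zip;base64,([A-Za-z0-9+/=]+)"', re.I)

def build_sample_response():
    """Constructed stand-in for the obama.php response: an anchor whose href
    carries the whole zip inline. The member name is the one seen on this page;
    its content is a harmless placeholder, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("l3-view-28297.scr", b"placeholder, not the real file")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f'<html><body><a href="data:application/zip;base64,{b64}">View</a></body></html>'

def extract_embedded_zips(html):
    """Decode every inline zip and describe it without extracting or running
    anything: blob size, sha256 of the blob, and (name, uncompressed size) members."""
    results = []
    for m in DATA_URI_RE.finditer(html):
        blob = base64.b64decode(m.group(1))
        info = {"size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
                "members": [], "error": None}
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                info["members"] = [(zi.filename, zi.file_size) for zi in zf.infolist()]
        except zipfile.BadZipFile:
            info["error"] = "not a valid zip"
        results.append(info)
    return results

# Extensions Windows runs as programs; .scr (screensaver) is the one used here.
EXECUTABLE_EXT = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def executable_members(info):
    """Names of archive members that would execute if double-clicked."""
    return [name for name, _ in info["members"] if name.lower().endswith(EXECUTABLE_EXT)]
```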

Picture of malware icon from the hmrc link after unbase64.

One of the other URLs worked better. I was handed the zip by the browser and redirected to NatWest bank to complete the illusion.

Picture of fiddler logs of tricky malware url behavior framing NatWest bank.

l3-view-28297.scr

VirusTotal report 

Bkav      HW32.Inectrj.iycg
ByteHero  Trojan.Malware.Obscu.Gen.002
CMC       Packed.Win32.Katusha.3!O

Creates mutex:
__PDH_PLA_MUTEX__ <-- Process Explorer also creates this mutex, so it is a weak indicator on its own.

TotalHash report 

12 March 2014

Attachment: PDF_Scanned_HMRCD805361A80.zip containing scaned_7246582_pdf_4364534533.exe

VirusTotal report | Malwr.com report | File-Analyzer.net report

14 February 2014

Attachment: HMRC_Message.zip containing HMRC_Message.exe

VirusTotal report | Malwr.com report | File-Analyzer.net report

August 2013

Attachment: Tax Notices Report.zip containing Tax Notices Report.exe

VirusTotal report | Malwr.com report
