Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

VAT Return with a Vengeance

Scam Overview

Her Majesty's Revenue & Customs (HMRC) is the UK department responsible for collecting taxes and other tax related services like VAT returns. On 6th September, 2017, scammers launched a phishing attack using spoofed e-mail messages appearing to come from a HMRC support service domain and containing links to the infamous JRAT malware disguised as a VAT return document. The scam email was sent using a registered HMRC-like domain (hmirc-gov.co.uk), that was registered on 6th September, 2017, contained no web content at the time. A phishing email is sent from this domain with the subject "VAT Return Query". The body of the email entices the user to click on the embedded image of a PDF document by suggesting that there were some errors in the user's recently submitted VAT return. Clicking on the link takes the victim to a Microsoft OneDrive file sharing service that downloads a VAT Return ZIP file. This ZIP file contains a malicious Java Jar file that on execution downloads and launches malware via several VBS scripts.

Email Header

The spoofed message containing both the header and the body is show in Figure 1. Notice the From field contains a spoofed HMRC name field and an email with a fake HMRC-like domain: HMRC Business Help and Support Email <no-reply@hmirc-gov.co.uk>. Also, the subject line contains the subject: "VAT Return Query", appealing to the user as a legit message.

 

Email body

The email body contains a message alerting the user that their online VAT Return encountered some errors which are provided in what looks like an attached file. With this catchy message the scammers intend to lure the victim into clicking on the attachment. Here it's important to note that there is no actual attachment sent with this message. The illusion of the attachment that can be seen in the message body in Figure 1 is achieved using an embedded HTML image that is rigged with a URL pointing to the Microsoft OneDrive file sharing service. The HTML code of the body to achieve this is illustrated here:

<div><a href="hxxps://1drv[.]ms/u/s!AidAUoMZ6gzMjXT1O4pZ6yRDcwJO"><img src="cid:150470248359aff0137c36e299790454@hmirc-gov[.]co.uk" alt="" width="269" height="77" /></a></div>

Clicking on the link points the browser to the OneDrive service and automatically downloads the file "VAT RETURN QUERY.ZIP" as shown in Figure 2

 

Unzipping the "VAT RETURN QUERY.ZIP" extracts to a Java Jar file "VAT Return Query.pdf.jar" (having MD5 2408ae3fa15b0236055f467b52f4a487)

Malware Analysis

Analyzing the Jar file, we found that it is the jRAT's bot agent. We see a lot of this Java RAT both in Email spam and during IR investigations. One possible reason being that it is very affordable. At USD 29, you can own a remote machine. You may find jRAT's functionalities from its website (https://jrat[.]io/showcase.php).

Each bot has its own configuration and this particular sample has an anti-analysis mechanism where it prevents execution of well-known security and forensic related Tools. It adds the process name to "Image File Execution" registry key so that "svchost.exe" will be executed instead as shown in Figure 3:

The malware disables Task Manager by adding the following registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableTaskMgr = dword:00000002

It modifies the following registry key to lower the security settings of the Windows Attachment Manager:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    • SaveZoneInformation = dword:00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    • LowRiskFileTypes = ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;"

It disables System Restore by adding the following Registry Entry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    • "DisableConfig"=dword:00000001
    • "DisableSR"=dword:00000001

And for its persistence mechanism, it creates the following registry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "wdATEvtEWcA"="C:\Users\<user>\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\<user>\iokxIzCCSmO\.jar.gAdpwu"

The bot's Command and Control server is 1990[.]nflfan[.]org:1990 (see Figure 4)

IOC

Folders

  • %USERPROFILE%\fUTkALeaTxM – install folder
  • %USERPROFILE%\iokxIzCCSmO - install folder

Registry

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • "wdATEvtEWcA"="C:\Users\<user>\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\<user>\iokxIzCCSmO\.jar.gAdpwu"

Network

  • 1990[.]nflfan[.]org:1990
  • localhost:7777

Conclusion

Scammers exploit the simplicity provided by email to further their cause. These cybercriminals are well aware of online processes and dependence of online mechanisms used by both public and private sector organizations and use this information to gain a victim's trust. They are also aware of various deadlines such as those used by governments for tax returns and use this information to instil a sense of urgency. Motivated by lucrative returns and equipped with modern malware, these cyber criminals capitalize on recent events to launch phishing attacks targeting global victims. These phishing attacks lure their victims into downloading malware disguised as fake VAT return documents using spoofed messages appearing to have been sent from the government tax department. For this campaign, the malware used was a well-known Java RAT trojan that provides complete remote control over the victim's computer. We have witnessed an increase in phishing campaigns using Microsoft services such as SharePoint (a web-based collaborative platform) and OneDrive (a file sharing service). We assume that the scammers route their malware leveraging reputable cloud services like Microsoft to evade detection by various security defences. Users need to be particularly careful since such scams are quite active during tax return season.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo