VAT Return with a Vengeance

Authors: Dr. Fahim Abbasi, Gerald Carsula and Rodel Mendrez

Scam Overview

Her Majesty's Revenue & Customs (HMRC) is the UK department responsible for collecting taxes and providing related services such as VAT returns. On 6th September, 2017, scammers launched a phishing attack using spoofed e-mail messages appearing to come from an HMRC support service domain and containing links to the infamous jRAT malware disguised as a VAT return document. The scam email was sent from an HMRC look-alike domain (hmirc-gov.co.uk) that was registered on 6th September, 2017, and hosted no web content at the time. The phishing email sent from this domain carries the subject "VAT Return Query". The body of the email entices the user to click on an embedded image of a PDF document by suggesting that there were errors in the user's recently submitted VAT return. Clicking on the link takes the victim to the Microsoft OneDrive file sharing service, which downloads a VAT Return ZIP file. This ZIP file contains a malicious Java JAR file that, on execution, downloads and launches malware via several VBS scripts.

Email Header

The spoofed message, containing both the header and the body, is shown in Figure 1. Notice that the From field contains a spoofed HMRC display name and an address at a fake HMRC-like domain: HMRC Business Help and Support Email <no-reply@hmirc-gov.co.uk>. The subject line, "VAT Return Query", makes the message look legitimate to the user.

Figure 1: The spoofed HMRC phishing message

Email body

The email body contains a message alerting the user that their online VAT Return encountered some errors, which are supposedly provided in what looks like an attached file. With this catchy message the scammers intend to lure the victim into clicking on the attachment. It is important to note that no actual attachment is sent with this message. The illusion of an attachment that can be seen in the message body in Figure 1 is achieved using an embedded HTML image that is wrapped in a hyperlink pointing to the Microsoft OneDrive file sharing service. The HTML code in the body that achieves this is shown here:

<div><a href="hxxps://1drv[.]ms/u/s!AidAUoMZ6gzMjXT1O4pZ6yRDcwJO"><img src="cid:150470248359aff0137c36e299790454@hmirc-gov[.]co.uk" alt="" width="269" height="77" /></a></div>

Clicking on the link sends the browser to the OneDrive service, which automatically downloads the file "VAT RETURN QUERY.ZIP" as shown in Figure 2.

Figure 2: MS OneDrive page hosting the zipped malware
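The two properties of this lure that a mail gateway can key on are a sender display name claiming HMRC on a non-HMRC domain and an inline (cid:) image hyperlinked to a cloud file share. The following is an added example, not code from the original post: it parses a constructed message modelled on the one above (the share id and cid are placeholders) and reports both indicators; the list of domains accepted as genuine is an assumption.

```python
import email, email.utils
from email import policy
from html.parser import HTMLParser

# Constructed message modelled on the lure described above (not the original e-mail); the
# share id and cid are placeholders.
RAW_MSG = b"""From: HMRC Business Help and Support Email <no-reply@hmirc-gov.co.uk>
To: victim@example.com
Subject: VAT Return Query
Content-Type: text/html; charset=utf-8

<html><body><p>Errors were found in your online VAT return, see the attached report.</p>
<div><a href="https://1drv.ms/u/s!EXAMPLEshareid"><img src="cid:EXAMPLE@hmirc-gov.co.uk" alt="" width="269" height="77" /></a></div>
</body></html>
"""

GENUINE_DOMAINS = ("hmrc.gov.uk", "gov.uk")       # assumption: domains we would accept as HMRC
SHARE_HOSTS = ("1drv.ms", "onedrive.live.com")    # file-sharing hosts used as the download target

class LinkedImageFinder(HTMLParser):
    """Collect <a href> targets that wrap an <img>: the 'fake attachment' trick."""
    def __init__(self):
        super().__init__()
        self._href, self.linked_images = None, []   # list of (href, img src)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href:
            self.linked_images.append((self._href, a.get("src", "")))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def analyse(raw):
    """Return the two indicators this lure relies on: a spoofed HMRC sender and an image-wrapped share link."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    genuine = any(domain == d or domain.endswith("." + d) for d in GENUINE_DOMAINS)
    findings = {"spoofed_sender": "hmrc" in name.lower() and not genuine, "lure_links": []}
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        finder = LinkedImageFinder()
        finder.feed(body.get_content())
        for href, src in finder.linked_images:
            host = href.split("//", 1)[-1].split("/", 1)[0].lower()
            # inline (cid:) image hyperlinked to a cloud share is the lure pattern
            if host in SHARE_HOSTS and src.startswith("cid:"):
                findings["lure_links"].append(href)
    return findings
```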

Unzipping "VAT RETURN QUERY.ZIP" yields a Java JAR file named "VAT Return Query.pdf.jar" (MD5 2408ae3fa15b0236055f467b52f4a487).

Malware Analysis

Analyzing the JAR file, we found that it is jRAT's bot agent. We see a lot of this Java RAT both in email spam and during IR investigations, one possible reason being that it is very affordable: for USD 29, you can own a remote machine. You may find jRAT's functionalities on its website (https://jrat[.]io/showcase.php).

Each bot has its own configuration, and this particular sample has an anti-analysis mechanism that prevents the execution of well-known security and forensic tools. It adds each tool's process name to the "Image File Execution" registry key so that "svchost.exe" is executed instead, as shown in Figure 3:

Figure 3: Changes to Image File Execution registry keys

The malware disables Task Manager by adding the following registry value:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • DisableTaskMgr = dword:00000002

It modifies the following registry keys to lower the security settings of the Windows Attachment Manager:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    • SaveZoneInformation = dword:00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    • LowRiskFileTypes = ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;"

It disables System Restore by adding the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    • "DisableConfig"=dword:00000001
    • "DisableSR"=dword:00000001

For its persistence mechanism, it creates the following registry value:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "wdATEvtEWcA"="C:\Users\<user>\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\<user>\iokxIzCCSmO\.jar.gAdpwu"
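The registry tampering listed above (Image File Execution redirection, Task Manager and System Restore disabled, Attachment Manager weakened, Run-key persistence) can be checked offline against a .reg export collected from a suspect host. The following is an added example, not code from the original post: it parses a constructed .reg-style excerpt built from the keys listed above and reports each finding. It assumes the redirection is done through the standard "Debugger" value under Image File Execution Options; the tool name "analysis-tool.exe" and the user name are placeholders.

```python
# Constructed .reg-style excerpt from the keys the post lists (sample input, not a real export; tool/user names are placeholders).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".avi;.bat;.exe;.vbs;.zip;.jar;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\analysis-tool.exe]
"Debugger"="svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wdATEvtEWcA"="\"C:\\Users\\user\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\user\\iokxIzCCSmO\\.jar.gAdpwu\""
"""

def parse_reg(text):
    """Parse a .reg export into {key path: {value name: raw data}} (REG_SZ strings are unescaped)."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            cur[name] = data
    return keys

POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
CHECKS = [  # (key, value name, predicate on the raw data, finding)
    (POL + r"\System", "DisableTaskMgr", lambda v: v != "dword:00000000", "Task Manager disabled"),
    (POL + r"\Attachments", "SaveZoneInformation", lambda v: v == "dword:00000001", "zone marking off"),
    (POL + r"\Associations", "LowRiskFileTypes", lambda v: ".jar" in v or ".vbs" in v, "jar/vbs low risk"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR",
     lambda v: v == "dword:00000001", "System Restore disabled"),
]

def audit(keys):
    """Return human-readable findings matching the tampering described in the post."""
    hits = [f"{why}: {name}={keys[k][name]}" for k, name, bad, why in CHECKS
            if name in keys.get(k, {}) and bad(keys[k][name])]
    for path, vals in keys.items():
        # IFEO "Debugger" pointing at svchost.exe neuters the named tool (assumed mechanism)
        if path.startswith(IFEO + "\\") and vals.get("Debugger", "").lower().endswith("svchost.exe"):
            hits.append(f"IFEO hijack: {path.rsplit(chr(92), 1)[-1]} -> svchost.exe")
        if path.endswith(r"\CurrentVersion\Run"):
            hits += [f"Run-key persistence via javaw -jar: {n}" for n, cmd in vals.items()
                     if "javaw.exe" in cmd.lower() and "-jar" in cmd]
    return hits
```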

The bot's Command and Control server is 1990[.]nflfan[.]org:1990 (see Figure 4).

Figure 4: Bot CnC

IOC

Folders

  • %USERPROFILE%\fUTkALeaTxM - install folder
  • %USERPROFILE%\iokxIzCCSmO - install folder

Registry

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "wdATEvtEWcA"="C:\Users\<user>\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\<user>\iokxIzCCSmO\.jar.gAdpwu"

Network

  • 1990[.]nflfan[.]org:1990
  • localhost:7777

Conclusion

Scammers exploit the simplicity of email to further their cause. These cybercriminals are well aware of the online processes that both public and private sector organizations depend on, and use this knowledge to gain a victim's trust. They are also aware of deadlines such as those set by governments for tax returns, and use them to instill a sense of urgency. Motivated by lucrative returns and equipped with modern malware, these cyber criminals capitalize on recent events to launch phishing attacks against victims worldwide. These phishing attacks lure their victims into downloading malware disguised as fake VAT return documents, using spoofed messages that appear to have been sent by the government tax department. For this campaign, the malware used was a well-known Java RAT trojan that provides complete remote control over the victim's computer. We have witnessed an increase in phishing campaigns using Microsoft services such as SharePoint (a web-based collaborative platform) and OneDrive (a file sharing service). We assume that the scammers deliver their malware through reputable cloud services like Microsoft's to evade detection by various security defenses. Users need to be particularly careful, since such scams are quite active during tax return season.
