SpiderLabs Blog

Fake Power and Broadband Utility Bills serve Banking Trojans to Aussies

In our previous blog we described how a group of scammers targeted customers of financial software by spamming out Microsoft SharePoint URLs that led the target to fake invoices carrying malware. This time we observed the same group running another widespread campaign: similar Microsoft SharePoint URLs, now linking to fake Australian power and telco bills that deliver malware.

Fake EnergyAustralia scam

EnergyAustralia, formerly known as TRUenergy, is a privately owned electricity generator and retailer in Australia. On 18 September 2017 we saw a surge of phishing messages distributing spoofed EnergyAustralia electricity bills.

Spam Message

The phishing message is dressed up as an EnergyAustralia power bill, as shown in Figures 1 and 2. The scammers copied the legitimate email bill template so that the messages look authentic. Note that the messages are sent from the domain "", which is not the official EnergyAustralia domain "". Further analysis showed that the domain "" was created on 17 September 2017 and registered by the same group of scammers we identified in our previous blog. The registrant information for the domain is shown here:


Figure 1: Fake power bill


Figure 2: Fake power bill with different amount


The legitimate-looking message is designed to lure the user into clicking the link to view their power bill. Clicking the link sends the browser to the URL:

  • hxxp://eoaclk(.)com/v5yMMueJT0/victim@domain(.)

This domain performs an HTTP 302 temporary redirect to a Microsoft SharePoint URL as shown in Figure 4:

  • hxxps://viridor-my(.)sharepoint(.)com/personal/lawalters_viridor_co_uk/_layouts/15/guestaccess.aspx?docid=0c686998b26934002b1b3aa20d8340828&authkey=AfesB7cc4NVl6W0ZE5wKqSA&expiration=2017-12-16T21:48:00.000Z

Browsing to this URL downloads a zip file ("EnergyAustralia Electricity") to the system, as shown in Figure 3. The guest-access link carries its own authkey, so the file can be fetched without any Microsoft login; the expiration parameter in the URL means the link stops working after that date. The 302 redirect appears to be a new evasive tactic: in previous campaigns the email pointed directly at the SharePoint URL hosting the malicious script, whereas here the mail filter only sees the attacker's own short domain.


Figure 3: Clicking on the URL downloads the fake EnergyAustralia Electricity file



Figure 4: HTTP traffic illustrating the HTTP temporary 302 redirect to a Sharepoint URL
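As an added example that is not part of the original post, the following Python walks a captured redirect chain of the kind shown in Figure 4 and flags the pattern described above: an unrelated lure host answering 302 with a Location header that lands on a personal OneDrive/SharePoint guest-access link (a `*-my.sharepoint.com` host, a `/personal/<owner>/_layouts/15/guestaccess.aspx` path and both `docid` and `authkey` parameters). The chain, tenant name, owner, docid and authkey values in it are constructed placeholders, not the campaign's real ones; the only thing taken from the page is the shape of the URL.

```python
"""Added example (not from the SpiderLabs post): flag redirect chains that
end on a personal OneDrive/SharePoint guest-access link. All hosts, docid
and authkey values below are constructed placeholders."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # shape of the link's expiration parameter

# Constructed proxy-log style chain: lure host -> 302 -> guest-access download.
GUEST_URL = (
    "https://contoso-my.sharepoint.com/personal/j_doe_contoso_co_uk/"
    "_layouts/15/guestaccess.aspx?docid=0deadbeef&authkey=AQplaceholder"
    "&expiration=2017-12-16T21:48:00.000Z"
)
SAMPLE_CHAIN = [
    {"url": "http://lure.example/v5yMMueJT0/victim@example.com",
     "status": 302, "location": GUEST_URL},
    {"url": GUEST_URL, "status": 200, "location": None},
]


def parse_guest_link(url):
    """Return tenant/owner/docid/expiration for a *-my.sharepoint.com link of
    the form /personal/<owner>/_layouts/15/guestaccess.aspx?docid=..&authkey=..
    and None for any other URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not host.endswith("-my.sharepoint.com"):
        return None
    parts = [s for s in p.path.split("/") if s]
    if (len(parts) < 5 or parts[0].lower() != "personal"
            or parts[-1].lower() != "guestaccess.aspx"):
        return None
    q = parse_qs(p.query)
    if "docid" not in q or "authkey" not in q:
        return None
    return {
        "tenant": host[: -len("-my.sharepoint.com")],
        "owner": parts[1],
        "docid": q["docid"][0],
        "expiration": q.get("expiration", [None])[0],
    }


def visited_urls(chain):
    """Ordered URLs the browser touches: the first request, then each
    Location header returned by a redirect response."""
    urls = [chain[0]["url"]]
    for hop in chain:
        if hop["status"] in REDIRECT_STATUSES and hop.get("location"):
            urls.append(hop["location"])
    return urls


def analyze_chain(chain):
    """Summarise a chain: hop count, final URL, the first guest link found,
    and whether a host outside sharepoint.com redirected into it."""
    urls = visited_urls(chain)
    lure_host = (urlparse(urls[0]).hostname or "").lower()
    result = {"hops": len(urls) - 1, "final_url": urls[-1],
              "guest_link": None, "redirected_into_sharepoint": False}
    for i, u in enumerate(urls):
        info = parse_guest_link(u)
        if info:
            info["position"] = i
            result["guest_link"] = info
            result["redirected_into_sharepoint"] = (
                i > 0 and not lure_host.endswith("sharepoint.com"))
            break
    return result


def link_expired(expiration, now=None):
    """True when the link's expiration lies before `now` (a datetime, a string
    in TS_FORMAT, or None for the current UTC time); None if no expiration."""
    if not expiration:
        return None
    exp = datetime.strptime(expiration, TS_FORMAT).replace(tzinfo=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.strptime(now, TS_FORMAT).replace(tzinfo=timezone.utc)
    return now > exp


if __name__ == "__main__":
    summary = analyze_chain(SAMPLE_CHAIN)
    print(summary)
    print("expired:", link_expired(summary["guest_link"]["expiration"]))
```

The split between `visited_urls` and `parse_guest_link` keeps the detection usable on proxy logs where only the request URL and the Location header are recorded; a 302 from a freshly registered domain into a tenant's personal OneDrive is the signal worth alerting on, independent of the filename that is finally served.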

Unzipping the archive yields a JavaScript file, "EnergyAustralia Electricity bill.js" (see Figure 5). The script is heavily obfuscated and acts as a downloader and launcher (see Figure 6).


Figure 5: The zipped archive extracts to a malicious JavaScript file named EnergyAustralia Electricity bill.js


Figure 6: The obfuscated JavaScript sample


Malware Analysis:

The strings inside the JScript are obfuscated, but the scheme is simple enough to undo with a one-line Python snippet (see Figure 7):

Sample Obfuscated Strings:




Figure 7: Code for De-obfuscation


The JScript is a Trojan downloader and launcher. It fetches two files: an EXE and a PDF. The PDF is a fake EnergyAustralia bill that is displayed to the user as a decoy, while the EXE is executed in the background.

Here is a screenshot of the fake EnergyAustralia bill presented to the unsuspecting victim (see Figure 8).

Figure 8: Fake Energy Australia invoice shown to users


The executable is a variant of the well-known banking Trojan ISFB, also known as Ursnif/Gozi, whose source code was leaked in 2010. On execution it spawns a new svchost.exe process and injects its code into it.


The sample also carries anti-analysis checks keyed on names commonly found in sandboxes. It skips process injection if its own filename is "sample.exe", "mlwr_smpl.exe" or "artifact.exe", and it refuses to run if any of the following Windows usernames are present:

  • Wilbert
  • admin
  • SystemIT
  • KLONE_X64-PC
  • John Doe
  • John

It collects system information and sends it to its command and control server at

The malware hooks browser processes and monitors browser activity. It can also download additional plugins, including a keylogger, an email and FTP credential grabber, a screen grabber, and a downloader used to install further malware.

Figure 9: Malware checks for browser process


Indicators of Compromise:


  • hxxps://cyrilorchard-my[.]sharepoint[.]com/personal/craydon_care_cyrilorchard_co_uk/_layouts/15/guestaccess.aspx?docid=030b41de800d34d78b8255b678bc7271a&authkey=AYua-r8lG2pSyjyGVKylOz8
  • hxxps://tracsc-my[.]sharepoint[.]com/personal/jonathan_tongue_tracscare_co_uk/_layouts/15/guestaccess.aspx?docid=0de8352ff82f2437ba7534ac18728d804&authkey=AT0x3YE-hry2jT-0qHSAesg
  • hxxp://94[.]23[.]249[.]41/manager/manager.tool
  • hxxp://94[.]23[.]61[.]195/files/Gas_bill.pdf
  • hxxp://94[.]23[.]249[.]41/manager/Notification_1-BYH7K31.pdf

Command and Control:

  • 33.188.154:443

Dropped Files:

  • %TEMP%/ZgUiIDs5.exe (SHA1: e44e92474796762c63d336c363ff7a0c43868ace)
  • %TEMP%/j9eEWNq.pdf – non-malicious fake invoice

Fake Telstra scam

In addition to the fake EnergyAustralia spam, on 27 September 2017 we also encountered a fake Telstra bill notification scam (see Figure 10). Telstra is an Australian telecommunications company. The scammers spammed out legitimate-looking emails containing counterfeit Telstra bill notices with an embedded button to view the bill.


Figure 10: Fake Telstra Scam message

These spam messages were sent from the domain "" that could be attributed to the same malicious actors as shown here:


Clicking the "View Bill" button in the spam message downloads a JavaScript file from a SharePoint URL; the script is similar to the one seen in the EnergyAustralia scam (see Figure 11).

Figure 11: The malicious obfuscated JS sample that is downloaded


In this campaign the JS downloader fetches an Emotet binary rather than the Ursnif sample seen in the EnergyAustralia scam (see Figure 12).

Figure 12: Downloading of Ursnif malware


It also downloads a fake Telstra bill PDF, which is displayed to the user (see Figures 13 and 14).

Figure 13: Fake PDF invoice downloaded and displayed to user


Figure 14: Fake Telstra bill PDF


Indicators of Compromise (IOC)

  • URL:
    • hxxps://livedmsystemco-my(.)sharepoint(.)com/personal/vikki_dmsystem_co_uk/_layouts/15/guestaccess.aspx?docid=0005ccf72c5ae4fa6b492b233e27de460&authkey=AUfKUwbb0-6HBMJe8ZRrm-g
    • higgidy-my(.)
    • hbhydraulicengineering-my(.)
  • CnC:
    • 94(.)23(.)211(.)92/type/
    • 94(.)23(.)251(.)221/document/Telstra_Bill.pdf
  • Hash:
    • SHA1: A54E9FD76848368002FE842E3F95D9A114742410

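The two IOC sections above (the EnergyAustralia list and this Telstra list) mix defanging styles (`hxxp`, `[.]`, `(.)`) and contain a few entries that are visibly truncated on the page, such as the three-octet C2 address and the `-my(.)` hosts with no TLD. As an added example that is not part of the original post, the Python below refangs each line, sorts it into URL, IP, domain, hash or dropped-file, and sets truncated entries aside as "partial" so that they are reviewed rather than loaded into a blocklist as-is. The sample input is copied from the lists above (one long SharePoint URL shortened); no indicator is added that the page does not show.

```python
"""Added example (not from the SpiderLabs post): refang and classify the
defanged indicators from the IOC lists above, flagging truncated ones."""
import ipaddress
import re
from urllib.parse import urlparse

SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")

# Indicator lines copied from the IOC sections above, including the
# entries that appear truncated on the page.
PAGE_IOCS = [
    "hxxp://94[.]23[.]249[.]41/manager/manager.tool",
    "hxxps://livedmsystemco-my(.)sharepoint(.)com/personal/vikki_dmsystem_co_uk/"
    "_layouts/15/guestaccess.aspx?docid=0005ccf72c5ae4fa6b492b233e27de460",
    "94(.)23(.)251.221/document/Telstra_Bill.pdf",
    "33.188.154:443",
    "higgidy-my(.)",
    "SHA1: A54E9FD76848368002FE842E3F95D9A114742410",
    "%TEMP%/ZgUiIDs5.exe (SHA1: e44e92474796762c63d336c363ff7a0c43868ace)",
    "%TEMP%/j9eEWNq.pdf - non-malicious fake invoice",
]


def refang(indicator):
    """Undo the hxxp / [.] / (.) / [dot] defanging used in the lists above."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    s = re.sub(r"[\[\(\{]\.[\]\)\}]|[\[\(]dot[\]\)]", ".", s, flags=re.I)
    s = re.sub(r"[\[\(]:[\]\)]", ":", s)
    return s


def _is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)  # rejects anything but four valid octets
        return True
    except ValueError:
        return False


def classify(indicator):
    """Return {'kind': sha1|file|url|ip|domain|partial, 'value': ...}.
    'partial' marks indicators that cannot be used as-is because the page
    shows them truncated (missing octet, host without a TLD)."""
    text = indicator.strip()
    m = SHA1_RE.search(text)
    digest = m.group(0).lower() if m else None
    # A line that is only a hash, optionally prefixed with "SHA1:"
    if digest and re.fullmatch(r"(?:SHA1:\s*)?[0-9a-fA-F]{40}", text, re.I):
        return {"kind": "sha1", "value": digest}
    # Dropped-file entries such as "%TEMP%/x.exe (SHA1: ...)" or "C:\..."
    if text.startswith("%") or re.match(r"^[A-Za-z]:\\", text):
        path = re.split(r"\s+\(SHA1|\s+[\u2013-]\s+", text)[0]
        return {"kind": "file", "value": path, "sha1": digest}
    value = refang(text)
    if "://" in value:
        host = (urlparse(value).hostname or "").lower()
    else:
        host = value.split("/")[0].split(":")[0].lower()
    if host.endswith(".") or "." not in host:
        return {"kind": "partial", "value": value}
    if re.fullmatch(r"[\d.]+", host):
        if not _is_ipv4(host):
            return {"kind": "partial", "value": value}
        return {"kind": "url" if "/" in value else "ip",
                "value": value, "host": host}
    return {"kind": "url" if "/" in value else "domain",
            "value": value, "host": host}


def normalize(indicators):
    """Classify every line; usable and partial entries are returned
    separately so partials can be reviewed instead of deployed."""
    usable, partial = [], []
    for line in indicators:
        item = classify(line)
        (partial if item["kind"] == "partial" else usable).append(item)
    return usable, partial


if __name__ == "__main__":
    good, bad = normalize(PAGE_IOCS)
    for item in good:
        print(item["kind"].ljust(7), item["value"])
    for item in bad:
        print("PARTIAL", item["value"], "(truncated on the page, review manually)")
```

`ipaddress.IPv4Address` is used deliberately instead of a regex so that "33.188.154" is rejected as an address rather than silently accepted as a prefix; the same check also catches octets above 255, which a `\d+` pattern would let through.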

Scammers are spamming out counterfeit bills impersonating Australian telco and power companies in order to spread malware. The bills contain links that ultimately deliver banking Trojans, and the scammers abuse Microsoft SharePoint to host the malicious scripts. The emails are sent from newly registered domains owned by the same group we reported on earlier. Hiding malware behind links to reputable online services is a way of evading detection by spam gateways, and once the victim is infected a legitimate-looking decoy PDF bill is displayed so that nothing appears amiss.
