SpiderLabs Blog

VAT Return with a Vengeance

Scam Overview

Her Majesty's Revenue & Customs (HMRC) is the UK government department responsible for collecting taxes and for related services such as VAT returns. On 6 September 2017, scammers launched a phishing campaign using spoofed e-mail messages that appeared to come from an HMRC support service and contained links to the well-known jRAT malware disguised as a VAT return document. The messages were sent from an HMRC look-alike domain, hmirc-gov.co.uk, which had been registered that same day and hosted no web content at the time. The phishing email carries the subject "VAT Return Query". Its body entices the user to click an embedded image of a PDF document by suggesting that the user's recently submitted VAT return contained errors. Clicking the image takes the victim to the Microsoft OneDrive file-sharing service, which downloads a VAT Return ZIP file. The ZIP contains a malicious Java JAR file that, when executed, downloads and launches malware via several VBS scripts.

Email Header

The spoofed message, header and body, is shown in Figure 1. Notice that the From field contains a spoofed HMRC display name and an address on a fake HMRC-like domain: HMRC Business Help and Support Email <no-reply@hmirc-gov.co.uk>. The subject line, "VAT Return Query", makes the message look legitimate to the recipient.

Email body

The email body alerts the user that their online VAT Return encountered errors, which are said to be detailed in what looks like an attached file. With this message the scammers intend to lure the victim into clicking on the attachment. Note, however, that no attachment is actually sent with this message. The illusion of an attachment visible in the message body in Figure 1 is created with an embedded HTML image wrapped in a link that points to the Microsoft OneDrive file-sharing service. The HTML in the body that achieves this is:

<div><a href="hxxps://1drv[.]ms/u/s!AidAUoMZ6gzMjXT1O4pZ6yRDcwJO"><img src="cid:150470248359aff0137c36e299790454@hmirc-gov[.]co.uk" alt="" width="269" height="77" /></a></div>
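
The header and body indicators described above (a brand name in the From display name, a look-alike sender domain, and an image-only link whose target is a file-sharing host) can be checked mechanically at a mail gateway or during triage. The following Python is an added example written for this page, not code from the post: the legitimate domain hmrc.gov.uk, the brand keyword list and the file-sharing host list are assumptions chosen for illustration, and the sample From header and HTML are the ones quoted above, kept defanged.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed reference data for this example: the impersonated brand, its genuine
# domain, and file-sharing hosts of the kind the post describes being abused.
BRAND_KEYWORDS = ("hmrc",)
LEGIT_DOMAIN = "hmrc.gov.uk"
FILE_SHARING_HOSTS = ("1drv.ms", "onedrive.live.com", "sharepoint.com")

# The From header and HTML snippet quoted in the post, left defanged.
SAMPLE_FROM = "HMRC Business Help and Support Email <no-reply@hmirc-gov.co.uk>"
SAMPLE_HTML = (
    '<div><a href="hxxps://1drv[.]ms/u/s!AidAUoMZ6gzMjXT1O4pZ6yRDcwJO">'
    '<img src="cid:150470248359aff0137c36e299790454@hmirc-gov[.]co.uk" '
    'alt="" width="269" height="77" /></a></div>'
)


def refang(indicator: str) -> str:
    """Undo the hxxp / [.] defanging used in reports so the URL can be parsed."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character brand look-alikes (hmirc vs hmrc)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _ImageLinkCollector(HTMLParser):
    """Collects <a href> elements whose only visible content is an <img>."""

    def __init__(self) -> None:
        super().__init__()
        self._open: Optional[Dict[str, str]] = None
        self.links: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open = {"href": a.get("href") or "", "img": "", "text": ""}
        elif tag == "img" and self._open is not None:
            self._open["img"] = a.get("src") or ""

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            # Keep only links with an image and no visible text: the fake attachment.
            if self._open["img"] and not self._open["text"]:
                self.links.append(self._open)
            self._open = None


def image_only_links(html: str) -> List[Dict[str, str]]:
    parser = _ImageLinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def triage(from_header: str, html_body: str) -> List[str]:
    """Return human-readable findings for the lure pattern described in the post."""
    findings: List[str] = []
    display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    legit = sender_domain == LEGIT_DOMAIN or sender_domain.endswith("." + LEGIT_DOMAIN)

    if not legit and any(b in display.lower() for b in BRAND_KEYWORDS):
        findings.append(f"display name {display!r} claims the brand but sender domain is {sender_domain}")
    if not legit:
        for token in re.split(r"[.-]", sender_domain):
            for brand in BRAND_KEYWORDS:
                if levenshtein(token, brand) <= 1:
                    findings.append(f"sender domain label {token!r} is a look-alike of {brand!r}")

    for link in image_only_links(html_body):
        host = (urlparse(refang(link["href"])).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            findings.append(f"image-only link (img src {link['img']!r}) points to file-sharing host {host}")
        elif host and host != sender_domain:
            findings.append(f"image-only link points to {host}, not the sender domain {sender_domain}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_HTML):
        print("-", finding)
```

Run against the quoted sample, the three checks each fire once: the display name claims HMRC while the domain is hmirc-gov.co.uk, the label "hmirc" is one edit from "hmrc", and the only clickable element is an image whose link resolves to 1drv.ms. A legitimate hmrc.gov.uk sender with no image-only links produces no findings.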

Clicking on the link points the browser to the OneDrive service and automatically downloads the file "VAT RETURN QUERY.ZIP", as shown in Figure 2.

Unzipping "VAT RETURN QUERY.ZIP" yields a Java JAR file, "VAT Return Query.pdf.jar" (MD5 2408ae3fa15b0236055f467b52f4a487).
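
The delivery trick here, a JAR named to look like a PDF, can be caught before anyone runs it. The Python below is an added example and not the post's code or the sample itself: it builds a constructed ZIP whose member carries the file name reported above but contains only an empty JAR manifest, then flags members with an executable extension, reports a preceding document extension as a double-extension disguise, and confirms from the magic bytes whether the member really is a JAR/ZIP.

```python
import io
import zipfile
from typing import Dict, List

# Extensions that execute on double-click versus ones a user expects to be documents.
EXECUTABLE_EXTS = {".jar", ".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".lnk", ".msi", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive, so a genuine .jar starts with this


def build_sample_zip() -> bytes:
    """Constructed stand-in for 'VAT RETURN QUERY.ZIP': the member name is the one the
    post reports, but its content is an empty JAR built here, not the malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("VAT Return Query.pdf.jar", inner.getvalue())
    return outer.getvalue()


def deceptive_members(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Flag archive members whose final extension is executable, noting whether a
    document extension precedes it and whether the bytes really are a JAR/ZIP."""
    flagged: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            exts = ["." + part for part in name.lower().split(".")[1:]]
            if not exts or exts[-1] not in EXECUTABLE_EXTS:
                continue
            with zf.open(info) as member:
                head = member.read(4)  # only the magic bytes are needed
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                reason = f"double extension: looks like {exts[-2]}, runs as {exts[-1]}"
            else:
                reason = f"executable content type {exts[-1]}"
            flagged.append({"name": info.filename, "reason": reason, "is_jar": head == ZIP_MAGIC})
    return flagged


if __name__ == "__main__":
    for hit in deceptive_members(build_sample_zip()):
        print(hit)
```

Checking the magic bytes matters in both directions: a member named .pdf.jar that really is a ZIP confirms the disguise, while an executable extension on non-archive bytes is still worth quarantining but points to a different file type than the name suggests.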

Malware Analysis

Analyzing the JAR file, we found that it is jRAT's bot agent. We see a lot of this Java RAT both in email spam and during IR investigations; one likely reason is that it is very affordable: at USD 29, you can own a remote machine. jRAT's functionality is advertised on its website (https://jrat[.]io/showcase.php).

Each bot has its own configuration, and this particular sample has an anti-analysis mechanism that prevents well-known security and forensics tools from running. It adds each tool's process name under the "Image File Execution Options" registry key so that "svchost.exe" is executed instead, as shown in Figure 3.

The malware disables Task Manager by adding the following registry value:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • DisableTaskMgr = dword:00000002

It modifies the following registry key to lower the security settings of the Windows Attachment Manager:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    • SaveZoneInformation = dword:00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    • LowRiskFileTypes = ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;"

It disables System Restore by adding the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    • "DisableConfig"=dword:00000001
    • "DisableSR"=dword:00000001

For persistence, it creates the following registry Run entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "wdATEvtEWcA"="C:\Users\<user>\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\<user>\iokxIzCCSmO\.jar.gAdpwu"
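
The registry changes listed in this section, together with the Image File Execution Options entries mentioned above, are all visible in a reg export of the affected hives, which makes them cheap to audit during incident response. The Python below is an added example, not code from the post: it parses a constructed .reg export modelled on the values listed here (the <user> placeholder is the post's own, and the EXAMPLE-TOOL.exe subkey is invented because the post does not name the tools the sample blocks) and reports each weakening change, any Debugger hijack, and any Run entry that launches a JAR through javaw.exe.

```python
import re
from typing import Dict, List, Union

RegValue = Union[int, str]
RegKeys = Dict[str, Dict[str, RegValue]]

# Constructed .reg export modelled on the entries the post lists. <user> is the post's
# placeholder; EXAMPLE-TOOL.exe is an invented subkey name, since the post does not
# name the blocked tools. The Run value uses .reg escaping (\\ and \").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
"DisableSR"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wdATEvtEWcA"="\"C:\\Users\\<user>\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\<user>\\iokxIzCCSmO\\.jar.gAdpwu\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXAMPLE-TOOL.exe]
"Debugger"="svchost.exe"
"""

POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_ATTACH = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
POLICY_ASSOC = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
POLICY_SR = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Extensions that should never be treated as low risk by the Attachment Manager.
RISKY_EXTS = {".exe", ".bat", ".cmd", ".com", ".vbs", ".js", ".jar", ".lnk", ".msi", ".reg"}


def _decode(value: str) -> RegValue:
    """Decode the two value encodings used here: dword:hex and a quoted string."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", value[1:-1])  # unescape \\ and \"
    return value


def parse_reg_export(text: str) -> RegKeys:
    """Parse a .reg export into {key path: {value name: value}}."""
    keys: RegKeys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = _decode(value.strip())
    return keys


def audit(keys: RegKeys) -> List[str]:
    """Report the defensive settings this sample weakens plus its hijack and persistence entries."""
    lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive

    def get(key: str, name: str):
        return lower.get(key.lower(), {}).get(name)

    findings: List[str] = []
    if get(POLICY_SYSTEM, "DisableTaskMgr") not in (None, 0):
        findings.append("Task Manager disabled via Policies\\System\\DisableTaskMgr")
    if get(POLICY_ATTACH, "SaveZoneInformation") == 1:
        findings.append("Attachment Manager told not to keep zone information (SaveZoneInformation=1)")
    low_risk = get(POLICY_ASSOC, "LowRiskFileTypes")
    if isinstance(low_risk, str):
        risky = sorted(RISKY_EXTS & {e.strip().lower() for e in low_risk.split(";") if e.strip()})
        if risky:
            findings.append("executable types marked low risk: " + ", ".join(risky))
    for name in ("DisableSR", "DisableConfig"):
        if get(POLICY_SR, name) == 1:
            findings.append(f"System Restore policy {name}=1")
    for key, values in keys.items():
        if key.lower().startswith(IFEO.lower() + "\\") and "Debugger" in values:
            tool = key.rsplit("\\", 1)[-1]
            findings.append(f"IFEO Debugger set for {tool} -> {values['Debugger']}")
        if key.lower().endswith("\\currentversion\\run"):
            for name, cmd in values.items():
                if isinstance(cmd, str) and "javaw.exe" in cmd.lower() and "-jar" in cmd.lower():
                    findings.append(f"Run entry {name!r} launches a JAR via javaw.exe: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG)):
        print("-", finding)
```

On the constructed export this yields seven findings, one per weakened setting plus the Debugger and Run entries. On a real case the same audit runs over exports of HKCU and HKLM taken from the affected host; a Debugger value under any Image File Execution Options subkey is worth a look regardless of which tool it names.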

The bot's Command and Control server is 1990[.]nflfan[.]org:1990 (see Figure 4).

IOC

Folders

  • %USERPROFILE%\fUTkALeaTxM - install folder
  • %USERPROFILE%\iokxIzCCSmO - install folder

Registry

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • "wdATEvtEWcA"="C:\Users\<user>\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\<user>\iokxIzCCSmO\.jar.gAdpwu"

Network

  • 1990[.]nflfan[.]org:1990
  • localhost:7777

Conclusion

Scammers exploit the simplicity of email to further their cause. These cybercriminals are well aware of the online processes that public and private sector organizations rely on, and they use that knowledge to gain a victim's trust. They also know about deadlines such as government tax return dates and use them to instil a sense of urgency. Motivated by lucrative returns and equipped with modern malware, they capitalize on current events to launch phishing attacks against victims worldwide. In this case the lure was a fake VAT return document, delivered through spoofed messages appearing to come from the government tax department, and the payload was a well-known Java RAT that gives the attacker complete remote control of the victim's computer. We have seen an increase in phishing campaigns that abuse Microsoft services such as SharePoint (a web-based collaboration platform) and OneDrive (a file-sharing service); we assume the scammers host their malware on reputable cloud services like these to evade detection by security defences. Users need to be particularly careful, since such scams are most active during tax return season.
