Cyber Attack | Data Breach trickbot2

Published on March 2nd, 2019 📆 | 1588 Views ⚑

0

Fake Royal Bank of Canada Payment Receipt Advise/Avis de Reception de paiement delivers Trickbot

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Payment Receipt Advise/Avis de Reception de paiement” pretends to come from RBC Royal Bank of Canada but actually comes from “noreply@achaft-rbc.com” which is a look-a-like,  typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site.   Today they are using  XLSM Excel spreadsheet files.

RBC Banque Royale, Banque Royale du Canada, Royal Bank of Canada has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

What has happened is that the criminals sending these have registered various domains that look like the genuine Company, Bank, Government Department or message sending service. Normally  there is only one newly registered domain  that imitates a well known Company, Government Department, Bank or other organisation that can easily be confused with the genuine body or website  in some way.  These are hosted on & send the emails from 3 or 4 different servers. Some days however we do see dozens or even hundreds of fake domains.

Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar. Because of new GDPR rules we cannot easily find the registrants name or any further details.

  • achaft-rbc.com  A DNS lookup only gives   216.87.148.114 as the IP address but the copy I saw came from  109.232.227.28 | with these other IP addresses listed as approved to send via SPF records lookups  85.17.147.174 | 95.211.197.161 |85.17.80.20

▼Advertisement

From: RBC Royal Bank-Banque Royal-Customer support/Soutien a la clientele <noreply@achaft-rbc.com>

Date: Wed 27/02/2019 17:09

Subject: Payment Receipt Advise/Avis de Reception de paiement

Attachment: 14308278291.xlsm

Body content:

Payment Date/Date du paiement:          2019-02-27 A Direct Deposit has been made to your account in the amount of/Un Dépôt Directa été fait à votre compte au montant de CAD $8,485.31 Reference/Référence:                    14308278291 Direct Queries to/Queries direct à:———————————–Payor/Créateur:                         Canada Revenue Agency/Agence du revenu du CanadaContact/Personne-ressource:             Fiona McDonaldEmail address/Addresse courriel:        info@cra-arc.gc.caPhone Number/numéro de téléphone:       (800) 959-8281  Ext: For more information, please find enclosed document / Pour plus d’informations, veuillez trouver le document ci-joint. This message has been automatically produced by a computerized system and willnot be monitored for your reply.Ce message a été produit automatiquement par un système informatisé et aucunerésponse n’est attendue de votre part. This e-mail may be privileged and/or confidential, and the sender does not waiveany related rights and obligations. Any distribution, use or copying of thise-mail or the information it contains by other than an intended recipient isunauthorized. If you received this e-mail in error, please advise the Payor (byreturn e-mail or otherwise) immediately. Ce courrier électronique est confidentiel et protégé. L’expéditeur ne renoncepas aux droits et obligations qui s’y rapportent. Toute diffusion, utilisationou copie de ce message ou des renseignements qu’il contient par une personneautre que le (les) destinataire(s) désigné(s) est interdite. Si vousrecevez ce courrier électronique par erreur, veuillez à Créateur aviserimmédiatement. Registered trademarks of Royal Bank of Canada. RBC and Royal Bank areregistered trademarks of Royal Bank of  Canada.

▼Advertisement

This may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this or the information it contains by other than an intended recipient is unauthorized. If you received this in error, please advise the sender (by return or otherwise) immediately. You have consented to receive the attached electronically at the above-noted address; please retain a copy of this confirmation for future reference.

Screenshot:

Fake Royal Bank email

Malware Details

Fake RBC excel Spreadsheet

14308278291.xlsm    Current Virus total detections | Hybrid Analysis | Anyrun

This malware xls file downloads  from http://tyleruk.com/document.rbc  which is a renamed .exe file  VirusTotal | Gtag ser 0227us

▼Advertisement

The alternate Download location is  http://hemig.lk/document.rbc  

The folder for the files & configs is: C:\Users\[User]\AppData\Roaming\appnet

All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc  that are downloaded from the web or received in an email  automatically in “protected view” that stops any embedded malware, macros and  DDE “exploit /Feature” and embedded ole objects  from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.

Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still  using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007.  Many of us have continued to use older versions of word and other office programs, because  they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.

The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.

What can be infected by this
At this time, these malicious macros only infect windows computers. They do not affect a Mac, IPhone, IPad, Blackberry, Windows phone or Android phone. The malicious word or excel file can open on any device with an office program installed, and potentially the macro will run on Windows or Mac or any other device with Microsoft Office installed. BUT the downloaded malware that the macro tries to download is windows specific, so will not harm, install or infect any other computer except a windows computer. You will not be infected if you do not have macros enabled in Excel or Word. These Macros, embedded Oles or DDE  do not run in “Office Online”  Open Office, Libre Office, Word Perfect or any other office program that can read Word or Excel files.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them

I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.

 

▼Advertisement

IOC:

Main object- “14308278291.xlsm”
sha256 8f54fc0d4a053f5d5ea9d00d22408ac5df9b9a646ae31ef5c0789bf2e592cf9a
sha1 f5845c52f3b391aa96e5ef336465dbc685c18e60
md5 1db47ff5f1ef69964912b13a4f080d5f
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\file01.exe 252d3838936de2f3a455306dbee46cfaa11f37d1aab1dfcb64780ed66913eb44
DNS requests
domain hemig.lk
domain tyleruk.com
domain api.ip.sb
domain 109.22.102.82.zen.spamhaus.org
domain 109.22.102.82.cbl.abuseat.org
Connections
ip 198.136.49.178
ip 45.250.66.10
ip 47.52.62.55
ip 188.65.115.177
ip 195.123.246.99
ip 103.119.144.250
ip 36.66.115.180
ip 31.131.18.108
HTTP/HTTPS requests
url http://tyleruk.com/document.rbc
url http://hemig.lk/document.rbc
url http://103.119.144.250:8082/ser0227us/USER-PC_W617601.CC79AEA7E7594F85173D1C2BA2461163/81/
url https://api.ip.sb/ip
url http://103.119.144.250:8082/ser0227us/USER-PC_W617601.CC79AEA7E7594F85173D1C2BA2461163/83/
url http://103.119.144.250:8082/ser0227us/USER-PC_W617601.CC79AEA7E7594F85173D1C2BA2461163/90

Email from:
RBC Royal Bank-Banque Royal-Customer support/Soutien a la clientele <noreply@achaft-rbc.com>
216.87.148.114
85.17.147.174
95.211.197.161
85.17.80.20
109.232.227.28

Download Premium WordPress Themes Free
Free Download WordPress Themes
Free Download WordPress Themes
Download Best WordPress Themes Free Download
online free course

Tagged with:



Leave a Reply ✍


loading...