Thursday, 16 May 2013

HMRC spam / VAT Returns Repot 517794350.doc

This fake HMRC (UK tax authority) spam contains a malicious attachment:

From: noreply@hmrc.gov.uk [mailto:noreply@hmrc.gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350


Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack. VirusTotal results are just 1/46, so either this is something completely new or it is a corrupt sample.

UPDATE: ThreatTrack reports that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:

2 comments:

Stuart Smith said...

Where are you getting the IPs from? Some of our users got this email and selected the .doc file. What payload, etc. does the .doc release?

Conrad Longmore said...

@Stuart: the payload is something called P2P Zeus - those IPs are part of a botnet, you would probably see different ones. These were identified by the ThreatTrack report I included.

As far as I can tell, if the machine is fully up-to-date with Microsoft patches then the attack should fail, MS12-027 was patched last year.