From "noreply@taxreg.hmrc.gov.uk" [noreply@taxreg.hmrc.gov.uk]
Date Wed, 1 Jul 2015 11:20:37 +0000
Subject HMRC taxes application with reference L4TI 2A0A UWSV WASP received
The application with reference number L4TI 2A0A UWSV WASP submitted by you or your
agent to register for HM Revenue & Customs (HMRC) taxes has been received and will
now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here: http://quadroft.com/secure_storage/get_document.html
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.d
If you have the correct browser agent (e.g. Internet Explorer 8 on Windows) you will see a "Your document will download shortly.." notice. If you have something else, a fake 404 page will be generated.
The page then forwards to the real HMRC login page but attempts to dump a malicious ZIP from another source at the same time.
In this case, the ZIP file was Document_HM901417.zip which contains a malicious executable Document_HM901417.exe. This has a VirusTotal detection rate of 3/55 (identified as the Upatre downloader).
Automated analysis [1] [2] [3] shows attempted traffic to 93.185.4.90 (C2NET, Czech Republic) and a dropped executable with a random name and an MD5 of ba841ac5f7500b6ea59fcbbfd4d8da32 with a detection rate of 2/55.
The payload is almost definitely the Dyre banking trojan.