
Published on March 2nd, 2019


Fake Royal Bank of Canada Payment Receipt Advise/Avis de Reception de paiement delivers Trickbot


This is today's example of a spoof or imitation of a well-known company, bank or public authority, delivering the Trickbot banking Trojan. The email, with the subject "Payment Receipt Advise/Avis de Reception de paiement", pretends to come from RBC Royal Bank of Canada but actually comes from "noreply@achaft-rbc.com", a look-alike, typo-squatted domain that can easily be misidentified, mistaken or confused with the genuine site. Today the lure is a macro-enabled XLSM Excel spreadsheet file.

RBC Banque Royale, Banque Royale du Canada, Royal Bank of Canada has not been hacked and has not had its email or other servers compromised. They are not sending these emails to you. They are innocent victims, in exactly the same way as every recipient of these emails.

What has happened is that the criminals sending these have registered domains that look like the genuine company, bank, government department or message-sending service. Normally there is only one newly registered domain imitating a well-known company, government department, bank or other organisation, chosen so that it can easily be confused with the genuine body or website in some way. These are hosted on, and send the emails from, 3 or 4 different servers. On some days, however, we do see dozens or even hundreds of fake domains. Because the criminals own the look-alike domain, they also control its DNS and can publish an SPF record for it, so the mail can pass SPF checks: a pass only says the sending server was authorised for achaft-rbc.com, not that achaft-rbc.com has anything to do with RBC.

Today's example of the spoofed domain is, as usual, registered via GoDaddy as registrar. Because of GDPR redaction of WHOIS data, we cannot easily find the registrant's name or any further details.

  • achaft-rbc.com: a DNS lookup gives only 216.87.148.114 as the IP address, but the copy I saw came from 109.232.227.28, with these other IP addresses listed as approved to send via SPF record lookups: 85.17.147.174 | 95.211.197.161 | 85.17.80.20
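The point about SPF is worth making concrete. The check below is an added example written for this post, not code from the original write-up: it evaluates an SPF record offline against a sending IP and then asks the question that actually matters, whether the From domain is one of the bank's genuine domains. The SPF record text is constructed (it lists the four sending IPs named above; the real DNS record for achaft-rbc.com was not captured here) and the list of genuine RBC domains is an assumption for illustration.

```python
import ipaddress

# Constructed SPF record, not the real DNS data for achaft-rbc.com: it lists
# the four sending IPs named in this write-up so the checks below run offline.
SAMPLE_SPF = ("v=spf1 ip4:85.17.147.174 ip4:95.211.197.161 "
              "ip4:85.17.80.20 ip4:109.232.227.28 -all")

# Assumed list of the bank's genuine mail domains (illustrative only; verify
# against the organisation's own published domains before relying on it).
BRAND_DOMAINS = ("rbc.com", "rbcroyalbank.com")
BRAND_TOKENS = ("rbc", "royalbank")

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (qualifier, mechanism, argument) triples from an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier such as redirect= or exp=
            name, _, arg = term.partition("=")
            parsed.append((qualifier, name.lower() + "=", arg))
            continue
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def evaluate_spf(record, sender_ip):
    """Evaluate ip4/ip6/all mechanisms offline; report anything that needs DNS."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return RESULT[qualifier]
        elif mech == "all":
            return RESULT[qualifier]
        elif mech in ("a", "mx", "include", "exists", "ptr", "redirect="):
            return "needs-dns"               # cannot be resolved offline
        # other modifiers (e.g. exp=) do not affect the result
    return "neutral"


def is_brand_domain(domain, brand_domains=BRAND_DOMAINS):
    """True only for the genuine domain or a subdomain of it, not a look-alike."""
    domain = domain.lower().rstrip(".")
    return any(domain == b or domain.endswith("." + b) for b in brand_domains)


def triage_sender(from_addr, sender_ip, spf_record):
    """Combine SPF with the brand-domain check; SPF alone says nothing about identity."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    spf = evaluate_spf(spf_record, sender_ip)
    if is_brand_domain(domain):
        verdict = "genuine-domain" if spf == "pass" else "genuine-domain-spf-" + spf
    elif any(tok in domain for tok in BRAND_TOKENS):
        verdict = "lookalike-domain"         # attacker-owned; SPF result is irrelevant
    else:
        verdict = "unrelated-domain"
    return {"domain": domain, "spf": spf, "verdict": verdict}


if __name__ == "__main__":
    print(triage_sender("noreply@achaft-rbc.com", "109.232.227.28", SAMPLE_SPF))
```

Run against the sender above, the mail passes SPF under the constructed record and is still classified as a look-alike domain. That is the decision a mail gateway or analyst should make: brand tokens in a domain that is not the brand's own domain are the signal, and an SPF pass must not be allowed to override it.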


From: RBC Royal Bank-Banque Royal-Customer support/Soutien a la clientele <noreply@achaft-rbc.com>

Date: Wed 27/02/2019 17:09

Subject: Payment Receipt Advise/Avis de Reception de paiement

Attachment: 14308278291.xlsm

Body content:

Payment Date/Date du paiement: 2019-02-27

A Direct Deposit has been made to your account in the amount of/Un Dépôt Direct a été fait à votre compte au montant de CAD $8,485.31

Reference/Référence: 14308278291

Direct Queries to/Queries direct à:
———————————–
Payor/Créateur: Canada Revenue Agency/Agence du revenu du Canada
Contact/Personne-ressource: Fiona McDonald
Email address/Addresse courriel: info@cra-arc.gc.ca
Phone Number/numéro de téléphone: (800) 959-8281 Ext:

For more information, please find enclosed document / Pour plus d'informations, veuillez trouver le document ci-joint.

This message has been automatically produced by a computerized system and will not be monitored for your reply.
Ce message a été produit automatiquement par un système informatisé et aucune réponse n'est attendue de votre part.

This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise the Payor (by return e-mail or otherwise) immediately.

Ce courrier électronique est confidentiel et protégé. L'expéditeur ne renonce pas aux droits et obligations qui s'y rapportent. Toute diffusion, utilisation ou copie de ce message ou des renseignements qu'il contient par une personne autre que le (les) destinataire(s) désigné(s) est interdite. Si vous recevez ce courrier électronique par erreur, veuillez à Créateur aviser immédiatement.

Registered trademarks of Royal Bank of Canada. RBC and Royal Bank are registered trademarks of Royal Bank of Canada.


This may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this or the information it contains by other than an intended recipient is unauthorized. If you received this in error, please advise the sender (by return or otherwise) immediately. You have consented to receive the attached electronically at the above-noted address; please retain a copy of this confirmation for future reference.

Screenshot: Fake Royal Bank email
Malware Details

Fake RBC excel Spreadsheet

14308278291.xlsm: Current VirusTotal detections | Hybrid Analysis | Anyrun

This malicious xlsm file downloads http://tyleruk.com/document.rbc, which is a renamed .exe file (VirusTotal). Trickbot gtag: ser0227us (the campaign tag that also appears in the C2 URLs in the IOC list).


The alternate download location is http://hemig.lk/document.rbc

The folder for the files and configs is: C:\Users\[User]\AppData\Roaming\appnet

All modern versions of Word and the other Office programs (2010, 2013, 2016 and 365) should open Office documents (Word docs, Excel spreadsheets, PowerPoint files etc.) that are downloaded from the web or received by email in "Protected View", which stops embedded macros, the DDE "exploit/feature" and embedded OLE objects from running. Make sure Protected View is enabled in all Office programs to protect you and your company from these sorts of attacks, and do not override it to edit the document. If the Protected View bar appears when opening the document, DO NOT follow the advice in the document to enable macros or enable editing to see the content. The document will show a warning message, but you will be safe.

Be aware that there are a lot of other dodgy Word docs spreading that WILL infect you with no action on your part if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. Many of us have continued to use older versions of Word and other Office programs because they are convenient, have the functions and settings we are used to, and we have never seen a need to update to the latest super-duper version.

The risks of using an older version now seriously outweigh the convenience, benefits and cost of keeping an old version going.

What can be infected by this
At this time these malicious macros only infect Windows computers. They do not affect a Mac, iPhone, iPad, BlackBerry, Windows Phone or Android phone. The malicious Word or Excel file can open on any device with an Office program installed, and the macro could potentially run on Windows, Mac or any other device with Microsoft Office installed, BUT the malware the macro tries to download is Windows-specific, so it will not harm, install on or infect any computer except a Windows computer. You will not be infected if you do not have macros enabled in Excel or Word. These macros, embedded OLE objects and DDE do not run in Office Online, OpenOffice, LibreOffice, WordPerfect or any other office program that can read Word or Excel files.
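The two paragraphs above come down to one triage question about an attachment: does this file carry a VBA project (or a DDE link or embedded OLE object) at all? The script below is an added example written for this post, not code from the original write-up or from any analysis tool it links to. It reads an .xlsm/.docm/.pptm as the zip container it is, looks for the vbaProject.bin part and the VBA content type in [Content_Types].xml, and flags the mismatch of macro content under a macro-free extension. The two sample files are constructed in memory (a stub vbaProject.bin with only the OLE2 magic bytes, not a real macro), so it runs offline and never executes anything from the sample.

```python
import io
import os
import re
import zipfile

# Parts and content types that mark a macro-enabled OOXML file.
VBA_PART = re.compile(r"^(?:xl|word|ppt)/vbaProject\.bin$")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = {".xlsx", ".docx", ".pptx"}
# Secondary heuristics: DDE links and embedded OLE objects appear as these
# elements in the XML parts (plain string match, not a full OOXML parser).
OTHER_INDICATORS = {
    "dde": re.compile(rb"<ddeLink\b"),
    "ole": re.compile(rb"<oleObject\b"),
}


def inspect_office_file(name, data):
    """Describe whether an OOXML attachment carries VBA, DDE or OLE content.

    Only the zip container and its XML are read; nothing is parsed as VBA or
    executed, so this is safe to run on a live sample.
    """
    result = {"name": name, "is_ooxml": False, "has_vba": False,
              "vba_parts": [], "indicators": [], "extension_mismatch": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result          # OLE2 binary (.xls/.doc), RTF, or not Office at all
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["vba_parts"] = [n for n in names if VBA_PART.match(n)]
        ctypes = zf.read("[Content_Types].xml")
        result["has_vba"] = bool(result["vba_parts"]) or VBA_CONTENT_TYPE in ctypes
        for n in names:
            if n.endswith(".xml") or n.endswith(".rels"):
                body = zf.read(n)
                for label, pat in OTHER_INDICATORS.items():
                    if pat.search(body) and label not in result["indicators"]:
                        result["indicators"].append(label)
    ext = os.path.splitext(name)[1].lower()
    result["extension_mismatch"] = result["has_vba"] and ext in MACRO_FREE_EXTENSIONS
    return result


def build_sample(parts):
    """Constructed test data: an in-memory OOXML container with the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for part, body in parts.items():
            zf.writestr(part, body)
    return buf.getvalue()


_TYPES = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '{}</Types>')
CONTENT_TYPES_MACRO = _TYPES.format(
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '<Override PartName="/xl/workbook.xml" '
    'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>')
CONTENT_TYPES_PLAIN = _TYPES.format(
    '<Override PartName="/xl/workbook.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')

# Constructed samples: the vbaProject.bin is a stub (OLE2 magic plus padding), not a macro.
SAMPLE_XLSM = build_sample({
    "[Content_Types].xml": CONTENT_TYPES_MACRO,
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
})
SAMPLE_XLSX = build_sample({
    "[Content_Types].xml": CONTENT_TYPES_PLAIN,
    "xl/workbook.xml": "<workbook/>",
})


if __name__ == "__main__":
    for fname, blob in (("14308278291.xlsm", SAMPLE_XLSM), ("invoice.xlsx", SAMPLE_XLSX)):
        print(inspect_office_file(fname, blob))
```

A hit on has_vba is the point at which to stop and hand the file to a sandbox or to olevba from the oletools package, which decompresses and prints the VBA source; this check deliberately does not go that far. Legacy binary formats (.xls/.doc) are OLE2 files, not zips, and come back with is_ooxml False rather than a verdict.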

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about Word macro malware and how to avoid being infected by it.

I strongly urge you to update your Office software to the latest version and stop putting yourself at risk by using old, out-of-date software.


IOC:

Main object- “14308278291.xlsm”
sha256 8f54fc0d4a053f5d5ea9d00d22408ac5df9b9a646ae31ef5c0789bf2e592cf9a
sha1 f5845c52f3b391aa96e5ef336465dbc685c18e60
md5 1db47ff5f1ef69964912b13a4f080d5f
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\file01.exe 252d3838936de2f3a455306dbee46cfaa11f37d1aab1dfcb64780ed66913eb44
DNS requests
domain hemig.lk
domain tyleruk.com
domain api.ip.sb
domain 109.22.102.82.zen.spamhaus.org
domain 109.22.102.82.cbl.abuseat.org
Connections
ip 198.136.49.178
ip 45.250.66.10
ip 47.52.62.55
ip 188.65.115.177
ip 195.123.246.99
ip 103.119.144.250
ip 36.66.115.180
ip 31.131.18.108
HTTP/HTTPS requests
url http://tyleruk.com/document.rbc
url http://hemig.lk/document.rbc
url http://103.119.144.250:8082/ser0227us/USER-PC_W617601.CC79AEA7E7594F85173D1C2BA2461163/81/
url https://api.ip.sb/ip
url http://103.119.144.250:8082/ser0227us/USER-PC_W617601.CC79AEA7E7594F85173D1C2BA2461163/83/
url http://103.119.144.250:8082/ser0227us/USER-PC_W617601.CC79AEA7E7594F85173D1C2BA2461163/90
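The C2 URLs in the IOC list share one shape, http://<ip>:8082/<gtag>/<MACHINE>_<OSBUILD>.<32 hex client id>/<command>/, and the two DNS names under zen.spamhaus.org and cbl.abuseat.org are reversed-octet blocklist lookups (the infected host checking whether its own public IP, fetched from api.ip.sb, is already listed). The script below is an added example written for this post, not code from the original write-up: it pulls the gtag, machine name and client id out of proxy log URLs of that shape and recovers the IP behind the DNSBL queries. The log lines are constructed (the IOCs from this post placed in an invented timestamp/client/method/url/status layout), and the regex is a heuristic for the URLs seen here, not a complete description of Trickbot's C2 protocol.

```python
import re

# Shape of the C2 URLs captured in this write-up:
#   http://<ip>:<port>/<gtag>/<MACHINE>_<OSBUILD>.<32 hex client id>/<command>/
# Heuristic for that shape only, not a complete Trickbot C2 grammar.
C2_URL = re.compile(
    r"^https?://(?P<c2_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"
    r"/(?P<gtag>[a-z0-9]{3,16})"
    r"/(?P<machine>[A-Za-z0-9-]{1,63})_(?P<os>W\d{5,6})\.(?P<client_id>[0-9A-F]{32})"
    r"/(?P<cmd>\d{1,3})/?$")

# Reversed-octet lookups against a few well-known DNS blocklists (extend as needed).
# The queried name encodes the IP being checked with its octets reversed.
DNSBL_QUERY = re.compile(
    r"^(?P<o4>\d{1,3})\.(?P<o3>\d{1,3})\.(?P<o2>\d{1,3})\.(?P<o1>\d{1,3})"
    r"\.(?P<zone>zen\.spamhaus\.org|cbl\.abuseat\.org|bl\.spamcop\.net)$")

# Constructed sample logs (not captured traffic): "timestamp client method url status"
# for the proxy and "client qtype qname" for DNS. The URLs and names are this post's IOCs.
SAMPLE_PROXY_LOG = """\
1551285112.417 10.1.2.34 GET http://tyleruk.com/document.rbc 200
1551285120.002 10.1.2.34 GET https://api.ip.sb/ip 200
1551285121.555 10.1.2.34 POST http://103.119.144.250:8082/ser0227us/USER-PC_W617601.CC79AEA7E7594F85173D1C2BA2461163/81/ 200
1551285130.101 10.1.2.34 GET http://103.119.144.250:8082/ser0227us/USER-PC_W617601.CC79AEA7E7594F85173D1C2BA2461163/90 200
1551285140.909 10.1.2.77 GET http://www.example.org/index.html 200
"""
SAMPLE_DNS_LOG = """\
10.1.2.34 A 109.22.102.82.zen.spamhaus.org
10.1.2.34 A 109.22.102.82.cbl.abuseat.org
10.1.2.34 A hemig.lk
10.1.2.77 A www.example.org
"""


def parse_c2_url(url):
    """Return the beacon's fields (gtag, machine, os, client_id, cmd) or None."""
    m = C2_URL.match(url)
    return m.groupdict() if m else None


def scan_proxy_log(text):
    """One hit per proxy log line whose URL has the beacon shape."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, url, status = fields[:5]
        beacon = parse_c2_url(url)
        if beacon:
            beacon.update({"ts": ts, "client": client, "method": method})
            hits.append(beacon)
    return hits


def dnsbl_lookups(text):
    """Find reversed-octet blocklist queries and recover the IP being checked."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, _qtype, qname = fields[:3]
        m = DNSBL_QUERY.match(qname.lower())
        if m:
            checked = ".".join(m.group(k) for k in ("o1", "o2", "o3", "o4"))
            found.append({"client": client, "checked_ip": checked, "zone": m.group("zone")})
    return found


def suspect_hosts(proxy_text, dns_text):
    """Internal hosts that both beaconed to a C2 and ran DNSBL self-checks."""
    beaconing = {h["client"] for h in scan_proxy_log(proxy_text)}
    checking = {d["client"] for d in dnsbl_lookups(dns_text)}
    return beaconing & checking


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["client"], hit["gtag"], hit["client_id"], "cmd", hit["cmd"])
    print("hosts to isolate:", sorted(suspect_hosts(SAMPLE_PROXY_LOG, SAMPLE_DNS_LOG)))
```

The machine name and 32-hex client id in the URL identify the victim to the C2, so matching on the URL shape rather than on the single IP 103.119.144.250 keeps the detection useful after the C2 address rotates. Treating an ordinary workstation querying zen.spamhaus.org as a second, independent signal is what makes the combined verdict worth acting on: mail servers do those lookups, desktops do not.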

Email from:
RBC Royal Bank-Banque Royal-Customer support/Soutien a la clientele <noreply@achaft-rbc.com>
216.87.148.114
85.17.147.174
95.211.197.161
85.17.80.20
109.232.227.28
