Everyone loves to hate the Canada Revenue Agency. Unfortunately, criminals apparently love the tax man — they keep finding ways of leveraging Canadians’ fear of the agency to lure them into malware.
Often its fraudulent phone calls in the spring claiming to be from the agency. But recently an email campaign was detected by Trustwave, which in a blog Wednesday described how someone is using a .MSG email attachment, the format of Microsoft Outlook and Exchange message files, as the vehicle for malware. Some of this mail will likely fall into the mailboxes of enterprises.
The subject line will be “Canada Revenue Agency — Notification.” The sender appears to be legit as “Canada Revenue Agency Online Mail.”
The first clue this is phoney is it’s email. Governments do NOTHING unsolicited by email — they love paper because it can be traced.
The second clue is body of the text: It’s addressed to “Dear Taxpayer.”
Lesson: Do not click on the attachment, which purports to be a case file.
What’s more interesting to our readers is the analysis of the malware by Trustwave. Opening the attachment researchers found a number of files and four folders. Two of the folders have images of spoofed PDF files with spoofed file names, while the third folder has a compressed file with another OLE file. Inside that file is another compressed file with JavaScript. When it runs it downloads a malicious executable from a command server, a Trojan which injects its code into an available Windows Explorer browser, and then downloads the Zbot banking Trojan, which can intercept network traffic and steal system information, online banking credentials and passwords.
“We don’t often see malicious files embedded in .MSG file attachments,” notes Trustwave. “It represents yet another technique used by cybercriminals to bypass email gateways. While extracting the malicious JavaScript object, we encountered layers of compression that would perhaps be difficult for some antivirus product to detect.”
The lesson for infosec teams with organizations that use Outlook is to pass the word that employees should be wary of opening .MSG files. By default, Outlook will prompt users with a warning that some objects in the message may have a virus.
Trustwave calls this hunt for the malware package going down the rabbit hole. For young threat researchers it’s a lesson on how to do it.