New Scam Impersonates VAT Form to Deliver Malware

Researchers from Trustwave have unearthed a scam impersonating Her Majesty’s Revenue & Customs (HMRC) to trick victims into downloading malware.

According to the security firm, on September 6 2017, scammers launched an email phishing attack disguised as a HMRC VAT return document, which contained links to the infamous JRAT malware. The email was sent using a registered HMRC-like domain (

Trustwave explained that the body of the email encourages the user to click on an embedded image of a PDF doc citing an error in their recently submitted VAT return, taking the victim to a Microsoft OneDrive file sharing service that downloads a VAT Return ZIP file – inside is a malicious Java Jar file that on execution downloads and launches malware via several VBS scripts. There is no actual attachment sent with the message.

Analyzing the Jar file, Trustwave explained that it is the jRAT's bot agent. 

“Each bot has its own configuration and this particular sample has an anti-analysis mechanism where it prevents execution of well-known security and forensic related tools. It adds the process name to ‘Image File Execution’ registry key so that ‘svchost.exe’ will be executed instead”, wrote Dr Fahim Abbasi, Gerald Carsula and Rodel Mendrez.

The Java RAT trojan provides complete remote control over the victim’s computer, they added, citing an increase in phishing campaigns using Microsoft services such as SharePoint (a web-based collaborative platform) and OneDrive (a file sharing service).

“We assume that the scammers route their malware leveraging reputable cloud services like Microsoft to evade detection by various security defenses. Users need to be particularly careful since such scams are quite active during tax return season.”

Speaking to Infosecurity Luis Corrons, PandaLabs technical director, Panda Security, said that this attack shows how creative attackers can be in order to fool users into infecting themselves.

“The technique they use in this particular attack is pretty smart, as it avoids the use of an attachment in an email,” he explained. “The only thing we can ask users for is to be sceptic and to not execute/open anything that comes from an unknown source.”

However, this can only work for so long, he adds. “The security measures in place are the ones that have to take care of these attacks (not the users!), and that is why having a solution capable of classifying all running processes in the computers of a corporate network with real time monitoring and a threat hunting service is the only viable approach to be effectively safe.”

What’s Hot on Infosecurity Magazine?