This example is today's latest spoof of a well-known company, bank or public authority delivering the Trickbot banking Trojan: an email with the subject “REF: Notification of payment collection” that pretends to come from HMRC but actually comes from a look-alike or typo-squatted domain < firstname.lastname@example.org > and carries a malicious Word doc attachment. The initial Word doc downloads Smoke Loader, which in turn downloads other malware, including the Trickbot banking Trojan. Since this was posted, several analysts have looked at this “new” version of Trickbot and discovered that it now includes a Monero mining component along with its bank account and password stealing capabilities. http://malware-traffic-analysis.net/2018/02/01/index.html has a good write-up on it.
In the UK it is the time of year when we all have to do our tax returns and will get correspondence from HMRC telling us how much to pay. Be very wary of any email saying it is from HMRC. They normally do everything by letter, not by email with Word attachments.
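The advice above can be turned into a simple mail-triage check. The following is an added example, not code from the original article: it flags messages that present themselves as HMRC but are sent from a domain outside gov.uk, or that carry a Word attachment. The trusted suffix, the brand terms, the helper names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_SUFFIX = "gov.uk"  # assumption: genuine HMRC mail comes from gov.uk addresses
WORD_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf")
BRAND_TERMS = ("hmrc", "hm revenue")  # assumed strings that signal an HMRC claim


def triage(raw_message):
    """Return the reasons a message fits the fake-HMRC pattern (empty list = no match)."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower().rstrip(".")
    subject = str(msg.get("Subject", ""))
    claims_hmrc = any(t in f"{display} {address} {subject}".lower() for t in BRAND_TERMS)
    if not claims_hmrc:
        return []
    reasons = []
    # A look-alike domain fails this suffix test even if it contains "hmrc".
    if not (domain == TRUSTED_SUFFIX or domain.endswith("." + TRUSTED_SUFFIX)):
        reasons.append(f"claims HMRC but sender domain is {domain or 'missing'}")
    word_docs = [p.get_filename() for p in msg.iter_attachments()
                 if (p.get_filename() or "").lower().endswith(WORD_EXTENSIONS)]
    if word_docs:
        reasons.append("Word attachment: " + ", ".join(word_docs))
    return reasons


def build_sample(sender, subject, attachment=None):
    """Build a constructed test message; the attachment body is placeholder bytes."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content("Please see the attached notice.")
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_string()


# Constructed samples, not taken from the real campaign.
SAMPLE_FAKE = build_sample("HMRC <payments@hmrc-example.invalid>",
                           "REF: Notification of payment collection", "notice.doc")
SAMPLE_GOV = build_sample("HMRC <noreply@hmrc.gov.uk>", "Your tax return")
SAMPLE_OTHER = build_sample("Alice <alice@example.org>", "Minutes", "minutes.docx")

if __name__ == "__main__":
    for name, raw in (("fake", SAMPLE_FAKE), ("gov", SAMPLE_GOV), ("other", SAMPLE_OTHER)):
        print(name, triage(raw))
```

The From header can itself be forged, so a check like this belongs alongside SPF, DKIM and DMARC results rather than in place of them.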
To read the original article: https://myonlinesecurity.co.uk/fake-hmrc-ref-notification-of-payment-collection-malspam-delivers-smoke-loader-which-downloads-trickbot-banking-trojan/