[ Fake DnB documents malspam delivers Trickbot banking Trojan ]

I happened to chance upon this alert from Singapore Commercial Credit Bureau as shown in the image below.

I got interested in this since it’s a Singapore company giving this alert. I started looking at the samples from VirusTotal and found this interesting email.
The email has the subject “FW: Case DNB928929” and pretends to come from “Dun & BradStreet”, but it actually comes from a look-alike domain “”. It carries either a malicious zip attachment containing a .doc file or a .doc attachment, and the document delivers the Trickbot banking Trojan.

The malware authors use email addresses that are similar to the real “Dun & BradStreet” ones, and subjects that will scare or entice a user into reading the email and opening the attachment.

The email looks like:

From: Dun & Bradstreet [mailto:[email protected]]
Sent: Thursday, 6 July, 2017 12:40 AM
Subject: FW: Case DNB928929

Company Complaint: DNB928929

Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.

In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by July 14, 2017 Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Dun and BradStreet. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us.

We look forward to your prompt attention to this matter.

Dun & Bradstreet
103 JFK Parkway
Short Hills
NJ 07078


Recipient:
File Validity: 07/07/2017
File Format: Microsoft Word
File Name: DNB928929.doc

[DNB Verified]

The hash of the malicious doc is: 79344f12ecfbd478a564297e339067180625e83c7266c4cab39b2f68440fcb6b
The VBA in the malicious doc will download the payload from “http://calendarortodox[.]ro/serstalkerskysbox.png”.

That “serstalkerskysbox.png” is actually Trickbot.
The hash of that Trickbot is 3e225d16e486fae7df684d73c6e4531fbaf203b898ea899623cf5150a0f13652
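
A triage check built from the indicators above, as an added example that is not part of the original post: it flags the brand display name on a non-brand domain, the "Case DNB<digits>" subject, and Word attachments (bare or zipped), and compares each document's SHA-256 with the hash listed here. `LEGIT_DOMAINS`, the function names and the `lookalike.example` sender are assumptions, and the sample message is constructed from harmless bytes.

```python
import email, hashlib, io, re, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators from the write-up above; LEGIT_DOMAINS is an assumption.
BAD_DOC_SHA256 = "79344f12ecfbd478a564297e339067180625e83c7266c4cab39b2f68440fcb6b"
SUBJECT_RE = re.compile(r"\bCase DNB\d+\b", re.I)
BRAND_RE = re.compile(r"dun\s*&\s*bradstreet", re.I)
LEGIT_DOMAINS = {"dnb.com"}  # assumed real sending domain of the brand

def doc_payloads(msg):
    """Yield (name, bytes) for each .doc attachment, including ones inside a zip."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".doc"):
            yield name, data
        elif zipfile.is_zipfile(io.BytesIO(data)):  # catches renamed zips too
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(".doc"):
                        yield member, zf.read(member)

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if BRAND_RE.search(display) and not any(
            domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS):
        findings.append(f"brand display name on unexpected domain: {domain}")
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        findings.append("subject matches 'Case DNB<digits>' lure")
    for name, data in doc_payloads(msg):
        findings.append(f"Word attachment: {name}")
        if hashlib.sha256(data).hexdigest() == BAD_DOC_SHA256:
            findings.append(f"known-bad SHA-256: {name}")
    return findings

def build_sample():  # constructed test message; sender domain is a placeholder
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DNB928929.doc", b"harmless placeholder, not the real sample")
    m = EmailMessage()
    m["From"] = '"Dun & Bradstreet" <alerts@lookalike.example>'
    m["Subject"] = "FW: Case DNB928929"
    m.set_content("Company Complaint: DNB928929")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="DNB928929.zip")
    return m.as_bytes()
```

Calling `triage(build_sample())` returns the list of findings for the constructed message; an encrypted zip is not handled and would need its own branch.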

PLEASE be very CAREFUL with email attachments. All of these emails usually use Social Engineering tricks to persuade you to open the malicious attachments that come with the email.

Article Link: http://www.vxsecurity.sg/2017/07/08/fake-dnb-documents-malspam-delivers-trickbot-banking-trojan/