Malware Delivery Campaign Using Spoofed NHS Email Addresses

CareCERT is aware of a recent spam email campaign which uses spoofed @hscic.gov.uk and @nhs.net email addresses to deliver a malicious link which, when clicked, downloads a malicious JavaScript attachment containing malware.

Threat ID:: CC-1328
Category:: Trojan
Threat Severity:: High
Threat Vector:: Email spam
Published:: 12 April 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - all versions

Threat details

Example spam email 1 :

You have received an invoice from PLACE HSCIC (HEALTH AND SOCIAL CARE INFORMATION CENTRE) [SPOOFED EMAIL ADDRESS] for Â£3,534.49. To view, print or download a JS copy of your invoice, click the link below:
[LINK TO MALICIOUS URL]

Best regards, PLACE HSCIC (HEALTH AND SOCIAL CARE INFORMATION CENTRE)
[SPOOFED EMAIL ADDRESS]

Malware Name: Trojan.Script.Heuristic-js.iacgm

Malware File Name: view__report__invoice__0000156__Apr___12___2017.js

Malware file hashes:

- MD5 3b8927da0cdca9e657e3d75fc9cb862a
- SHA1 016be72b4cf73850dceee1c83f88656de7064578
- SHA256 2a24f47fde8ed12f583cddb3da17068e3d5e6587bd0bf3fb4ea6338606200d92

Remediation advice

For Users:

Remediation steps

Type	Step
	Do not open attachments or follow links within unsolicited emails. Verify the legitimacy of any requests via email by contacting the sender through official channels. Report any suspected spam email to NHSmail at [email protected] using CareCERT Best practice guide: Reporting suspicious/unsolicited/spam emails within the NHS. If you suspect your computer has become infected with a virus then unplug the network cable, turn off your Wi-Fi or power down your computer and immediately report the suspected infection to your IT support provider. Organisations Should Ensure A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. Block identified malicious URLs at your firewall and web content filtering solutions

Type

Step

Do not open attachments or follow links within unsolicited emails.
Verify the legitimacy of any requests via email by contacting the sender through official channels.
Report any suspected spam email to NHSmail at [email protected] using CareCERT Best practice guide: Reporting suspicious/unsolicited/spam emails within the NHS.
If you suspect your computer has become infected with a virus then unplug the network cable, turn off your Wi-Fi or power down your computer and immediately report the suspected infection to your IT support provider.

Organisations Should Ensure

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
Block identified malicious URLs at your firewall and web content filtering solutions

Last edited: 17 February 2020 11:34 am