Barking and Dagenham PCN Email Virus

24th January 2017
WARNING! Yesterday we received an email claiming to be from the London Borough of Barking and Dagenham, stating that we had an overdue parking ticket. The link in the email leads to a fake copy of the council's site, which asks you to download your case and evidence details. What is actually downloaded is a malicious JavaScript file that fetches and runs further malware directly on the computer.

It is currently believed to download the Ursnif banking Trojan, but we have tracked multiple different scripts using the name Case_Details.js.

One of the scripts invokes WScript to download a Trojan; another runs a PowerShell function. As the script is changed often, the payload can also change, so it could potentially include ransomware.

If you receive a PCN notice via e-mail from Barking and Dagenham, please DELETE it, or go to their website by manually typing their address.

Email body:

Fake webpage which asks for a CAPTCHA before it lets you download the information.


The download is a .zip file containing a .js JavaScript file.
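As an added example (not part of the original post), the check below opens an archive saved from such an e-mail without extracting it and flags any member that Windows Script Host would execute on a double-click, including double extensions such as `Case_Details.pdf.js`. It assumes .NET's System.IO.Compression is available (Windows PowerShell 5 or PowerShell 7); the quarantine path in the usage line is a placeholder.

```powershell
# Added example: list the members of a downloaded archive and flag any
# Windows Script Host file types before anyone double-clicks them.
# Assumption: System.IO.Compression.FileSystem is available (PS 5 / PS 7).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ArchiveForScripts {
    param([Parameter(Mandatory)][string]$Path)

    # Extensions that WScript.exe / CScript.exe will run from Explorer.
    $scriptExt = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'
    $findings  = @()

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # GetExtension returns the LAST extension, so 'x.pdf.js' -> '.js'.
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if ($scriptExt -contains $ext) {
                $findings += [pscustomobject]@{
                    Name   = $entry.FullName
                    Size   = $entry.Length
                    Reason = "script file ($ext) inside archive"
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage (placeholder path for the archive saved from the e-mail):
# Test-ArchiveForScripts -Path 'C:\Quarantine\Case_Details.zip' | Format-Table
```

Because the archive is only read, not extracted, nothing inside it is written to disk or opened; an empty result means no WSH file types were found, not that the archive is safe.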


If no browser is set as the default program for *.js files, the JavaScript is run by the Windows Script Host (WScript.exe).


The JavaScript is heavily obfuscated to hide its true function, which runs a Trojan downloader to fetch the payload (in this case the Ursnif banking Trojan).

On day two the Trojan had a different script, which uses wscript.exe to run a PowerShell command instead.


As the JavaScript can be obfuscated in a different manner each time, the Trojan's signature will change, making it harder for AV products to detect. The JavaScript uses function returns, arrays and variables to assemble the final malicious script.

Most enterprise security solutions include behavioural analysis, which can detect how scripts are running and will help protect your machine.

Also, ensuring that all *.js files are set to open by default in secure browsers such as Chrome or Firefox may help, as they handle .js files inside the browser sandbox, stopping scripts being run on the host directly.
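The following is an added example, not ITB's own tooling, showing how to audit which program Windows hands script files to and how to re-point those file types so a double-click displays the file instead of executing it. Notepad is used here as the replacement handler (the point is only that WScript.exe is no longer the default). It assumes the standard `HKCR\<ProgId>\shell\open\command` registry layout and must be run from an elevated prompt; per-user "Default apps" (UserChoice) overrides are not changed by it.

```powershell
# Added example: audit and change the default handler for Windows Script Host
# file types. Assumption: standard HKCR\<ProgId>\shell\open\command layout;
# per-user UserChoice overrides are not touched. Run elevated.
$wshProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile'

function Get-ScriptHandler {
    # Returns one object per ProgId with the command Explorer runs on double-click.
    foreach ($id in $wshProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id\shell\open\command"
        if (Test-Path $key) {
            [pscustomobject]@{
                ProgId  = $id
                Command = (Get-ItemProperty -Path $key).'(default)'
            }
        }
    }
}

function Set-ScriptHandlerToNotepad {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # ExpandString keeps %SystemRoot% expandable, matching the stock value type.
    $notepad = '"%SystemRoot%\System32\notepad.exe" "%1"'
    foreach ($id in $wshProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id\shell\open\command"
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($id, 'set open command to notepad')) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $notepad -Type ExpandString
        }
    }
}

# On a stock install JSFile reports: "%SystemRoot%\System32\WScript.exe" "%1" %*
Get-ScriptHandler | Format-Table -AutoSize
Set-ScriptHandlerToNotepad -WhatIf     # remove -WhatIf to apply the change
Get-ScriptHandler | Format-Table -AutoSize
```

Run it once with `-WhatIf` to see which ProgIds would be changed, then without it; re-running `Get-ScriptHandler` afterwards confirms that none of the commands still point at WScript.exe. Scripts launched deliberately with `cscript.exe` or `wscript.exe` on the command line are unaffected, so legitimate logon scripts keep working.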

Mark Lambourne – ITB Technical Consultant
