Spamvertised IRS 'Income Tax Refund Turned Down' themed emails …
- Free to Prepare, Free to Print, Free to eFile
- Easy Questions, Tailored to You
- Straightforward Guidance & Advice
- Guaranteed Accurate Calculation
- Get Your Biggest Tax Refund, Guaranteed
- Live Tax Answers
- FREE Technical Support
By Dancho Danchev
It's tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt to trick users into thinking that their income tax refund has been "turned down". Once users click on any of the links found in the malicious emails, they're automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.
More details:
Sample screenshot of the spamvertised email:
Sample compromised URLs participating in the campaign:
hxxp://www.ordinarycoder.com//wp-content/themes/trulyminimal/includes/framework/plugins/rjtra_irs.html
hxxp://troutkinglures.com/store-front/wp-content/themes/mantra/uploads/rjtra_irs.html
hxxp://www.romanfirnkranz.com//wp-content/themes/trulyminimal/includes/framework/plugins/rjtra_irs.html
hxxp://ichetblog.net/wp-content/themes/mantra/uploads/rjtra_irs.html
Sample client-side exploits serving URL:
hxxp://micropowerboating.net/detects/pending_details.php
Sample malicious payload dropping URL:
hxxp://micropowerboating.net/detects/pending_details.php?nf=1f:32:31:1l:2wee=2v:1j:1m:2v:1g:1m:1l:33:1g:2vl=1fzf=exx=w
Malicious domain name reconnaissance:
micropowerboating.net – 175.121.229.209; 198.144.191.50 – Email: dooronemars@aol.com
Name Server: NS1.POOPHANAM.NET – 31.170.106.17
Name Server: NS2.POOPHANAM.NET – 65.135.199.21
The following malicious domains also respond to the same IPs (175.121.229.209; 198.144.191.50) and are part of the campaign's infrastructure:
madcambodia.net – 175.121.229.209
micropowerboating.net – 175.121.229.209
dressaytam.net – 175.121.229.209
acctnmrxm.net – 175.121.229.209
capeinn.net – 175.121.229.209
albaperu.net – 175.121.229.209
live-satellite-view.net – 175.121.229.209
morepowetradersta.com – 198.144.191.50
asistyapipressta.com – 198.144.191.50
uminteraktifcozumler.com – 198.144.191.50
rebelldagsanet.com – 198.144.191.50
madcambodia.net – 198.144.191.50
micropowerboating.net – 198.144.191.50
acctnmrxm.net – 198.144.191.50
capeinn.net – 198.144.191.50
albaperu.net – 198.144.191.50
live-satellite-view.net – 198.144.191.50
Although the original client-side exploits serving domain used in the campaign (micropowerboating.net) was down when we attempted to reproduce the malicious payload, we managed to reproduce the malicious payload from a different domain parked at the same IP (175.121.229.209), namely, madcambodia.net.
Detection rate for the dropped malware:
madcambodia.net – 175.121.229.209 – MD5: 2da28ae0df7a90ce89c7c43878927a9f – detected by 23 out of 45 antivirus scanners as Trojan-Spy.Win32.Zbot.ivkf.
Upon execution, the sample created the following files on the affected hosts:
C:\Documents and Settings\USER\Application Data\Ydukcfuonar.exe
C:\DOCUME~1\USER~1\LOCALS~1\Temp\tmp53f9eac3.bat
Sets the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Eqini289bbd03
As well as the following Mutexes:
Global\{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Local\{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}
Global\{2E56E149-137B-30EA-0508-B06D3016937F}
Global\{2E56E149-137B-30EA-7109-B06D4417937F}
Global\{2E56E149-137B-30EA-490A-B06D7C14937F}
Global\{2E56E149-137B-30EA-610A-B06D5414937F}
Global\{2E56E149-137B-30EA-8D0A-B06DB814937F}
Global\{2E56E149-137B-30EA-990A-B06DAC14937F}
Global\{2E56E149-137B-30EA-350B-B06D0015937F}
Global\{2E56E149-137B-30EA-610B-B06D5415937F}
Global\{2E56E149-137B-30EA-B90B-B06D8C15937F}
Global\{2E56E149-137B-30EA-150C-B06D2012937F}
Global\{2E56E149-137B-30EA-4D0C-B06D7812937F}
Global\{2E56E149-137B-30EA-710C-B06D4412937F}
Global\{2E56E149-137B-30EA-B50D-B06D8013937F}
Global\{2E56E149-137B-30EA-2D0E-B06D1810937F}
Global\{2E56E149-137B-30EA-650E-B06D5010937F}
Global\{2E56E149-137B-30EA-7D08-B06D4816937F}
Global\{2E56E149-137B-30EA-050C-B06D3012937F}
Global\{2E56E149-137B-30EA-150D-B06D2013937F}
Global\{2E56E149-137B-30EA-DD0E-B06DE810937F}
Global\{2E56E149-137B-30EA-750F-B06D4011937F}
Global\{2E56E149-137B-30EA-A10B-B06D9415937F}
Once executed, the sample also phones back to the following C&C (command and control) servers:
94.68.61.135:14511
99.76.3.38:11350
We also got another MD5 phoning back to the same IP, MD5: c308f5c888fd97ae20eee1344f890bdb – detected by 14 out of 45 antivirus scanners as PWS:Win32/Zbot.gen!AL.
What's also worth noting is the fact that we've already seen one of the domains parked at the same IPs (morepowetradersta.com) as the original client-side exploits serving domain used in the campaign in the following analyses:
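As an added detection example (not part of the post above and not Webroot's code), the following script takes the indicators published here (campaign domains, the two shared hosting IPs, the C&C endpoints, the landing-page filename rjtra_irs.html shared by all compromised URLs, and both MD5s) and matches them against proxy and firewall log lines. The log lines, their format, the internal source addresses and the benign destinations are constructed for the example; only the indicators come from the post.

```python
"""Match the indicators from this post against constructed proxy/firewall logs."""
import re
from urllib.parse import urlparse

# Indicators taken from the post: domains parked on the campaign's two IPs.
MALICIOUS_DOMAINS = {
    "micropowerboating.net", "madcambodia.net", "dressaytam.net", "acctnmrxm.net",
    "capeinn.net", "albaperu.net", "live-satellite-view.net", "morepowetradersta.com",
    "asistyapipressta.com", "uminteraktifcozumler.com", "rebelldagsanet.com",
}
MALICIOUS_IPS = {"175.121.229.209", "198.144.191.50"}
# C&C servers the dropped Zbot sample phones back to (from the post).
C2_ENDPOINTS = {("94.68.61.135", 14511), ("99.76.3.38", 11350)}
# MD5s of the two samples reported in the post.
MALICIOUS_MD5S = {"2da28ae0df7a90ce89c7c43878927a9f", "c308f5c888fd97ae20eee1344f890bdb"}
# Filename used on every compromised WordPress site listed in the post; it is a
# better pivot than the compromised hostnames, which are legitimate sites.
LANDING_PAGE = "rjtra_irs.html"

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
PROXY_LOG = """\
2013-02-11T09:12:01Z 10.0.0.14 GET http://www.example.org/index.html 200
2013-02-11T09:12:40Z 10.0.0.14 GET http://troutkinglures.com/store-front/wp-content/themes/mantra/uploads/rjtra_irs.html 200
2013-02-11T09:12:43Z 10.0.0.14 GET http://micropowerboating.net/detects/pending_details.php 200
2013-02-11T09:13:05Z 10.0.0.22 GET http://madcambodia.net/detects/pending_details.php?nf=1 200
"""

# Constructed sample firewall log: "<timestamp> <src> -> <dst>:<port> <proto>".
FIREWALL_LOG = """\
2013-02-11T09:14:10Z 10.0.0.14 -> 94.68.61.135:14511 TCP
2013-02-11T09:14:11Z 10.0.0.14 -> 192.0.2.10:443 TCP
2013-02-11T09:15:30Z 10.0.0.22 -> 99.76.3.38:11350 TCP
2013-02-11T09:16:02Z 10.0.0.31 -> 198.144.191.50:80 TCP
"""

FW_RE = re.compile(r"^(\S+) (\S+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+)$")


def scan_proxy_log(text):
    """Return one hit per proxy line whose host, IP or path matches an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the scan
        src, url = parts[1], parts[3]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if host in MALICIOUS_DOMAINS:
            reasons.append(f"campaign domain {host}")
        if host in MALICIOUS_IPS:
            reasons.append(f"campaign IP {host}")
        if parsed.path.endswith("/" + LANDING_PAGE):
            reasons.append(f"campaign landing page {LANDING_PAGE}")
        if reasons:
            hits.append({"src": src, "url": url, "reasons": reasons})
    return hits


def scan_firewall_log(text):
    """Return one hit per connection to a C&C endpoint or a campaign IP."""
    hits = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        _, src, dst, port, _ = m.groups()
        reasons = []
        if (dst, int(port)) in C2_ENDPOINTS:
            reasons.append(f"C2 endpoint {dst}:{port}")
        if dst in MALICIOUS_IPS:
            reasons.append(f"campaign IP {dst}")
        if reasons:
            hits.append({"src": src, "dst": f"{dst}:{port}", "reasons": reasons})
    return hits


def is_known_sample(md5_hex):
    """True if the (case-insensitive) MD5 is one of the two samples in the post."""
    return md5_hex.strip().lower() in MALICIOUS_MD5S


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG) + scan_firewall_log(FIREWALL_LOG):
        print(hit)
    print("known sample:", is_known_sample("2DA28AE0DF7A90CE89C7C43878927A9F"))
```

The proxy matcher flags the compromised landing page by filename rather than by the compromised site's hostname, so a legitimate WordPress site that is cleaned up later does not stay on a blocklist, while the firewall matcher keys on the exact IP:port pairs for the C&C servers and on the two hosting IPs shared by the whole domain cluster.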
- Fake ‘FedEx Online Billing – Invoice Prepared to be Paid’ themed emails lead to Black Hole Exploit Kit
- Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and malware
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

