Spamvertised IRS 'Income Tax Refund Turned Down' themed emails


By Dancho Danchev

It's tax season, and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt to trick users into thinking that their income tax refund has been "turned down". Once users click on any of the links found in the malicious emails, they're automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

[screenshot: IRS "Income Tax Appeal" spam email leading to the Black Hole Exploit Kit]

Sample compromised URLs participating in the campaign:
hxxp://www.ordinarycoder.com//wp-content/themes/trulyminimal/includes/framework/plugins/rjtra_irs.html
hxxp://troutkinglures.com/store-front/wp-content/themes/mantra/uploads/rjtra_irs.html
hxxp://www.romanfirnkranz.com//wp-content/themes/trulyminimal/includes/framework/plugins/rjtra_irs.html
hxxp://ichetblog.net/wp-content/themes/mantra/uploads/rjtra_irs.html

Sample client-side exploits serving URL:
hxxp://micropowerboating.net/detects/pending_details.php

Sample malicious payload dropping URL:
hxxp://micropowerboating.net/detects/pending_details.php?nf=1f:32:31:1l:2wee=2v:1j:1m:2v:1g:1m:1l:33:1g:2vl=1fzf=exx=w

Malicious domain name reconnaissance:
micropowerboating.net – 175.121.229.209; 198.144.191.50 – Email: dooronemars@aol.com
Name Server: NS1.POOPHANAM.NET – 31.170.106.17
Name Server: NS2.POOPHANAM.NET – 65.135.199.21

The following malicious domains also respond to the same IPs (175.121.229.209; 198.144.191.50) and are part of the campaign's infrastructure:

Although the original client-side exploits serving domain used in the campaign (micropowerboating.net) was down when we attempted to reproduce the malicious payload, we managed to reproduce the malicious payload for a different domain parked at the same IP (175.121.229.209), namely, madcambodia.net.
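The two defensive moves in this analysis are matching the campaign's URL chain (compromised WordPress redirector, exploit-kit landing page, payload request) and pivoting from the serving IPs to co-hosted domains. The following Python is an added example, not code from the original post or from Webroot: the domains, IPs and paths are the ones listed above, while the passive-DNS records and proxy log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the analysis above (the post defangs them as hxxp://).
CAMPAIGN_IPS = {"175.121.229.209", "198.144.191.50"}
LANDING_PATH = re.compile(r"/rjtra_irs\.html$")               # redirector on compromised WordPress sites
EXPLOIT_PATH = re.compile(r"^/detects/pending_details\.php$")  # Black Hole landing / payload URL
# Constructed passive-DNS style records (domain, resolved IP): the three malicious
# domains and both IPs are from the post, example.org is a benign control.
PDNS_RECORDS = [
    ("micropowerboating.net", "175.121.229.209"),
    ("madcambodia.net", "175.121.229.209"),
    ("morepowetradersta.com", "198.144.191.50"),
    ("example.org", "192.0.2.10"),
]

# Constructed proxy log, one request per line: "<client_ip> <method> <url> <status>".
PROXY_LOG = """\
10.0.0.5 GET http://www.ordinarycoder.com//wp-content/themes/trulyminimal/includes/framework/plugins/rjtra_irs.html 200
10.0.0.5 GET http://micropowerboating.net/detects/pending_details.php 200
10.0.0.5 GET http://micropowerboating.net/detects/pending_details.php?nf=1f:32:31:1l 200
10.0.0.7 GET http://madcambodia.net/some/other/path.php 200
10.0.0.9 GET http://example.org/ 200
"""

def pivot_domains(records, ips):
    """IP pivot: any domain resolving to a campaign IP is treated as campaign infrastructure."""
    return sorted({domain for domain, ip in records if ip in ips})

def classify_url(url, suspect_domains):
    """Map one URL to the stage of the infection chain it matches, or None."""
    parts = urlsplit(url)
    if EXPLOIT_PATH.search(parts.path):
        # The payload-dropping URL in the post carries a query string; the bare landing URL does not.
        return "payload" if parts.query else "exploit_kit"
    if LANDING_PATH.search(parts.path):
        return "compromised_redirector"
    if (parts.hostname or "").lower() in suspect_domains:
        return "campaign_infrastructure"  # caught by the IP pivot even with an unknown path
    return None

def scan_proxy_log(log_text, suspect_domains):
    """Return {client_ip: [stage, ...]} for every client that touched the chain, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        client, _method, url, _status = line.split()
        stage = classify_url(url, suspect_domains)
        if stage:
            hits[client].append(stage)
    return dict(hits)
```

Client 10.0.0.5 shows the full redirector, landing, payload sequence, while 10.0.0.7 is flagged only because madcambodia.net shares an IP with the original serving domain.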

Detection rate for the dropped malware:
madcambodia.net – 175.121.229.209 – MD5: 2da28ae0df7a90ce89c7c43878927a9f – detected by 23 out of 45 antivirus scanners as Trojan-Spy.Win32.Zbot.ivkf.

Upon execution, the sample creates the following files on the affected hosts:
C:\Documents and Settings\USER\Application Data\Ydukcfuonar.exe
C:\DOCUME~1\USER~1\LOCALS~1\Temp\tmp53f9eac3.bat

It sets the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Eqini289bbd03

As well as the following mutexes:

Once executed, the sample also phones back to the following C&C (command and control) servers:
94.68.61.135:14511
99.76.3.38:11350

We also obtained another MD5 phoning back to the same IP, MD5: c308f5c888fd97ae20eee1344f890bdb – detected by 14 out of 45 antivirus scanners as PWS:Win32/Zbot.gen!AL.

What's also worth noting is the fact that we've already seen one of the domains parked at the same IPs (morepowetradersta.com) as the original client-side exploits serving domain used in the campaign in the following analyses:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

February 15th, 2013 at 6:45 pm