Sponsored by..

Friday 23 January 2015

Malware spam: "2014 Tax payment issue" / "Your tax return was incorrectly filled out"

This tax-themed spam has a malicious Word document attached. It appears to come in several variants, for example:

From:    Quinton
Date:    23 January 2015 at 08:18
Subject:    2014 Tax payment issue

According to your tax payments for 2014 year period we found that you gave a wrong legal address in your last tax payment. In order to avoid penalty fees on your tax dues we ask you to contact our specialist having checked the previous payment in advance (the DOC invoice attached below).

Regards
Quinton
Tax Inspector

-----------------

From:    Tara Morris
Date:    23 January 2015 at 09:28
Subject:    Your tax return was incorrectly filled out

Attention: Accountant

This is to inform you that your legal address was filled incorrectly while completing the last tax form application for 2014 year.
In order to avoid penalty fees during the next tax period please contact our expert as soon as you check the payment details (the DOC invoice attached below).
Attached is a Word document with a random name, but always starting with "TAX_". Examples include:

TAX_42592OE.doc
TAX_381694AI.doc
TAX_59582FZ.doc

There are two different variants of this Word document that I have seen so far, neither are detected by AV vendors [1] [2] containing one of two malicious macros [1] [2] that download a file 20.exe from the following URLs:

http://37.139.47.221:8080/koh/mui.php
http://95.163.121.82:8080/koh/mui.php


This file is then saved to %TEMP%\GYHjksdf.exe and has a low detection rate of 2/56 (Norman AV identifies it as Dridex). The Malwr analysis is inconclusive, other analysis is pending.


1 comment:

AnthonyG said...

I got this one this morning. It reads like something from the 1990s with its "tax period" and "wrong legal address" and ending with that charming "regards".

I suppose the guys who write the complex macros in the attachments don't have the time to spend on the email itself.