Sponsored by..

Tuesday 13 January 2015

Malware spam: "john.smith@mail-irs.gov" / "Your tax return was incorrectly filled out"

This fake tax return spam leads to malware:

From: John Smith [mailto:john.smith@mail-irs.gov]
Sent: 13 January 2015 11:13
Subject: Your tax return was incorrectly filled out


Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883) .
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
Yours sincerely
The link in the email has a format such as:
http://marypageevans.com/taxadmin/get_doc.html
http://laser-support.co.uk/taxadmin/get_doc.html

A journey through some heavily obfuscated javascript follows (see here for a deeper analysis of this sort of attack) which eventually leads to a download called message.zip which contains a malicious executable tax_guide_pdf.exe which changes slightly every time it is downloaded. Incidentally, there seems to be a download limit of about 6 times, after which nonsense text is displayed instead.

The .exe file has a VirusTotal detection rate of just 2/57 and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:

http://202.153.35.133:19639/1301us23/HOME/0/51-SP3/0/
http://202.153.35.133:19639/1301us23/HOME/1/0/0/
http://dstkom.com/mandoc/lit23.pdf
http://202.153.35.133:19657/1301us23/HOME/41/7/4/

It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57. Fake IRS spam is quite common, if you don't deal with the IRS then blocking mail-irs.gov on your email gateway might help.

No comments: