Sponsored by..

Friday, 6 March 2015

Malware spam: "Your 2015 Electronic IP Pin!" / "Internal Revenue Service [refund.noreply@irs.gov]"

This fake IRS email comes with a malicious attachment.

From:    Internal Revenue Service [refund.noreply@irs.gov]
Date:    6 March 2015 at 08:48
Subject:    Your 2015 Electronic IP Pin!

Dear Member

This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.

Please kindly download the microsoft file to securely review it.


Internal Revenue Service
915 Second Avenue, MS W180

So far I have only seen a single sample of this with an attachment TaxReport(IP_PIN).doc - although there are usually several different versions. Currently this is undetected by AV vendors. This contains a malicious macro [pastebin] which downloads a component from the following location:


There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55. Automated analysis tools [1] [2] show attempted connections to: (MWTV, Latvia) (Digital Networks CJSC aka DINETHOSTING, Russia) (Net3, US) (OneGbits, Lithunia)

According to the Malwr report this executable drops another version of itself [VT 1/56] and a malicious DLL [VT 2/56].

Recommended blocklist:

No comments: