Tuesday, 21 April 2015

Malware spam: "Australian Taxation Office - Refund Notification" / "Australian Taxation Office [noreply@ato.gov.au]"

G'day mate. Despite not being an Aussie and never having paid a single Australian cent in tax, apparently I'm due a tax refund from the Australian Tax Office. Bonzer!

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    21 April 2015 at 21:36
Subject:    Australian Taxation Office - Refund Notification


Australian Taxation Office - 22/04/2015

After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 218.21 AUD.

To view/download your tax notification please click here or follow the link below :

Brett Newman, Tax Refund Department Australian Taxation Office 

Although the link text appears to show a gov.au address, the underlying URL actually points to a download from i.nfil.es: a ZIP file named report2104.zip, which in turn contains the malicious executable report2104.exe.
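The two tricks described above, a link whose visible text shows one host while its href points at another, and an executable wrapped in a ZIP so it slips past naive attachment filters, are easy to check for mechanically. The script below is an added example and is not code from this blog; the e-mail is a constructed sample modelled on the lure quoted above, the URL path under i.nfil.es is hypothetical (the post names only the host and the filename), and the ZIP is built in memory around a fake MZ stub rather than the real payload.

```python
import io
import re
import zipfile
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the ATO lure. The href path "/dl/report2104.zip"
# is an assumption; only the host i.nfil.es and the filename come from the post.
SAMPLE_EMAIL = """\
From: Australian Taxation Office <noreply@ato.gov.au>
To: victim@example.com
Subject: Australian Taxation Office - Refund Notification
Content-Type: text/html; charset="utf-8"

<html><body>
<p>After the last calculation of your fiscal activity we have determined
that you are eligible to receive a refund of 218.21 AUD.</p>
<p>To view/download your tax notification please
<a href="http://i.nfil.es/dl/report2104.zip">click here</a> or follow the link below :</p>
<p><a href="http://i.nfil.es/dl/report2104.zip">https://www.ato.gov.au/refund/notification</a></p>
<p>Brett Newman, Tax Refund Department Australian Taxation Office</p>
</body></html>
"""

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.example.com/x' text is handled too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def host_mismatch(href, text):
    """True when the link text looks like a URL or hostname but names a different host than href."""
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
        return False  # plain words such as "click here" cannot mislead about the host
    return host_of(text) != host_of(href)


def html_body(raw_email):
    """First text/html part of the message, decoded to str."""
    msg = message_from_string(raw_email)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset)
    return ""


def scan_email(raw_email):
    """Findings: links whose display text lies about the host, and links to archives/executables."""
    findings = {"host_mismatch": [], "download_link": []}
    for href, text in extract_links(html_body(raw_email)):
        if host_mismatch(href, text):
            findings["host_mismatch"].append((text, href))
        if urlparse(href).path.lower().endswith(ARCHIVE_EXTENSIONS + EXECUTABLE_EXTENSIONS):
            findings["download_link"].append(href)
    return findings


def executable_members(zip_bytes):
    """Names of ZIP members that are executables, by extension or by the MZ header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(2)
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS) or head == b"MZ":
                hits.append(info.filename)
    return hits


def build_sample_zip():
    """Constructed stand-in for report2104.zip: a fake 64-byte MZ stub, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report2104.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_email(SAMPLE_EMAIL))
    print(executable_members(build_sample_zip()))
```

Run against the sample, the scan flags the second anchor (gov.au text, i.nfil.es href) and both links to the .zip, and the ZIP check reports report2104.exe. In a mail gateway the same two checks would be applied to the fetched archive and to every anchor in the message, not just the ones the user happens to hover over.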

At the time of writing this malware has a reasonable detection rate of 23/57 on VirusTotal. Of the various automated analysis tools I tried, only the Payload Security Hybrid Analysis engine gave a useful result: it shows the sample connecting to relianceproducts.com (a legitimate but hacked site) and downloading several versions of the same .EXE, which this VirusTotal report identifies as the Dyre banking trojan. The same VirusTotal report also lists a number of C&C servers that you might want to block:
