Sponsored by..

Monday 22 June 2015

Malware spam: "Tax inspection notification" / "tax_663-20845-0479-435.zip size=18288.zipsize=18288"

This fake tax notification comes with a malicious payload.

Date:    22 June 2015 at 19:10
Subject:    Tax inspection notification

Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check  as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor

Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57.

This Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:

http://93.93.194.202:13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK

That IP address is the same as seen in this attack earlier today and it belongs to Orion Telekom in Serbia. This VirusTotal report also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report also shows traffic to 37.57.144.177 (Triolan, Ukraine).

Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57] and sveezback.exe [VT 15/57]. The dropped payload will be the Dyre banking trojan.

Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177

MD5s:
394c56133b323ce3bf038cfc7a00562a
4e9fec8e532664672bd3a022f4f0b4ec
14b8a0f6a9258f9e73f63a4269641ca0


No comments: