Sponsored by..

Monday, 22 June 2015

Malware spam: "Tax inspection notification" / "tax_663-20845-0479-435.zip size=18288.zipsize=18288"

This fake tax notification comes with a malicious payload.

Date:    22 June 2015 at 19:10
Subject:    Tax inspection notification

Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check  as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor

Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57.

This Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:

That IP address is the same as seen in this attack earlier today and it belongs to Orion Telekom in Serbia. This VirusTotal report also shows traffic to (Optical Systems LLC, Ukraine), and this Hybrid Analysis report also shows traffic to (Triolan, Ukraine).

Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57] and sveezback.exe [VT 15/57]. The dropped payload will be the Dyre banking trojan.

Recommended blocklist:


No comments: