From: John Smith [mailto:john.smith@mail-irs.gov]
Sent: 13 January 2015 11:13
Subject: Your tax return was incorrectly filled out
Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883).
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
Yours sincerely

The link in the email has a format such as:
http://marypageevans.com/taxadmin/get_doc.html
http://laser-support.co.uk/taxadmin/get_doc.html
A journey through some heavily obfuscated JavaScript follows (see here for a deeper analysis of this sort of attack), which eventually leads to a download called message.zip. The archive contains a malicious executable, tax_guide_pdf.exe, which changes slightly every time it is downloaded. Incidentally, there seems to be a download limit of about 6 times, after which nonsense text is displayed instead.
The .exe file has a VirusTotal detection rate of just 2/57 and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:
http://202.153.35.133:19639/1301us23/HOME/0/51-SP3/0/
http://202.153.35.133:19639/1301us23/HOME/1/0/0/
http://dstkom.com/mandoc/lit23.pdf
http://202.153.35.133:19657/1301us23/HOME/41/7/4/
It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57. Fake IRS spam is quite common; if you don't deal with the IRS, blocking mail-irs.gov on your email gateway might help.
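As an added illustration of the gateway check suggested above (not part of the original post), the following Python flags a message that either comes from the spoofed sender domain, comes from any look-alike of irs.gov, or links to the /taxadmin/get_doc.html landing page used by this campaign. The sample message is constructed here to mirror the one quoted above, with a placeholder host instead of the real compromised sites.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the post: the spoofed sender domain and the
# landing-page path shared by both links. Extend the set for your own gateway.
SPOOFED_SENDER_DOMAINS = {"mail-irs.gov"}
LANDING_PATH = "/taxadmin/get_doc.html"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def lookalike_of(domain, legit="irs.gov"):
    """True for 'mail-irs.gov' style look-alikes: the name ends with the
    legitimate domain but is neither that domain nor one of its subdomains."""
    domain = domain.lower()
    return (domain.endswith(legit) and domain != legit
            and not domain.endswith("." + legit))

def flag_message(raw):
    """Return the list of reasons a raw RFC 822 message matches this campaign
    (an empty list means no match)."""
    msg = message_from_string(raw)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in SPOOFED_SENDER_DOMAINS:
        reasons.append(f"sender domain on blocklist: {sender_domain}")
    elif lookalike_of(sender_domain):
        reasons.append(f"sender domain looks like irs.gov: {sender_domain}")
    # Scan every text part for links pointing at the known landing page.
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        text = part.get_payload(decode=True).decode("utf-8", errors="replace")
        for url in URL_RE.findall(text):
            if urlparse(url).path == LANDING_PATH:
                reasons.append(f"link to known landing page: {url}")
    return reasons

# Constructed sample modelled on the spam quoted in the post; the host is a
# placeholder, not one of the real compromised sites.
SAMPLE = """From: John Smith <john.smith@mail-irs.gov>
Subject: Your tax return was incorrectly filled out
Content-Type: text/plain

Attention: Owner/ Manager
Please follow the advice of our tax specialists here:
http://compromised-site.invalid/taxadmin/get_doc.html
"""

if __name__ == "__main__":
    for reason in flag_message(SAMPLE):
        print("FLAG:", reason)
```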