Sponsored by..

Wednesday 1 April 2015

Malware spam: "Australian Taxation Office - Refund Notification"

This fake tax notification spam leads to malware hosted on Cubby.

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    1 April 2015 at 00:51
Subject:    Australian Taxation Office - Refund Notification


Australian Taxation Office - 31/03/2015

After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.

To view/download your tax notification please click here or follow the link below :

Laurence Thayer, Tax Refund Department Australian Taxation Office
The names and the numbers change from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent.com (e.g. https://www.cubbyusercontent.com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download.

In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57.

Automated analysis tools [1] [2] [3] [4] [5] show that it downloads components from:


It then attempts to phone home to:

That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip.dyndns.org. Although this is benign, monitoring for it can be a good indicator of infection.

These URL requests are typical of the Upatre downloader.

According to the Malwr report  it drops another binary jydemnr66.exe with a detection rate of 11/55 plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.

Recommended blocklist:

No comments: