Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware


Cybercriminals are currently spamvertising IRS (Internal Revenue Service) themed emails, enticing end users and corporate users into downloading and viewing a malicious .htm attachment.

More details:

Spamvertised subject: Your tax return appeal is declined

Spamvertised message: Dear Chief Account Officer, Hereby you are notified that your Income Tax Refund Appeal id#9056219 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Malicious attachment: IRS_H11832502.htm

Malicious iFrame URL found in the attachment: hxxp://dporooppasoodajhsjs.ru:8080/images/aublbzdni.php

Upon downloading and viewing the malicious attachment, an iFrame tag attempts to load the URL above, which ultimately serves client-side exploits such as the Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188) and the Trusted method chaining remote code execution in Java (CVE-2010-0840).
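The attachment in this campaign is a small .htm file whose only real job is to load a remote PHP endpoint inside a hidden iframe. The following added example, which is not Webroot's or the author's code, shows how a defender can triage such an attachment offline: it parses the HTML, collects every iframe, and reports the indicators that matter here (content loaded from a remote host, a non-standard port, a server-side script endpoint, and a frame sized or styled so the reader never sees it). The sample attachment and the benign document are constructed; the iframe URL is the defanged one quoted in the post, and the "hxxp" refanging helper is an assumption about how the IoC was stored.

```python
"""Scan an HTML e-mail attachment for iframes that pull content from a remote host.

Added example (not Webroot's or the author's code). It models the attachment
described in the post: an .htm file whose real purpose is to load a remote PHP
endpoint inside an iframe. The sample documents below are constructed; the
iframe URL is the defanged one quoted in the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample attachment. Real lures often add a plausible decoy body.
SAMPLE_ATTACHMENT = """<html><body>
<h1>IRS Appeal Rejection Details</h1>
<p>Please wait while the document loads...</p>
<iframe src="hxxp://dporooppasoodajhsjs.ru:8080/images/aublbzdni.php"
        width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Constructed benign document for comparison.
BENIGN_ATTACHMENT = "<html><body><p>Quarterly statement attached.</p></body></html>"


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # html.parser already lower-cases tag names
            self.iframes.append({k: (v or "") for k, v in attrs})


def refang(url):
    """Turn a defanged IoC ('hxxp://') back into a parseable URL (assumed convention)."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def _dimension(value):
    """Parse a width/height attribute ('1', '1px', '100%') to an int, or None."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the frame is sized or styled so the reader would not see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def assess_iframe(attrs):
    """Return the indicators that make one iframe suspicious (empty list if none)."""
    reasons = []
    src = attrs.get("src", "")
    parts = urlsplit(refang(src))
    if parts.scheme in ("http", "https") and parts.hostname:
        reasons.append("loads content from a remote host")
        if parts.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parts.port}")
        if parts.path.lower().endswith(".php"):
            reasons.append("targets a server-side script endpoint")
    if is_hidden(attrs):
        reasons.append("frame is hidden from the reader")
    return {"src": src, "host": parts.hostname, "reasons": reasons}


def scan_attachment(html):
    """Return an assessment for every iframe that carries at least one indicator."""
    collector = IframeCollector()
    collector.feed(html)
    findings = [assess_iframe(a) for a in collector.iframes]
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for finding in scan_attachment(SAMPLE_ATTACHMENT):
        print(f"{finding['host']}: " + "; ".join(finding["reasons"]))
```

Run against the constructed sample, the scanner reports the single iframe with all four indicators; the benign document yields nothing. In a mail gateway or sandbox pipeline the same logic can feed a verdict or a detection rule, and the extracted host can be checked against the campaign's infrastructure list.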

The malicious file attachment (MD5: e1f40f7ca35b35692c4762ed26cc1a61) is currently detected by 4 out of 43 antivirus scanners as JS/Agent.PX.gen; JS/Kryptik.SA!tr; Mal/Iframe-AE.

Upon successful client-side exploitation, the campaign drops a binary (MD5: 972c89c5114fae66595e5d3e3817e746), detected by 32 out of 42 antivirus scanners as Worm:Win32/Cridex.B, from hxxp://xsopiisvvajushgd.ru:8080/images/jw.php?i=8.

It then phones back to hxxp://usepaxvulfdtnwiwwk.ru:8080/rwx/B1_3n9/in/ (178.162.154.214) and hxxp://nolwzyzsqkhjkqhomc.ru:8080/rwx/B1_3n9/in/ (88.190.22.72).

What’s particularly interesting about this campaign is that the malicious iFrame is hosted within a fast-flux botnet, and is therefore currently responding to multiple IPs, in an attempt by cybercriminals to make it harder for security researchers to take it down.

End users are advised to ensure that they’re not running outdated versions of their third-party software and browser plugins, as well as to avoid interacting with the malicious emails.

Webroot’s security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
