March 22, 2012Dancho Danchev By Dancho Danchev

Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware

Cybercriminals are currently spamvertising with IRS (Internal Revenue Service) themed emails, enticing end and corporate users into downloading and viewing a malicious .htm attachment.

More details:

Spamvertised subject: Your tax return appeal is declined

Spamvertised message: Dear Chief Account Officer, Hereby you are notified that your Income Tax Refund Appeal id#9056219 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit yo ur appeal by using the instructions in the attachment.

Malicious attachment: IRS_H11832502.htm

Malicious iFrame URL found in the attachment:  hxxp://

Upon downloading and viewing the malicious attachment, an iFrame tag attempts to load, ultimately serving client-side exploits such as the Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188), and  Trusted method chaining remote code execution (CVE-2010-0840).

The malicious file attachment is currently detected as JS/Agent.PX.gen; JS/Kryptik.SA!tr; Mal/Iframe-AE, MD5: e1f40f7ca35b35692c4762ed26cc1a61 – by 4 out of 43 antivirus scanners.

Upon successful client-side exploitation, the campaign drops MD5: 972c89c5114fae66595e5d3e3817e746 – detected by 32 out of 42 antivirus scanners as Worm:Win32/Cridex.B from hxxp://

It then phones back to hxxp:// ( and hxxp:// (

What’s particularly interesting about this campaign is that the malicious iFrame is hosted within a fast-flux botnet, and is therefore currently responding to multiple IPs, in an attempt by cybercriminals to make it harder for security researchers to take it down.

End users are advised to ensure that they’re not running outdated versions of their third-party software and browser plugins, as well as to avoid interacting with the malicious emails.

Webroot’s security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button