‘Batch Payment File Declined’ EFTPS themed emails lead to Black Hole Exploit Kit

by Dancho Danchev


Cybercriminals are currently mass mailing tens of thousands of emails impersonating the EFTPS (Electronic Federal Tax Payment System), in an attempt to trick its users into clicking on links in the emails that lead to client-side exploits and, ultimately, malware.

More details:

Sample screenshot of the spamvertised email:


Sample landing-page URLs on compromised sites used in the campaign (note the constant eftpssignin.html filename, dropped either into wp-admin/ or into a randomly named wp-content/plugins/ directory):
hxxp://metalcalhas.com/wp-content/plugins/zhemkaoooeo/eftpssignin.html
hxxp://mypaysrochois.com/wp-admin/eftpssignin.html
hxxp://stockidentify.com/wp-content/plugins/zhqoovdcsak/eftpssignin.html
hxxp://leztroy-restauration.com/wp-admin/eftpssignin.html
hxxp://enersol74.fr/wp-admin/eftpssignin.html
hxxp://oneummahcoaching.com/wp-content/plugins/zuayeuetvej/eftpssignin.html
hxxp://programme-de-piquage.com/images/eftpssignin.html
hxxp://menuiserieducrettet.fr/wp-admin/eftpssignin.html
hxxp://jurisdictionthemovie.com/wp-content/plugins/zeotyjoeuek/eftpssignin.html
hxxp://eqi74.com/site/eftpssignin.html
hxxp://lesrandonneesauchalet.com/img/eftpssignin.html
hxxp://lavoixdubio.com/wp-admin/eftpssignin.html
hxxp://order-protandim.com/wp-content/plugins/zeleaqonybg/eftpssignin.html

Sample URLs serving the client-side exploits:
hxxp://linuxreal.net/detects/eftps-gov.php
hxxp://foxpoolfrance.net/detects/eftps-gov.php

Sample payload-dropping URL (the same exploit-kit path, with the kit's query string appended):
hxxp://foxpoolfrance.net/detects/eftps-gov.php?rf=1g:1m:1k:1f:1n&ae=1f:2w:33:1f:1h:32:1m:1h:1m:32&b=1f&wi=d&jl=x

Upon successful client-side exploitation, the campaign drops MD5: d35a52d639468c2c4c857e6629b3f6f0, detected by 25 out of 46 antivirus scanners as Worm:Win32/Cridex.E.

Once executed, the sample phones back to the following command and control servers, all on TCP port 8080:
109.230.229.250:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA
163.23.107.65:8080
174.142.68.239:8080
81.93.250.157:8080
180.235.150.72:8080
109.230.229.70:8080
95.142.167.193:8080
217.65.100.41:8080
188.120.226.30:8080
193.68.82.68:8080
203.217.147.52:8080
210.56.23.100:8080
221.143.48.6:8080
182.237.17.180:8080
59.90.221.6:8080
64.76.19.236:8080
69.64.89.82:8080
173.201.177.77:8080
78.28.120.32:8080
174.120.86.115:8080
74.207.237.170:8080
77.58.193.43:8080
94.20.30.91:8080
84.22.100.108:8080
87.229.26.138:8080
97.74.113.229:8080
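The indicators above map cleanly onto the campaign's stages (lure landing page on a compromised site, exploit kit, payload drop, C&C beacon), which is what a responder wants to hunt for in proxy or firewall logs. The following Python script is an added example, not code from the original post or from Webroot: it embeds the post's URLs and C&C addresses, classifies each logged URL into a stage, and separates clients that are confirmed infected (fetched the payload or beaconed to a C&C on 8080) from clients that only touched the landing page. The log format and the log lines are constructed for the example; the hosts and IPs are the ones listed in the post.

```python
"""Hunt a proxy/firewall log for the EFTPS-themed Black Hole campaign indicators."""
import re
from urllib.parse import urlsplit

# Indicators copied from the campaign write-up (defanged hxxp:// in the post).
# The landing-page filename is the constant across every compromised host,
# so it is matched on path alone; the exploit-kit path is matched per host.
LANDING_PATH = re.compile(r"/eftpssignin\.html$", re.IGNORECASE)
EXPLOIT_PATH = re.compile(r"/detects/eftps-gov\.php$", re.IGNORECASE)
EXPLOIT_HOSTS = {"linuxreal.net", "foxpoolfrance.net"}
C2_PORT = 8080
C2_SERVERS = {
    "109.230.229.250", "163.23.107.65", "174.142.68.239", "81.93.250.157",
    "180.235.150.72", "109.230.229.70", "95.142.167.193", "217.65.100.41",
    "188.120.226.30", "193.68.82.68", "203.217.147.52", "210.56.23.100",
    "221.143.48.6", "182.237.17.180", "59.90.221.6", "64.76.19.236",
    "69.64.89.82", "173.201.177.77", "78.28.120.32", "174.120.86.115",
    "74.207.237.170", "77.58.193.43", "94.20.30.91", "84.22.100.108",
    "87.229.26.138", "97.74.113.229",
}


def refang(url):
    """Turn the post's defanged hxxp:// notation back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def classify_url(url):
    """Map one URL to a campaign stage, or None if it is not an indicator.

    Stages follow the post's own breakdown: compromised landing page ->
    exploit kit -> payload drop (same path, with the query string) ->
    C&C beacon on tcp/8080. A listed C&C IP on any other port is not flagged.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if LANDING_PATH.search(parts.path):
        return "landing_page"
    if host in EXPLOIT_HOSTS and EXPLOIT_PATH.search(parts.path):
        return "payload_drop" if parts.query else "exploit_kit"
    if host in C2_SERVERS and (parts.port or 80) == C2_PORT:
        return "c2_beacon"
    return None


# Constructed proxy-log excerpt in a minimal "<time> <client> <method> <url>" form
# (hypothetical internal clients; the URLs are the post's indicators).
SAMPLE_LOG = """\
10:31:02 10.0.0.15 GET http://metalcalhas.com/wp-content/plugins/zhemkaoooeo/eftpssignin.html
10:31:03 10.0.0.15 GET http://linuxreal.net/detects/eftps-gov.php
10:31:09 10.0.0.15 GET http://foxpoolfrance.net/detects/eftps-gov.php?rf=1g:1m:1k:1f:1n&ae=1f:2w:33:1f:1h:32:1m:1h:1m:32&b=1f&wi=d&jl=x
10:31:40 10.0.0.15 POST http://109.230.229.250:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA
10:32:11 10.0.0.22 GET http://lavoixdubio.com/wp-admin/eftpssignin.html
10:32:12 10.0.0.22 GET http://example.com/index.html
"""


def scan_log(text):
    """Return (client, stage, url) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or empty lines
        client, url = fields[1], fields[3]
        stage = classify_url(url)
        if stage:
            hits.append((client, stage, url))
    return hits


def triage(hits):
    """Split clients into confirmed infections (payload fetched or C&C beacon
    seen) and clients that only reached the lure/exploit stage."""
    confirmed, exposed = set(), set()
    for client, stage, _ in hits:
        if stage in ("c2_beacon", "payload_drop"):
            confirmed.add(client)
        else:
            exposed.add(client)
    return confirmed, exposed - confirmed


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for client, stage, url in hits:
        print(f"{client:12} {stage:13} {url}")
    confirmed, exposed = triage(hits)
    print("confirmed infected:", sorted(confirmed))
    print("exposed only:", sorted(exposed))
```

Two design points: the landing-page filename is matched on any host because the post shows it scattered across unrelated compromised sites, so host allow-lists would miss the next one; and a C&C IP is only flagged together with port 8080, since several of these addresses are ordinary shared hosting where unrelated traffic on 80/443 would otherwise drown the alert.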

We’ve already seen the same pseudo-random C&C characters used in the following previously profiled malicious campaigns:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.