Remember the IRS (Internal Revenue Service) themed malicious campaign profiled at Webroot’s Threat Blog earlier this month?

Over the past 24 hours, the cybercriminals behind the campaign resumed mass mailing of the same IRS email template, exposing millions of users to the threats posed by the social engineering driven campaign.

More details:

Sample screenshot of the spamvertised email:

Upon clicking on the link, users are exposed to the following bogus “Page loading…” page:

Spamvertised malicious URLs hosted on compromised hosts:
hxxp://feterouge.info/wp-content/plugins/rejrev.html
hxxp://jasnoiglasno.com/wp-content/plugins/zooexojfeix/intrev.html
hxxp://businesspromotesolutions.com/admin/irser.html
hxxp://www.aquitato.net/v3/wp-content/plugins/zvncekcolnx/revnse.html
hxxp://atdcindia.com/COFFEE/revnse.html
hxxp://xerby.com/irsrev.html
hxxp://myoushinji.com/irsrev.html
hxxp://room-4-dessert.com/heb/wp-content/plugins/zeoebikeoou/irser.html
hxxp://evrootdelka.tom.ru/txpo.html
hxxp://wholefoodmall.9138.8008202191.com/txpo.html

Detection rate for a sample JavaScript redirection: MD5: 8c5ee1902b4429ce303530f37115854a – detected by 1 out of 41 antivirus scanners as Mal/Iframe-W

Sample exploit-serving landing URLs:
hxxp://immigrationunix.pro/main.php?page=28677a727aff0456
hxxp://bikeslam.net/main.php?page=8b89c7278770dfd7
hxxp://market-panel.net/main.php?page=8b89c7278770dfd7
hxxp://steampoweredprobability.pro/main.php?page=e55871a71c789475
hxxp://wireframeglee.info/main.php?page=39630332cf486f5a
hxxp://allhugedeals.net/main.php?page=ca16f7c53056850e

Sample exploits served: CVE-2010-0188; CVE-2010-1885

Upon successful client-side exploitation, the campaign drops the following samples:
MD5: 42307705ad637c615a6ed5fbf1e755d1 – detected by 34 out of 42 antivirus scanners as Trojan.Win32.Yakes.ansm; Trojan:Win32/Coremhead
MD5: 027b7e4f2a34ccea32ffe38c35a20903 – detected by 20 out of 42 antivirus scanners as Worm:Win32/Cridex.E; Trojan-Dropper.Win32.Dapato.bpqt
MD5: 29cd72608b456c87d91809132401379d – detected by 20 out of 42 antivirus scanners as Trojan.Dropper.Agent.VJQ
MD5: cc7ce4552794d3e4c28e8986bec469c2 – detected by 34 out of 42 antivirus scanners as Trojan.Win32.Yakes.aonc; Trojan:Win32/Malagent
MD5: b8e0ffb6591f6ab556575e4d65e9fed1 – detected by 1 out of 28 antivirus scanners as Trojan-PSW.Win32.Tepfer.babg

Upon execution, the samples phone back to 192.5.5.241:8080/mx5/B/in; 87.120.41.155:8080/mx5/B/in. We’ve already seen malware phoning back to the same IP (87.120.41.155) in the recently profiled “Cybercriminals spamvertise bogus greeting cards, serve exploits and malware” and the “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” campaigns.

Responding to 87.120.41.155 are the following malicious domains and command and control servers:
horoshovsebudet.ru
kamarovoskorlovo.ru
serebrokakzoloto.ru
cojsdhfhhlsl.ru
geekstuffmag.com
vzhpiaswhqlswkji.ru
insomniacporeed.ru
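The indicators above (compromised redirector hosts, exploit landing URLs, dropped-sample hashes, check-in endpoints and C&C domains) are most useful to a defender once they are turned into something that can be run over proxy logs and file-hash inventories. The script below is an added example written for this post, not code from Webroot or the original author. It embeds the post's own indicators, refangs the `hxxp://` notation, and scans a few constructed proxy log lines (the timestamp/client/method/URL format and the `10.0.0.x` clients are assumptions for illustration). The `LANDING_RE` regex generalizes the `main.php?page=<16 hex>` shape of the landing URLs listed above, so it also catches the same pattern on hosts not yet on the list; the alert category names are this example's own labels.

```python
"""IoC matcher for the IRS-themed campaign indicators quoted in the post (added example)."""
import re
from urllib.parse import urlparse

# Indicators exactly as quoted in the post, kept in their defanged hxxp:// form.
SPAMVERTISED_URLS = [
    "hxxp://feterouge.info/wp-content/plugins/rejrev.html",
    "hxxp://jasnoiglasno.com/wp-content/plugins/zooexojfeix/intrev.html",
    "hxxp://businesspromotesolutions.com/admin/irser.html",
    "hxxp://www.aquitato.net/v3/wp-content/plugins/zvncekcolnx/revnse.html",
    "hxxp://atdcindia.com/COFFEE/revnse.html",
    "hxxp://xerby.com/irsrev.html",
    "hxxp://myoushinji.com/irsrev.html",
    "hxxp://room-4-dessert.com/heb/wp-content/plugins/zeoebikeoou/irser.html",
    "hxxp://evrootdelka.tom.ru/txpo.html",
    "hxxp://wholefoodmall.9138.8008202191.com/txpo.html",
]
EXPLOIT_LANDING_URLS = [
    "hxxp://immigrationunix.pro/main.php?page=28677a727aff0456",
    "hxxp://bikeslam.net/main.php?page=8b89c7278770dfd7",
    "hxxp://market-panel.net/main.php?page=8b89c7278770dfd7",
    "hxxp://steampoweredprobability.pro/main.php?page=e55871a71c789475",
    "hxxp://wireframeglee.info/main.php?page=39630332cf486f5a",
    "hxxp://allhugedeals.net/main.php?page=ca16f7c53056850e",
]
C2_ENDPOINTS = ["192.5.5.241:8080/mx5/B/in", "87.120.41.155:8080/mx5/B/in"]
C2_DOMAINS = ["horoshovsebudet.ru", "kamarovoskorlovo.ru", "serebrokakzoloto.ru",
              "cojsdhfhhlsl.ru", "geekstuffmag.com", "vzhpiaswhqlswkji.ru",
              "insomniacporeed.ru"]
KNOWN_MD5 = {  # dropped payloads plus the JavaScript redirector, with one AV name each
    "8c5ee1902b4429ce303530f37115854a": "Mal/Iframe-W",
    "42307705ad637c615a6ed5fbf1e755d1": "Trojan.Win32.Yakes.ansm",
    "027b7e4f2a34ccea32ffe38c35a20903": "Worm:Win32/Cridex.E",
    "29cd72608b456c87d91809132401379d": "Trojan.Dropper.Agent.VJQ",
    "cc7ce4552794d3e4c28e8986bec469c2": "Trojan.Win32.Yakes.aonc",
    "b8e0ffb6591f6ab556575e4d65e9fed1": "Trojan-PSW.Win32.Tepfer.babg",
}

def refang(url: str) -> str:
    """Turn the post's hxxp:// notation back into a parseable http:// URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def host_of(url: str) -> str:
    return (urlparse(refang(url)).hostname or "").lower()

# Derived lookup tables.
BAD_HOSTS = {host_of(u) for u in SPAMVERTISED_URLS + EXPLOIT_LANDING_URLS}
C2_HOSTS = {e.split(":")[0] for e in C2_ENDPOINTS} | set(C2_DOMAINS)
C2_PATHS = {"/" + e.split("/", 1)[1] for e in C2_ENDPOINTS}      # "/mx5/B/in"
LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")       # generalized landing shape

def classify_url(url: str) -> list:
    """Return (category, indicator) hits for one URL; empty list means no match."""
    p = urlparse(refang(url))
    host = (p.hostname or "").lower()
    path_q = p.path + ("?" + p.query if p.query else "")
    hits = []
    if host in C2_HOSTS:
        hits.append(("c2", host))
        if p.path in C2_PATHS:
            hits.append(("c2_checkin", host + p.path))
    if host in BAD_HOSTS:
        hits.append(("landing_or_redirect", host))
    if LANDING_RE.search(path_q):
        hits.append(("blackhole_landing_pattern", path_q))
    return hits

# Assumed proxy log format: "<date> <time> <client_ip> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")

def scan_proxy_log(lines) -> list:
    """Return (client_ip, category, indicator) alerts for every matching log line."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for cat, ind in classify_url(m.group("url")):
            alerts.append((m.group("client"), cat, ind))
    return alerts

def check_hashes(md5s) -> dict:
    """Map any known-bad MD5 in the input (case-insensitive) to its AV name."""
    return {h.lower(): KNOWN_MD5[h.lower()] for h in md5s if h.lower() in KNOWN_MD5}

# Constructed sample log: one client walks the full chain, another is clean.
SAMPLE_PROXY_LOG = [
    "2012-06-28 10:01:02 10.0.0.15 GET http://feterouge.info/wp-content/plugins/rejrev.html",
    "2012-06-28 10:01:03 10.0.0.15 GET http://bikeslam.net/main.php?page=8b89c7278770dfd7",
    "2012-06-28 10:01:09 10.0.0.15 POST http://87.120.41.155:8080/mx5/B/in",
    "2012-06-28 10:02:00 10.0.0.22 GET http://example.com/index.html",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("ALERT", *alert)
```

The redirect host, the landing URL and the check-in all come from the same client within seconds, which is the sequence worth correlating: a lone hit on a compromised WordPress host is a user who clicked the email, while a `c2_checkin` from the same client is a strong sign the Java or Windows Help exploit succeeded and the dropped sample is running.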

We’ll continue monitoring the development of the campaign.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.