{"id":9703,"date":"2013-02-15T00:00:06","date_gmt":"2013-02-15T07:00:06","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=9703"},"modified":"2018-10-05T12:16:59","modified_gmt":"2018-10-05T18:16:59","slug":"spamvertised-irs-income-tax-refund-turned-down-themed-emails-lead-to-black-hole-exploit-kit","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/02\/15\/spamvertised-irs-income-tax-refund-turned-down-themed-emails-lead-to-black-hole-exploit-kit\/","title":{"rendered":"Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit"},"content":{"rendered":"

Its tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service)<\/strong><\/a> themed emails in an attempt \u00a0to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit<\/strong><\/a>.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of the spamvertised email:<\/strong><\/p>\n

\"IRS_Income_Tax_Appeal_Spam_Email_Malware_Black_Hole_Exploit_Kit\"<\/a><\/p>\n

Sample compromised URLs participating in the campaign:<\/strong>
\nhxxp:\/\/www.ordinarycoder.com\/\/wp-content\/themes\/trulyminimal\/includes\/framework\/plugins\/rjtra_irs.html<\/em>
\nhxxp:\/\/troutkinglures.com\/store-front\/wp-content\/themes\/mantra\/uploads\/rjtra_irs.html<\/em>
\nhxxp:\/\/www.romanfirnkranz.com\/\/wp-content\/themes\/trulyminimal\/includes\/framework\/plugins\/rjtra_irs.html<\/em>
\nhxxp:\/\/ichetblog.net\/wp-content\/themes\/mantra\/uploads\/rjtra_irs.html<\/em><\/p>\n

Sample client-side exploits serving URL:<\/strong>
\nhxxp:\/\/micropowerboating.net\/detects\/pending_details.php<\/em><\/p>\n

Sample malicious payload dropping URL:<\/strong>
\nhxxp:\/\/micropowerboating.net\/detects\/pending_details.php?nf=1f:32:31:1l:2w&ee=2v:1j:1m:2v:1g:1m:1l:33:1g:2v&l=1f&zf=e&xx=w<\/em><\/p>\n

Malicious domain name reconnaissance:<\/strong>
\nmicropowerboating.net<\/strong> – 175.121.229.209; 198.144.191.50 – Email: dooronemars@aol.com
\nName Server: NS1.POOPHANAM.NET<\/strong> – 31.170.106.17
\nName Server: NS2.POOPHANAM.NET<\/strong> – 65.135.199.21<\/p>\n

The following malicious domains also respond to the same IPs <\/strong>(175.121.229.209; 198.144.191.50) and are part of the campaign’s infrastructure:\u00a0<\/strong>
\nmadcambodia.net<\/strong> – 175.121.229.209
\nmicropowerboating.net<\/strong> – 175.121.229.209
\ndressaytam.net<\/strong> – 175.121.229.209
\nacctnmrxm.net<\/strong> – 175.121.229.209
\ncapeinn.net<\/strong> – 175.121.229.209
\nalbaperu.net<\/strong> – 175.121.229.209
\nlive-satellite-view.net<\/strong> – 175.121.229.209<\/p>\n

morepowetradersta.com<\/strong> – 198.144.191.50
\nasistyapipressta.com<\/strong> – 198.144.191.50
\numinteraktifcozumler.com<\/strong> – 198.144.191.50
\nrebelldagsanet.com<\/strong> – 198.144.191.50
\nmadcambodia.net<\/strong> – 198.144.191.50
\nmicropowerboating.net<\/strong> – 198.144.191.50
\nacctnmrxm.net<\/strong>– 198.144.191.50
\ncapeinn.net<\/strong> – 198.144.191.50
\nalbaperu.net<\/strong> – 198.144.191.50
\nlive-satellite-view.net<\/strong> – 198.144.191.50<\/p>\n

Although the initial client-side exploits serving domain used in the campaign (micropowerboating.net<\/strong>) was down when we attempted to reproduce its malicious payload, we managed to reproduce the malicious payload for a different domain parked at the same IP (175.121.229.209<\/strong>), namely,\u00a0madcambodia.net<\/strong>.<\/p>\n

Detection rate for the dropped malware:
\nmadcambodia.net<\/strong> – 175.121.229.209 – MD5: 2da28ae0df7a90ce89c7c43878927a9f<\/strong><\/a> – detected by 23 out of 45 antivirus scanners as Trojan-Spy.Win32.Zbot.ivkf.<\/p>\n

Upon execution, the sample created the following files on the affected hosts:<\/strong>
\nC:Documents and Settings<USER>Application DataYdukcfuonar.exe<\/em>
\nC:DOCUME~1<USER>~1LOCALS~1Temptmp53f9eac3.bat<\/em><\/p>\n

Set the following Registry Keys:<\/strong>
\nHKEY_CURRENT_USERSoftwareMicrosoftEqini289bbd03<\/em><\/p>\n

As well as the following Mutexes:<\/strong>
\nGlobal{CB561546-E774-D5EA-8F92-61FCBA8C42EE}<\/em>
\nLocal{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}<\/em>
\nGlobal{2E56E149-137B-30EA-0508-B06D3016937F}<\/em>
\nGlobal{2E56E149-137B-30EA-7109-B06D4417937F}<\/em>
\nGlobal{2E56E149-137B-30EA-490A-B06D7C14937F}<\/em>
\nGlobal{2E56E149-137B-30EA-610A-B06D5414937F}<\/em>
\nGlobal{2E56E149-137B-30EA-8D0A-B06DB814937F}<\/em>
\nGlobal{2E56E149-137B-30EA-990A-B06DAC14937F}<\/em>
\nGlobal{2E56E149-137B-30EA-350B-B06D0015937F}<\/em>
\nGlobal{2E56E149-137B-30EA-610B-B06D5415937F}<\/em>
\nGlobal{2E56E149-137B-30EA-B90B-B06D8C15937F}<\/em>
\nGlobal{2E56E149-137B-30EA-150C-B06D2012937F}<\/em>
\nGlobal{2E56E149-137B-30EA-4D0C-B06D7812937F}<\/em>
\nGlobal{2E56E149-137B-30EA-710C-B06D4412937F}<\/em>
\nGlobal{2E56E149-137B-30EA-B50D-B06D8013937F}<\/em>
\nGlobal{2E56E149-137B-30EA-2D0E-B06D1810937F}<\/em>
\nGlobal{2E56E149-137B-30EA-650E-B06D5010937F}<\/em>
\nGlobal{2E56E149-137B-30EA-7D08-B06D4816937F}<\/em>
\nGlobal{2E56E149-137B-30EA-050C-B06D3012937F}<\/em>
\nGlobal{2E56E149-137B-30EA-150D-B06D2013937F}<\/em>
\nGlobal{2E56E149-137B-30EA-DD0E-B06DE810937F}<\/em>
\nGlobal{2E56E149-137B-30EA-750F-B06D4011937F}<\/em>
\nGlobal{2E56E149-137B-30EA-A10B-B06D9415937F}<\/em><\/p>\n

Once executed, the sample also phones back to the following C&C (command and control) servers:<\/strong>
\n94.68.61.135:14511<\/em>
\n99.76.3.38:11350<\/em><\/p>\n

We also got another MD5 phoning back to the same IP, MD5: c308f5c888fd97ae20eee1344f890bdb<\/strong><\/a> – detected by 14 out of 45 antivirus scanners as PWS:Win32\/Zbot.gen!AL.<\/p>\n

What’s also worth noting is the fact that we’ve already seen one of the domains parked at the same IPs (morepowetradersta.com<\/strong>)\u00a0as the original client-side exploits serving domain used in the campaign in the following analyses:<\/p>\n