Spamvertised IRS-themed "Last Notice" Emails Serving Malware

0
October 18, 2011

Cybercriminals are once again impersonating the Internal Revenue Service (IRS) for malware-serving purposes. In this intelligence brief, we'll dissect the malware campaign.

Spamvertised attachment: IRS_Calculations_#ID6749.zip
Spamvertised message: Notice, There are arrears reckoned on your account over a period of 2010-2011 year. You will find all calculations according to your financial debt, enclosed. You have to pay out the debt by the 17 December 2011. Yours sincerely, IRS.

- Detection rate:
IRS_Calculations.exe - W32/Yakes.B!tr - 34/40 (85.0%)
MD5   : e44eb03582f030d30251e6be384f6b32
SHA1  : eaa3d76534d247d04987b8950965d0142d770b29
SHA256: 18386f49580298eee73688ce5e626a9e332886c25403a991495e0a3250c53e32

Upon execution phones back to:
bitgale.com/404.php?type=stats&affid=574&subid=01&iruns - 31.44.184.42; AS15884 - Email: davidsiddins@gxmailbox.com
shbsharri.com/arkivi_files/574-01.exe - returns "Bandwidth Limit Exceeded" - 74.55.50.202; AS21844 - Email: contact@privacyprotect.org
shbsharri.com/arkivi_files/setup.exe - returns "Bandwidth Limit Exceeded"
shbsharri.com/arkivi_files/sl16.exe - returns "Bandwidth Limit Exceeded"
shbsharri.com/arkivi_files/sssss.exe - returns "Bandwidth Limit Exceeded"
gansgansgroup.ru/true/index.php?cmd=getgrab - Connect to 91.229.90.139 on port 80 ... failed
gansgansgroup.ru/true/index.php?cmd=getproxy - Connect to 91.229.90.139 on port 80 ... failed
gansgansgroup.ru/true/index.php?cmd=getload&login=4117AF14E694E469C&sel=donat&ver=5.1&bits=0&file=1&run=ok
gansgansgroup.ru/true/index.php?cmd=getsocks&login=4117AF14E694E469C&port=11925

gansgansgroup.ru - 91.229.90.139; AS6753 (responding to 91.229.90.139 is also falcononfly2006.ru - Email: makrogerhouse@yandex.ru) - Email: gansgansgroup.ru@allperson.ru

The same email makrogerhouse@yandex.ru, has been linked to a previously spamvertised IRS-themed malware campaign.

Clearly, both campaigns have been launched by the same cybercriminal.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

About the author

Donec non enim in turpis pulvinar facilisis. Ut felis. Praesent dapibus, neque id cursus faucibus. Aenean fermentum, eget tincidunt.

0 Comments:

Subscribe to: Post Comments (Atom)