Tuesday, October 18, 2011

Spamvertised IRS-themed "Last Notice" Emails Serving Malware


Cybercriminals are once again impersonating the Internal Revenue Service (IRS) for malware-serving purposes. In this intelligence brief, we'll dissect the malware campaign.

Spamvertised attachment: IRS_Calculations_#ID6749.zip
Spamvertised message: Notice, There are arrears reckoned on your account over a period of 2010-2011 year. You will find all calculations according to your financial debt, enclosed. You have to pay out the debt by the 17 December 2011. Yours sincerely, IRS.

- Detection rate:
IRS_Calculations.exe - W32/Yakes.B!tr - 34/40 (85.0%)
MD5   : e44eb03582f030d30251e6be384f6b32
SHA1  : eaa3d76534d247d04987b8950965d0142d770b29
SHA256: 18386f49580298eee73688ce5e626a9e332886c25403a991495e0a3250c53e32

Upon execution, the sample phones back to:
bitgale.com/404.php?type=stats&affid=574&subid=01&iruns - 31.44.184.42; AS15884 - Email: davidsiddins@gxmailbox.com
shbsharri.com/arkivi_files/574-01.exe - returns "Bandwidth Limit Exceeded" - 74.55.50.202; AS21844 - Email: contact@privacyprotect.org
shbsharri.com/arkivi_files/setup.exe - returns "Bandwidth Limit Exceeded"
shbsharri.com/arkivi_files/sl16.exe - returns "Bandwidth Limit Exceeded"
shbsharri.com/arkivi_files/sssss.exe - returns "Bandwidth Limit Exceeded"
gansgansgroup.ru/true/index.php?cmd=getgrab - Connect to 91.229.90.139 on port 80 ... failed
gansgansgroup.ru/true/index.php?cmd=getproxy - Connect to 91.229.90.139 on port 80 ... failed
gansgansgroup.ru/true/index.php?cmd=getload&login=4117AF14E694E469C&sel=donat&ver=5.1&bits=0&file=1&run=ok
gansgansgroup.ru/true/index.php?cmd=getsocks&login=4117AF14E694E469C&port=11925

gansgansgroup.ru - 91.229.90.139; AS6753 - Email: gansgansgroup.ru@allperson.ru (also responding to 91.229.90.139: falcononfly2006.ru - Email: makrogerhouse@yandex.ru)
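As an added example (not part of the original post), the Python script below turns the indicators above into a log check: it flags the listed hosts, the affiliate statistics beacon, the arkivi_files payload fetches and the /true/index.php?cmd= bot commands, and pulls the bot login and advertised SOCKS port out of the query string. The proxy log format is an assumption and the log lines are constructed; the hosts, paths, command names and hashes are the ones quoted in the post.

```python
from urllib.parse import parse_qs, urlsplit

# Network indicators quoted in the post above.
IOC_HOSTS = {
    "bitgale.com", "shbsharri.com", "gansgansgroup.ru", "falcononfly2006.ru",
    "31.44.184.42", "74.55.50.202", "91.229.90.139",
}
# File hashes of IRS_Calculations.exe as listed in the post (lower-case hex).
IOC_HASHES = {
    "e44eb03582f030d30251e6be384f6b32",
    "eaa3d76534d247d04987b8950965d0142d770b29",
    "18386f49580298eee73688ce5e626a9e332886c25403a991495e0a3250c53e32",
}
# C2 command names observed in the gansgansgroup.ru traffic.
C2_COMMANDS = {"getgrab", "getproxy", "getload", "getsocks"}
C2_PATH = "/true/index.php"

# Constructed sample proxy log (hypothetical format: timestamp client method url status).
# The 509 status stands in for the "Bandwidth Limit Exceeded" responses noted in the post.
SAMPLE_LOG = """\
2011-10-18T10:01:02Z 10.0.0.15 GET http://bitgale.com/404.php?type=stats&affid=574&subid=01&iruns 200
2011-10-18T10:01:05Z 10.0.0.15 GET http://shbsharri.com/arkivi_files/574-01.exe 509
2011-10-18T10:01:09Z 10.0.0.15 GET http://gansgansgroup.ru/true/index.php?cmd=getload&login=4117AF14E694E469C&sel=donat&ver=5.1&bits=0&file=1&run=ok 200
2011-10-18T10:01:12Z 10.0.0.15 GET http://gansgansgroup.ru/true/index.php?cmd=getsocks&login=4117AF14E694E469C&port=11925 200
2011-10-18T10:02:00Z 10.0.0.22 GET http://www.example.com/index.html 200
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def classify_url(url):
    """Return the reasons a URL matches this campaign's traffic (empty list if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    qs = parse_qs(parts.query, keep_blank_values=True)
    cmd = qs.get("cmd", [""])[0]
    hits = []
    if host in IOC_HOSTS:
        hits.append("ioc-host")
    # Affiliate statistics beacon: 404.php carrying affid/subid, as seen on bitgale.com.
    if parts.path.endswith("/404.php") and "affid" in qs and "subid" in qs:
        hits.append("affiliate-beacon:affid=" + qs["affid"][0])
    # Secondary payload fetches from the arkivi_files directory.
    if parts.path.startswith("/arkivi_files/") and parts.path.endswith(".exe"):
        hits.append("payload-download")
    # Bot command traffic: /true/index.php?cmd=get... (deliberately host-independent).
    if parts.path == C2_PATH and cmd in C2_COMMANDS:
        hits.append("c2-command:" + cmd)
    return hits


def scan(log_text):
    """Run classify_url over every log line and collect alerts with extracted bot fields."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        hits = classify_url(rec["url"])
        if not hits:
            continue
        parts = urlsplit(rec["url"])
        qs = parse_qs(parts.query, keep_blank_values=True)
        alerts.append({
            "client": rec["client"],
            "host": parts.hostname,
            "hits": hits,
            "login": qs.get("login", [None])[0],       # bot identifier sent with getload/getsocks
            "socks_port": qs.get("port", [None])[0],   # SOCKS port advertised via getsocks
        })
    return alerts


def infected_clients(log_text):
    """Distinct internal clients that produced at least one alert."""
    return sorted({a["client"] for a in scan(log_text)})


def is_known_sample(digest):
    """True if an MD5/SHA1/SHA256 hex digest matches the sample hashes from the post."""
    return digest.strip().lower() in IOC_HASHES


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print("infected clients:", infected_clients(SAMPLE_LOG))
```

The host list catches the infrastructure as observed; the command-name rule is kept host-independent on purpose, so it keeps firing if the same panel script is stood up on a fresh domain, and the getsocks port lets a responder see which hosts have been advertised as SOCKS proxies.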

The same email, makrogerhouse@yandex.ru, has been linked to a previously spamvertised IRS-themed malware campaign.

Clearly, both campaigns have been launched by the same cybercriminal.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
