Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware


By Dancho Danchev

Cybercriminals are currently spamvertising with IRS (Internal Revenue Service) themed emails, enticing end and corporate users into downloading and viewing a malicious .htm attachment.

More details:

Spamvertised subject: Your tax return appeal is declined

Spamvertised message: Dear Chief Account Officer, Hereby you are notified that your Income Tax Refund Appeal id#9056219 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Malicious attachment: IRS_H11832502.htm

Malicious iFrame URL found in the attachment: hxxp://dporooppasoodajhsjs.ru:8080/images/aublbzdni.php

Upon downloading and viewing the malicious attachment, an iFrame tag attempts to load, ultimately serving client-side exploits such as the Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188), and Trusted method chaining remote code execution (CVE-2010-0840).

The malicious file attachment is currently detected as JS/Agent.PX.gen; JS/Kryptik.SA!tr; Mal/Iframe-AE, MD5: e1f40f7ca35b35692c4762ed26cc1a61 – by 4 out of 43 antivirus scanners.

Upon successful client-side exploitation, the campaign drops MD5: 972c89c5114fae66595e5d3e3817e746 – detected by 32 out of 42 antivirus scanners as Worm:Win32/Cridex.B from hxxp://xsopiisvvajushgd.ru:8080/images/jw.php?i=8.

It then phones back to hxxp://usepaxvulfdtnwiwwk.ru:8080/rwx/B1_3n9/in/ (178.162.154.214) and hxxp://nolwzyzsqkhjkqhomc.ru:8080/rwx/B1_3n9/in/ (88.190.22.72).
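The two detection points described above, the iFrame inside the .htm attachment and the outbound connections to the drop and call-back hosts, can both be checked with a short triage script. The following is an added example written for this post, not code from Webroot or the author: it pulls every iFrame source out of an HTML attachment, flags those that load from an external host (noting non-standard ports such as 8080 and matches against the indicators listed above), and separately scans proxy log lines for the same domains and IPs. The attachment body and the proxy log format are constructed for the example; only the hostnames, IPs and paths come from the write-up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the write-up above (published in defanged hxxp:// form).
IOC_HOSTS = {
    "dporooppasoodajhsjs.ru",   # iframe host inside the attachment
    "xsopiisvvajushgd.ru",      # Cridex drop location
    "usepaxvulfdtnwiwwk.ru",    # call-back host
    "nolwzyzsqkhjkqhomc.ru",    # call-back host
}
IOC_IPS = {"178.162.154.214", "88.190.22.72"}


class IframeExtractor(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def refang(url):
    """Turn the hxxp:// form used in reports back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def defang(url):
    """Render a URL as hxxp:// so findings cannot be clicked by accident."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)


def suspicious_iframes(html_text):
    """Return (defanged_url, reasons) for every iframe that loads from an external host."""
    parser = IframeExtractor()
    parser.feed(html_text)
    findings = []
    for src in parser.srcs:
        parsed = urlparse(refang(src))
        if not parsed.hostname:
            continue  # relative or inline src: no outbound load to worry about
        reasons = ["external iframe"]
        if parsed.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parsed.port}")
        if parsed.hostname in IOC_HOSTS or parsed.hostname in IOC_IPS:
            reasons.append("matches known IoC")
        findings.append((defang(src), reasons))
    return findings


def match_c2_traffic(log_text):
    """Scan 'timestamp client url dst_ip' proxy lines (constructed format) for IoC hits.

    Matching on the destination IP as well as the hostname catches fast-flux
    nodes reached directly by IP, which a hostname-only rule would miss."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, url, dst_ip = parts
        host = urlparse(url).hostname
        if host in IOC_HOSTS or host in IOC_IPS or dst_ip in IOC_IPS:
            hits.append((client, defang(url), dst_ip))
    return hits


# Constructed attachment body modelled on the campaign's IRS_*.htm lure.
SAMPLE_ATTACHMENT = """<html><body>
<p>Please wait while your appeal details load...</p>
<IFRAME SRC="http://dporooppasoodajhsjs.ru:8080/images/aublbzdni.php" width="1" height="1"></IFRAME>
<iframe src="/local/help.html"></iframe>
</body></html>"""

# Constructed proxy log: one benign line, one direct hit, one internal line,
# one connection to a call-back IP by address only.
SAMPLE_PROXY_LOG = """\
2012-03-01T10:02:11Z 10.0.0.5 http://example.org/index.html 93.184.216.34
2012-03-01T10:02:19Z 10.0.0.5 http://usepaxvulfdtnwiwwk.ru:8080/rwx/B1_3n9/in/ 178.162.154.214
2012-03-01T10:02:20Z 10.0.0.7 http://intranet.local/ 10.0.0.1
2012-03-01T10:03:02Z 10.0.0.9 http://203.0.113.10/ 88.190.22.72
"""

if __name__ == "__main__":
    for url, reasons in suspicious_iframes(SAMPLE_ATTACHMENT):
        print(f"attachment: {url}  [{', '.join(reasons)}]")
    for client, url, dst_ip in match_c2_traffic(SAMPLE_PROXY_LOG):
        print(f"proxy: {client} -> {url} ({dst_ip})")
```

The relative iframe in the sample is deliberately ignored, so the script reports one attachment finding (external host, port 8080, known IoC) and two proxy hits, the second of which is matched only by destination IP.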

What’s particularly interesting about this campaign is that the malicious iFrame is hosted within a fast-flux botnet, and is therefore currently responding to multiple IPs, in an attempt by cybercriminals to make it harder for security researchers to take it down.

End users are advised to ensure that they’re not running outdated versions of their third-party software and browser plugins, as well as to avoid interacting with the malicious emails.

Webroot’s security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
