By Dancho Danchev
Cybercriminals are currently spamvertising with IRS (Internal Revenue Service) themed emails, enticing end and corporate users into downloading and viewing a malicious .htm attachment.
Spamvertised subject: Your tax return appeal is declined
Spamvertised message: Dear Chief Account Officer, Hereby you are notified that your Income Tax Refund Appeal id#9056219 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit yo ur appeal by using the instructions in the attachment.
Malicious attachment: IRS_H11832502.htm
Malicious iFrame URL found in the attachment: hxxp://dporooppasoodajhsjs.ru:8080/images/aublbzdni.php
Upon downloading and viewing the malicious attachment, an iFrame tag attempts to load, ultimately serving client-side exploits such as the Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188), and Trusted method chaining remote code execution (CVE-2010-0840).
Upon successful client-side exploitation, the campaign drops MD5: 972c89c5114fae66595e5d3e3817e746 – detected by 32 out of 42 antivirus scanners as Worm:Win32/Cridex.B from hxxp://xsopiisvvajushgd.ru:8080/images/jw.php?i=8.
It then phones back to hxxp://usepaxvulfdtnwiwwk.ru:8080/rwx/B1_3n9/in/ (220.127.116.11) and hxxp://nolwzyzsqkhjkqhomc.ru:8080/rwx/B1_3n9/in/ (18.104.22.168).
What’s particularly interesting about this campaign is that the malicious iFrame is hosted within a fast-flux botnet, and is therefore currently responding to multiple IPs, in an attempt by cybercriminals to make it harder for security researchers to take it down.
Webroot’s security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this threat.