Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit


By Dancho Danchev

Remember the IRS (Internal Revenue Service) themed malicious campaign profiled at Webroot’s Threat Blog earlier this month?

Over the past 24 hours, the cybercriminals behind the campaign resumed mass mailing of the same IRS email template, exposing millions of users to the threats posed by the social engineering driven campaign.

More details:

Sample screenshot of the spamvertised email:

Upon clicking on the link, users are exposed to the following bogus “Page loading…” page:

Spamvertised malicious URLs hosted on compromised hosts: hxxp://feterouge.info/wp-content/plugins/rejrev.html; hxxp://jasnoiglasno.com/wp-content/plugins/zooexojfeix/intrev.html; hxxp://businesspromotesolutions.com/admin/irser.html; hxxp://www.aquitato.net/v3/wp-content/plugins/zvncekcolnx/revnse.html; hxxp://atdcindia.com/COFFEE/revnse.html; hxxp://xerby.com/irsrev.html; hxxp://myoushinji.com/irsrev.html; hxxp://room-4-dessert.com/heb/wp-content/plugins/zeoebikeoou/irser.html; hxxp://evrootdelka.tom.ru/txpo.html; hxxp://wholefoodmall.9138.8008202191.com/txpo.html

Detection rate for a sample JavaScript redirection: MD5: 8c5ee1902b4429ce303530f37115854a – detected by 1 out of 41 antivirus scanners as Mal/Iframe-W

Sample exploit-serving landing URLs: hxxp://immigrationunix.pro/main.php?page=28677a727aff0456; hxxp://bikeslam.net/main.php?page=8b89c7278770dfd7; hxxp://market-panel.net/main.php?page=8b89c7278770dfd7; hxxp://steampoweredprobability.pro/main.php?page=e55871a71c789475; hxxp://wireframeglee.info/main.php?page=39630332cf486f5a; hxxp://allhugedeals.net/main.php?page=ca16f7c53056850e

Sample exploits served: CVE-2010-0188; CVE-2010-1885

Upon successful client-side exploitation, the campaign drops the following samples:
MD5: 42307705ad637c615a6ed5fbf1e755d1 – detected by 34 out of 42 antivirus scanners as Trojan.Win32.Yakes.ansm; Trojan:Win32/Coremhead
MD5: 027b7e4f2a34ccea32ffe38c35a20903 – detected by 20 out of 42 antivirus scanners as Worm:Win32/Cridex.E; Trojan-Dropper.Win32.Dapato.bpqt
MD5: 29cd72608b456c87d91809132401379d – detected by 20 out of 42 antivirus scanners as Trojan.Dropper.Agent.VJQ
MD5: cc7ce4552794d3e4c28e8986bec469c2 – detected by 34 out of 42 antivirus scanners as Trojan.Win32.Yakes.aonc; Trojan:Win32/Malagent
MD5: b8e0ffb6591f6ab556575e4d65e9fed1 – detected by 1 out of 28 antivirus scanners as Trojan-PSW.Win32.Tepfer.babg

Upon execution, the samples phone back to 192.5.5.241:8080/mx5/B/in; 87.120.41.155:8080/mx5/B/in. We’ve already seen malware phoning back to the same IP (87.120.41.155) in the recently profiled “Cybercriminals spamvertise bogus greeting cards, serve exploits and malware” and “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” campaigns.
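As an added example (not part of the original post or Webroot’s tooling), a small Python scan of proxy log lines for the two URL shapes this campaign exposes: the Black Hole landing page pattern (`/main.php?page=<16 hex chars>`) and the post-infection beacon to `:8080/mx5/B/in` on the two IPs named above. The log format and the sample lines are constructed assumptions; a client that hits both stages is the strongest infection signal.

```python
import re
from collections import namedtuple

# Patterns derived from the indicators in this post.
# Black Hole landing page: /main.php?page=<16 lowercase hex characters>
BLACKHOLE_LANDING = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")
# Post-infection beacon observed in this campaign: <ip>:8080/mx5/B/in
CAMPAIGN_BEACON = re.compile(r":8080/mx5/B/in$")
# Command-and-control IPs named in the post
KNOWN_C2 = {"192.5.5.241", "87.120.41.155"}

# Constructed proxy log lines (assumed format): "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2012-06-20T10:01:02Z 10.0.0.5 GET http://feterouge.info/wp-content/plugins/rejrev.html
2012-06-20T10:01:03Z 10.0.0.5 GET http://bikeslam.net/main.php?page=8b89c7278770dfd7
2012-06-20T10:01:09Z 10.0.0.5 POST http://87.120.41.155:8080/mx5/B/in
2012-06-20T10:02:00Z 10.0.0.7 GET http://example.com/main.php?page=about
2012-06-20T10:02:30Z 10.0.0.9 GET http://intranet.local/status
"""

Hit = namedtuple("Hit", "client stage url")

def classify(url):
    """Return the campaign stage a URL belongs to, or None if it matches nothing."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0]
    if CAMPAIGN_BEACON.search(url) or host in KNOWN_C2:
        return "c2-beacon"
    if BLACKHOLE_LANDING.search(url):
        return "exploit-landing"
    return None  # redirector pages on compromised hosts have arbitrary paths

def scan_log(text):
    """Parse log lines and return one Hit per line that matches a campaign stage."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash mid-scan
        _ts, client, _method, url = parts
        stage = classify(url)
        if stage:
            hits.append(Hit(client, stage, url))
    return hits

def infected_clients(hits):
    """Clients that reached a landing page and then beaconed to the C2."""
    stages = {}
    for h in hits:
        stages.setdefault(h.client, set()).add(h.stage)
    return sorted(c for c, s in stages.items() if {"exploit-landing", "c2-beacon"} <= s)
```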

Responding to 87.120.41.155 are the following malicious domains and command and control servers:
horoshovsebudet.ru
kamarovoskorlovo.ru
serebrokakzoloto.ru
cojsdhfhhlsl.ru
geekstuffmag.com
vzhpiaswhqlswkji.ru
insomniacporeed.ru

We’ll continue monitoring the development of the campaign.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
