By Dancho Danchev
In March 2012, we intercepted an IRS themed malicious campaign that was serving client-side exploits to prospective victims in an attempt to drop malware on the affected hosts.
This week, we intercepted three consecutive campaigns using the exact same email template used in the March campaign. What has changed? Are the cybercriminals behind these campaigns relying on any new tactics, or are they basically sticking to well proven techniques to infect tens of thousands of socially engineered users?
Let’s find out.
Sample screenshot of the spamvertised email:
Unlike March 2012’s campaign that used client-side exploits in an attempt to drop malware on the affected host, the last three campaigns have relied on malicious archives attached to spamvertised emails. Each has a unique MD5 and phones back to a different (compromised) command and control server.
The first sample: MD5: f56026fcc9ac2daad210da82d92f57a3 – detected by 36 out of 44 antivirus scanners as Worm:Win32/Cridex.E phones back to 188.8.131.52:8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan).
We’ve already seen the same command and control server used in the previously profiled “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware“; “Spamvertised American Airlines themed emails lead to Black Hole exploit kit” malicious campaigns, indicating that these have all been launched by the same party.
The second sample: MD5: 53c4f27ce39fa8b9330c3faff85e4917 – detected by 35 out of 44 antivirus scanners as Worm:Win32/Cridex.E phones back to 184.108.40.206:8080/Ajtw/UCygrDAA/Ud+asDAA (AS9, Carnegie Mellon University Backbone AS).
We also have another: MD5: 532bdd2565cae7b84cb26e4cf02f42a0 – detected by 33 out of 44 antivirus scanners as Worm:Win32/Cridex.E that is known to have phoned back to the same IP, 220.127.116.11:8080/37ugtbaaaaa/enmtzaaaaa/pxos/
The following MD5s are also known to have phoned back to this very same IP:
MD5: a5c8fb478ff7788609863b83079718ec – detected by 33 out of 44 antivirus scanners as Worm:Win32/Cridex.E
MD5: f739f99f978290f5fc9a812f2a559bbb – detected by 7 out of 44 antivirus scanners as Trojan.Win32.Bublik.swr
The third sample used in the IRS themed campaign: MD5: 32b4227ae379f98c1581f5cb2b184412 – detected by 36 out of 44 antivirus scanners as Worm:Win32/Cridex.E phones back to 18.104.22.168:8080/Ajtw/UCygrDAA/Ud+asDAA (AS23974, Ministry of education, Thailand).
Webroot SecureAnywhere users are proactively protected from these threats.