Cybercriminals are once again impersonating the Internal Revenue Service (IRS) for malware-serving purposes. In this intelligence brief, we’ll dissect the malware campaign.
Spamvertised attachment: IRS_Calculations_#ID6749.zip
Spamvertised message: Notice, There are arrears reckoned on your account over a period of 2010-2011 year. You will find all calculations according to your financial debt, enclosed. You have to pay out the debt by the 17 December 2011. Yours sincerely, IRS.
– Detection rate:
IRS_Calculations.exe – W32/Yakes.B!tr – 34/40 (85.0%)
MD5 : e44eb03582f030d30251e6be384f6b32
SHA1 : eaa3d76534d247d04987b8950965d0142d770b29
SHA256: 18386f49580298eee73688ce5e626a9e332886c25403a991495e0a3250c53e32
Upon execution phones back to:
bitgale.com/404.php?type=stats&affid=574&subid=01&iruns – 31.44.184.42; AS15884 – Email: davidsiddins@gxmailbox.com
shbsharri.com/arkivi_files/574-01.exe – returns “Bandwidth Limit Exceeded” – 74.55.50.202; AS21844 – Email: contact@privacyprotect.org
shbsharri.com/arkivi_files/setup.exe – returns “Bandwidth Limit Exceeded”
shbsharri.com/arkivi_files/sl16.exe – returns “Bandwidth Limit Exceeded”
shbsharri.com/arkivi_files/sssss.exe – returns “Bandwidth Limit Exceeded”
gansgansgroup.ru/true/index.php?cmd=getgrab – Connect to 91.229.90.139 on port 80 … failed
gansgansgroup.ru/true/index.php?cmd=getproxy – Connect to 91.229.90.139 on port 80 … failed
gansgansgroup.ru/true/index.php?cmd=getload&login=4117AF14E694E469C&sel=donat&ver=5.1&bits=0&file=1&run=ok
gansgansgroup.ru/true/index.php?cmd=getsocks&login=4117AF14E694E469C&port=11925
gansgansgroup.ru – 91.229.90.139; AS6753 (responding to 91.229.90.139 is also falcononfly2006.ru – Email: makrogerhouse@yandex.ru) – Email: gansgansgroup.ru@allperson.ru
The same email makrogerhouse@yandex.ru, has been linked to a previously spamvertised IRS-themed malware campaign.
Clearly, both campaigns have been launched by the same cybercriminal.
This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.
Leave a reply
