AICPA fraud allegations

Since there was so much overlap between the IRS spam blogged about earlier today and a concurrent AICPA fraud allegation spam, it makes sense to point out some of these similarities. Here is an image of the AICPA spam:

This particular spam contains a hyperlink to evergreennatural[.]ro/aicp.html. Just like with the IRS spam, this campaign uses the same HTML page name across all of the hacked sites – in this case, ‘aicp.html’. We can find additional hacked pages with our Google-fu:

Remember the Black hole exploit kit URL the IRS spam redirected to – hxxp://energirans[.]net/main.php?page=710730c6e154dae7? Surprise, the hacked URLs in the AICPA spam redirect to a Black hole kit using the same domain with a different ‘page=’ ID – energirans[.]net/main.php?page=78581944265196f1.

This also drops a Bugat variant, the malicious binary is downloaded from energirans[.]net /w.php?f=dd786&e=4:

65024 bytes

After connecting to a C&C server, this variant is updated with a new Bugat binary:

63488 bytes

Look familiar? It should, its the same MD5 we saw dropped by the IRS spam.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: