AICPA – Income tax return fraud accusations

Subject: Income tax return fraud accusations.
URL: hxxp://yuripadal[.]com/wp-includes/aic.html

The text ‘Complaint.pdf’ in the email contains a hyperlink to the URL shown above. That page contains an encoded script which redirects the browser to a Blackhole exploit kit at themeparkoupons[.]net/main.php?page=89cd1f8b9fb67fbc, hosted at the following IP address(es):

41.64.21.71

The kit attempts to download the following file(s)/exploit(s):

themeparkoupons[.]net /content/ap2.php?f=6231f
themeparkoupons[.]net /content/GPlugin.jar

File: 91431.pdf
MD5: eb4e4cd4158f4988e806a28ac8368bd3
Size: 16,550 bytes
Exploit: Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188)

File: GPlugin.jar
MD5: 02110cfd6ecd2231c6885b72943f3baf
Size: 12,163 bytes
Timestamp: 2012:03:07 17:38:20+01:00
Zip File Name: ER.class

If exploitation is successful, the victim is redirected to themeparkoupons[.]net /w.php?f=50a25&e=2, and a Bugat/Feodo variant with the following properties is installed:

File: info.exe
MD5: b405558cb35b379dd5f7fef02a7585cd
Size: 74,240 bytes
Timestamp: 2004:02:16 13:31:29+01:00
Company Name: Simon Brown, HB9DRV
File Description: Convoy Today Porous Doc Beware Maud
Product Name: Berth Fife Noon Civic

Bugat/Feodo is installed as:
File: C:\Documents and Settings\Administrator\Application Data\KB00090109.exe

This Bugat/Feodo variant retrieved its configuration file/target list from a command and control server at ngdvmtwodjjuovsnfj[.]ru:8080 /rwx/B2_9w3/in/. This domain is hosted on a fast-flux infrastructure at the following IP addresses:

81.169.187.170
85.214.204.32
94.20.30.91
112.78.124.115
124.124.212.172
182.50.142.154
213.251.187.126
