IRS – Your tax appeal is rejected.

Subject: Your tax appeak is rejected.
URL: hxxp://morningdeals[.]net/ZseUkSLa/index.html

Your tax appeal is rejected.

The text ‘Online Tax Appeal’ is a hyperlink to the URL shown above. That page has no visible content; it only loads four JavaScript files:

badigames[.]net /YRQnqzee/js.js
hermandaddepasion[.]com /63x21NoX/js.js
[.]th /8vVWAm9s/js.js
hxxp://www.trakter4u[.]gr /dLYd6p1U/js.js

These JavaScript redirectors contain the following document.location script, which sends victims to a Blackhole Exploit Kit at


It first downloaded a Pony downloader from the following location:

tradercircuit[.]com /q.php?f=e4a98&e=2

File: info.exe
Size: 95,392 bytes

This Pony downloader variant was also configured to download Gameover Zeus binaries from the following locations:

layout.cnt[.]br /3ZD7ArbR/rnzj80FK.exe —> hosted at IP address
kucukagaanaokulu.k12[.]tr /5hxYiCGM/DLsp9.exe —> hosted at IP address
beyondcreativehm[.]com /MnFUS9Ah/PVzKLHf.exe —> hosted at IP address

All of these files were identical, with the following properties:

File: rnzj80FK.exe/DLsp9.exe/PVzKLHf.exe
MD5: 4bf9cca55ff576e91c1fd4a2c2d35ff1
Size: 278,528 bytes
Other: This file is digitally signed by ‘66666666’
Company Name: 2q3wet Corporation
File Description: Windows TaskManager
Internal Name: taskmgr
Legal Copyright: Copyright (C) 2q3wet Corp. 1991-1999
Original Filename: taskmgr.exe

This Gameover variant is detected by 4 of 43 AV vendors on . The Gameover Zeus variant posts to a dropzone at over port 28598. It had a CID of “3004”.
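Because the indicators above are defanged, here is an added Python example (not code from the original post) that refangs them and flags any proxy log line touching a stage of the chain described above. The proxy log lines are constructed for the example; the redirector whose host is not legible in the post is omitted.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the write-up, kept defanged and tagged with the
# stage of the infection chain they belong to.
INDICATORS = {
    "morningdeals[.]net/ZseUkSLa/index.html": "phishing landing page",
    "badigames[.]net/YRQnqzee/js.js": "JS redirector",
    "hermandaddepasion[.]com/63x21NoX/js.js": "JS redirector",
    "www.trakter4u[.]gr/dLYd6p1U/js.js": "JS redirector",
    "tradercircuit[.]com/q.php": "Pony downloader",
    "layout.cnt[.]br/3ZD7ArbR/rnzj80FK.exe": "Gameover Zeus payload",
    "kucukagaanaokulu.k12[.]tr/5hxYiCGM/DLsp9.exe": "Gameover Zeus payload",
    "beyondcreativehm[.]com/MnFUS9Ah/PVzKLHf.exe": "Gameover Zeus payload",
}

def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) into a matchable host/path."""
    return re.sub(r"^hxxps?://", "", ioc.replace("[.]", "."))

def classify_url(url):
    """Return the chain stage for a URL seen in a proxy log, or None.
    The query string is ignored so the Pony URL matches regardless of
    the f=/e= parameters."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    key = parts.netloc.lower() + parts.path
    for ioc, stage in INDICATORS.items():
        if key == refang(ioc):
            return stage
    return None

def scan_proxy_log(lines):
    """Return (client, url, stage) for every log line hitting an indicator.
    Assumed log layout: timestamp, client IP, URL, status."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        stage = classify_url(fields[2])
        if stage:
            hits.append((fields[1], fields[2], stage))
    return hits

# Constructed sample proxy log lines; not taken from the original post.
SAMPLE_LOG = """\
2013-04-02T10:01:05 10.0.0.12 http://morningdeals.net/ZseUkSLa/index.html 200
2013-04-02T10:01:06 10.0.0.12 http://badigames.net/YRQnqzee/js.js 200
2013-04-02T10:01:09 10.0.0.12 http://tradercircuit.com/q.php?f=e4a98&e=2 200
2013-04-02T10:01:15 10.0.0.12 http://layout.cnt.br/3ZD7ArbR/rnzj80FK.exe 200
2013-04-02T10:02:00 10.0.0.33 http://www.example.com/index.html 200
""".splitlines()
```

A client that hits the landing page, a redirector, the Pony URL and a payload URL in sequence has completed the whole chain and should be treated as infected rather than merely exposed.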

