
Email:

Fake IRS virus spam email claims your tax refund request has been processed and a copy is attached.

The attached .doc carries a macro that downloads malware.


Subject: Payment confirmation for tax refund request # 75991792  


You are receiving this notification because your tax refund request has been processed.
Please find attached a copy of the approved 1040A form you have submitted, containing
your personal information and signature.
On the last page, you can also find the wire transfer confirmation from the bank.

Transaction type : Tax Refund
Payment method : Wire transfer
Amount : $7592
Status : Processed
Form : 1040A

Additional information regarding tax refunds can be found on our website:
http://www.irs.gov/Refunds.
Please note that IRS will never ask you to disclose personal or payment information
in an email.

Regards,
Internal Revenue Service
Address: 1111 Constitution Avenue, NW
Washington, DC 20224
Website: http://www.irs.gov
Phone: 1-800-829-1040

confimation_75991792.doc (78)


Header Examples:

16 April 2015

Spoofs irs.gov in From headers and random junk in the HELO and MAIL FROM connection strings.

 

Received: from net-2-35-220-180.cust.vodafonedsl.it [2.35.220.180]
X-Envelope-From: disturbingjh7 @radiomagnetic.com
From: "Internal Revenue Service" <office @irs.gov>
Subject: Payment confirmation for tax refund request # 75991792

Received: from 93-47-137-255.ip113.fastwebnet.it [93.47.137.255]
X-Envelope-From: resonatorslz136 @rothrockfamily.com
From: "Internal Revenue Service" <office @irs.gov>
Subject: Payment confirmation for tax refund request # 75991792

Received: from JHPOAZXO ([151.82.167.202]
X-Envelope-From: kirkingbp175 @rosesforweddings.com
From: "Internal Revenue Service" <office @irs.gov>
Subject: Payment confirmation for tax refund request # 75991792

Received: from static-71-250-237-181.nwrknj.east.verizon.net [71.250.237.181]
X-Envelope-From: fleagk59 @rdnav.com
From: "Internal Revenue Service" <office @irs.gov>
Subject: Payment confirmation for tax refund request # 3098-2344342

Received: from 230-48-164-181.fibertel.com.ar [181.164.48.230]
X-Envelope-From: itemizemm5 @rotec.com
From: "Internal Revenue Service" <office @irs.gov>
Subject: Payment confirmation for tax refund request # 3098-2344342

Received: from net-2-35-220-180.cust.vodafonedsl.it [2.35.220.180]
X-Envelope-From: disturbingjh7 @radiomagnetic.com
From: "Internal Revenue Service" <office @irs.gov>
Subject: Payment confirmation for tax refund request # 75991792
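The three header fields quoted together above (Received, X-Envelope-From, From) are enough to flag this campaign mechanically. The script below is an added example, not part of the original post: it parses header excerpts in the form shown above, flags a From domain that differs from the envelope sender, a HELO name that is not a hostname, and relays whose names look like consumer broadband pools (that last check is a heuristic of my own, not a mail standard). The sample input is constructed from two of the excerpts above plus a benign control message on example.org; the address regex tolerates the page's "user @domain" spacing.

```python
import re
from typing import Dict, List

# Constructed sample, not captured traffic: two header sets copied from the page
# (with the page's anti-harvesting space before "@" left in) plus one benign
# control message so the checks have something to pass.
SAMPLE_HEADERS = """\
Received: from net-2-35-220-180.cust.vodafonedsl.it [2.35.220.180]
X-Envelope-From: disturbingjh7 @radiomagnetic.com
From: "Internal Revenue Service" <office @irs.gov>
Subject: Payment confirmation for tax refund request # 75991792

Received: from JHPOAZXO ([151.82.167.202]
X-Envelope-From: kirkingbp175 @rosesforweddings.com
From: "Internal Revenue Service" <office @irs.gov>
Subject: Payment confirmation for tax refund request # 75991792

Received: from mail.example.org [203.0.113.5]
X-Envelope-From: bounces @example.org
From: "Example Newsletter" <news @example.org>
Subject: Weekly digest
"""

# Tolerates the "user @domain" spacing used on the page as well as normal addresses.
ADDR_RE = re.compile(r"([\w.+-]+)\s*@\s*([\w.-]+)")
# "from <helo-name> [ip]" or "from <helo-name> ([ip]" as in the quoted Received lines.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]?")
# Heuristic (my assumption, not a standard): labels typical of consumer broadband pools.
CONSUMER_RE = re.compile(r"(dsl|cust|fibertel|dyn|pool|cable|static-)", re.I)


def parse_blocks(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated header excerpts into one dict per message."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        headers: Dict[str, str] = {}
        for line in chunk.splitlines():
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        blocks.append(headers)
    return blocks


def domain_of(field: str) -> str:
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    m = ADDR_RE.search(field)
    return m.group(2).lower() if m else ""


def assess(headers: Dict[str, str]) -> Dict[str, object]:
    """Return the subject, the findings, and whether the message looks spoofed."""
    findings: List[str] = []
    from_dom = domain_of(headers.get("from", ""))
    env_dom = domain_of(headers.get("x-envelope-from", ""))
    # The page's campaign: From claims irs.gov, the envelope sender is a random domain.
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"envelope sender {env_dom} differs from From domain {from_dom}")
    m = RECEIVED_RE.search(headers.get("received", ""))
    if m:
        helo, ip = m.group(1), m.group(2)
        if "." not in helo:
            findings.append(f"HELO name {helo!r} is not a hostname")
        elif CONSUMER_RE.search(helo):
            findings.append(f"relay {helo} ({ip}) looks like a consumer broadband host")
    return {
        "subject": headers.get("subject", ""),
        "findings": findings,
        "suspicious": bool(findings),
    }


def triage(text: str) -> List[Dict[str, object]]:
    """Assess every header excerpt in the text."""
    return [assess(h) for h in parse_blocks(text)]


if __name__ == "__main__":
    for r in triage(SAMPLE_HEADERS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{flag}] {r['subject']}")
        for f in r["findings"]:
            print("   -", f)
```

The envelope/From mismatch is the check that matters for mail filtering: a legitimate bulk sender may use a different bounce domain, but a From of irs.gov with an envelope sender on an unrelated domain and a relay on a residential DSL line is exactly the pattern in the samples above. The HELO heuristics are supporting evidence only; on a real gateway the same mismatch would be caught by SPF and DMARC alignment checks rather than a regex.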

Malware

16 April 2015

Attachment: malicious .doc file with a macro to download malware: confimation_75991792.doc

The macro will try to download an executable from places like:

91.194.254.235/uss/file.exe  <-- dyreza  
91.194.254.222/us2/file.exe <-- hancitor

VirusTotal report 

Kaspersky  Trojan-Downloader.MSWord.Agent.ii
McAfee  Generic.vx
Microsoft  TrojanDownloader:W97M/Bartallex
Sophos  Troj/DocDl-KK
Symantec  W97M.Downloader
TrendMicro  W2KM_BARTALEX.UI

Malwr.com report | hybrid-analysis.com report

Downloaded executable: file.exe (Dyreza banking stealer)

VirusTotal report 

BitDefender  Gen:Variant.Graftor.183906
ESET-NOD32  a variant of Win32/Kryptik.DFKM
GData  Gen:Variant.Graftor.183906
K7GW  Trojan ( 004bd7fb1 )
Kaspersky  UDS:DangerousObject.Multi.Generic
Malwarebytes  Trojan.Agent.ED
McAfee  Artemis!88ED077E12A8
Qihoo-360  HEUR/QVM10.1.Malware.Gen
Tencent  Trojan.Win32.Qudamah.Gen.1

Malwr.com report 

The binary likely contains encrypted or compressed data.

hybrid-analysis.com report

Also...

These C2 sites were in memory:

nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p:443
91.238.74.70:443
62.122.69.172:4443
181.189.152.131:443
194.28.190.183:443
95.67.88.84:4443
176.56.24.229:443
85.66.249.207:443
178.136.123.22:443
91.194.239.126:4443
94.231.178.46:4443
194.28.190.167:443
80.234.34.137:443
213.111.243.60:4443
46.149.253.52:4443
37.57.101.221:4443
134.249.63.46:443
85.192.165.229:443
46.151.48.149:443
195.34.206.204:443
62.122.69.159:4443
188.123.34.203:443
188.123.34.203:443
178.18.172.215:4443
91.232.157.139:443
46.151.49.128:443

And Dyreza configs were in memory, consisting of bank login sites to intercept and what to do about them:

<serverlist>
<server>
<sal>srv_name</sal>
<saddr>62.75.177.5:443</saddr>
</server>
</serverlist>
<localitems>
<litem>
businessaccess.citibank.citigroup.com/cbusol/signon.do*
businessaccess.citibank.citigroup.com/*
urklzdwikyjhsolqirdqedyobrpz12181.com
srv_name
</litem>
<litem>
www.bankline.natwest.com/CWSLogon/logon.do*
www.bankline.natwest.com/*
nisxiegafacuxfp12281.com
srv_name
</litem>
<litem>
www.bankline.rbs.com/CWSLogon/logon.do*
www.bankline.rbs.com/*
rhpiqswphsr12381.com
srv_name
</litem>
.... many more
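The configuration fragment above is not well-formed XML (each <litem> is four newline-separated lines, and the dump is truncated), so a defender who wants to know whether their own portal is in the target list has to parse it tolerantly. The following is an added example and not Dyreza's or the author's code: it takes the <serverlist> and the first two <litem> entries quoted above (re-wrapped with a closing tag as constructed sample input), resolves each entry's fourth line to the <saddr> of the matching <server>, turns the "*" patterns into regexes, and answers which entry covers a given URL. The field names login_pattern, site_pattern and domain are my labels; the page does not state what role the third line's domain plays, so the code records it without interpreting it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the serverlist and the first two localitems quoted on the
# page, wrapped with a closing </localitems> so the fragment is complete.
SAMPLE_CONFIG = """\
<serverlist>
<server>
<sal>srv_name</sal>
<saddr>62.75.177.5:443</saddr>
</server>
</serverlist>
<localitems>
<litem>
businessaccess.citibank.citigroup.com/cbusol/signon.do*
businessaccess.citibank.citigroup.com/*
urklzdwikyjhsolqirdqedyobrpz12181.com
srv_name
</litem>
<litem>
www.bankline.natwest.com/CWSLogon/logon.do*
www.bankline.natwest.com/*
nisxiegafacuxfp12281.com
srv_name
</litem>
</localitems>
"""


@dataclass
class Target:
    login_pattern: str              # line 1: the login page, with a trailing "*" wildcard
    site_pattern: str               # line 2: the rest of the site
    domain: str                     # line 3: a domain tied to the entry (role not stated on the page)
    server_ref: str                 # line 4: the <sal> name of a <server> in <serverlist>
    server_addr: Optional[str] = None  # resolved <saddr>, if the name is known


# The tags are consistent even though the bodies are not XML text nodes.
SERVER_RE = re.compile(r"<server>\s*<sal>(.*?)</sal>\s*<saddr>(.*?)</saddr>\s*</server>", re.S)
LITEM_RE = re.compile(r"<litem>(.*?)</litem>", re.S)


def parse_servers(text: str) -> Dict[str, str]:
    """Map each <sal> name to its <saddr> host:port."""
    return {name.strip(): addr.strip() for name, addr in SERVER_RE.findall(text)}


def parse_targets(text: str) -> List[Target]:
    """Turn every complete <litem> into a Target; damaged or truncated entries are skipped."""
    servers = parse_servers(text)
    targets: List[Target] = []
    for body in LITEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        if len(lines) != 4:
            continue  # tolerate a cut-off dump rather than guessing at fields
        login, site, domain, ref = lines
        targets.append(Target(login, site, domain, ref, servers.get(ref)))
    return targets


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' is the only wildcard in these entries; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def classify(url: str, targets: List[Target]) -> Optional[Tuple[str, Target]]:
    """Which entry covers url: ('login', t), ('site', t) or None. Login patterns win."""
    bare = re.sub(r"^https?://", "", url, flags=re.I)  # the config carries no scheme
    for t in targets:
        if glob_to_regex(t.login_pattern).match(bare):
            return "login", t
    for t in targets:
        if glob_to_regex(t.site_pattern).match(bare):
            return "site", t
    return None


def targeted_hosts(targets: List[Target]) -> List[str]:
    """Sorted list of the hostnames whose login pages appear in the config."""
    return sorted({t.login_pattern.split("/", 1)[0] for t in targets})


if __name__ == "__main__":
    cfg = parse_targets(SAMPLE_CONFIG)
    print("targeted hosts:", targeted_hosts(cfg))
    for url in ("https://www.bankline.natwest.com/CWSLogon/logon.do?x=1",
                "https://www.bankline.natwest.com/help",
                "https://example.com/"):
        hit = classify(url, cfg)
        print(url, "->", f"{hit[0]} via {hit[1].server_addr}" if hit else "not targeted")
```

Run against a full config dump, targeted_hosts gives the list a bank's security team actually wants (is our portal in there?), and classify lets proxy logs be checked for the login URLs the config singles out; the resolved server_addr is the serverlist entry the item references, which belongs on the same blocklist as the C2 addresses listed earlier.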

Downloaded executable: file.exe (Hancitor general-purpose botnet and downloader)

VirusTotal report 

AVG  Agent5.WDY
ESET-NOD32  Win32/Agent.RAS
Kaspersky  Trojan-Ransom.Win32.Foreign.mfbv
McAfee  RDN/Generic.hra!ck
Microsoft  Trojan:Win32/Chanitor
Sophos  Troj/Agent-AMMF
Symantec  Trojan Horse

api.ipify.org (107.21.126.30)
um6fsdil5ecma5kf.tor2web.blutmagie.de (192.251.226.206)

Malwr.com report 

Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

hybrid-analysis.com report

Also:

network traffic:
api.ipify.org (107.20.173.238)
https://um6fsdil5ecma5kf.tor2web.blutmagie.de

later instructed to download:
mps23.ru/libraries/fof/controller/1304.exe

Subsequently downloaded executable: 1304.exe (Vawtrak banking stealer)

from: 1mps23.ru/libraries/fof/controller/1304.exe

VirusTotal report | Malwr.com report | hybrid-analysis.com report

 
