Cybercriminals are currently mass mailing tens of thousands of emails impersonating the EFTPS (Electronic Federal Tax Payment System), in an attempt to trick its users into clicking on malicious links that lead to client-side exploits and malware.
More details:
Sample screenshot of the spamvertised email:
Sample compromised URLs used in the campaign:
hxxp://metalcalhas.com/wp-content/plugins/zhemkaoooeo/eftpssignin.html
hxxp://mypaysrochois.com/wp-admin/eftpssignin.html
hxxp://stockidentify.com/wp-content/plugins/zhqoovdcsak/eftpssignin.html
hxxp://leztroy-restauration.com/wp-admin/eftpssignin.html
hxxp://enersol74.fr/wp-admin/eftpssignin.html
hxxp://oneummahcoaching.com/wp-content/plugins/zuayeuetvej/eftpssignin.html
hxxp://programme-de-piquage.com/images/eftpssignin.html
hxxp://menuiserieducrettet.fr/wp-admin/eftpssignin.html
hxxp://jurisdictionthemovie.com/wp-content/plugins/zeotyjoeuek/eftpssignin.html
hxxp://eqi74.com/site/eftpssignin.html
hxxp://lesrandonneesauchalet.com/img/eftpssignin.html
hxxp://lavoixdubio.com/wp-admin/eftpssignin.html
hxxp://order-protandim.com/wp-content/plugins/zeleaqonybg/eftpssignin.html
Sample client-side exploits serving URLs:
hxxp://linuxreal.net/detects/eftps-gov.php
hxxp://foxpoolfrance.net/detects/eftps-gov.php
Sample malicious payload dropping URL:
hxxp://foxpoolfrance.net/detects/eftps-gov.php?rf=1g:1m:1k:1f:1n&ae=1f:2w:33:1f:1h:32:1m:1h:1m:32&b=1f&wi=d&jl=x
Upon successful client-side exploitation, the campaign drops MD5: d35a52d639468c2c4c857e6629b3f6f0, detected by 25 out of 46 antivirus scanners as Worm:Win32/Cridex.E.
Once executed, the sample phones back to the following command and control servers:
109.230.229.250:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA
163.23.107.65:8080
174.142.68.239:8080
81.93.250.157:8080
180.235.150.72:8080
109.230.229.70:8080
95.142.167.193:8080
217.65.100.41:8080
188.120.226.30:8080
193.68.82.68:8080
203.217.147.52:8080
210.56.23.100:8080
221.143.48.6:8080
182.237.17.180:8080
59.90.221.6:8080
64.76.19.236:8080
69.64.89.82:8080
173.201.177.77:8080
78.28.120.32:8080
174.120.86.115:8080
74.207.237.170:8080
77.58.193.43:8080
94.20.30.91:8080
84.22.100.108:8080
87.229.26.138:8080
97.74.113.229:8080
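The indicators above are only useful once they are run against your own traffic. The following is an added example, not code from the original post: it parses a subset of the post's IOCs (the compromised landing-page URLs, the exploit-serving URLs and the C&C endpoints) out of the defanged text, then matches constructed proxy and firewall log lines against them. Beyond the exact host list it also hunts on the two filenames the campaign reuses on every host, eftpssignin.html and /detects/eftps-gov.php, so compromised sites that were not in the published list are still flagged. The log lines and log formats are constructed for illustration; only the IOC strings come from the post.

```python
import re
from typing import NamedTuple
from urllib.parse import urlparse

# Subset of the indicators listed in the post, still defanged (hxxp://) as published.
# A real deployment would paste the complete lists; the subset keeps the example short.
IOC_TEXT = """
hxxp://metalcalhas.com/wp-content/plugins/zhemkaoooeo/eftpssignin.html
hxxp://mypaysrochois.com/wp-admin/eftpssignin.html
hxxp://programme-de-piquage.com/images/eftpssignin.html
hxxp://linuxreal.net/detects/eftps-gov.php
hxxp://foxpoolfrance.net/detects/eftps-gov.php
109.230.229.250:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA
163.23.107.65:8080
174.142.68.239:8080
81.93.250.157:8080
"""

# The campaign reuses the same two filenames on every host it abuses; matching on
# them catches compromised sites that never made it into the published list.
LANDING_PAGE = "/eftpssignin.html"
EXPLOIT_PAGE = "/detects/eftps-gov.php"

URL_RE = re.compile(r"^hxxp://(\S+)$")
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


class Iocs(NamedTuple):
    hosts: frozenset  # hostnames of compromised and exploit-serving sites
    c2: frozenset     # (ip, port) tuples for the C&C servers


def parse_iocs(text):
    """Split the defanged IOC text into hostnames and C&C (ip, port) pairs."""
    hosts, c2 = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if m := URL_RE.match(line):
            host, _, _path = m.group(1).partition("/")
            hosts.add(host.lower())
        elif m := C2_RE.match(line):
            # Trailing path on the first C&C entry is ignored; we match ip:port.
            c2.add((m.group(1), int(m.group(2))))
    return Iocs(frozenset(hosts), frozenset(c2))


def classify_url(url, iocs):
    """Return a verdict for one requested URL, or None if nothing matched."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if u.path.endswith(EXPLOIT_PAGE):
        return "exploit-kit"          # client-side exploit serving page
    if u.path.endswith(LANDING_PAGE):
        return "landing-page"         # eftpssignin.html on a compromised site
    if host in iocs.hosts:
        return "known-compromised-host"
    return None


def classify_connection(dst_ip, dst_port, iocs):
    """Return 'c2' if the destination is one of the listed C&C endpoints."""
    return "c2" if (dst_ip, dst_port) in iocs.c2 else None


# Constructed sample logs (hypothetical formats, not from the post).
PROXY_LOG = [  # time client method url status
    "10:02:11 10.0.0.15 GET http://metalcalhas.com/wp-content/plugins/zhemkaoooeo/eftpssignin.html 200",
    "10:02:12 10.0.0.15 GET http://foxpoolfrance.net/detects/eftps-gov.php?rf=1g:1m&b=1f 200",
    "10:02:13 10.0.0.15 GET http://example.org/index.html 200",
    "10:03:40 10.0.0.22 GET http://unlisted-victim.example/wp-admin/eftpssignin.html 200",
]
FIREWALL_LOG = [  # time src dst dport
    "10:02:30 10.0.0.15 163.23.107.65 8080",
    "10:02:31 10.0.0.15 93.184.216.34 443",
]


def scan(proxy_lines, fw_lines, iocs):
    """Return (time, internal_host, verdict, indicator) for every matching line."""
    hits = []
    for line in proxy_lines:
        ts, client, _method, url, _status = line.split()
        if verdict := classify_url(url, iocs):
            hits.append((ts, client, verdict, url))
    for line in fw_lines:
        ts, src, dst, dport = line.split()
        if verdict := classify_connection(dst, int(dport), iocs):
            hits.append((ts, src, verdict, f"{dst}:{dport}"))
    return hits


if __name__ == "__main__":
    for hit in scan(PROXY_LOG, FIREWALL_LOG, parse_iocs(IOC_TEXT)):
        print(*hit)
```

The host 10.0.0.15 shows the full chain in order: the landing page, then the exploit-kit URL, then a connection to a C&C server on port 8080, which is the sequence to look for when triaging a suspected infection. Matching C&C traffic on ip:port alone is deliberate, since the pseudo-random path seen on the first server will not be stable across samples.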
We’ve already seen the same pseudo-random C&C URL path pattern used in the following previously profiled malicious campaigns:
- Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit
- ‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit
- Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware
- Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware
- Spamvertised AICPA themed emails serve client-side exploits and malware
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.