Rejected Federal Tax payment spam campaign
SonicWALL UTM Research team observed a new spam campaign pretending to be arriving from IRS information center. It informs the user about a rejected Federal Tax payment and asks them to review the attached PDF report file for more information. The attached file is a malicious executable Trojan masquerading as a PDF file.
A sample e-mail message looks like:
The attached report file looks like:
The file if executed will perform following activity:
- Creates a process svchost.exe and injects code into it.
- Connects to public Google DNS Server 220.127.116.11 to check for Internet connectivity and sends DNS queries to it for a list of predetermined remote servers:
- Reports the infected machine's information to one of the above mentioned servers via POST request:
The decrypted version of the data being sent looks like "id:8(REMOVED)|bid:X|bv:XXX|sv:XXXX|la:X"
- It further attempts to download malicious executable files from a remote server in Latvia:
- 91.22(REMOVED).29/step.exe [Detected as GAV: Pakes.II_2 (Trojan)]
- 91.22(REMOVED).29/spm.exe [Detected as GAV: Festi.C_3 (Trojan)]
- Drops following files:
- (All Users Temp)5328ffb60049acd7.exe [Copy of itself detected as GAV: Pakes.QUJ (Trojan)]
- (User Temp)uhbgmrxgvk.bat [Batch file to remove previous version]
- Deletes the original copy of the file.
SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:
- GAV: Pakes.QUJ (Trojan)
- GAV: Festi.C_3 (Trojan)
- GAV: Pakes.II_2 (Trojan)