Rejected Federal Tax payment spam campaign (Nov 10, 2011)

SonicWALL UTM Research team observed a new spam campaign pretending to be arriving from IRS information center. It informs the user about a rejected Federal Tax payment and asks them to review the attached PDF report file for more information. The attached file is a malicious executable Trojan masquerading as a PDF file.

A sample e-mail message looks like:

The attached report file looks like:

The file if executed will perform following activity:

• Creates a process svchost.exe and injects code into it.
• Connects to public Google DNS Server 8.8.4.4 to check for Internet connectivity and sends DNS queries to it for a list of predetermined remote servers:
  
  • followmego12.ru
  • hidemyfass87111.ru
  • losokorot7621.ru
  • mamtumbochka766.ru

• Reports the infected machine's information to one of the above mentioned servers via POST request:
  

  

  The decrypted version of the data being sent looks like "id:8(REMOVED)|bid:X|bv:XXX|sv:XXXX|la:X"

• It further attempts to download malicious executable files from a remote server in Latvia:
  • 91.22(REMOVED).29/step.exe
  • 91.22(REMOVED).29/spm.exe
• Drops following files:
  
  • (All Users Temp)5328ffb60049acd7.exe
  • (User Temp)uhbgmrxgvk.bat
• Deletes the original copy of the file.

SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

• GAV: Pakes.QUJ (Trojan)
• GAV: Festi.C_3 (Trojan)
• GAV: Pakes.II_2 (Trojan)