AICPA.org Phishing: Round 2

This morning I received another, slightly different, AICPA.org phishing email. This time, the spoofed sender was “Aaron Peters – security@intuit.com” (Header available at the bottom of the post).

AICPA Phishing Email

This email contained two hotlinks, both of which pointed to hxxp://foraver.de/wp-includes/aic.html. The landing page has a slightly more convincing version of the standard wait screen, which displays the following text:

Welcome to the AICPA
Page is loading, please wait..
You will see tax info on this screen.

It also contains exploit code for the Adobe LIBTiff and Microsoft HPC URL vulnerabilities. The full report for the site is available here.

Also of note, the site seems to be a legitimate website that has been compromised, and not a site set up specifically for the scam.

Foraver.de

Within the malicious script are the links to the malicious files. The first is hxxp://themeparkoupons.net/content/ap2.php?f=6231f, which delivers a malicious PDF file that currently has a 6/43 detection rate on VirusTotal.

The second link is hxxp://themeparkoupons.net/main.php?page=89cd1f8b9fb67fbc, which, if successful, serves up the payload from hxxp://themeparkoupons.net/w.php?f=6231f&e=[1-4]. The malware currently also has a 6/43 detection ratio on VirusTotal. The Microsoft detection for the malware is Worm:Win32/Cridex.B.

This sample names itself like a Windows Update file, in the format KB########.exe, within C:\Documents and Settings\USERNAME\Application Data and creates a Run value to maintain persistence. Once placed in the correct location, the malware uses cmd.exe to delete the initial executable and a bat file it uses during execution.

The malware also injects itself into explorer.exe and performs a variety of actions. Of note is the DNS request issued for ngdvmtwodjjuovsnfj.ru. When successful, the malware communicates via a POST parameter (/rwx/B2_9w3/in/ in this case) to the domain on port 8080. At the time of writing, the DNS query resolved to seven different IP addresses.

Although the malware carries out additional activities, that’s about all the time I have to dedicate to this at the moment. A full report from the executable is available on Anubis, here.
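To turn the persistence and beaconing behaviour described above into a check a responder could run over host data and proxy logs, here is an added Python example (not from the original post). The Run-key entries and log lines are constructed; the KB########.exe filename pattern, the Application Data location, the port and the /in/ URI are taken from the analysis above.

```python
import re

# Indicators taken from the analysis above: a Windows-Update-looking filename
# dropped under Application Data, a Run value pointing at it, and an HTTP POST
# beacon to port 8080 whose path ends in /in/.
KB_NAME = re.compile(r"^KB\d{8}\.exe$", re.IGNORECASE)
APPDATA = re.compile(r"\\application data\\", re.IGNORECASE)
BEACON = re.compile(r"\bPOST\s+http://(?P<host>[^/:\s]+):8080(?P<path>/\S*/in/)")

def suspicious_dropper(path):
    """True when a file path matches the KB########.exe-in-Application-Data pattern."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return bool(KB_NAME.match(name) and APPDATA.search(path))

def persistence_hits(run_values):
    """Return Run-key value names whose command line points at such a dropper."""
    return [name for name, cmd in run_values.items() if suspicious_dropper(cmd.strip('"'))]

def beacon_hits(log_lines):
    """Return (host, path) pairs for proxy log lines that look like the 8080 POST beacon."""
    hits = []
    for line in log_lines:
        m = BEACON.search(line)
        if m:
            hits.append((m.group("host"), m.group("path")))
    return hits

# Constructed sample data (not captured from a real host).
SAMPLE_RUN = {
    "KB00123456.exe": r'"C:\Documents and Settings\alice\Application Data\KB00123456.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_LOG = [
    "2012-03-08 11:02:13 10.0.0.15 POST http://ngdvmtwodjjuovsnfj.ru:8080/rwx/B2_9w3/in/ 200",
    "2012-03-08 11:02:14 10.0.0.15 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    print("persistence:", persistence_hits(SAMPLE_RUN))
    print("beacons:", beacon_hits(SAMPLE_LOG))
```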

If anyone else does any analysis, please let me know so I can link to it here!

Headers

Received: from CH1PRD0702HT009.namprd07.prod.outlook.com (10.42.110.11) by
BY2PRD0710HT002.namprd07.prod.outlook.com (10.255.86.37) with Microsoft SMTP
Server (TLS) id 14.16.123.2; Thu, 8 Mar 2012 10:55:25 +0000
Received: from CH1PRD0702HT008.namprd07.prod.outlook.com (10.42.110.189) by
CH1PRD0702HT009.namprd07.prod.outlook.com (10.42.110.11) with Microsoft SMTP
Server (TLS) id 14.15.45.0; Thu, 8 Mar 2012 10:55:24 +0000
Received: from mail16-tx2-R.bigfish.com (65.55.88.111) by
CH1PRD0702HT008.namprd07.prod.outlook.com (10.42.110.189) with Microsoft SMTP
Server (TLS) id 14.15.45.0; Thu, 8 Mar 2012 10:55:24 +0000
Received: from mail16-tx2 (localhost [127.0.0.1]) by mail16-tx2-R.bigfish.com
(Postfix) with ESMTP id DEF9D802EF for ; Thu,
8 Mar 2012 10:55:22 +0000 (UTC)
X-Safelisted-IP: 192.149.109.20
X-Forefront-Antispam-Report: CIP:192.149.109.20;KIP:192.149.109.20;UIP:(null);(null);H:mail.norwich.edu;R:internal;EFV:INT
X-FOPE-CONNECTOR: SANITIZED
Received-SPF: fail (mail16-tx2: domain of intuit.com does not designate 192.149.109.20 as permitted sender) client-ip=192.149.109.20; envelope-from=security@intuit.com; helo=mail.norwich.edu ;.norwich.edu ;
Received: from mail16-tx2 (localhost.localdomain [127.0.0.1]) by mail16-tx2
(MessageSwitch) id 1331204120373441_2784; Thu, 8 Mar 2012 10:55:20 +0000
(UTC)
Received: from TX2EHSMHS009.bigfish.com (unknown [10.9.14.247]) by
mail16-tx2.bigfish.com (Postfix) with ESMTP id 4C5033C0057 for
; Thu, 8 Mar 2012 10:55:20 +0000 (UTC)
Received: from mail.norwich.edu (192.149.109.20) by TX2EHSMHS009.bigfish.com
(10.9.99.109) with Microsoft SMTP Server id 14.1.225.23; Thu, 8 Mar 2012
10:55:17 +0000
X-IronPort-AV: E=Sophos;i="4.73,551,1325480400";
d="scan'208,217";a="31739615"
Received: from home-14109.b.astral.ro ([213.164.227.84]) by mail.norwich.edu
with ESMTP; 08 Mar 2012 05:55:16 -0500
Received: from apache by intuit.com with local (Exim 4.63) (envelope-from
) id 2R729D-V0409A-OX for ; Thu, 8
Mar 2012 12:55:15 +0200
To:
Subject: Fraudulent tax return assistance accusations.
Date: Thu, 8 Mar 2012 12:55:15 +0200
From: Aaron Peters
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="————04040600104010406080606"
Return-Path: security@intuit.com
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-MS-Exchange-Organization-AuthSource:
CH1PRD0702HT008.namprd07.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
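The header block above carries the evidence that the sender was spoofed: SPF fails for intuit.com, the message entered the receiving infrastructure from an astral.ro host, and it was sent by a PHPMailer script. Below is an added Python example (not part of the original post) that pulls those facts out of the headers automatically; the excerpt is reconstructed from the block above with line folding restored and the stripped addresses filled in from the post, and the list of trusted relay suffixes is an assumption for this example.

```python
import re
from email import message_from_string

# Header excerpt reconstructed from the block above (folding restored, the
# From address taken from the post, the recipient address left out).
HEADER_EXCERPT = """\
Received: from mail.norwich.edu (192.149.109.20) by TX2EHSMHS009.bigfish.com
 (10.9.99.109) with Microsoft SMTP Server id 14.1.225.23; Thu, 8 Mar 2012
 10:55:17 +0000
Received-SPF: fail (mail16-tx2: domain of intuit.com does not designate 192.149.109.20 as permitted sender) client-ip=192.149.109.20; envelope-from=security@intuit.com; helo=mail.norwich.edu
Received: from home-14109.b.astral.ro ([213.164.227.84]) by mail.norwich.edu
 with ESMTP; 08 Mar 2012 05:55:16 -0500
Received: from apache by intuit.com with local (Exim 4.63) id 2R729D-V0409A-OX;
 Thu, 8 Mar 2012 12:55:15 +0200
From: Aaron Peters <security@intuit.com>
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)

"""

# Hosts that make up our own mail path (assumption for this example).
TRUSTED_SUFFIXES = ("bigfish.com", "outlook.com", "norwich.edu")

def first_external_hop(received):
    """Walk Received headers newest-first and return the first 'from' host that is
    not ours. Every Received header below that hop was written by the sender and
    cannot be trusted (here the forged 'from apache by intuit.com' line)."""
    for hdr in received:
        m = re.search(r"from\s+([\w.-]+)", hdr)
        if m and not m.group(1).lower().endswith(TRUSTED_SUFFIXES):
            return m.group(1)
    return None

def assess_spoofing(raw_headers):
    msg = message_from_string(raw_headers)
    from_domain = re.search(r"@([\w.-]+)", msg.get("From", "")).group(1).lower()
    spf = msg.get("Received-SPF") or ""
    spf_result = spf.split(None, 1)[0].lower() if spf else "none"
    origin = first_external_hop(msg.get_all("Received") or [])
    findings = []
    if spf_result == "fail":
        findings.append("SPF fail for " + from_domain)
    if origin and not origin.lower().endswith("." + from_domain):
        findings.append("entered from " + origin + ", not a " + from_domain + " host")
    if "phpmailer" in (msg.get("X-Mailer") or "").lower():
        findings.append("sent by a PHPMailer script")
    return {"from_domain": from_domain, "spf": spf_result, "origin": origin, "findings": findings}

if __name__ == "__main__":
    for finding in assess_spoofing(HEADER_EXCERPT)["findings"]:
        print("-", finding)
```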
