FCW Insider

Blog archive

IRS spam hits close to home



Attacks against executives of major global companies continue to be launched with increasing frequency. Attackers spammed out a malicious rich text format (RTF) attachment, via e-mail, spoofed to appear as if they are from the Internal Revenue Service (IRS). The file, complaint.rtf, contains a hostile embedded executable called "The original document was not fully loaded. Please double click to reload msword.exe". If opened the Trojan installs itself to steal sensitive information and upload data to three remote servers. General raw data related to the attack is below:

COMPLAINT.rtf (141,340 bytes)
MD5: bfb196bb3a68b52d18991cfd1b2c0e94

The original document was not fully loaded. Please double click to reload msword.exe (60,928 bytes)
MD5: ea8279d30d548f6608487f69691715a3

Creates the Following:
C:\WINDOWS\system32\drivers\ssl
C:\WINDOWS\System32\drivers\ssl\01 (directories may be 01-06)

WINDOWS\svchost32.dll (55,296 bytes)
MD5: b32533de26bd548f472cce3a5d762eaa

WINDOWS\svchost32.exe (60,928 bytes) (installed as a service named
svchost)
MD5: ea8279d30d548f6608487f69691715a3

Uploads log files to www2.scasd.org (205.173.168.113), in-2-web2.com (72.18.141.26), and www.huquqalinsan.com (72.52.139.11)

Multiple SYN packets to 203.121.79.49:54321 (static), every 30 seconds.


QUOTES
1. Attacks targeted executives are increasingly common. Executives should be on the alert for potentially hostile RTF and DOC files delivered over e-mail, containing potentially hostile embedded files such as EXE and PDF.
This latest attack is not highly prevalent on a global scale but represents a clear and present emergent threat against corporate executives.

2. The Trojan (aka Robofo, Talpalk, Maha, and Dumbnod) installed in this latest attack attempts to steal passwords from Internet Explorer, FireFox, opera, ICQ, Yahoo Messenger, Paltalk, and other similar data. Look for egress traffic to 203.121.79.49:54321 to identify infected computers on a network.

3. "MrTheif11" is an interesting string in the binary, which may be an alias for the attacker. This string exists in former binaries related to Better Business Bureau attacks using similar code, techniques, and remote file servers.

Posted by Christopher Dorobek on May 30, 2007 at 12:16 PM


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.