Tuesday, 13 January 2015

Your FED TAX payment Rejected - TAX@irs.gov - malware

The "Your FED TAX payment Rejected" malware is now arriving as an HTML email
with an attached ZIP file.

Headers:
Date: Tue, 13 Jan 2015 13:27:05 -0500
From: "TAX@irs.gov" {tax@irs.gov}
Subject: Your FED TAX payment (ID:MKPIRS625698164) was Rejected

Message body:

*** PLEASE DO NOT RESPOND TO THIS EMAIL ***

Your federal Tax payment (ID: MKPIRS625698164), recently sent from your  checking account was returned by the your financial institution.

For more information, please download attached notification. (Security Adobe PDF file)

Transaction Number: MKPIRS625698164}

Payment Amount: $ 5170.18
Transaction status: Rejected           
                                      
ACH Trace Number: 5555555555                
Transaction Type: ACH Debit Payment-DDA      

Internal Revenue Service
Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.

Attached to the email is a ZIP file:

FEDERAL_tax_notify.pdf.zip

On a Windows machine, inside the ZIP is a Windows executable (note the dual extension):
FEDERAL_tax_notify.pdf.scr
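
A mail-gateway style check for this pattern, as an added example that is not part of the original post: it opens ZIP attachments and flags members whose name ends in a document extension followed by an executable one. The extension lists are assumptions, and the sample message is constructed with harmless placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed lists: extensions Windows runs directly (.scr is a PE screensaver),
# and document-style extensions used as the decoy middle part of the name.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def is_double_extension(name):
    """True for names like 'x.pdf.scr': decoy extension, then executable one."""
    parts = name.lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def scan_message(raw_bytes):
    """Return (attachment, member) pairs for ZIP members with a double extension."""
    findings = []
    for part in message_from_bytes(raw_bytes).walk():
        filename = part.get_filename()
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not filename or payload is None:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            continue  # not a ZIP (or corrupt): out of scope for this check
        findings += [(filename, m) for m in members if is_double_extension(m)]
    return findings


def build_sample():
    """Constructed sample: same file names as above, placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FEDERAL_tax_notify.pdf.scr", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FEDERAL_tax_notify.pdf.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```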

MD5 hashes:
45f3c660daf2e9013c34a5708242af92

Malware Information:

VirusTotal Report [1]
(hits 13/57 Virus Scanners)

Malwr Report [1]

Summary:

Steals private information from local Internet browsers
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup


Cheers,

Steve
Sanesecurity.com
