Yesterday we began seeing a malware campaign posing as a message from “Microsoft Outlook”. The messages pose as a notification that the user has exceeded their mailbox storage limit and advise them to open the attachment to upgrade their account. The attachment is an ACE (.ace) archive that contains a malicious SCR (.scr) file. ACE is a data compression format similar to the more commonly used ZIP and RAR formats; although it is used far less often than either, unpacking ACE files is supported by many third-party archivers, so it should not pose a problem for most users. The file inside is a rather large (643kb) SCR file named updatemail(dot)ace.


While the majority of malware hitting our filters each day consists of a smaller Trojan ‘dropper’ that pulls down additional malicious software from the internet, this particular piece contains all the functionality it needs in the original attachment. In other words, it has no need to download more malicious software to do its damage. Once executed, the malware drops a file in AppData and then adds a Run registry key to ensure that it keeps running on the system from then on. It also immediately registers a hook to monitor keyboard input (keylogging) and sets up a listener on TCP port 49202. We also observed the malware attempting to harvest bitcoin that might be stored on the user's system, as well as self-propagation via SMTP, so we can likely expect to see more of these in the future.

File name: Updatemail(dot)ace
MD5: 7e46f98e98eb39d13ddfaa66551181b7
SHA1: 6baeced8fdf6c93a024167fb961e5037b59e5006
SHA256: eb97f6d0a454e0034e06d16e69ab6dddbf9d3d8e790e66003d6b3cfebd9d29e7

When W-2s started arriving earlier in the year, we saw an increase in the amount of tax-related spam attempting to phish users for sensitive data or infect their PCs outright. It's no surprise, then, that 2015 has been quite a busy year for tax scams of all sorts.

Early in the year, Intuit (the company that owns the very popular tax software/service Turbo Tax) announced that it was shutting down state tax filing due to a recent rash of “suspicious” filings. The news came at a time when millions of US citizens were filing federal and state tax returns, and it meant a partial (albeit temporary) service outage for the most widely used online tax prep software provider in the US. The shutdown came on the heels of Minnesota's decision to stop accepting filings from Turbo Tax due to potentially fraudulent activity. A full investigation is still pending, but Intuit's initial response was that the false filings were not the result of a breach of its internal network but occurred by some other means. It stands to reason that the perpetrators may have used username/password combinations stolen in any of the many recent breaches and reused across multiple accounts, or perhaps credentials harvested through one of the many tax-themed phishing campaigns we see hitting our spam filter on a daily basis.

We have seen hundreds of variants of tax-themed email campaigns attempting to dupe users in the first quarter of 2015. The majority of messages contain malware as an attachment or use a URL that leads to a malicious payload.

More and more users are filing their taxes electronically, and in the eyes of an unsuspecting user, an email such as the one pictured below may look legitimate.


This particular variant is quite simple: it instructs the user to follow a link to view a message from the IRS regarding their tax documents. To the average user these messages look exactly like what a tax document email from the IRS should look like; the only problem is that the IRS “does not [initiate] taxpayer communications through e-mail and won't send a message about your tax account”. As is customary in these types of messages, the URL will lead to either a malware infection or a phishing landing page.

So, what can you do to stay safe this tax season?


  • Keep your browser and operating system up to date. Both receive frequent updates, many of which include fixes for vulnerabilities that could be used in an attack against an innocent taxpayer.
  • Online fraudsters (a.k.a. “phishers”) will attempt to contact taxpayers via email. Please note: the IRS will never initiate contact with a taxpayer through email.
  • The IRS will never ask you for PIN numbers or credit card information in an email.
  • Never click on a link, or an attachment, from an unsolicited email.
  • You should never conduct unsecured transactions that include any account or password information over public hotspots including airports, hotels, libraries, restaurants, cafes, or other locations that offer free WiFi.
  • Always and completely log out of sensitive sites. It is possible for an attacker to hijack a session that has been left open.
  • Do not file online using the same computer that your kids do. A good portion of online scams and spam target today’s younger generation of Internet users.
  • Remain vigilant and try to use simple logic – if it seems too good to be true, and it is sitting in your inbox, delete it. Especially if it is from someone you did not initiate contact with.
  • Before entering sensitive information into a website, look for the security padlock symbol.
  • Create strong passwords; choose passwords that are complex and utilize a combination of upper and lower case letters, numbers and symbols.
  • Limit your exposure through e-mail and Web. It is perhaps online behavior that bears the most scrutiny, and mitigating the risk through the use of reliable e-mail and Web filtering solutions is essential.


In what appears to be more work from the same people who brought you Jon French's blog post last week, we began seeing a blast of malicious spreadsheets pouring into our filters this morning. The emails that carried them had some minor randomness in their subject lines, but all shared the line “Remittance Advice for” followed by a random decimal number and a random company name such as JP Morgan or Powerchip Technology. The bodies of these emails simply restated the random company name found in the subject line along with the name that was spoofed as the sender. The attachment was a seemingly blank xls document. Under the hood, however, was a malicious VBA macro that attempts to download an executable masquerading as a gif file from a remote server. The macro uses some minor obfuscation, in the form of ASCII integer values in place of more readable text values, to hide its intent.

After a quick conversion, we can see that this script is attempting to download the file ddls.gif from the IP, which is located in Moscow, Russia.

Even though the server at this IP is up and responding, it is no longer fulfilling requests for this file, so I can't quite say what its intentions were, but you can likely bet on a keylogger in there somewhere, in addition to other things as per usual.

At the time of analysis these xls docs scored a whopping 0/57 on VirusTotal, meaning that none of those AVs recognized them as malicious. It's unclear how long the communication between the file and the remote server was active in order to download the main payload (ddls.gif), if it was at all, but it didn't appear to be very long.

Emails purporting to come from Stanford Health Care deliver malware inside an attachment entitled Customer_department_offer.zip. These emails use one of six different subject lines in their attempts to trick recipients into falling prey to the campaign: “Special offer”, “Health Care”, “Thank You”, “Important”, “check out”, and my favorite, “Stanford Medecine” [sic]. I enjoy the fact that this particular subject line misspells the word “medicine”, especially considering the proper spelling is right there in the graphic they used to spoof Stanford to begin with, but I digress.

This campaign is directly related to similar campaigns we have been seeing on a daily basis. They usually begin in the mornings as people in the US are getting into work, around 6am CST, and last for just over an hour, delivering right around 1 million pieces. The functionality in these campaigns is the same, as is the fake PDF icon on the zipped-up executable. The main differences between them are the entity they decide to spoof and the contact domains and IPs that the malware attempts to reach. This particular campaign reaches out to the domain estelareventos.com as well as an IP in Ukraine on port 13912.

This just in: as I was writing this post the same group began sending yet another campaign, this time impersonating Chase Bank, which they have been keen to do. This time the malware attempts to connect to sncielles.de, restaurantesdeasturias.com, and again, this time on port 13923.
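As an added illustration (not from the original post), the following script matches the contact domains and ports quoted above against constructed egress log lines. The Ukrainian IP addresses are not given in the post, so it assumes only the domains and ports as indicators, and it takes care that lookalike hosts such as notsncielles.de do not match.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in the post for the Stanford Health Care and Chase campaigns.
# The Ukrainian IP addresses are not given in the post, so only domains and ports are used.
IOC_DOMAINS = {"estelareventos.com", "sncielles.de", "restaurantesdeasturias.com"}
IOC_PORTS = {13912, 13923}

# Constructed egress log lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
2015-03-26T06:14:02Z src=10.1.2.3:51022 dst=203.0.113.7:13912 host=- proto=tcp
2015-03-26T06:14:05Z src=10.1.2.3:51023 dst=203.0.113.8:80 host=www.estelareventos.com proto=tcp
2015-03-26T06:15:11Z src=10.1.2.9:51100 dst=198.51.100.4:443 host=mail.example.com proto=tcp
2015-03-26T06:16:40Z src=10.1.2.4:51200 dst=203.0.113.9:13923 host=restaurantesdeasturias.com proto=tcp
2015-03-26T06:17:01Z src=10.1.2.5:51300 dst=198.51.100.5:443 host=notsncielles.de proto=tcp
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) host=(?P<host>\S+)"
)

@dataclass
class Hit:
    ts: str
    src: str
    reasons: list = field(default_factory=list)

def domain_matches(host: str, iocs=frozenset(IOC_DOMAINS)) -> bool:
    """Exact or subdomain match only: 'notsncielles.de' must not match 'sncielles.de'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)

def scan_log(text: str) -> list:
    """Return one Hit per log line that touches an IoC domain or port.
    A port-only hit is weak evidence on its own and should be corroborated."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = []
        if domain_matches(m["host"]):
            reasons.append(f"domain {m['host']}")
        if int(m["dst_port"]) in IOC_PORTS:
            reasons.append(f"port {m['dst_port']}")
        if reasons:
            hits.append(Hit(m["ts"], m["src"], reasons))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit.ts, hit.src, "; ".join(hit.reasons))
```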


This morning we had a malware campaign in the form of zipped vbs files (Visual Basic Script). They were rather small files, but there was an attempt at obfuscation. Instead of a nicely laid out script, they use some math to build the script from decimal-encoded characters.

So you get to see something like this.

[Screenshot from 2015-04-01 08:31:20]

Using decimal and base64 encoding to obfuscate code is a common tactic in scripting languages like JavaScript, and in HTML, to mask the true purpose. In this case, fortunately, it was easy to recover the full script of what they were doing: I can just pull out the string data and leave the math behind. A few additions later, and after running it through a decimal conversion, you get a plain text script.


[Screenshot from 2015-04-01 08:34:07]

So this vbs file creates a small script to download a file that looks like a gif and run it as an exe. Fortunately, it looks like the file it tries to download is currently offline: a connection is opened, but there is no response from the server, so running the file at the moment doesn't end up doing anything. But from comments I was able to find online, it was working properly earlier. There were a few main variants of this vbs file this morning, and they were not getting any AV hits on VirusTotal. Between the files, we had a little over 165,000 come in (and held) in the email campaign.
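Both the Remittance Advice xls macro above and this vbs use the same trick: Chr() calls whose arguments are small sums and differences, concatenated into a download URL and a file name. The decoder below is an added example, not the analyst's own script, and runs on a constructed sample in that style with a placeholder host; it evaluates the arithmetic through a whitelisted AST rather than eval().

```python
import ast
import re

# Constructed sample (not the macro from the page) in the Chr()-with-arithmetic
# style these xls and vbs downloaders used; the host is a placeholder.
SAMPLE = """\
strUrl = Chr(104) & Chr(116) & Chr(50+66) & Chr(200-88) & Chr(58) & Chr(47) & Chr(47)
strUrl = strUrl & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101)
strUrl = strUrl & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(100) & Chr(100) & Chr(108) & Chr(115) & Chr(46) & Chr(103) & Chr(105) & Chr(102)
strOut = Chr(100-3) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
"""

CHR_CALL = re.compile(r"\bChrW?\(\s*([0-9+\-* ]+)\s*\)", re.IGNORECASE)
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(?:(\w+)\s*&)?", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'&]+", re.IGNORECASE)
OPS = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b, ast.Mult: lambda a, b: a * b}

def safe_int_expr(expr: str) -> int:
    """Evaluate a Chr() argument such as '50+66' via a whitelisted AST, never eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported Chr() argument: {expr!r}")
    return walk(ast.parse(expr, mode="eval"))

def decode_script(script: str) -> dict:
    """Rebuild, per variable, the plaintext each line of Chr() calls assembles.
    Keys are lowercased (VB names are case-insensitive); 'x = x & Chr(..)' appends
    to x, while any other assignment to x starts it over."""
    strings = {}
    for lineno, line in enumerate(script.splitlines(), 1):
        chars = [chr(safe_int_expr(arg)) for arg in CHR_CALL.findall(line)]
        if not chars:
            continue
        m = ASSIGN.match(line)
        name = m.group(1).lower() if m else f"<line {lineno}>"
        appending = bool(m and m.group(2) and m.group(2).lower() == name)
        strings[name] = (strings.get(name, "") if appending else "") + "".join(chars)
    return strings

def find_urls(script: str) -> list:
    """Decode the script and list every URL hidden in its assembled strings."""
    return sorted({u for s in decode_script(script).values() for u in URL_RE.findall(s)})

if __name__ == "__main__":
    print(decode_script(SAMPLE), find_urls(SAMPLE))
```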

[Screenshot from 2015-04-01 08:27:29]